Failed to do git clone from a CI CD job into a Windows Gitlab Runner

Developer_2000 · May 26, 2021, 8:20am

Hi All,

I am unable to do git clone successfully in a Gitlab runner running on Windows, while I am able to do this in a gitlab runner running on Ubuntu.

I set the .ssh keys for my user(user1) and setup the same in Gitlab, but I am not sure of which user is used by CI CD job and how to set the SSH Keys for the same, please help.

Code snippet of CI CD Job:

demo_job_0_1:
tags:
- Lp25Maytag
script:
- echo Hello World Windows
- ls
- pwd
- whoami
- git clone git@gitlab.test1.com:user1/testrepo.git

Output of the CI CD job:

git-lfs/2.13.3 (GitHub; windows amd64; go 1.16.2; git a5e65851)
Skipping Git submodules setup
Executing “step_script” stage of the job script
00:03
$ echo Hello World Windows
Hello
World
Windows
$ ls
Directory: C:\GitLab-Runner\builds\m91h5sF7\0\user1\testrepo
Mode LastWriteTime Length Name

-a---- 25-05-2021 23:40 1008 .gitlab-ci.yml
-a---- 25-05-2021 23:12 105 README.md
$ pwd
Drive : C
Provider : Microsoft.PowerShell.Core\FileSystem
ProviderPath : C:\GitLab-Runner\builds\m91h5sF7\0\user1\testrepo
Path : C:\GitLab-Runner\builds\m91h5sF7\0\user1\testrepo
$ whoami
nt authority\system
$ git clone git@gitlab.test1.com:user1/testrepo.git
Cloning into ‘testrepo’…
Host key verification failed.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
ERROR: Job failed: exit status 1

Thanks in advance!

balonik · May 26, 2021, 12:37pm

Hi @Developer_2000
you need to configure several things if you want to use SSH with Git for Windows.
I think there are already enough information on the internet if you search for “git for windows ssh”

Developer_2000 · May 27, 2021, 11:57am

Hi @balonik ,
I already know how to configure SSH key for my user, I have configured this successfully and I am able to do a git clone of a project repository. The problem is only when I try to do a git clone from a CI CD job. In this case, I need to configure the SSH Key for the CI/CD user or the Gitlab runner user, this part is what I am not aware of how to do, please help.

balonik · May 31, 2021, 10:13am

You can try something like this in your CI/CD job?

  - echo "$DEPLOY_PRIVATE_KEY" > C:\Users\$env:UserName\.ssh\id_rsa
  - (Get-Content $key_path -Raw).Replace("`r`n","`n") | Set-Content $key_path -Force
  - Set-Service -Name ssh-agent -StartupType Manual
  - Start-Service ssh-agent
  - ssh-add

Developer_2000 · May 31, 2021, 6:01pm

balonik:

  - echo "$DEPLOY_PRIVATE_KEY" > C:\Users\$env:UserName\.ssh\id_rsa
  - (Get-Content $key_path -Raw).Replace("`r`n","`n") | Set-Content $key_path -Force
  - Set-Service -Name ssh-agent -StartupType Manual
  - Start-Service ssh-agent
  - ssh-add

Thanks for the response.
I am getting the below error, I am unable to find an user profile with the gitlab user I suppose.
$ whoami

nt authority\system

$ echo $env

$ echo $env:UserName

LAPTOP-7PFUDL2S$

$ echo $DEPLOY_PRIVATE_KEY

$ echo “$DEPLOY_PRIVATE_KEY” > C:\Users$env:UserName.ssh\id_rsa

out-file : Could not find a part of the path ‘C:\Users\LAPTOP-7PFUDL2S$.ssh\id_rsa’.

balonik · May 31, 2021, 6:53pm

You have typo in the path, but in case such folder does not exist you also need to create it.
optionally output the key to different path and use ssh-add to load it to ssh-agent.

I don’t know why you want to use SSH key. I would use HTTP for git clone and use the Job token for authentication. Its easier and it doesn’t store SSH key on local filesystem in case your runner is used by others.

Developer_2000 · June 8, 2021, 6:48am

Hi @balonik ,
Thanks for your response. I tried using ssh-add but got issues ( I will describe it later in this mail).
For creating a Job token, the user needs maintainer access, right? The user I have only has developer access, and in Linux, I was able to use the same and do git clone using SSH Keys. Please suggest a way without maintainer access if known.

Issue while using ssh-add:
$ ssh-agent -s
$ ssh-add “C:\Users\user1.ssh”
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for ‘C:\Users\user1\.ssh’ are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
ERROR: Job failed: exit status 1

I tried removing access to private key, but it still didn’t work
Thanks in advance!

balonik · June 8, 2021, 7:17am

I assume the repository you are trying to clone is in the same GitLab instance. If not, what I mention below does not apply.

I am talking about $CI_JOB_TOKEN, not Deploy Token. CI_JOB_TOKEN is a token generated for each Job, which is actually used to fetch/clone the repository and other things for that job.
However, CI_JOB_TOKEN inherits all permissions of the user under which the pipeline is running, so if your user has access to gitlab.test1.com/user1/testrepo.git the Job token has it as well. You can use it to clone other private repositories as you need like this git clone https://gitlab-ci-token:$CI_JOB_TOKEN@$CI_SERVER_HOST/user1/testrepo.git

Developer_2000 · June 8, 2021, 11:33am

Thanks a lot, @balonik ! This really worked for me. After weeks of searching in Google and Youtube, I could finally get this resolved by your constant feedback.

I used http instead of https - git clone http://gitlab-ci-token:$CI_JOB_TOKEN@$CI_SERVER_HOST/user1/testrepo.git.