Cloning another private repo in the build


#1

Hi guys, I have a question regarding cloning another private repository. Let’s say I have two repositories: my-app-backend and my-app-frontend. When going through the workflow with my-app-backend, during one step, I want to clone the frontend repository to run some tests. I’ve set up SSH keys already, namely:

  • I generated new public and private SSH keys.
  • The repository is on GitHub so I visited the frontend repo, Settings -> Deploy keys and according to hints I added the public SSH key which was required.
  • On CircleCI’s end, in the backend app, I visited Settings -> SSH Permissions and I added the private key which was required.
  • Both fingerprints (on GitHub and CircleCI) are the same.

The problem occurs while cloning the frontend repository. I’m getting the following error:

Cloning into '/home/circleci/my-app-frontend'...
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Exited with code 128

I’m pretty sure that with CircleCI 1.0 it would work, but with 2.0 I have no idea. Am I doing anything wrong or should I consider adding a machine user which, in my opinion, would be overkill since I need to do it only in one repository, not everywhere?


#2

It should work just fine. Can we see your config.yml? Did you use add_ssh_keys prior to the git clone?

No, you have a default (root) user in your container, and you don’t need another one.


#3

I totally forgot to include the config file, sorry about that! Here’s the snippet of the file:

version: 2

defaults: &defaults
  working_directory: ~/my-app-backend
  docker:
    - image: circleci/ruby:2.5.1-stretch-browsers
      environment:
        BUNDLE_JOBS: 4
        BUNDLE_RETRY: 3
        BUNDLE_PATH: vendor/bundle
        RAILS_ENV: test
    - image: circleci/postgres:9.6.8-alpine-ram
      environment:
        POSTGRES_USER: my-app-backend
        POSTGRES_DB: my-app-backend_test
        POSTGRES_PASSWORD: ""

jobs:
  run_feature_tests:
    <<: *defaults
    steps:
      - checkout
      - attach_workspace:
          at: ~/my-app-backend
      - add_ssh_keys:
          fingerprints:
            - "<here's the finger print>"
      - run:
          name: Clone frontend repository
          command: >-
            GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa_fingerprint'
            git clone git@github.com:user/my-app-frontend.git ~/my-app-frontend

#4

A couple of things to try:

  • Put -v or -vv etc in your ssh line to see if you can get some logs
  • Make sure you’re actually using an RSA format pair (some encryption algos are not supported)
  • Try adding a continuation \ char at the end of your GIT_SSH_COMMAND line, so the whole thing is one line (I don’t think it would otherwise need export, but it is worth a try).

#5

I added -v option in the ssh command and here’s the output:

#!/bin/bash -eo pipefail
GIT_SSH_COMMAND='ssh -v -i ~/.ssh/id_rsa_<fingerprint>' git clone git@github.com:user/my-app-frontend.git ~/my-app-frontend
Cloning into '/home/circleci/my-app-frontend'...
OpenSSH_7.4p1 Debian-10+deb9u4, OpenSSL 1.0.2l  25 May 2017

debug1: Reading configuration data /home/circleci/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.253.112] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/circleci/.ssh/id_rsa_<fingerprint> type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/circleci/.ssh/id_rsa_<fingerprint>-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
debug1: Remote protocol version 2.0, remote software version libssh_0.7.0
debug1: no match: libssh_0.7.0
debug1: Authenticating to github.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:<key>
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/circleci/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: 
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to github.com ([192.30.253.112]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LANG = C.UTF-8
debug1: Sending command: git-upload-pack 'user/my-app-frontend.git'
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
ERROR: Repository not found.
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK

Transferred: sent 2756, received 1704 bytes, in 0.0 seconds

Bytes per second: sent 64184.2, received 39684.3

debug1: Exit status 1

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Exited with code 128

When it comes to the \ at the end of the GIT_SSH_COMMAND line, it didn’t work, because I got:

#!/bin/bash -eo pipefail
GIT_SSH_COMMAND='ssh -v -i ~/.ssh/id_rsa_<fingerprint>'\ git clone git@github.com:user/my-app-frontend.git ~/my-app-frontend
/bin/bash: clone: command not found
Exited with code 127

Exporting GIT_SSH_COMMAND as described here didn’t work either.


#6

You need to configure CircleCI to be able to check out additional private projects. It’s a security/SSH issue: https://circleci.com/docs/2.0/gh-bb-integration/#enable-your-project-to-check-out-additional-private-repositories

I think maybe you added a regular SSH key that CircleCI would use for deployments vs a checkout key it needs for GitHub.


#7

You’re right, adding an additional checkout SSH key solved the problem. Thanks!
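
A triage helper for `ssh -v` clone logs like the one in post #5, added here as an example and not written by anyone in the thread: it separates "key rejected" from "key accepted but not authorized for the requested repository", which is the case that log shows (authentication succeeds, then GitHub answers "Repository not found"). The function name and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an `ssh -v` + `git clone` log.
# Both sample logs are constructed, following the shape of the output in post #5.

classify_clone_log() {
  # Reads a log on stdin; prints a verdict, plus the requested repo when known.
  awk -v q="'" '
    /Offering .*public key/            { offered = 1 }
    /Authentication succeeded/         { authed = 1 }
    /Permission denied \(publickey\)/  { denied = 1 }
    /Sending command: git-upload-pack/ { split($0, part, q); repo = part[2] }
    /ERROR: Repository not found/      { notfound = 1 }
    END {
      # authed + notfound: SSH login worked, but the accepted key belongs to
      # an identity that has no access to the requested repository.
      # denied: no identity the client had was accepted at all.
      if (authed && notfound) print "authenticated-but-unauthorized " repo
      else if (denied)        print (offered ? "key-rejected" : "no-key-offered")
      else if (authed)        print "ok " repo
      else                    print "inconclusive"
    }'
}

# Constructed sample: same sequence of events as the log in post #5.
LOG_ACCEPTED="debug1: Offering RSA public key:
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
debug1: Sending command: git-upload-pack 'user/my-app-frontend.git'
ERROR: Repository not found.
fatal: Could not read from remote repository."

# Constructed sample: a key that the server does not know at all.
LOG_DENIED="debug1: Offering RSA public key: /home/circleci/.ssh/id_rsa_example
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository."

printf '%s\n' "$LOG_ACCEPTED" | classify_clone_log
printf '%s\n' "$LOG_DENIED"   | classify_clone_log
```

Running `ssh -T git@github.com` with the same key shows, in GitHub's greeting, which user or repository that key is registered to.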

