How to change identity file directory in pipeline bitbucket?

Mohammad Sharabati June 6, 2023

Hi All,

I have an issue with a Bitbucket pipeline when I tried to connect to a Windows server via SSH and clone the repository from Bitbucket using Bitbucket Pipelines.
I saw it was trying to open the "/root/.ssh/pipelines_id" identity file, so how can I change the directory?

YML:

image: python:3.8
pipelines:
  custom: # Pipeline that only runs manually
    production:
      - step:
          name: Connect to the Inline
          script:
            - pipe: atlassian/ssh-run:0.4.2
              variables:
                SSH_USER: $SSH_USER
                SERVER: $SERVER
                COMMAND: >
                  if not exist "C:/inline_alpha" (cd "C:/" && git clone -b main git clone git@bitbucket.org:workspace-id/repo.git) else (cd "C:\inline_alpha" && git fetch --all && git pull)

 Result:

Status: Downloaded newer image for bitbucketpipelines/ssh-run:0.4.2

INFO: Executing the pipe...

INFO: Using default ssh key

INFO: Executing command on my_ip_address
ssh -A -tt -i /root/.ssh/pipelines_id -o StrictHostKeyChecking=no -p 22 mtil\mohammadsh@my_ip_address bash -c 'if not exist "C:/inline_alpha" (cd "C:/" && git clone -b main git clone git@bitbucket.org:workspace-id/repo.git) else (cd "C:\inline_alpha" && git fetch --all && git pull)
'

 

Thanks

 

1 answer

1 vote
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 7, 2023

Hi @Mohammad Sharabati and welcome to the community!

The identity file /root/.ssh/pipelines_id is the SSH key file that the pipe uses in order to connect to your server via SSH.

Since you are not using the variable SSH_KEY in the definition of the pipe, the pipe is going to use the SSH keys of the repo (from Repository settings > SSH keys).

Have you already generated or added an SSH key pair as per the instructions here?

I don't believe that it is possible to change this directory. Why are you looking to do that? And what is the error/problem you are seeing when you run the pipe?

Please keep in mind that the key /root/.ssh/pipelines_id is not used in the clone command you have in the pipe. The git clone command is going to use the SSH keys that you have set up on your Windows server.

I also noticed that your clone command has git clone twice

git clone -b main git clone git@bitbucket.org:workspace-id/repo.git

It should be like this instead:

git clone -b main git@bitbucket.org:workspace-id/repo.git

Please provide the following details so we can better help you:

  • the error you are seeing
  • whether you want to specify an SSH key for the pipe or for the git clone or git fetch and pull commands

Just a heads up, I removed the repo details from your post to comply with our privacy policy.

Kind regards,
Theodora

Mohammad Sharabati June 7, 2023

Hi @Theodora Boudale

Thanks for answering me, and I'm happy to join the Bitbucket community.

I get this issue below in the bitbucket pipeline when I run it:
ssh: connect to host <ip_address> port 22: Operation timed out

✖ Execution failed.
What I've done:
  • I generated an SSH key pair using ssh-keygen in the "C:\Users\<user_name>\.ssh" directory:
ssh-keygen -t ed25519 -b 4096 -C "{username@emaildomain.com}" -f {ssh-key-name}
  • I added the public_key to "~/.ssh/authorized_keys" file on the remote host.
  • I added an SSH key pair to a Bitbucket Pipeline:
  1. At bitbucket.org, navigate to the repository and select Repository settings.
  2. Under Pipelines, select SSH keys.
  3. Select Use my own keys.
  4. I put the private and public key that I generated by ssh key there.
  • I added the SSH_KEY variable in the definition of the pipe and I still get the same issue:
pipelines:
  custom: # Pipeline that only runs manually
    production:
      - step:
          name: Connect to the Inline
          script:
            - pipe: atlassian/ssh-run:0.4.2
              variables:
                SSH_USER: $SSH_USER
                SERVER: $SERVER
                SSH_KEY: $SSH_KEY
                COMMAND: >
                  if not exist "C:/inline_alpha" (cd "C:/" && git clone -b main git clone git@bitbucket.org:workspace-id/repo.git) else (cd "C:\inline_alpha" && git fetch --all && git pull)
  
The value of the variables:
$SSH_USER = <username>
$SERVER = <my_ip_address>
$SSH_KEY = <public_key>

Regards,
Mohammad Sharabati
Theodora Boudale
Atlassian Team
June 7, 2023

Hi @Mohammad Sharabati,

Thank you for the information.

 

(1) If you followed the steps you mentioned below, then you don't need to use the SSH_KEY variable in the definition of the pipe.

  1. At bitbucket.org, navigate to the repository and select Repository settings.
  2. Under Pipelines, select SSH keys.
  3. Select Use my own keys.
  4. I put the private and public key that I generated by ssh key there.

The variable is to be used when you don't add the keys in Repository settings > SSH keys.

The value of the variable SSH_KEY should be the private key after you base-64 encode it, and additional steps are needed (explained here)

However, since you are adding the public and private keys in Repository settings > SSH keys, you should remove the SSH_KEY variable from the definition of the pipe.

 


(2) The following error you are seeing does not seem to be related to authentication and SSH keys (otherwise, you would see a message "Permission denied" or some other authentication error).

ssh: connect to host <ip_address> port 22: Operation timed out

This error indicates that Bitbucket Pipelines cannot reach your server.

 


(3) I would also suggest going to Repository settings > SSH keys under the Pipelines header, and add the address of your server for the known hosts. Click the Fetch button to see the host's fingerprint.

This is not necessary for the pipe as it uses StrictHostKeyChecking=no, but it's good to have in case you ever add any SSH command in your YML file outside the pipe.

 

Please feel free to let me know if you have any questions.

Kind regards,
Theodora
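
The two distinctions drawn in points (1) and (2) above, as an added example that is not part of the original answer or of the pipe: one function tells a base64-encoded private key apart from a public key pasted into SSH_KEY, the other maps the ssh client's error text to the layer that failed. The function names are hypothetical, the sample values are constructed, and the error strings beyond the two quoted in the thread are standard OpenSSH client messages added to generalize the check.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values are constructed.

# Classify a candidate SSH_KEY value without ever printing it.
# Prints: private-key-base64 | raw-private-key | public-key | unknown
ssh_key_kind() {
    case $1 in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*) echo public-key; return 0 ;;
        *"-----BEGIN "*"PRIVATE KEY-----"*) echo raw-private-key; return 0 ;;
    esac
    # Not a recognisable key as-is: see whether it decodes to a private key.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || decoded=
    case $decoded in
        "-----BEGIN "*"PRIVATE KEY-----"*) echo private-key-base64 ;;
        *) echo unknown ;;
    esac
}

# Map ssh client error text to the layer that failed.
# Prints: unreachable | refused | auth | host-key | other
classify_ssh_failure() {
    case $1 in
        *"Operation timed out"*|*"Connection timed out"*|*"No route to host"*)
            echo unreachable ;;                    # no answer: routing, firewall, private IP
        *"Connection refused"*) echo refused ;;    # host reached, nothing listening on the port
        *"Permission denied"*) echo auth ;;        # TCP worked, the key or user was rejected
        *"Host key verification failed"*) echo host-key ;;
        *) echo other ;;
    esac
}

# Constructed placeholder, not a real key.
fake_key='-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
-----END OPENSSH PRIVATE KEY-----'

# The error line quoted in the thread, then three candidate SSH_KEY values.
classify_ssh_failure 'ssh: connect to host <ip_address> port 22: Operation timed out'
ssh_key_kind "$(printf '%s\n' "$fake_key" | base64 | tr -d '\n')"
ssh_key_kind "$fake_key"
ssh_key_kind 'ssh-ed25519 AAAA-constructed user@example.com'
```

Only the `private-key-base64` form matches what the answer describes for SSH_KEY; an `unreachable` result means no key setting can help until the network path is fixed.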

Mohammad Sharabati June 8, 2023

Hi @Theodora Boudale ,

  • I removed the SSH_KEY variable in the definition of the pipe according to what you mentioned.
  • I made sure that I'm using a private IP address.
  • I checked that port 22 for SSH connections is open, and I ran this command to check if the firewall is blocking any port: "netsh firewall show state".
  • I checked the firewall log file to check if the firewall is blocking anything in this directory "C:\Windows\System32\LogFiles\Firewall\"; everything is fine.
  • When I tried to fetch the host's fingerprint for my_ip_address I get the error "Unable to fetch fingerprints, check host SSH connection and try again", and I tried to do a fetch for the ip_bitbucket that is located in the "C:\Users\<my_user_name>\.ssh\known_hosts" file; I get a fingerprint value, but when I click to add the host I get the error "Failed to add known host. Bitbucket manages the SSH fingerprint settings for <ip_bitbucket>".

And still didn't work.

Thanks,
Mohammad Sharabati

Theodora Boudale
Atlassian Team
June 9, 2023

Hi @Mohammad Sharabati!

 

I made sure that I'm using a private IP address.

You actually need to use the public IP address of your server. The way I phrased my question in my previous reply was a bit confusing, sorry for that.

A Pipelines build that runs in our own infrastructure doesn't have access to your local network. Your server needs to have a public IP address and you need to use that in the pipe, so that the build can reach your server.

 

When I tried to fetch the host's fingerprint for my_ip_address I get the error "Unable to fetch fingerprints, check host SSH connection and try again", and I tried to do a fetch for the ip_bitbucket that is located in the "C:\Users\<my_user_name>\.ssh\known_hosts" file; I get a fingerprint value, but when I click to add the host I get the error "Failed to add known host. Bitbucket manages the SSH fingerprint settings for <ip_bitbucket>".

You need to use the public IP of your own server in order to fetch its fingerprint (not the one of Bitbucket Cloud).

 

Please feel free to let me know how it goes after you make these changes. If you still get errors, please let me know what the errors are.

 

Kind regards,
Theodora

Mohammad.Sharabati June 11, 2023

Hi @Theodora Boudale

I tried using my server's public IP to fetch its fingerprint, and it still failed.
I get the error "Unable to fetch fingerprints, check host SSH connection and try again"

Thanks,
Mohammad Sharabati

Theodora Boudale
Atlassian Team
June 12, 2023

Hi @Mohammad.Sharabati,

If you are unable to fetch the fingerprint, then something on your server is blocking SSH connections.

If you have a different computer and if you can connect it to a network different than your server's, you can try to connect via SSH from that computer to your server. This should narrow down whether only SSH connections from Bitbucket Cloud are blocked or if the issue is not specific to Bitbucket Cloud.

Your server needs to be configured to allow SSH connections (at least from the Pipelines IPs), otherwise you won't be able to fetch the fingerprint and the ssh-run pipe won't be able to reach your server.

Kind regards,
Theodora

Mohammad Sharabati June 12, 2023

Hi @Theodora Boudale

 

I use a VPN to connect to my server via SSH.

Maybe because of the VPN I can't connect to my server via the pipeline.

 

Thanks,
Mohammad Sharabati

Theodora Boudale
Atlassian Team
June 12, 2023

Hi @Mohammad Sharabati,

It sounds like there is a firewall that allows SSH connections to your server only from computers connected to the VPN.

In order for Bitbucket Pipelines to connect via SSH to your server, you will need to whitelist in that firewall the IPs used by Pipelines:

You can find the IPs used by Pipelines in the following documentation, in the section "Valid IP addresses for Bitbucket Pipelines build environments":

Kind regards,
Theodora
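
One way to check on the Windows server whether an allowlist rule is taking effect, as an added example that is not part of the original answers: it scans Windows Firewall log lines for dropped TCP packets to port 22 and tags each source as inside or outside the allowlisted ranges. It assumes dropped-packet logging is enabled on the server; the function names are hypothetical, the log lines are constructed, and `203.0.113.0/24` is a documentation placeholder standing in for the published Pipelines ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Reads Windows Firewall log lines (pfirewall.log field order) on stdin and
# prints "<src-ip> <tag>" for every dropped TCP packet to port 22.
# $1: space-separated IPv4 CIDRs that are supposed to be allowed in.
dropped_ssh_by_allowlist() {
    awk -v cidrs="$1" '
    function ip2int(ip,    o) {
        if (split(ip, o, ".") != 4) return -1       # IPv6 or malformed
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_cidr(ip, cidr,    p, width, a) {
        a = ip2int(ip)
        if (a < 0 || split(cidr, p, "/") != 2) return 0
        width = 2 ^ (32 - p[2])                     # addresses per block
        return int(a / width) == int(ip2int(p[1]) / width)
    }
    BEGIN { n = split(cidrs, list, " ") }
    /^#/ || NF < 8 { next }                         # header and blank lines
    $3 == "DROP" && $4 == "TCP" && $8 == "22" {
        tag = "not-allowlisted"
        for (i = 1; i <= n; i++) if (in_cidr($5, list[i])) tag = "allowlisted"
        print $5, tag
    }'
}

# Constructed sample log; all addresses are documentation placeholders.
sample_log() {
    cat <<'EOF'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-06-08 10:15:02 DROP TCP 203.0.113.7 198.51.100.20 51234 22 60 S 1000 0 64240 - - - RECEIVE
2023-06-08 10:15:09 ALLOW TCP 10.8.0.4 198.51.100.20 50111 22 0 - 0 0 0 - - - RECEIVE
2023-06-08 10:16:40 DROP TCP 192.0.2.99 198.51.100.20 40022 22 60 S 2000 0 64240 - - - RECEIVE
2023-06-08 10:17:01 DROP UDP 203.0.113.7 198.51.100.20 5353 5353 80 - - - - - - - RECEIVE
EOF
}

# 203.0.113.0/24 stands in for the published Pipelines ranges (placeholder).
sample_log | dropped_ssh_by_allowlist "203.0.113.0/24"
```

A drop tagged `allowlisted` means the host firewall is still rejecting a source that should be let in. No entries at all for the build's source addresses points at a device in front of the server, such as the VPN-only firewall described above.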

DEPLOYMENT TYPE
CLOUD