Build 1689 - HG repo + SSH username defaulting to "Continua"?

Ok, so I've been playing with SSH and bitbucket.org and I'm beginning to believe that I've found an implementation bug in Continua SSH. Oh, and there are a number of typos in the error message and wiki documents on this topic. In this case I've got a private corporate repo.

I setup a Bitbucket hg deployment key https://confluence.atlassian.com/di...+Mercurial

Following the instructions in http://wiki.finalbuilder.com/displa...l+over+SSH I got the command line to output the following from

[code]
"C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "C:\Continua_WS\ssh-Bitbucket-JenasysDesignContinousIntegrationServer-PrivateKey.ppk" hg@bitbucket.org

Using username "hg".
Server refused to allocate pty
conq: authenticated via a deploy key.

You can use git or hg to connect to Bitbucket. Shell access is disabled.
[/code]

So I've updated my c:\PF\Mercurial\Mercurial.ini with the recommended entries

[code]
[ui]
username = hg@bitbucket.org
ssh = "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "C:\Continua_WS\ssh-Bitbucket-JenasysDesignContinousIntegrationServer-PrivateKey.ppk" hg@bitbucket.org
[/code]

Then tried to connect to the repository and validate the connection. It fails and the event log shows the following.

Repository @link(2002, 0ab2db44-76b7-4abf-8a8b-0e260bb4df99)[Iims-Bitbucket] cannot be initialised: Running C:\Program Files\Mercurial\hg.exe failed with return code 255 and error output remote: The system cannot find the path specified.

abort: no suitable response from remote hg!
(Args were : clone --noupdate ssh://hg@bitbucket.org/jenasysdesign/iims C:\Continua\Rc\0ab2db44 --config ui.username=Continua)

This event has been reported 16 times.


Hi Jamie

Bitbucket is a bit different from self hosted ssh/hg - I managed to get it working at home with continua.

In my mercurial.ini
[code]
[ui]
ssh = "C:\Program Files\TortoiseHg\TortoisePlink.exe" -ssh -2 -batch -C -i C:\Users\Anne.ssh\vincent_bitbuckey.ppk
username = Vincent Parrett <vincent@finalbuilder.com>
[/code]

In the repository dialog, just this in the source path :

ssh://hg@bitbucket.org/finalbuilder/test1

Don’t enter a username as continua will mess up the command line (something to look at tomorrow). Ignore the validation error, the regex we are using doesn’t like bitbucket’s ssh format… just save anyway.

I used puttygen to generate my keypair(be sure to not set a passphrase on the key). Will tidy up the wiki and validation etc for bitbucket tomorrow.

I see that you're using the TortoiseHg-installed <b>TortoisePlink.exe</b> while I was trying to use the Continua-installed <b>Plink.exe</b>. I've been trying to keep my continuous build server as light on software installations as possible for security. Here is the output from my server tests.
[code]
"C:\Program Files\VSoft Technologies\ContinuaCI Agent\Putty\plink.exe" -ssh -2 -batch -C -i "C:\Continua\ssh-Bitbucket-JenasysDesignContinousIntegrationServer-PrivateKey.ppk" hg@bitbucket.org
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
Connection abandoned.
[/code]

My other concerns with editing mercurial.ini at the computer level are:
a) the warnings in the file telling you not to do this. <blockquote>!!! Do Not Edit This File !!! </blockquote>
b) the need to edit server and agent mercurial.ini files. This just seems like a PITA manual step, where Continua has been excellent at managing configuration from the UI.
c) the security and storage of the *.ppk key used.
d) the possibility that I use HTTPS for some of my repos, like Kiln; I'm getting confused about the authentication settings.
e) I also wonder if the <b>ui.username=Continua</b> isn't coming from the AD user name for the role I configured for the agent.

Morning guys (I'm on the Gold Coast this morning for sunrise),

To continue on with some more testing notes from the server, using the continua installed plink.exe.

It seems like mercurial.ini editing and Continua agents constantly pinging repos out in cyberspace causes a "delay" in picking up the settings. It's mighty confusing tracking this down.

I assume that SSH must also "cache" approved servers it's communicating with, as I got the following error in the Continua log.

Message: warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
warning: bitbucket.org certificate with fingerprint 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b not verified (check hostfingerprints or web.cacerts config setting)
abort: authorization failed

Stack Trace: at Continua.Modules.Builds.Repositories.RepositoryManager.ValidatePlugin(Repository repository)
at Continua.Modules.Builds.Repositories.RepositoryManager.Validate(Repository repository, Boolean skipPluginValidation)
at Continua.Modules.Builds.Services.RepositoryService.Validate(RepositoryDTO dto)
at SyncInvokeValidate(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

Hi Jamie

The issue you are seeing is that plink prompts the user to accept the server’s fingerprint. PLink.exe is a pain though, as you cannot automate the acceptance of the fingerprint, it will not accept stdin or a file or command line option to do this, and the author refuses to implement it as he believes that is a security risk (he’s probably right).

That’s why in our wiki we show a step :

[code]
plink.exe -ssh -i "path/to/privatekey/privatekey.ppk" user@ssh_server_name
[/code]

All that achieves is to have plink prompt you to accept the server's fingerprint.

After that using plink or tortoiseplink works fine. Having said that, I’m going to look at including plink (or tortoiseplink, which is more automation friendly as it doesn’t show dialogs or messageboxes like plink) with the server install and add support for ssh directly to the hg repository plugin.

BTW, the agents never talk directly to your bitbucket repo, agents only ever talk to the continua server. When the agent is using SSH/SFTP to talk to the continua server (which it only does when it doesn't have access to the server's share) we work around the server thumbprint issue on the agents by connecting with an sftp client library first (before calling hg with plink) and then writing the server's thumbprint into the registry in the format that plink expects. I'm going to look at doing the same on the server.

So hopefully in the next week, connecting via ssh to an hg repo will be as simple as specifying the path to your private key file, and using an ssh uri for the repo sourcepath.

Oh, and the ui.username=Continua is hard coded, I think because it's needed when we use hg for our repo caching (need a user name to commit changes to the cache). I'll look at whether we can not specify that when not working on the repo cache.
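The approach Vincent describes above (seed plink's host-key cache instead of answering its prompt) only stays safe if the key you seed has been checked first. Here is an added example, not Continua's code or from this thread, that computes the "ssh-rsa 2048 xx:xx:..." fingerprint plink prints from a provider-published OpenSSH public key line, so it can be compared with what plink showed, and only then writes the entry. The registry location and value format are PuTTY's as I know them and are assumptions, as is the sample key, which is constructed and belongs to no real host.

```python
import base64, hashlib, struct, sys

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    # SSH mpint: big-endian, with a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed sample key (e = 65537, modulus 2**2047 + 1, i.e. 2048 bits). It is not any
# real server's key; use the key line your hosting provider publishes for the host you pin.
SAMPLE_KEY_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(2**2047 + 1)).decode() + " constructed@example"

def parse_openssh_rsa(line: str):
    """Return (e, n, raw blob) from an 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys (plink's 'rsa2') are handled here")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), blob

def plink_fingerprint(line: str) -> str:
    """The 'ssh-rsa 2048 xx:xx:...' line plink prints at its host-key prompt (MD5 of the blob)."""
    _, n, blob = parse_openssh_rsa(line)
    md5 = hashlib.md5(blob).hexdigest()
    return f"ssh-rsa {n.bit_length()} " + ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def putty_registry_entry(line: str, host: str, port: int = 22):
    """Value name and data as PuTTY caches them (assumed format: rsa2@port:host = 0x<e>,0x<n>)."""
    e, n, _ = parse_openssh_rsa(line)
    return f"rsa2@{port}:{host}", f"0x{e:x},0x{n:x}"

def pin_host_key(line: str, host: str, expected_fp: str, port: int = 22):
    """Cache the key for plink only if it matches the fingerprint you verified out of band."""
    if plink_fingerprint(line) != expected_fp:
        raise ValueError("fingerprint mismatch: refusing to cache an unverified host key")
    name, data = putty_registry_entry(line, host, port)
    if sys.platform == "win32":  # assumed location: HKCU\Software\SimonTatham\PuTTY\SshHostKeys
        import winreg
        with winreg.CreateKey(winreg.HKEY_CURRENT_USER, r"Software\SimonTatham\PuTTY\SshHostKeys") as k:
            winreg.SetValueEx(k, name, 0, winreg.REG_SZ, data)
    return name, data
```

Because the cache lives under HKCU, run this as the account that actually runs the Continua service or agent, otherwise plink will still prompt.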

Vincent, Vsoft Guys,

<blockquote>So hopefully in the next week, connecting via ssh to an hg repo will be as simple as specifying the path to your private key file, and using an ssh uri for the repo sourcepath.</blockquote>

Oh that would be excellent! Hats off for jumping through these hoops on behalf of developers. It really adds value to the Continua software IMHO.

SSH just seems like a fantastic authorization model, shame implementation and automation isn’t as easy on MS platform. I just shake my head sometimes, when there is a certification repository solution on MS, but it doesn’t handle SSH keys. WTF! Hopefully this will change in coming releases as GIT/HG become more popular repository tools.

I have this working now, it's a huge improvement. I still need to do some work on validation, and update the wiki, planning not to work (much) over Easter so it will make it into a build mid next week.

Vincent,

Further testing shows that you can modify Mercurial.ini with a host fingerprints option to apply global fingerprints as per the Mercurial guide (http://www.selenic.com/mercurial/hgrc.5.html#hostfingerprints). I figure the Continua server could implement this if you're dynamically setting the values in .hg\hgrc\ on the server.

[code]
[hostfingerprints]
bitbucket.org = 24:9c:45:8b:9c:aa:ba:55:4e:01:6d:58:ff:e4:28:7d:2a:14:ae:3b
[/code]

I’ve also found that the URL provided by bitbucket and Build 1705 seem to cause some authentication issues.
For instance
Bitbucket shows the following HTTPS option on the overview page for connecting to the repository.

https://Jamie_Clayton@bitbucket.org/jenasysdesign/finservices-cadi


But to get continua to authenticate correctly you have to use the following settings in “Edit Repositories - Continua” (//ContinuaWebServer/{Project}/ci/configwizard/repositories/{Configuration}).
Source Path:
https://bitbucket.org/jenasysdesign/finservice-contacts

User Name:
Jamie.Clayton@JenasysDesign.com.au


It’s even more confusing because Bitbucket have got a section under User image menu → Manage Account → Account Settings → User Name :
Jamie_Clayton


Essentially what I’m trying to point out is that there are lots of “catches” when configuring Continua Bitbucket repositories, which is a little annoying from a UX point of view.

Hi Jamie

I have it working nicely with bitbucket and ssh or ssl… While working on the ssh support, I found other issues with the ssl support as well. I just updated the wiki for the mercurial ssh support : http://wiki.finalbuilder.com/display/continua/Mercurial+over+SSH

We’re working on some installer issues at the moment, but hope to have a new build out later today.

Ok, curiosity has me.
Both my email address Jamie.Clayton@jenasysdesign.com.au and BitBucket user name Jamie_Clayton can be used to authenticate with the same very complex password.

BTW, the hostfingerprints are only an issue with ssh, and we got around that by using an ssh client library to connect to the server and record its fingerprint in the same manner that putty/plink does. Fortunately we already had this code tried and tested as we use it on the agents when talking to our own ssh server via plink.

Documentation looks good. Thanks Vincent!