According to the conversation I had with @nphilipp (See bellow) the git push to your fork is working without problems on https://src.fedoraproject.org, but when tried https://src.stg.fedoraproject.org we got git@pkgs.stg.fedoraproject.org: Permission denied (publickey).. However trying to push to origin repository works.
git push
git@pkgs.stg.fedoraproject.org: Permission denied (publickey).
Could you enable push to forks on https://src.stg.fedoraproject.org?
Not urgent, but it's blocking further development of https://github.com/fedora-infra/the-new-hotness/pull/235
Here is the conversation I had with @nphilipp
## Michal Konecny, 23 min I'm trying to test creating PR requests on staging dist-git and I'm not sure what I'm doing wrong, but it doesn't work for me This is what I did: 1) I created a fork of 0ad repository through dist-git https://src.stg.fedoraproject.org/fork/zlopez/rpms/0ad 2) Cloned the repository via ssh git clone ssh://git@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git 3) cd 0ad 4) Do some small change, I added a new comment line on start of the spec file 5) Try to push git push origin rawhide I'm getting git@pkgs.stg.fedoraproject.org: Permission denied (publickey). at this stage. I already checked that my public key is added on dist-git and I'm in the packager group Does anybody know what I'm missing here? ## Nils Philippsen, 22 min Did you check public key and group membership on staging, too? (smoke test) ## Vipul Siddharth, 22 min public key possibly? ## Michal Konecny, 22 min I checked both of them Without packager group membership you are not able to clone using ssh I asked for it yesterday, to be able to do it Any advice, how to actually check if the ssh key I'm using is valid? I tried to run git push -vvv, but it doesn't show the ssh procedure ## Nils Philippsen, 20 min Like this:nils@makake:~> ssh pkgs.stg.fedoraproject.org Welcome nphilipp. This server does not offer shell access. Connection to pkgs.stg.fedoraproject.org closed. nils@makake:~> ## Michal Konecny, 19 min Thanks, I didn't knew I can ssh directly Do you need to have ssh key added also in noggin? ## Nils Philippsen, 18 min Yes. Ahh you added it in pagure/dist-git (stg)? ## Michal Konecny, 18 min Ok, this will be the issue then 🙂 Yes It's on pagure/dist-git (stg) ## Nils Philippsen, 17 min Alright… I can't push into my own fork of a pkg repo, but I can push into the repo itself. ## Michal Konecny, 17 min I thought it will be enough ## Nils Philippsen, 17 min Ominous ## Michal Konecny, 16 min Do you get permission error with publickey? ## Nils Philippsen, 16 min Yes ## Michal Konecny, 16 min So how should one create a PR, if he can't push to his own fork? 😀 Nils Philippsen, 16 min Hmmm. Let me try it in prod. ## Michal Konecny, 15 min I'm playing with packit and this could be the issue, why my PoC doesn't work ## Nils Philippsen, 13 min OK, it works in prod:nils@makake:~/dist-git/fedora/rpms/python-arrow (rawhide--boop)> git ci -a -s -m "BOOP!" [rawhide--boop ddfdef5] BOOP! 1 file changed, 2 insertions(+) nils@makake:~/dist-git/fedora/rpms/python-arrow (rawhide--boop)> git push -u nphilipp rawhide--boop Enumerating objects: 5, done. Counting objects: 100% (5/5), done. Delta compression using up to 12 threads Compressing objects: 100% (3/3), done. Writing objects: 100% (3/3), 312 bytes | 312.00 KiB/s, done. Total 3 (delta 2), reused 0 (delta 0), pack-reused 0 remote: - to fedora-message remote: 2021-06-18 09:00:53,054 [WARNING] pagure.lib.notify: pagure is about to send a message that has no schemas: pagure.git.branch.creation remote: Sending to redis to log activity and send commit notification emails remote: * Publishing information for 89 commits remote: - to fedora-message remote: 2021-06-18 09:00:54,704 [WARNING] pagure.lib.notify: pagure is about to send a message that has no schemas: pagure.git.receive remote: remote: Create a pull-request for rawhide--boop remote: https://src.fedoraproject.org/fork/nphilipp/rpms/python-arrow/diff/rawhide..rawhide--boop remote: To ssh://pkgs.fedoraproject.org/forks/nphilipp/rpms/python-arrow.git * [new branch] rawhide--boop -> rawhide--boop Branch 'rawhide--boop' set up to track remote branch 'rawhide--boop' from 'nphilipp' by rebasing. nils@makake:~/dist-git/fedora/rpms/python-arrow (rawhide--boop)> ## Michal Konecny, 11 min This could be the reason, why packit can't push to fork on staging 😕 ## Nils Philippsen, 11 min No idea how pagure/distgit differs between prod and stg, though. Regarding pkg versions and/or configuration. ## Michal Konecny, 8 min I will create a ticket on infra tracker for this There is probably some difference between the configurations
Metadata Update from @asaleh: - Issue tagged with: low-trouble, medium-gain, ops
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review)
I suspect this is because we were trying to enable in staging https pushing with pagure user tokens...
We should try removing these commit sections: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/distgit/pagure/templates/pagure.cfg#_269 and https://pagure.io/fedora-infra/ansible/blob/main/f/roles/distgit/pagure/templates/pagure.cfg#_282 and see if that gets it working...
Just tried a few things:
@pingou AUIU, the issue here is not being able to push to a fork, pushing to a main repo works apparently...
I can't test this out though, as every time i try to make a fork, i get the error:
Your task failed: failed to make directory '/srv/git/repositories/forks/ryanlerch': Permission denied
@zlopez this now works for me -- are you able to check and see if it is working for you now?
note that the clone url for SSH should be ssh://<username>@<restoftheuri> not ssh://git@<restoftheui> as is displayed in the UI.
ssh://<username>@<restoftheuri>
ssh://git@<restoftheui>
filed a PR here to fix that issue too:
https://pagure.io/fedora-infra/ansible/pull-request/660
@ryanlerch I changed the url for remote git remote set-url fork ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git
git remote set-url fork ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git
Checked if the public key is on the src.stg.fedoraproject.org and tried git push fork rawhide.
git push fork rawhide
And I'm still getting
zlopez@pkgs.stg.fedoraproject.org: Permission denied (publickey). fatal: Could not read from remote repository.
I tried to clone it again to try the clean repo and it seems that I'm no longer able to even clone it.
git clone ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git just fails with the same error as push.
git clone ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git
Maybe just double check the SSH key is set up in:
https://src.stg.fedoraproject.org/settings#nav-ssh-tab
I just created a new fork, and cloned it successfully and pushed back to it:
$ git clone ssh://git@pkgs.stg.fedoraproject.org/forks/ryanlerch/rpms/9wm.git Cloning into '9wm'... git@pkgs.stg.fedoraproject.org: Permission denied (publickey). fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. $ git clone ssh://ryanlerch@pkgs.stg.fedoraproject.org/forks/ryanlerch/rpms/9wm.git Cloning into '9wm'... remote: Enumerating objects: 148, done. remote: Counting objects: 100% (148/148), done. remote: Compressing objects: 100% (60/60), done. remote: Total 148 (delta 81), reused 148 (delta 81), pack-reused 0 Receiving objects: 100% (148/148), 17.15 KiB | 5.72 MiB/s, done. Resolving deltas: 100% (81/81), done. $ cd 9wm/ $ echo "asdfsafd" >> 9wm.spec $ git commit -a -m"test" $ git push Enumerating objects: 5, done. Counting objects: 100% (5/5), done. Delta compression using up to 8 threads Compressing objects: 100% (3/3), done. Writing objects: 100% (3/3), 287 bytes | 287.00 KiB/s, done. Total 3 (delta 2), reused 0 (delta 0), pack-reused 0 remote: Protected namespaces: ['rpms', 'modules', 'container'] remote: Blocking unspecified refs: False remote: Blacklists: [re.compile('refs/heads/c[0-9]+.*'), re.compile('refs/heads/master')] remote: User: User: 1350 - name ryanlerch remote: User groups: {'packager'} remote: Committer: True remote: SIG memberships: set() remote: RCM: False remote: By-pass PR-only: False remote: Committer push remote: Protected namespaces: ['rpms', 'modules', 'container'] remote: Blocking unspecified refs: False remote: Blacklists: [re.compile('refs/heads/c[0-9]+.*'), re.compile('refs/heads/master')] remote: User: User: 1350 - name ryanlerch remote: User groups: {'packager'} remote: Committer: True remote: SIG memberships: set() remote: RCM: False remote: By-pass PR-only: False remote: Committer push remote: Sending to redis to log activity and send commit notification emails remote: * Publishing information for 1 commits remote: - to fedora-message remote: 2021-06-22 23:09:41,706 [WARNING] pagure.lib.notify: pagure is about to send a message that has no schemas: pagure.git.receive To ssh://pkgs.stg.fedoraproject.org/forks/ryanlerch/rpms/9wm.git 187e95a..992ee79 rawhide -> rawhide
I checked the https://src.stg.fedoraproject.org/settings#nav-ssh-tab and the key is already there.
And here is the output:
$ git clone ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git Cloning into '0ad'... zlopez@pkgs.stg.fedoraproject.org: Permission denied (publickey). fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
Just to be sure, I tried to add the SSH key again and it says that the key is already added.
ah!
ll /srv/git/repositories/forks/zlopez/rpms/0ad.git/ total 12 -rw-rw-r--+ 1 pagure 1001 66 Jun 15 12:47 config -rw-rw-r--+ 1 pagure 1001 73 Jun 15 12:47 description -rw-rw-r--+ 1 pagure 1001 0 Jun 15 12:47 git-daemon-export-ok ...
The group is wrong for the files there, let me fix them and we can try again.
I've seen this on one when forking a project under my name. So there is something wrong at the FS level (no idea what thought).
chown pagure:packager -R /srv/git/repositories/forks/zlopez/rpms/0ad.git/
Try now?
It's possible that I'm just not in the correct groups.
These are the groups I'm part of on staging:
<img alt="Screenshot_from_2021-06-23_10-46-33.png" src="/fedora-infrastructure/issue/raw/files/9f2e0d2f59ac60d4a0e5112b7e8d97fbd844c57725909167461f0d09484524d5-Screenshot_from_2021-06-23_10-46-33.png" />
@pingou Tried it again, but same output.
I tried it again today and I was able to push the changes. Maybe it just took some time to reflect the changes to group ownership.
Metadata Update from @zlopez: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
I tried it inside vagrant machine and it failed again.
Here is what I did: 1) Generate new pairs of keys ssh-keygen 2) Add the new pub key to https://src.stg.fedoraproject.org 3) Try to pull the fork git clone ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git
ssh-keygen
Failed with zlopez@pkgs.stg.fedoraproject.org: Permission denied (publickey).
zlopez@pkgs.stg.fedoraproject.org: Permission denied (publickey).
I even tried direct ssh ssh -vvv pkgs.stg.fedoraproject.org to check if the key is correct and the SHA-256 is same.
ssh -vvv pkgs.stg.fedoraproject.org
I will try it again in a few hours, just to check if there isn't some delay between adding the key to src.stg.fedoraproject.org and trying to use it with pkgs.stg.fedoraproject.org.
src.stg.fedoraproject.org
pkgs.stg.fedoraproject.org
Metadata Update from @zlopez: - Issue status updated to: Open (was: Closed)
Today I added the new key to noggin to check if this helps.
After adding the key I tried to do the same things as before: 1) Try to pull the fork git clone ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git 2) ssh zlopez@pkgs.stg.fedoraproject.org
ssh zlopez@pkgs.stg.fedoraproject.org
Both failed with zlopez@pkgs.stg.fedoraproject.org: Permission denied (publickey).
This looks like there is something wrong when adding new ssh key on staging.
I did one more test in separate VM with F34.
I tried this: 1) Generate new pairs of keys ssh-keygen 2) Add the new pub key to https://src.stg.fedoraproject.org 3) Try to pull the fork git clone ssh://zlopez@pkgs.stg.fedoraproject.org/forks/zlopez/rpms/0ad.git
So I can confirm that there is something wrong with adding new key on staging.
I will try once again with 2048 bit key instead of 3072 bit, which is generated by ssh-keygen by default now, to check if the length is not the issue.
Changing the length of the key didn't helped. I will try again after some time, so I'm sure the change was propagated.
Same output after 30 minutes.
I tried to reproduce this situation on production.
Here is what I did step by step: 1) Generate new pairs of keys ssh-keygen 2) Add the new pub key to https://accounts.fedoraproject.org (I can't see the option to add it to src.fedoraproject.org) 3) Try ssh zlopez@pkgs.fedoraproject.org
ssh zlopez@pkgs.fedoraproject.org
I got the same issue as on staging zlopez@pkgs.fedoraproject.org: Permission denied (publickey).
zlopez@pkgs.fedoraproject.org: Permission denied (publickey).
I tried the same with the key, that was added to https://accounts.fedoraproject.org previously and the authentication worked. So it seems that this affects only the newly added SSH keys, but it affects them even on production.
I tried it again now, and the new SSH key is working on both staging and production. I'm not sure where the root of this issue was, but it's now gone.
Log in to comment on this ticket.