
SSH connection to Jenkins slave is established twice

Open SchulteDev opened this issue 6 years ago • 4 comments

This plugin starts up a new instance in GCE. It connects to the new instance via SSH using a user, which is configured in the plugin settings in Jenkins (for example, the user "jenkins" is used for connecting via SSH). If this is successful, the plugin reconnects as root via SSH again to the instance. As root, the Jenkins slave is started. See https://github.com/jenkinsci/google-compute-engine-plugin/blob/master/src/main/java/com/google/jenkins/plugins/computeengine/ComputeEngineLinuxLauncher.java#L110 and https://github.com/jenkinsci/google-compute-engine-plugin/blob/master/src/main/java/com/google/jenkins/plugins/computeengine/ComputeEngineWindowsLauncher.java#L112

Question: Why is the Jenkins slave started as root?

Downsides: As far as I can see, the Jenkins slave could be started as the first SSH user, too. This should decrease the time it takes to set up a new Jenkins slave. Furthermore, running the Jenkins slave as root should be avoided for security reasons.

SchulteDev, May 07 '19 07:05

Thanks for pointing this out. I'll do a little digging to discover the motivation behind the current permissions strategy and follow up.

craigdbarber, May 07 '19 19:05

Earlier I ran a Jenkins job with whoami. It just prints out my runAsUser. The log statement seems to be incorrect and we will remove it.

rachely3n, May 11 '19 00:05

Hmm, confusing. But the SSH connection is established twice, isn't it?

  1. https://github.com/jenkinsci/google-compute-engine-plugin/blob/master/src/main/java/com/google/jenkins/plugins/computeengine/ComputeEngineLinuxLauncher.java#L108 -> https://github.com/jenkinsci/google-compute-engine-plugin/blob/master/src/main/java/com/google/jenkins/plugins/computeengine/ComputeEngineLinuxLauncher.java#L204
  2. https://github.com/jenkinsci/google-compute-engine-plugin/blob/master/src/main/java/com/google/jenkins/plugins/computeengine/ComputeEngineLinuxLauncher.java#L112

SchulteDev, May 11 '19 09:05

Yep, they both use the same way of authenticating. When I'm authenticating, I'm authenticating as the runAsUser.

rachely3n, May 13 '19 03:05