The git-cookie-authdaemon uses the GCE metadata server to acquire an OAuth2 access token and configures git to always present this OAuth2 token when connecting to googlesource.com or Google Cloud Source Repositories.

Launch the GCE VMs with the gerritcodereview scope requested, for example:

```
gcloud compute instances create \
  --scopes https://www.googleapis.com/auth/gerritcodereview \
  ...
```

To add a scope to an existing GCE instance see this gcloud beta feature.
Install the daemon within the VM image and start it running:

```
sudo apt-get install git
git clone https://gerrit.googlesource.com/gcompute-tools/
./gcompute-tools/git-cookie-authdaemon
```

The daemon launches itself into the background and continues to keep the OAuth2 access token fresh.
git-cookie-authdaemon can be started as a systemd service at boot.

```
# Write the service config (tee runs as root; with "sudo cat >" the
# redirect is done by the unprivileged shell and fails)
sudo tee /etc/systemd/system/git-cookie-authdaemon.service > /dev/null << EOF
[Unit]
Description=git-cookie-authdaemon required to access git-on-borg from GCE
Wants=network.target
After=syslog.target network-online.target
[Service]
# Update User and Group to your user and group.
# systemd does not allow comments at the end of a setting line.
User=builder
Group=builder
Type=simple
# Update the path
ExecStart=/path/to/git-cookie-authdaemon
Restart=on-failure
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
# Reload the service configs
sudo systemctl daemon-reload
# Enable the service
sudo systemctl enable git-cookie-authdaemon
# Start the service
sudo systemctl start git-cookie-authdaemon
# Check the status of the service
systemctl status git-cookie-authdaemon
ps -ef | grep git-cookie-authdaemon
# Reboot and check status again.
```

Install Python 3.9 and Git for Windows. Older Python3 versions will probably work but are not tested in the setup below.
Run git-cookie-authdaemon in the same environment and under the same user that git commands will be run as, for example in either Command Prompt or a Cygwin bash shell under user builder. In Windows Command Prompt, "start" can be used to put the process into the background.

```
python git-cookie-authdaemon --nofork
```

It may be desired in automation to launch git-cookie-authdaemon at Windows boot. It can be done as a scheduled task. The following is an example on a Jenkins node:

- The VM is created from a GCE Windows Server 2019 or 2012R2 image.
- It runs under the builder account.
- It is launched from a Bash shell. Cygwin is used here. Msys2 or Git Bash may work too but are not tested.
- C:\build exists (log file destination in the wrapper script used below; adjust as needed).

How to create a scheduled task.

- Launch "Task Scheduler" from an Administrator account.
- Click "Create Task" in the right pane.
- In the "General" tab:
  - Change user to the one running Jenkins node if it is different. You may want to run Jenkins node as a non-privileged user, builder in this example.
  - Select "Run whether user is logged on or not".
- In the "Trigger" tab, add a trigger:
  - Set "Begin the task" as "At startup".
  - Uncheck "Stop task if it runs longer than".
  - Check "Enabled".
- In the "Actions" tab, add "Start a program":
  - Set "Program/script" as C:\cygwin64\bin\bash.exe
  - Set "Add arguments" as --login -c /home/builder/git-cookie-authdaemon_wrapper.sh (see note below)
- Click "Ok" to save it.
- Optional: click "Enable All Tasks History" in Task Scheduler's right pane.
- Add the builder account to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log On As Batch Job

Note: /home/builder/git-cookie-authdaemon_wrapper.sh is as below:

```
#!/bin/bash
# Path to the daemon, relative to the login shell's starting directory.
exe=gcompute-tools/git-cookie-authdaemon
log=/cygdrive/c/build/git-cookie-autodaemon.log
# HOMEPATH and HOMEDRIVE are not set in a task scheduled at machine boot.
export HOMEPATH=${HOMEPATH:-'\Users\builder'}
export HOMEDRIVE=${HOMEDRIVE:-'C:'}
# Run in the foreground and append stdout and stderr to the log.
# Option --debug is also available.
/cygdrive/c/Users/builder/AppData/Local/Programs/Python/Python39/python "$exe" --nofork >> "$log" 2>&1
```

This will write a log file to "C:\build\git-cookie-autodaemon.log" and a cookie to "C:\Users\builder\.git-credential-cache\cookie". The cookie is used for authentication by the user's gitconfig as shown below. The wrapper script assumes Python 3.9 is installed to the default location of "%LOCALAPPDATA%\Programs\Python\Python39".

"C:\Users\builder\.gitconfig" contains the following section:

```
[http]
cookiefile = C:\\Users\\builder\\.git-credential-cache\\cookie
```
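
A health check for the cookie file described above, as an added example that is not part of gcompute-tools: it parses the Netscape cookie file format that git's http.cookiefile accepts, reports how long a cookie for a given host remains valid, and flags a file that other local users can read. The function names, the sample cookie line and the use of the same path under the home directory on Linux are assumptions.

```python
import os
import stat
import time

def parse_cookie_file(text):
    """Parse Netscape-format cookie lines (7 tab-separated fields) into dicts."""
    cookies = []
    for line in text.splitlines():
        # curl-style files mark HttpOnly cookies with this prefix; it is not a comment.
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed line: ignore rather than guess
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({"domain": domain, "subdomains": subdomains == "TRUE",
                        "path": path, "secure": secure == "TRUE",
                        "expires": int(expires), "name": name, "value": value})
    return cookies

def host_matches(cookie, host):
    """Exact match, or a subdomain match when the cookie allows subdomains."""
    domain = cookie["domain"].lstrip(".")
    return host == domain or (cookie["subdomains"] and host.endswith("." + domain))

def seconds_left(cookies, host, now=None):
    """Longest remaining lifetime of a cookie for host; None if none is valid."""
    now = time.time() if now is None else now
    left = [c["expires"] - now for c in cookies
            if host_matches(c, host) and c["expires"] > now]
    return max(left) if left else None

def readable_by_others(path):
    """True if any group/other permission bit is set (meaningful on POSIX only)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample, not real daemon output; the value is a placeholder.
SAMPLE = ("# Netscape HTTP Cookie File\n"
          ".googlesource.com\tTRUE\t/\tTRUE\t2000000000\to\tPLACEHOLDER_TOKEN\n")

if __name__ == "__main__":
    # Assumed location: the same path under the user's home as in the text above.
    path = os.path.expanduser("~/.git-credential-cache/cookie")
    with open(path) as f:
        left = seconds_left(parse_cookie_file(f.read()), "gerrit.googlesource.com")
    print("seconds left:", left, "| readable by others:", readable_by_others(path))
```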