NPM to pull from private GitLab repository - node.js

I have a GitLab domain, project and repo. This project is accessible via a group I am a part of.
I would like for this to be downloaded via npm install in the following ways:
Local computer
GitLab CI job
Inside of a Docker container
I'm guessing the easiest way of doing this is to just make it public. Is there a way to fix this so it is secure? I can imagine that it must be done with keys.
In my package.json under dependencies I currently have this, but it gives a 401 error of course:
"my-module": "my-domain.com:my-project/my-repo#my-branch",
I do not want hardcoded tokens in the package.json file, if it can be avoided.

You can use SSH keys to access your repository. Add SSH keys to the GitLab server and define the URL to your repository in the following form:
git+ssh://git@git.mydomain.com:Username/Repository#{branch|tag}
or
git+ssh://git@git.mydomain.com/Username/Repository#{branch|tag}
In your package.json it will be something like this: "my-module": "git+ssh://git@my-domain.com:my-project/my-repo#my-branch"
If your ssh key is password protected, then npm will ask for password.

Related

gitlab CI/CD run commands on external server

I want to use GitLab's CI/CD to deploy my app on an external server. I have the IP, username and password, and I understand I need to connect through SSH. How can I run all the necessary commands on the server side? The server runs on Linux.
Currently I just get the code from the repository and do the npm build:prod and npm serve:prod for the API and npm start for the UI. How can I do the same chain of commands with GitLab CI/CD? Or is this even possible? I basically want it to run similarly to how Jenkins works. But since the code is already on GitLab, it might be simpler to let GitLab handle this process instead of installing and setting up Jenkins.
To be able to SSH to your machine from within GitLab CI, you probably should set up SSH key authentication, since you can't just type in the password inside the CI.
When you've got that set up, you have to store the private key in an environment variable so you can use it in the CI job. How to do that can be found here.
The last part is actually executing commands over ssh. That can be done in the following way:
ssh <host> '
command1;
command2;
'
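The three steps in this answer written out as a job script (an added example, not part of the original answer). The variable names SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS and DEPLOY_TARGET and the file name id_deploy are assumptions; SSH_KNOWN_HOSTS carries the server's host key line so the job verifies the server it connects to.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed CI variables:
#   SSH_PRIVATE_KEY  private key text (masked/protected CI variable)
#   SSH_KNOWN_HOSTS  known_hosts line(s) for the server, verified out of band
#   DEPLOY_TARGET    user@host of the server

# Write the key and the pinned host keys into a directory only this user can read.
prepare_ssh_dir() {
    dir=$1
    if [ -z "${SSH_PRIVATE_KEY:-}" ] || [ -z "${SSH_KNOWN_HOSTS:-}" ]; then
        echo "SSH_PRIVATE_KEY and SSH_KNOWN_HOSTS must be set" >&2
        return 1
    fi
    # Keys pasted into a CI variable often carry CRLF line ends, which can
    # make ssh reject the key, so carriage returns are stripped.
    (
        umask 077                      # files are created 0600, directory 0700
        mkdir -p "$dir" && chmod 700 "$dir" &&
        printf '%s\n' "$SSH_PRIVATE_KEY" | tr -d '\r' > "$dir/id_deploy" &&
        printf '%s\n' "$SSH_KNOWN_HOSTS" > "$dir/known_hosts"
    )
}

# Run a command on the server; fails instead of prompting if the host key
# does not match the pinned one.
run_remote() {
    dir=$1 target=$2
    shift 2
    ssh -i "$dir/id_deploy" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o UserKnownHostsFile="$dir/known_hosts" -o StrictHostKeyChecking=yes \
        "$target" "$@"
}

# Only runs inside a job that defines DEPLOY_TARGET.
if [ -n "${DEPLOY_TARGET:-}" ]; then
    ssh_dir=$(mktemp -d) && prepare_ssh_dir "$ssh_dir" &&
        run_remote "$ssh_dir" "$DEPLOY_TARGET" '
            command1;
            command2;
        '
    status=$?
    rm -rf "$ssh_dir"                  # do not leave the key on the runner
    exit "$status"
fi
```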

Setting up SSH keys for github private repo access on Elastic Beanstalk

My Node.JS project contains references to private NPM repos hosted on github. This works fine locally, but I'm struggling to get this working on Elastic Beanstalk.
"dependencies": {
  ...
  "express": "^4.12.4",
  "jsonwebtoken": "^5.0.5",
  "my-private-module": "git@github.com:<my-user>/<my-repo>.git#<my-version>",
  ...
}
What I need is to be able to set up a working SSH configuration for git on my Elastic Beanstalk instances, without having to store secret keys etc in source control.
Obviously, the EB instances do not have the needed SSH keys to access my private github repos. If I use HTTPS style git URLs with username:password@github.com inlined, it works fine. It also works using the oauth token method offered by github (which is essentially a user:pass). But I do not want any credentials to be checked in to source control, so I'm trying to get cloning from github to work via SSH on my EB instances.
I've tried a million ways, including npm preinstall scripts according to this blog post, which used to work until npm2 where a change made preinstall to run after the tree is built, and the PR to fix that issue is still pending.
I've tried an .ebextensions commands configuration that tries to call git config to place an insteadof on git@github.com into a HTTPS URL with an OAUTH token coming from an environment variable (tricky in itself since env variables aren't set at this time in the startup cycle, and the lack of $HOME makes git config confused).
I've also tried various different ways using .ebextensions to setup SSH on my EB instances, including this solution from the comments on the mentioned blog post. This is basically where I'm stuck now.
I have successfully created a key pair, set it up on my github profile, and verified that the private key is usable from my local client to clone my repo
I have put my private key and a ssh config file on a private S3 bucket
I've created an .ebextensions files configuration which copies these two files from my S3 bucket into /tmp/.ssh/, according to this example
I've created a debug commands .ebextensions configuration which lists /tmp/.ssh and shows that the files were downloaded from S3 successfully:
/tmp/.ssh/config contains:
Host github.com
    IdentityFile /tmp/.ssh/deploy_key
    IdentitiesOnly yes
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking no
/tmp/.ssh/deploy_key contains my private key which is verified to work locally.
However, git still throws an error:
npm ERR! Command failed: git clone --template=/tmp/.npm/_git-remotes/_templates --mirror ssh://git@github.com/[.....]
npm ERR! Cloning into bare repository '/tmp/.npm/_git-remotes/git-ssh-git-github-com-[...]
npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
I am now running out of ideas. My best guess would be that /tmp/.ssh is not the path where git goes to look for the ssh config file - it might have been when the linked solution was proposed but might have changed in later AMI:s etc. The environment used when EB is starting up seems to be a bit limited; commands are run as user nodejs but /tmp seems to be used as the home directory, even though $HOME is not set anywhere.
How can I get git to pick up my SSH config, and consequently use my SSH key? How can I find out where git looks for a SSH config file? Normally it's in ~/.ssh, but since $HOME is not set, well... This should be easy but is driving me nuts.
After a full day's struggle and finally stumbling over this answer to a very similar question I had previously missed, it turns out the correct place to put ssh keys in order to be picked up by git on EB is in /root/.ssh, not /tmp/.ssh, not /home/ec2-user/.ssh.
My final configuration (assuming there's a private SSH key located in a S3 bucket at <my-bucket>/github-eb-key, and the corresponding public key is registered with a github user having access to the repo(s)), using an AMI configured as 64bit Amazon Linux 2016.09 v3.3.0 running Node.js, and with the following in .ebextensions/01_ssh_setup.config:
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      ? "AWS::CloudFormation::Authentication"
      :
        S3Auth:
          buckets:
            - <my-bucket>
          roleName:
            ? "Fn::GetOptionSetting"
            :
              DefaultValue: aws-elasticbeanstalk-ec2-role
              Namespace: "aws:asg:launchconfiguration"
              OptionName: IamInstanceProfile
          type: s3
files:
  /root/.ssh/github-eb-key:
    authentication: S3Auth
    mode: "000600"
    owner: root
    group: root
    source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
  /root/.ssh/config:
    mode: "000600"
    owner: root
    group: root
    content: |
      Host github.com
        IdentityFile /root/.ssh/github-eb-key
        IdentitiesOnly yes
        UserKnownHostsFile=/dev/null
        StrictHostKeyChecking no
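An added check, not part of the original answer: the ssh config above sets StrictHostKeyChecking no and UserKnownHostsFile=/dev/null, so the instance accepts whatever host key is presented as github.com. The function below reports those settings in a config file; the pinned variant and the /root/.ssh/known_hosts path in the constructed samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Report ssh_config settings that switch off host key verification.
# Prints "<scope>: <keyword> <value>" per finding and returns 1 if any are found.
audit_ssh_config() {
    awk '
    BEGIN { scope = "(global)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /^[A-Za-z]+/)) next
        key = substr(line, 1, RLENGTH); val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)      # "Key value" and "Key=value" are both legal
        k = tolower(key)                     # keywords are case-insensitive
        if (k == "host" || k == "match") { scope = key " " val; next }
        if ((k == "stricthostkeychecking" && tolower(val) ~ /^(no|off)$/) ||
            (k == "userknownhostsfile" && val == "/dev/null")) {
            printf "%s: %s %s\n", scope, key, val
            found++
        }
    }
    END { exit (found > 0) }
    ' "$1"
}

# Constructed samples: the config from the answer, and a variant that pins
# github.com in a known_hosts file (path assumed; fill it from the host keys
# GitHub publishes).
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
Host github.com
  IdentityFile /root/.ssh/github-eb-key
  IdentitiesOnly yes
  UserKnownHostsFile=/dev/null
  StrictHostKeyChecking no
EOF
    cat > "$1/pinned.conf" <<'EOF'
Host github.com
  IdentityFile /root/.ssh/github-eb-key
  IdentitiesOnly yes
  UserKnownHostsFile /root/.ssh/known_hosts
  StrictHostKeyChecking yes
EOF
}

# Audit the file given as the first argument, if any.
if [ $# -gt 0 ]; then audit_ssh_config "$1"; fi
```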

how to use private GitLab repository as npm dependency with private token through https

I'm trying to use a private GitLab repo as npm dependency in my node js app, with a private token key, something like this:
"dependencies": {
  "my-module": "git+https://<privateToken>:x-oauth-basic@<myGitLabURL>/<MyUser>/my-module.git"
}
When I run npm install I get errors about the git clone with fatal: unable to access <git repo path> with 443 Connection refused replies.
I couldn't find a lot of documentation of how to do this through https and not through ssh.
It seems like it does work on GitHub.
Does anybody have experience with this on GitLab with HTTPS?
This answer worked for me.
"my-module": "https://oauth2:<PersonalAccessToken>@gitlab.com/<group>/<repository-name>.git"
You can create a Personal Access Token under User Settings->Access Tokens (GitLab.com Link).
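One way to keep the token out of package.json, as the first question on this page asks, shown as an added example that is not from any of the answers: leave the dependency as a git+ssh URL and have git rewrite it to HTTPS with a token read from the environment. The host my-domain.com comes from that question; the GIT_HOST variable and the function names are assumptions, and gitlab-ci-token with CI_JOB_TOKEN is GitLab's CI job-token login.

```shell
#!/bin/sh
# Added example, not from the original answers.
# Rewrite SSH URLs for one host to HTTPS carrying a token from the environment,
# so package.json keeps a token-free git+ssh URL.
# Note: this stores the token in the user's global git config ($HOME/.gitconfig);
# run it in a throwaway CI job or build stage, not in a layer of a shipped image.
configure_git_token_rewrite() {
    host=$1     # e.g. my-domain.com
    user=$2     # gitlab-ci-token for a CI job token, oauth2 for a personal access token
    token=$3    # e.g. "$CI_JOB_TOKEN"
    if [ -z "$host" ] || [ -z "$user" ] || [ -z "$token" ]; then
        echo "usage: configure_git_token_rewrite HOST USER TOKEN" >&2
        return 2
    fi
    base="https://${user}:${token}@${host}/"
    # First rule: npm hands git+ssh dependencies to git as ssh://git@host/...
    # Second rule: the scp-style form git@host:group/repo
    git config --global --replace-all "url.${base}.insteadOf" "ssh://git@${host}/" &&
        git config --global --add "url.${base}.insteadOf" "git@${host}:"
}

# Print the URL git would really contact for $1 (no network access involved).
effective_url() {
    git ls-remote --get-url "$1"
}

# In a GitLab CI job (GIT_HOST is an assumed variable name), before npm install:
if [ -n "${CI_JOB_TOKEN:-}" ] && [ -n "${GIT_HOST:-}" ]; then
    configure_git_token_rewrite "$GIT_HOST" gitlab-ci-token "$CI_JOB_TOKEN"
fi
```

On a developer machine nothing is configured, so the same git+ssh URL keeps using the local SSH key.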

Git: How to change password of credentials used to clone a repository

I am working on Linux and I cloned a private repository using my GitHub account credentials. But over time my password has changed for GitHub, and whenever I try to use git pull it gives me an error:
remote: Invalid username or password.
How can I change the password which I used while cloning the repository for the first time?
You can issue a git remote -v and check what kind of auth you are using. I always use git protocol (which uses SSH). You can freely edit those remote URLs in the .git/config file. I believe you cloned it using HTTP (or using SSH w/o the .ssh key file being present).
If you want to use SSH, you can follow this: https://help.github.com/articles/generating-ssh-keys
Then you will never need to worry about passwords again.

Make gitosis-admin git repository secure

I installed gitosis on my Ubuntu 10.4 Server via
apt-get install gitosis
Then I initialized the admin repository with
sudo -H -u gitosis gitosis-init < nameOfThePublicKeyFile
After this I thought that the admin repository is only clonable for clients that offer the private key that fits the public key file of the repository. So just to be sure, I tested whether it is possible to clone the repository without the private key or with a false private key. Unfortunately and surprisingly it worked.
I tested this with TortoiseGit on Windows.
Therefore my question is:
How can I secure my repositories, so that they can only be cloned if I provide the correct private key.
Did I skip an important step in the installation process or anything?
Thanks for any help!
I think I found the error and it has nothing to do with gitosis.
I found out that my TortoiseGit client on Windows somehow caches the correct private key file of a git connection once it has cloned a repository successfully, even if I provide a wrong key file afterwards. (I don't know where it saves it, but I saw it in the config file that is created by TortoiseGit when a repository is cloned.)
I tried to clone my repository with another Windows computer, just to be sure that it is only a caching problem. And voilà, this other computer that never saw my private key file could not clone the repository.
It is always useful, when the GUI fails (here TortoiseGit) to revert to the CLI (msysgit or git itself) to see if the issue persists.
You saw that it might be related to an authentication cache problem within TortoiseGit, and bug 659 does illustrate that cache problem.
The other option would be trying to use a 'config' ssh address, ie an ssh address based on a ssh config file (where you can reference explicitly the name of the private key to use for that connection).
See as an example "NBGit to remote host with ssh" or "git + assembla + multiple ssh keys/multiple computers".

Resources