GCP OSlogin Support

Hello,

OSlogin is enabled on my GCP service project. As part of a Jenkins Imagefactory module, Packer is utilized. Packer v1.6.1 supports OSlogin [1]; however, when we run the pipeline, we are faced with the below error.

```
2020-09-15T09:58:18.060343822Z: module.middleware.null_resource.create_image (local-exec): ==> shell: Error 404 (Not Found)!!1
2020-09-15T09:58:18.060343822Z: module.middleware.null_resource.create_image (local-exec): ==> shell:
2020-09-15T09:58:18.060343822Z: module.middleware.null_resource.create_image (local-exec): ==> shell:
2020-09-15T09:58:18.060343822Z: module.middleware.null_resource.create_image (local-exec): ==> shell:
2020-09-15T09:58:18.060343822Z: module.middleware.null_resource.create_image (local-exec): ==> shell: Error importing SSH public key for OSLogin: googleapi: got HTTP response code 404 with body:
```

To summarise the above, the temporary builder instance is unable to import the ssh pub key for oslogin - googleapi: got HTTP response code 404 with body: .

In order to identify the root cause, the question I feel needs answered is how is the ssh pub key dynamically imported for OSlogin?

[1] https://github.com/hashicorp/packer/issues/7663

Hi there @stevoscot92 thanks for reaching out.

> In order to identify the root cause, the question I feel needs answered is how is the ssh pub key dynamically imported for OSlogin?

The GCP builder uses the OS Login API to add the temporary key generated by Packer to the login profile for the account running the build. The account running the build will need to have the role “roles/compute.osLogin” along with permission to modify the instance metadata in order for the OS Login to work. The code where this is happening can be seen here.

With that said, if you have an existing OS Login private key and user you can try that as well, since the builder will not call the API to import a key if one has been provided.

Let me know if this information helps or if you have any further questions.

Hi @nywilken thank you very much for responding so quickly and providing the src. This has helped me dig deeper into the issue I am having.

I believe the specific request made to add the temp key generated by Packer to the login profile is users.importSshPublicKey? This appears to be the root cause of the issue I am having. This is shown below from my logs - please see first line.

```
2020-10-15T12:54:55.165947770Z:   <p>The requested URL <code>/v1/users/:importSshPublicKey?alt=json&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>
2020-10-15T12:54:55.165947770Z:   <p><b>404.</b> <ins>That’s an error.</ins>
2020-10-15T12:54:55.165947770Z:   <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
2020-10-15T12:54:55.165947770Z:   </style>
```

```
2020-10-15T12:54:55.165947770Z:   <style>
2020-10-15T12:54:55.165947770Z:   <title>Error 404 (Not Found)!!1</title>
2020-10-15T12:54:55.165947770Z:   <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
2020-10-15T12:54:55.165947770Z:   <meta charset=utf-8>
2020-10-15T12:54:55.165947770Z: <html lang=en>
2020-10-15T12:54:55.165947770Z: --> shell: Error importing SSH public key for OSLogin: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>
```

It appears the request made is not including the user, which is resulting in the error. I have tested this by executing the request, with user specified as below, on the temporary builder instance where the above error logs are from. This request was successful.

```
[stevoscot92@imagefactory]$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -X POST https://oslogin.googleapis.com/v1/users/image-builder%40test-project.iam.gserviceaccount.com:importSshPublicKey?projectId=test-project -d '{
>   "key": "ssh-rsa XXXXXXXXXXXXXXX"
> }'
{
  "loginProfile": {
    "name": "12345678910",
    "posixAccounts": [
      {
        "primary": true,
        "username": "sa_12345678910",
        "uid": "1111111",
        "gid": "1111111",
        "homeDirectory": "/home/sa_12345678910",
        "accountId": "test-project",
        "operatingSystemType": "LINUX",
        "name": "users/image-builder@test-project.iam.gserviceaccount.com/projects/test-project"
      }
    ],
    "sshPublicKeys": {
      "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx": {
        "key": "ssh-rsa xxxxxxxxxxxxxxxxxx",
        "fingerprint": "xxxxxxxxxxxxxx",
        "name": "users/image-builder@test-project.iam.gserviceaccount.com/sshPublicKeys/xxxxxxxxxxxx"
```

Whereas if I execute this request without specifying the user, the same error occurs as below.

```
[stevoscot92@imagefactory]$ curl -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -X POST https://oslogin.googleapis.com/v1/users/:importSshPublicKey?projectId=test-project -d '{
>   "key": "ssh-rsa XXXXXXXXXXXXXXX"
> }'
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
```

```
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/v1/users/:importSshPublicKey?projectId=test-project</code> was not found on this server.  <ins>That’s all we know.</ins>
```

This could well be an issue with the setup of my vm. Please be advised the requirements you mentioned above are both met. Do you know if there is a way for me to inject the specific user into the API request that is made?

Hi @stevoscot92 apologies for the delayed response. Thanks for the additional debug information.

It looks like you are running Packer from a Google compute instance. If so, are you able to manually add an SSH key using the gcloud cli?

If it works manually then your VM is probably fine and this may be a bug in Packer.

Packer relies on account.Email for obtaining the username to use when connecting via OS login. This is normally available when using an account file with the Google builder.

Which is how you could inject a user, but this is an extra setup step that should not be needed.

An alternative route is to manually add an SSH key for the sa account and then use ssh_username and ssh_private_key_file, but again that is extra work that should not be needed, especially if you are working from a temp compute instance just for building.

With that said, when running on a Google Compute instance Packer will use the Oauth2 API to try and acquire the default email associated with the service account. I don’t remember if the API is enabled by default.

Since the User information is coming back empty, it would be good to see what is being returned here.

If you are able to import a new SSH key to the login profile using the gcloud CLI, I would recommend you open a bug on the Packer issue tracker with your build configuration file and the full debug logs (PACKER_LOG=1 packer build <template>) so that we can dive in a little further and maybe add a little extra debug info to see what is being returned by the Oauth2 API.

Hi @nywilken, thank you very much for the follow-up.

Yes, I am running from a Google compute instance. I was able to successfully add an SSH key using importsshpublickey method on the instance.

Regarding the Oauth2 API, the org I work within does not currently permit this and so there are currently no Oauth clients set up within the GCP service project I am working on.

I have raised a bug report on the Packer GitHub.
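
The failure discussed in this thread, as an added example that is not part of the original posts and is not Packer's code: a pre-flight check that refuses to build the OS Login import URL when the account email is empty, plus a scan of build output for the empty-user request path. The function names and the `SAMPLE_LOG` variable are hypothetical, and reading the email from the Compute Engine metadata server is an assumed way to inspect the instance's identity, not what Packer does.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Packer or gcloud.

# Assumption: on a Compute Engine VM the attached service account email can be
# read from the metadata server. Needs network access; not called below.
gce_default_sa_email() {
  curl -sf -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email'
}

# Build the users.importSshPublicKey URL, failing fast when the user is empty
# instead of sending a request to /v1/users/:importSshPublicKey (the 404 above).
oslogin_import_url() {
  oi_user=$1
  oi_project=$2
  if [ -z "$oi_user" ]; then
    echo 'OS Login user is empty; request would 404' >&2
    return 1
  fi
  if [ -z "$oi_project" ]; then
    echo 'project id is empty' >&2
    return 1
  fi
  # Percent-encode "@" as in the request that succeeded in the thread.
  oi_encoded=$(printf '%s' "$oi_user" | sed 's/@/%40/g')
  printf 'https://oslogin.googleapis.com/v1/users/%s:importSshPublicKey?projectId=%s\n' \
    "$oi_encoded" "$oi_project"
}

# Count log lines on stdin that show a request with no user in the path.
count_empty_user_requests() {
  grep -cF -- '/v1/users/:importSshPublicKey' || true
}

# Sample input constructed from the log excerpt quoted in the thread.
SAMPLE_LOG='<p>The requested URL <code>/v1/users/:importSshPublicKey?alt=json&amp;prettyPrint=false</code> was not found on this server.
--> shell: Error importing SSH public key for OSLogin: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>'

printf '%s\n' "$SAMPLE_LOG" | count_empty_user_requests
oslogin_import_url 'image-builder@test-project.iam.gserviceaccount.com' 'test-project'
```

Running `oslogin_import_url "$(gce_default_sa_email)" test-project` on the builder instance shows whether the identity lookup, rather than the OS Login API itself, is what comes back empty.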