getting started with gitlab

CodeRanch is talking about moving to Git for our source code. Some of the moderators expressed a preference for GitLab. I’ve used GitHub, but not GitLab, so I decided to try it out with one of my personal projects. Looking at it, GitLab has built-in CI, so I want to see if I can switch to that and get off Jenkins for my pet project.

Signing up for GitLab

You can register with a new account for GitLab or use your credentials for other services including Google, Twitter, GitHub and BitBucket. It feels weird to me to sign in for a version control system with the credentials for another version control system so I created a new account.

While signing up, it automatically imported my Gravatar. I had an old picture on there so fixed that. I then added some basic information to my GitLab profile.

I set up an SSH key to make it easy to commit from my home computer:

  1. Settings
  2. SSH Keys
  3. Paste in key

I also set up two factor:

  1. Settings
  2. Account
  3. The very first option is “Enable two factor authentication”
  4. It uses Google Authenticator which is my first choice of two factor. They also supply backup codes.

Migrating a repository from GitHub

GitLab has a page about migrating from GitHub. The most important pre-requisite is to make sure each committer to the GitHub project has an account on GitLab. Conveniently, I am the only person who has ever committed to this project!

I then migrated in:

  1. Create a personal access token on GitHub just for this migration
  2. Click “Create a project”
  3. Choose “Import a project” tab
  4. Enter personal access token for GitHub and choose “List your repositories”. Note that this lists both your personal repositories and all of those for GitHub organizations you have access to.
  5. Click “Import” on the row next to the repository to migrate. (There’s also an “Import all” on top. I’m not looking to migrate all my repositories though!). Nothing appeared to happen for a minute. I must have missed a status warning. But then the page refreshed and had a “done” checkbox.
  6. Delete the personal access token from GitHub. I don’t like to leave extra access lying around enabled.

I confirmed the same number of commits (including the latest), branches and tags are all there.
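Added example (not from the original post): a stricter form of the check above is to compare every branch and tag tip on both hosts, since a commit ID is a hash over the commit's content and ancestry, so matching tips mean matching history. The script file name and the OWNER/REPO URLs in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify a repository migration ref by ref.
# Input is `git ls-remote` output: "<commit-id><TAB><ref-name>" per line.

# refs_diff SRC_FILE DST_FILE
# Compares branches and tags only; HEAD and host-specific refs such as
# refs/pull/* or refs/merge-requests/* are ignored.
# Prints one sorted line per problem and returns 1, or returns 0 if clean.
refs_diff() {
    report=$(awk '
        $2 !~ /^refs\/(heads|tags)\// { next }
        FILENAME == ARGV[1] { src[$2] = $1; next }
        { dst[$2] = $1 }
        END {
            for (r in src) {
                if (!(r in dst)) { print "MISSING", r }
                else if (src[r] != dst[r]) { print "DIFFERS", r, src[r], dst[r] }
            }
            for (r in dst) if (!(r in src)) { print "EXTRA", r }
        }' "$1" "$2" | sort)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# compare_remotes SRC_URL DST_URL
# Fetches both ref lists with git and compares them. Returns 0 only if
# both listings succeed and every branch and tag tip matches.
compare_remotes() {
    src_list=$(mktemp) dst_list=$(mktemp)
    if git ls-remote "$1" > "$src_list" &&
       git ls-remote "$2" > "$dst_list" &&
       refs_diff "$src_list" "$dst_list"
    then rc=0; else rc=1; fi
    rm -f "$src_list" "$dst_list"
    return "$rc"
}

# Usage with placeholder URLs (assumptions, substitute your own):
#   sh verify_migration.sh https://github.com/OWNER/REPO.git https://gitlab.com/OWNER/REPO.git
if [ "$#" -eq 2 ]; then
    compare_remotes "$1" "$2"
fi
```

MISSING means a ref exists on the source but not the destination, EXTRA the reverse, and DIFFERS prints the source commit ID followed by the destination one.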

Jenkins integration

I’ve been running this job on Jenkins each night to check for changes. Since this is a public repository, accessing it for polling is easy and worked on the first shot. While I’d like to switch to GitLab CI, I’m going with incremental progress. GitLab has a good page on interacting with Jenkins.

I temporarily made this a private project to re-test. I confirmed that I could commit and that Jenkins failed to pull. Then I tried to set up Jenkins to be able to interact with the project.

When using my own account, I can set up a token with read access to all my projects, but not a specific one. I think I’d have to create an extra account on GitLab for Jenkins if I wanted it to have only access to specific projects. Since this is just an experiment, I’ll use my own token for now.

Failing with the GitLab plugin

  1. Installed the GitLab plugin on Jenkins
  2. In GitLab, went to Settings > Access Tokens
  3. Created a token with read_repository permissions
  4. In Jenkins, manage > Configure System
  5. Add a GitLab Connection. I like that it uses Jenkins Credentials for securing the token
  6. Click “Test Connection”
  7. Using https://gitlab.com/boyarsky gives Client error: HTTP 401 Unauthorized
  8. Using https://gitlab.com/ gives Client error: HTTP 403 Forbidden

I noticed that the Jenkins GitLab plugin is not well supported. The primary committer wrote that he doesn’t use GitLab daily anymore and this affects his time spent on this project.

At this point, I gave up and just set up polling. I created a credential with the username boyarsky and the password as my personal access token. (That I set up while attempting to get GitLab working.) This worked on the first shot.

Now time to start looking at GitLab CI…

two factor and google voice

I’ve been using two factor authentication for a number of years.  I like when services offer a choice of two factor options. Or the common Google Authenticator app. Less of a fan of SMS required two factor. If I lose my phone or number, I can’t two factor authenticate to a few services. The most recent being Venmo. Ironically, Venmo wouldn’t let me change.

One of my friends has used Google Voice for phone for years. I decided to switch to a Google Voice number. This gives me a few advantages:

  • phone rings on multiple devices
  • texts get turned into email which means I can view them on multiple devices (nice for two factor)
  • I’m decoupled from my cell phone number for two factor

Today I’m switching over a bunch of services to use a different phone number for two factor. This table shows the services I can think of where I use two factor.

Interestingly, having possession of the original phone number was not necessary for any of the services. So I could have done this even if I had lost my phone. I had enough other options set up for two factor. Also ironically, I couldn’t switch Venmo which motivated all this. I can close the account though so if this ever becomes a problem…

| Service | Two Factor Options | How Switching Went |
| --- | --- | --- |
| Google (original blog post) | Authenticator, SMS, phone, codes, key, Google prompt | Google knew my number in my profile, but I still had to verify to set in profile. And again when setting as my two factor option. Emailed that changed number. |
| Amazon (original blog post) | Authenticator, phone, SMS | Under my account added a mobile number. Confirmed with SMS text verification. |
| Twitter (original blog post) | Authenticator, SMS, security key, backup code | Went to mobile and clicked edit to change number. I didn’t enable SMS, but now it has the right number in case I need it as a one off. Confirmed with SMS text verification. |
| Facebook | Authenticator, SMS, codes, key | Went to security and use two factor. Added Google voice and backup. Emailed that added number. (Only allowed SMS last I looked. Good improvement). |
| Venmo | Just SMS | Won’t accept my Google voice number and gave an error that it needs a mobile number. |
| GitHub (original blog post) | Choice of authenticator, SMS, security keys, recovery tokens (other site), and recovery codes (strings) | Clear existing number. Set new Google voice number. Enter code texted to new number. GitHub also emailed me that I added and removed a SMS number. |
| PayPal (original blog post) | SMS, phone | Confirming my landline number, it had me type a code when they called instead of supplying a code read to me. This seems more secure. Good! The new number was added as unconfirmed. I clicked confirm to get a text to confirm it. |
| LinkedIn (original blog post) | SMS | I couldn’t find the two factor page without a direct link. I scrolled up and added a phone number. After confirming the verification code, it automatically made the new phone number primary. I couldn’t delete the original since it is used for two factor. So I went to the two factor section and changed the number. It sent me a code again. Then I finally went back and deleted the original number. And for every one of those operations, I had to enter my LinkedIn password. This felt excessive. |
| DropBox (original blog post) | Authenticator, SMS, codes, physical device | Went to settings and changed my number. I had to enter my authenticator code but not verify possession of the phone number. Emailed that changed two factor settings. |
| Yahoo (original blog post) | Email, phone, text | Went to account to try to change number. Got an error that it can’t accept a VOIP number. I was able to change it to my land line. I use Yahoo almost never so it doesn’t matter whether this is convenient. Emailed that removed and added number. |
| Slack | Authenticator | Added my phone number. No verification required. |
| Apple (original blog post) | Various | Added a trusted phone number and confirmed code. Verified with my computer as well as the code. Removed original number. Emailed that number changed. |

twitter and two factor take two

In 2014, I tried to enable two factor on Twitter and had to turn it off. Given the recent news that Twitter encourages everyone to change passwords, I decided to take another stab at it. I also learned that Twitter has more options for two factor now like Google authenticator.

Step 1: Changing the password

First, I changed the password. I clicked on the drop down with my picture and chose “settings and privacy”. Then I chose password and changed it. I got an email letting me know the password changed. Good.

Step 2: Surprise step – review apps

Twitter then reminded me that I have 18 applications that can access my account and asked if I wanted to review them. 18 sounds high so I said yes. There were a few general categories:

  • Apps with read only access – given that pretty much everything on twitter is public, I don’t mind that I gave a few sites access to read my profile. I did find one that was just for a one time test and doesn’t need it anymore.
  • Piping my tweets to Facebook – yes. I definitely want this.
  • Various twitter clients – some I don’t use anymore so cleaned this up a bit as well.
  • “social reputation monitoring” – it says I gave this site read/write/direct message access in 2015.  I don’t remember this and I certainly don’t want them to have it anymore. Revoke!
  • LinkedIn – While I don’t mind them having read access, I don’t want them having write access. Revoke. Same with Disqus. I wasn’t nearly paranoid enough in 2013.

Now I have 13 apps with read (or read/write) access. Still a lot, but at least I know what they are. It’ll be interesting to see which of the read only ones break. “I don’t mind” is different from “I really want it to work”.

Step 3: Login verification (two factor)

As I was looking for two factor, I saw “login verification” under account options. That turns out to be what Twitter is calling two factor. I guess it sounds less scary.

However “setup login verification” was disabled. It says I need to confirm my email to turn this on. Ok. So how do I do that? It appears the only way to get a confirmation email is to change your email address. It was a bunch of steps, but I did:

  1. Change to myRealEmail+twitter@gmail.com (because gmail lets you add a plus and more text and still sends to you)
  2. Enter twitter password to confirm it is me
  3. In email, click confirmation
  4. Repeat these three steps to switch back to and confirm my “short form” email. (so I remember what I gave them)

Ok time to turn on two factor with SMS

  1. In account settings, click “setup login verification”
  2. Click start
  3. Enter twitter password to confirm it is me
  4. Send SMS code
  5. Enter SMS code from phone
  6. Generate a backup code in case I ever have issues

Now I have the option to setup alternate two factor methods

  1. In account settings, click “review your login verification methods”
  2. Click “setup” next to mobile security app
  3. Use google authenticator to scan the barcode
  4. Enter the generated code from google authenticator into twitter

Finally, I clicked “edit” next to text message verification so I am just using google authenticator and not text message.

Step 4: My twitter clients

Ok. Now for the test. Can I use Twitter in the devices I care about most? Things seem to work. Will post an update if that no longer stays the case!

Updates:

  • I can still use twitter on all my devices. So I don’t get prompted to login after the password change or two factor. It only takes effect for new logins. (This is good; I have a lot of places that I am logged into twitter.)
  • I got an email from an identity monitoring service that they no longer have access to my twitter. This service only told me about my own tweets so I’m leaving them without access. I was hoping they would tell me about other people’s tweets. I know what I tweet. And as fun as it is to be told I used the word “password” in my twitter…