Google Cloud Updating googet packages behind a proxy

To make sure Windows runs well on Compute Engine, it’s necessary to apply a few customizations to the operating system. When you create a VM instance by using one of the public images, these customizations are applied by default. If you take the alternative route and import an existing image from a VHD or VMDK file, then the import process takes care of applying the same changes.

The customizations fall into two categories: (1) settings and (2) pre-installed drivers and software. The drivers and software is packaged and installed as googet packages, and you can list them by running googet installed:

Installed packages:
  certgen.x86_64 [email protected]
  googet.x86_64 [email protected]
  google-compute-engine-auto-updater.noarch [email protected]
  google-compute-engine-diagnostics.x86_64 [email protected]
  google-compute-engine-driver-balloon.x86_64 [email protected]
  google-compute-engine-driver-gga.x86_64 [email protected]
  google-compute-engine-driver-gvnic.x86_64 [email protected]
  google-compute-engine-driver-netkvm.x86_64 [email protected]
  google-compute-engine-driver-pvpanic.x86_64 [email protected]
  google-compute-engine-driver-vioscsi.x86_64 [email protected]
  google-compute-engine-metadata-scripts.x86_64 [email protected]
  google-compute-engine-powershell.noarch [email protected]
  google-compute-engine-sysprep.noarch [email protected]
  google-compute-engine-windows.x86_64 [email protected]
  google-osconfig-agent.x86_64 [email protected]

As with all software, it’s typically a good idea to keep these packages up to date. Thankfully, the google-compute-engine-auto-updater takes care of that automatically by installing a scheduled task that runs C:\Program Files\Google\Compute Engine\tools\auto\_updater.ps1 (source) once a day. This PowerShell script checks if the most important googet packages are up to date and updates them if necessary.

Internet access… or lack thereof

To check for updates, googet queries the package repository Unlike many other Google services, this repository is not accessible over Private Google Access, but only over the internet.

If your VM instance has a public IP address or is configured to use NAT, then accessing the googet package repository is not a problem. But if you’re using a proxy server to access the internet, then the googet update checks will simply fail:

PS C:\WINDOWS\system32> googet update
ERROR: 2021/01/11 11:31:45.608948 client.go:103: error reading repo "": Get "": dial tcp i/o timeout
Searching for available updates...
No updates available for any installed packages.

Manually configure a proxy server

googet does support HTTP proxy servers, but unlike many Windows tools, it does not automatically pick up proxy settings from WinInet or WinHTTP. Instead, you have to provide a googet.conf file:

  1. Open an elevated PowerShell prompt
  2. Create a file googet.conf:

    proxyserver: http://[PROXY]:3128
    "@ | Out-File -Encoding ASCII $Env:ProgramData\GooGet\googet.conf

    Replace [PROXY] with the fully-qualified name or IP address of your proxy server and adjust the port number if necessary.

  3. To verify that the configuration works, run googet to check for updates:

    googet latest

    You should now see the list of available packages.

Because googet.conf is global, it also applies to the auto-updater. The next time the scheduled task runs, it should therefore successfully pull down and install updates.

Using a group policy to configure a proxy server

If your VM instances are joined to an Active Directory domain, then you can use a group policy object to distribute the googet.conf file:

  1. In the Group Policy Management Console, create or select a group policy object (GPO).
  2. Open the Details tab. Notice the Unique ID (a GUID), you will need this in a bit.
  3. Open File Explorer and navigate to \\[DOMAIN]\SYSVOL\[DOMAIN]\Policies\[GPO-UNIQUE]ID\Machine\Applications
  4. Create a new folder Googet.
  5. In the Googet folder, create a file named googet.conf.
  6. Open the file and paste the following content:

    proxyserver: http://[PROXY]:3128

    Replace [PROXY] with the fully-qualified name or IP address of your proxy server and adjust the port number if necessary.

  7. Return to the Group Policy Management Console.

  8. Right-click the GPO and select Edit.

  9. Navigate to Computer Configuration > Preferences > Windows Settings > Files

  10. In the right window pane, right click on the empty list and select New > File.

  11. In the menu bar, click the +.

  12. In the New Ini File Properties dialog, configure the following settings:

    • Action: Update
    • Source file: Enter the UNC path to the googet.conf file on the SYSVOL share.
    • Destination file: c:\ProgramData\GooGet\googet.conf
  13. Click OK.

  14. Close the Group Policy Management Editor window.

Keep in mind that Group Policy treats INI file settings as a preference, not as a policy, so the file will stay in place even if the Group Policy object goes out of scope.

Thanks to Marco Ferrari for reviewing this blog post.

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.
« Back to home