app-admin/google-guest-configs: New package for udev rules and scripts

We already have GCE disk rules in coreos-init, but a user has pointed
out that the newer NVMe rules are missing. Let's take the rules directly
from upstream instead. This is loosely based on the ChromiumOS package
of the same name.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

changelog/bugfixes/2025-12-29-gce-udev.md

@@ -0,0 +1 @@
+- Updated the GCE udev disk rules to include NVMe disks.

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest

@@ -0,0 +1 @@
+DIST google-guest-configs-20260116.00.tar.gz 50190 BLAKE2B a9d546c87245114bd650c1b5116a9619b927e9afb0702adb0d3b41efeab680da65055f37490fe88d4923ceb7a5f596a3f59848f74cb9f8ce074d3f2568f40757 SHA512 995b350700feba28cdd6250c2ca0788539f1e58f3bae9d23081671fff82c7ff139ec9a0f56411e9ead6bfca62ced2c4bb729f516352982441c6a769162d9f4f2

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch

@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions.  When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-dracut-deps.patch

@@ -0,0 +1,25 @@
+From a848f8f181e2a7080a7ee06fb87ffbfe05e66a24 Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Tue, 20 Jan 2026 15:55:29 +0000
+Subject: [PATCH] dracut: Install dd and ln as these are used by google_nvme_id
+
+I found that the disk name symlink was missing on Flatcar due to the
+lack of dd. I thought about using pure Bash, but it can't handle the
+null bytes. I also thought about using tail, but this is just as likely
+to be missing.
+
+I've also added ln for good measure.
+--- a/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
++++ b/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
+@@ -4,7 +4,7 @@
+ 
+ # called by dracut
+ install() {
+-  inst_multiple nvme grep sed
++  inst_multiple nvme dd ln grep sed
+   inst_simple /usr/lib/udev/google_nvme_id
+   inst_simple /usr/lib/udev/rules.d/65-gce-disk-naming.rules
+ }
+-- 
+2.51.2
+

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260116.00.ebuild

@@ -0,0 +1,66 @@
+# Copyright 2026 The Flatcar Container Linux Maintainers
+# Distributed under the terms of the Apache License 2.0
+
+# IMPORTANT! When bumping, ensure that the Dracut modules do not install files
+# that would make runtime changes to systems to other than GCE VMs because the
+# initrd is shared between image types. The udev disk rules are currently safe.
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="Configuration and scripts to support the Google Compute Engine guest environment"
+HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/guest-configs-${PV}"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE="flatcar-oem"
+
+RDEPEND="
+	!<app-emulation/google-compute-engine-20190124-r3
+	sys-apps/nvme-cli
+	flatcar-oem? (
+		net-misc/curl
+		sys-apps/ethtool
+		sys-apps/iproute2
+	)
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-20211116.00-sysctl.patch
+	"${FILESDIR}"/${PN}-dracut-deps.patch
+)
+
+src_install() {
+	exeinto "$(get_udevdir)"
+	doexe src/lib/udev/google_nvme_id
+
+	udev_dorules src/lib/udev/rules.d/65-gce-disk-naming.rules
+
+	insinto /usr/lib/dracut/modules.d
+	doins -r src/lib/dracut/modules.d/*
+
+	# We want the above files available before the OEM sysext is mounted.
+	# Anything below here only goes into the sysext.
+	use flatcar-oem || return
+
+	udev_dorules src/lib/udev/rules.d/75-gce-network.rules
+
+	insinto /usr/lib/sysctl.d
+	doins src/etc/sysctl.d/60-gce-network-security.conf
+
+	dobin src/usr/bin/google_set_multiqueue
+	dobin src/usr/bin/google_optimize_local_ssd
+	dobin src/usr/bin/gce-nic-naming
+}
+
+pkg_postinst() {
+	udev_reload
+}
+
+pkg_postrm() {
+	udev_reload
+}

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<upstream>
+		<remote-id type="github">GoogleCloudPlatform/guest-configs</remote-id>
+	</upstream>
+</pkgmetadata>

sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r4.ebuild

@@ -28,3 +28,10 @@ RDEPEND="
 	sys-apps/iproute2
 	sys-apps/shadow
 "
+
+src_install() {
+	distutils-r1_src_install
+
+	# Newer versions are installed by app-admin/google-guest-configs.
+	rm -v "${ED}"/usr/bin/google_{optimize_local_ssd,set_multiqueue} || die
+}

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild

@@ -212,6 +212,7 @@ RDEPEND="${RDEPEND}
 # OEM specific bits that need to go in USR
 RDEPEND+="
 	amd64? (
+		app-admin/google-guest-configs[-flatcar-oem]
 		sys-auth/google-oslogin
 	)
 "

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild

@@ -1,42 +0,0 @@
-# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit systemd
-
-DESCRIPTION="OEM suite for Google Compute Engine images"
-HOMEPAGE="https://cloud.google.com/products/compute-engine/"
-SRC_URI=""
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-# no source directory
-S="${WORKDIR}"
-
-RDEPEND="
-    app-emulation/google-compute-engine
-"
-
-OEM_NAME="Google Compute Engine"
-
-src_install() {
-    systemd_dounit "${FILESDIR}/units/oem-gce.service"
-    systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service"
-    systemd_dounit "${FILESDIR}/units/setup-oem.service"
-    systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf"
-    systemd_enable_service "multi-user.target" "ntpd.service"
-
-    dobin "${FILESDIR}/bin/enable-oslogin"
-    dobin "${FILESDIR}/bin/init.sh"
-
-    # These files will be symlinked to /etc via 'setup-oem.service'
-    insinto /usr/share/gce/
-    doins "${FILESDIR}/files/hosts"
-    doins "${FILESDIR}/files/google-cloud-sdk.sh"
-}

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild

@@ -0,0 +1,35 @@
+# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd
+
+DESCRIPTION="OEM suite for Google Compute Engine images"
+HOMEPAGE="https://cloud.google.com/products/compute-engine/"
+S="${WORKDIR}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+	app-admin/google-guest-configs[flatcar-oem]
+	app-emulation/google-compute-engine
+"
+
+OEM_NAME="Google Compute Engine"
+
+src_install() {
+	systemd_dounit "${FILESDIR}"/units/{oem-gce,oem-gce-enable-oslogin,setup-oem}.service
+	systemd_install_dropin multi-user.target "${FILESDIR}"/units/10-oem-gce.conf
+	systemd_enable_service multi-user.target ntpd.service
+
+	dobin "${FILESDIR}"/bin/{enable-oslogin,init.sh}
+
+	# These files will be symlinked to /etc via 'setup-oem.service'
+	insinto /usr/share/gce
+	doins "${FILESDIR}"/files/{google-cloud-sdk.sh,hosts}
+}

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.66.ebuild

@@ -56,7 +56,10 @@ DEPEND="
 	>=sys-kernel/coreos-firmware-20180103-r1:=
 	sys-process/procps
 	virtual/udev
-	amd64? ( sys-firmware/intel-microcode:= )
+	amd64? (
+		app-admin/google-guest-configs[-flatcar-oem]
+		sys-firmware/intel-microcode:=
+	)
 "
 
 src_prepare() {