coreos-overlay/app-admin: Import GCP Agent packages from COS

Import google-guest-agent, google-guest-configs, google-osconfig-agent
and oslogin packages from COS. These are sourced from the Git repo:
https://cos.googlesource.com/cos/overlays/board-overlays, commit
8a6d617d85df03028c9c6d51a1bb3a3bc2eb0933, folder project-lakitu.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest

@@ -0,0 +1,2 @@
+DIST google-guest-agent-20240314.00-deps.tar.xz 100146672 BLAKE2B 5d59bad49c536a73f8be83f567cca3018fa1d56a78232e33eaefd1b8472174018da789bc1a432a56686568a01f932e9da2aee8c1f813cee829394037bcf694cd SHA512 1a00e48f54f74449b0289bf826aee5788d40a8406086a2f70f57d5e0d0c0c1bdf448b12e54962020a2dca4ff9d8586d7d94ae3dc3c5372e4622fbb18904cfb77
+DIST google-guest-agent-20240314.00.tar.gz 194225 BLAKE2B 2c3a69507b3a66b7b9e541f021a050bc3b050896fd27726b46307ecb940a72fc287d8b5b8794f6bf5363c5f2ad85b411b352a680f805d50d34836d63caca1d6b SHA512 8cfaa7ed3d7b34ae224b3cb3df7b747e2e2d305b034f53b674fd984b4b609bd67c7a0115c876a7b01e869172d970e4dcd7de2c87f27fff7d46648ef0cf1c32d8

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro

@@ -0,0 +1,38 @@
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COS specific settings for the Linux Guest Environment for Google Compute
+# Engine.
+
+[InstanceSetup]
+set_boto_config = false
+host_key_dir = /mnt/stateful_partition/etc/ssh
+
+[Instance]
+instance_id_dir = /mnt/stateful_partition/etc
+
+[MetadataScripts]
+run_dir = /var/lib/google/
+
+[NetworkInterfaces]
+setup = false
+
+[IpForwarding]
+ip_aliases = false
+
+[Accounts]
+reuse_homedir = true
+# Use usermod instead of gpasswd to avoid race between gpasswd and cloud-init.
+gpasswd_add_cmd = usermod -aG {group} {user}

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch

@@ -0,0 +1,42 @@
+From e6ffb5fccf86931a79f551fdc960a659044042ce Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko <ovt@google.com>
+Date: Wed, 8 Nov 2023 01:55:51 +0000
+Subject: [PATCH 2/2] Create missing directories
+
+Create missing directories for instance ID file and for SSH host key
+---
+ google_guest_agent/instance_setup.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/google_guest_agent/instance_setup.go b/google_guest_agent/instance_setup.go
+index d8cbc02bf94e..86b91b5c4636 100644
+--- a/google_guest_agent/instance_setup.go
++++ b/google_guest_agent/instance_setup.go
+@@ -171,7 +171,12 @@ func agentInit(ctx context.Context) {
+ 		// Check if instance ID has changed, and if so, consider this
+ 		// the first boot of the instance.
+ 		// TODO Also do this for windows. liamh@13-11-2019
+-		instanceIDFile := config.Instance.InstanceIDDir
++		instanceIDDir := config.Instance.InstanceIDDir
++		// Create the instance ID directory, if it doesn't exist.
++		if err := os.MkdirAll(instanceIDDir, 0755); err != nil {
++			logger.Warningf("Failed to create instance ID directory: %v", err)
++		}
++		instanceIDFile := instanceIDDir + "/google_instance_id"
+ 		instanceID, err := os.ReadFile(instanceIDFile)
+ 		if err != nil && !os.IsNotExist(err) {
+ 			logger.Warningf("Not running first-boot actions, error reading instance ID: %v", err)
+@@ -220,6 +225,10 @@ func agentInit(ctx context.Context) {
+ func generateSSHKeys(ctx context.Context) error {
+ 	config := cfg.Get()
+ 	hostKeyDir := config.InstanceSetup.HostKeyDir
++	// Create the host key directory, if it doesn't exist.
++	if err := os.MkdirAll(hostKeyDir, 0755); err != nil {
++		logger.Warningf("Failed to create host key directory: %v", err)
++	}
+ 	dir, err := os.Open(hostKeyDir)
+ 	if err != nil {
+ 		return err
+-- 
+2.42.0.869.gea05f2083d-goog
+

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch

@@ -0,0 +1,120 @@
+From a28e8fa46b5ef09c8a83763a6163d7b63d04f156 Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko <ovt@google.com>
+Date: Thu, 2 Nov 2023 00:23:19 +0000
+Subject: [PATCH 1/2] Add stable gid for added users
+
+Use gid obtained from the home directory to create users with a
+volatile /etc directory.
+---
+ google_guest_agent/accounts_unix.go        | 17 +++++++++++++----
+ google_guest_agent/accounts_windows.go     |  6 +++---
+ google_guest_agent/non_windows_accounts.go |  6 +++---
+ google_guest_agent/windows_accounts.go     |  4 ++--
+ 4 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/google_guest_agent/accounts_unix.go b/google_guest_agent/accounts_unix.go
+index 94cedd3d480a..0cc6470f15f2 100644
+--- a/google_guest_agent/accounts_unix.go
++++ b/google_guest_agent/accounts_unix.go
+@@ -27,21 +27,30 @@ import (
+ 	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/run"
+ )
+ 
+-func getUID(path string) string {
++func getUIDAndGID(path string) (string, string) {
+ 	if dir, err := os.Stat(path); err == nil {
+ 		if stat, ok := dir.Sys().(*syscall.Stat_t); ok {
+-			return fmt.Sprintf("%d", stat.Uid)
++			return fmt.Sprintf("%d", stat.Uid), fmt.Sprintf("%d", stat.Gid)
+ 		}
+ 	}
+-	return ""
++	return "", ""
+ }
+ 
+-func createUser(ctx context.Context, username, uid string) error {
++func createUser(ctx context.Context, username, uid, gid string) error {
+ 	config := cfg.Get()
+ 	useradd := config.Accounts.UserAddCmd
+ 	if uid != "" {
+ 		useradd = fmt.Sprintf("%s -u %s", useradd, uid)
+ 	}
++	if gid != "" {
++		groupadd := config.Accounts.GroupAddCmd
++		groupadd = fmt.Sprintf("%s -g %s", groupadd, gid)
++		cmd, args := createUserGroupCmd(groupadd, "", username)
++		if err := run.Quiet(ctx, cmd, args...); err != nil {
++			return err
++		}
++		useradd = fmt.Sprintf("%s -g %s", useradd, gid)
++	}
+ 	cmd, args := createUserGroupCmd(useradd, username, "")
+ 	return run.Quiet(ctx, cmd, args...)
+ }
+diff --git a/google_guest_agent/accounts_windows.go b/google_guest_agent/accounts_windows.go
+index 5f0087afd6eb..c66b3e6cc211 100644
+--- a/google_guest_agent/accounts_windows.go
++++ b/google_guest_agent/accounts_windows.go
+@@ -138,7 +138,7 @@ func addUserToGroup(ctx context.Context, username, group string) error {
+ 	return nil
+ }
+ 
+-func createUser(ctx context.Context, username, pwd string) error {
++func createUser(ctx context.Context, username, pwd, _ string) error {
+ 	uPtr, err := syscall.UTF16PtrFromString(username)
+ 	if err != nil {
+ 		return fmt.Errorf("error encoding username to UTF16: %v", err)
+@@ -184,6 +184,6 @@ func userExists(name string) (bool, error) {
+ 	return true, nil
+ }
+ 
+-func getUID(path string) string {
+-	return ""
++func getUIDAndGID(path string) (string, string) {
++	return "", ""
+ }
+diff --git a/google_guest_agent/non_windows_accounts.go b/google_guest_agent/non_windows_accounts.go
+index 2fa6f5de6487..c8640624064c 100644
+--- a/google_guest_agent/non_windows_accounts.go
++++ b/google_guest_agent/non_windows_accounts.go
+@@ -343,12 +343,12 @@ func createUserGroupCmd(cmd, user, group string) (string, []string) {
+ // createGoogleUser creates a Google managed user account if needed and adds it
+ // to the configured groups.
+ func createGoogleUser(ctx context.Context, config *cfg.Sections, user string) error {
+-	var uid string
++	var uid, gid string
+ 	if config.Accounts.ReuseHomedir {
+-		uid = getUID(fmt.Sprintf("/home/%s", user))
++		uid, gid = getUIDAndGID(fmt.Sprintf("/home/%s", user))
+ 	}
+ 
+-	if err := createUser(ctx, user, uid); err != nil {
++	if err := createUser(ctx, user, uid, gid); err != nil {
+ 		return err
+ 	}
+ 	groups := config.Accounts.Groups
+diff --git a/google_guest_agent/windows_accounts.go b/google_guest_agent/windows_accounts.go
+index 248bf399e436..a46b60759129 100644
+--- a/google_guest_agent/windows_accounts.go
++++ b/google_guest_agent/windows_accounts.go
+@@ -133,7 +133,7 @@ func createOrResetPwd(ctx context.Context, k metadata.WindowsKey) (*credsJSON, e
+ 		}
+ 	} else {
+ 		logger.Infof("Creating user %s", k.UserName)
+-		if err := createUser(ctx, k.UserName, pwd); err != nil {
++		if err := createUser(ctx, k.UserName, pwd, ""); err != nil {
+ 			return nil, fmt.Errorf("error running createUser: %v", err)
+ 		}
+ 		if k.AddToAdministrators == nil || *k.AddToAdministrators {
+@@ -155,7 +155,7 @@ func createSSHUser(ctx context.Context, user string) error {
+ 		return nil
+ 	}
+ 	logger.Infof("Creating user %s", user)
+-	if err := createUser(ctx, user, pwd); err != nil {
++	if err := createUser(ctx, user, pwd, ""); err != nil {
+ 		return fmt.Errorf("error running createUser: %v", err)
+ 	}
+ 
+-- 
+2.42.0.869.gea05f2083d-goog
+

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value

@@ -0,0 +1,76 @@
+#! /bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Get a metadata value from the metadata server.
+# curl exit codes: https://everything.curl.dev/usingcurl/returns
+declare -r VARNAME=$1
+declare -r MDS_PREFIX=http://metadata.google.internal/computeMetadata/v1
+declare -r MDS_TRIES=${MDS_TRIES:-100}
+
+function print_metadata_value() {
+  local readonly tmpfile=$(mktemp)
+  http_code=$(curl -f "${1}" -H "Metadata-Flavor: Google" -w "%{http_code}" \
+    -s -o ${tmpfile} 2>/dev/null)
+  local readonly return_code=$?
+  # If the command completed successfully, print the metadata value to stdout.
+  if [[ ${return_code} == 0 && ${http_code} == 200 ]]; then
+    cat ${tmpfile}
+  fi
+  rm -f ${tmpfile}
+  return ${return_code}
+}
+
+function print_metadata_value_if_exists() {
+  local return_code=1
+  local readonly url=$1
+  print_metadata_value ${url}
+  return_code=$?
+  return ${return_code}
+}
+
+function get_metadata_value() {
+  local readonly varname=$1
+  # Print the instance metadata value.
+  print_metadata_value_if_exists ${MDS_PREFIX}/instance/${varname}
+  return_code=$?
+  # If the instance doesn't have the value, try the project.
+  if [[ ${return_code} != 0 && ${return_code} != 6 && ${return_code} != 7 ]];
+  then
+    print_metadata_value_if_exists ${MDS_PREFIX}/project/${varname}
+    return_code=$?
+  fi
+  return ${return_code}
+}
+
+function get_metadata_value_with_retries() {
+  local return_code=1  # General error code.
+  for ((count=0; count <= ${MDS_TRIES}; count++)); do
+    get_metadata_value $VARNAME
+    return_code=$?
+    case $return_code in
+      # No error.  We're done.
+      0) exit ${return_code};;
+      # Failed to resolve host or connect to host.  Retry.
+      6|7) sleep 0.3; continue;;
+      # A genuine error.  Exit.
+      *) exit ${return_code};
+    esac
+  done
+  # Exit with the last return code we got.
+  exit ${return_code}
+}
+
+get_metadata_value_with_retries

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild

@@ -0,0 +1 @@
+google-guest-agent-20240314.00.ebuild

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild

@@ -0,0 +1,70 @@
+#
+# Copyright 2023 Google LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+EAPI=7
+
+inherit go-module systemd
+
+DESCRIPTION="Google Guest Agent"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-agent"
+
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-agent/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" ${P}-deps.tar.xz"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+SLOT="0"
+KEYWORDS="*"
+IUSE=""
+RDEPEND="!app-admin/compute-image-packages
+	>=app-admin/oslogin-20231004.00
+"
+
+S=${WORKDIR}/guest-agent-${PV}
+
+PATCHES=(
+	"${FILESDIR}/20231016.00-homedir-gid.patch"
+	"${FILESDIR}/20231016.00-create-hostkey-and-instanceID-dirs.patch"
+)
+
+src_compile() {
+	export GOTRACEBACK="crash"
+	GO=$(tc-getGO)
+	pushd google_guest_agent || die
+	CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \
+		-mod=readonly || die
+	popd || die
+	pushd google_metadata_script_runner || die
+	CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \
+		-mod=readonly || die
+	popd || die
+}
+
+src_install() {
+	dobin google_guest_agent/google_guest_agent
+	dobin google_metadata_script_runner/google_metadata_script_runner
+	systemd_dounit google-guest-agent.service
+	systemd_dounit google-startup-scripts.service
+	systemd_dounit google-shutdown-scripts.service
+	systemd_enable_service multi-user.target google-guest-agent.service
+	systemd_enable_service multi-user.target google-startup-scripts.service
+	systemd_enable_service multi-user.target google-shutdown-scripts.service
+
+	# Backports the get_metadata_value script from compute-image-packages.
+	# We have users that still rely on this script, so we need to continue
+	# to install it.
+	exeinto /usr/share/google/
+	newexe "${FILESDIR}/get_metadata_value" get_metadata_value
+
+	# Install COS specific configuration
+	insinto /etc/default
+	newins "${FILESDIR}/20201102-instance_configs.cfg.distro" instance_configs.cfg.distro
+}

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest

@@ -0,0 +1 @@
+DIST google-guest-configs-20240304.00.tar.gz 24918 BLAKE2B 08f8e5b8c2abd720f5af6682e110b78579e4c8788dfe3b0f243de5aaf98b40f03bcb885d1706d166e08b6e987ed4d86dc4140d444173f0c03aee82ce4d8759ea SHA512 6ae4335c31e1265dcf1bf9b45532571276a50103b482662e8d8ff393a11783a51c5ce0fd266ed41342a1db046114be3b1fe1675b9c4d3e97e52486d7ededcf41

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch

@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions.  When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild

@@ -0,0 +1 @@
+google-guest-configs-20240304.00.ebuild

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild

@@ -0,0 +1,47 @@
+#
+# Copyright 2021 Google LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+EAPI=7
+
+inherit udev
+
+DESCRIPTION="Google Guest Configs"
+HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
+
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+KEYWORDS="*"
+SLOT="0"
+IUSE=""
+
+S=${WORKDIR}/guest-configs-${PV}
+
+src_prepare() {
+	eapply "${FILESDIR}"/google-guest-configs-20211116.00-sysctl.patch
+
+	eapply_user
+}
+
+src_install() {
+	exeinto /lib/udev
+	doexe "${S}"/src/lib/udev/google_nvme_id
+
+	udev_dorules "${S}"/src/lib/udev/rules.d/65-gce-disk-naming.rules
+
+	insinto /etc/sysctl.d
+	doins "${S}"/src/etc/sysctl.d/60-gce-network-security.conf
+
+	exeinto /usr/bin
+	doexe "${S}"/src/usr/bin/google_set_multiqueue
+}

sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest

@@ -0,0 +1,2 @@
+DIST google-osconfig-agent-20240320.00-deps.tar.xz 116159132 BLAKE2B 3d1ed39518de1a58ca1c157c2d4ccca714548027e4d7f044dbcb28017d0adafbfdba441f7a15235de268cbabf2547817482ac52e6ad5d458e45a3f7121b89f8e SHA512 18956585bf8af490cbea75bdc201d100f18ba9e2795a9c4188f3dd95b7ad966af390747f945971f349f3a8b370c91f4facb2408abc62954fcee16d3c608e7575
+DIST google-osconfig-agent-20240320.00.tar.gz 380118 BLAKE2B 96d1ba4c3be376159c786045ceef07f961656422b6c9e4eab9d5da94814002eb53e2aaffdb1b4671c54d13b8bf7d8036a5728688bddb9e8138e36bd9145e0740 SHA512 c9fb4fd17a4e6f8a8333baa37c97015e1468cd58f9f85a856c47ce202d24f53b7b0e746738aacbbd3c5727954978b23544a1060e190513f7a9c80e9298b09ecc

sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Delete recipe database used by osconfig-agent before it starts
+Before=google-osconfig-agent.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/rm -f /var/lib/google/osconfig_recipedb
+RemainAfterExit=yes
+
+[Install]
+WantedBy=google-osconfig-agent.service

sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Disables ssh.
+systemctl stop sshd.service
+systemctl mask sshd.service
+systemctl -q is-active sshd.service
+IS_ACTIVE=$?
+IS_ENABLED=$(systemctl is-enabled sshd.service)
+
+if [[ "$IS_ACTIVE" -eq 0 ]] || [[ "$IS_ENABLED" != "masked" ]]; then
+   echo "Failed to disable sshd.service"
+   exit 1
+else
+   echo "sshd.service is disabled"
+fi

sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild

@@ -0,0 +1 @@
+google-osconfig-agent-20240320.00.ebuild

sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild

@@ -0,0 +1,52 @@
+#
+# Copyright 2023 Google LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+EAPI=7
+
+inherit go-module systemd
+
+DESCRIPTION="Google OS Config Agent"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/osconfig"
+
+SRC_URI="https://github.com/GoogleCloudPlatform/osconfig/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" ${P}-deps.tar.xz"
+
+LICENSE="Apache-2.0 BSD"
+SLOT="0"
+KEYWORDS="*"
+IUSE=""
+
+S="${WORKDIR}/osconfig-${PV}"
+
+src_compile() {
+	export GOTRACEBACK="crash"
+	GO=$(tc-getGO)
+	export GO
+	# These compilation flags are from packaging/debian/rules,
+	# packaging/google-osconfig-agent.spec, and
+	# packaging/googet/google-osconfig-agent.goospec in the osconfig source tree.
+	CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \
+		-mod=readonly -o google_osconfig_agent || die
+}
+
+src_install() {
+	dobin google_osconfig_agent
+	systemd_dounit google-osconfig-agent.service
+	systemd_enable_service multi-user.target google-osconfig-agent.service
+
+	systemd_dounit "${FILESDIR}"/google-osconfig-init.service
+	systemd_enable_service google-osconfig-agent.service google-osconfig-init.service
+
+	exeinto /usr/share/google
+	doexe "${FILESDIR}"/no_ssh.sh
+}

sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest

@@ -0,0 +1 @@
+DIST oslogin-20231004.00.tar.gz 57637 BLAKE2B 836148239f7ffc302ea39b51cb1940ae190d63134552f2487820dd7516977df41bd53893717aba01709cd2c9767a17d5e023c17813596a7db085e215d2ce1f5a SHA512 1f9d31c26ebe33c6e02a7f59d77ce71212244a3bdc20c5b8de32b9ceb1c523bdfe1332f0a095e7383eebab5172bf9a7a76c87d8e02f339b58f151ca9f801b83a

sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch

@@ -0,0 +1,40 @@
+From 9de91cfab8fc31fb043da1b15f7b2ce632a0e9ee Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko <ovt@google.com>
+Date: Wed, 1 Nov 2023 05:01:59 +0000
+Subject: [PATCH] Make json-c include dir configurable
+
+---
+ src/Makefile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index a633c7ca61cf..04d90d24a281 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -1,7 +1,7 @@
+ SHELL = /bin/sh
+ TOPDIR = $(realpath ..)
+ 
+-CPPFLAGS = -Iinclude -I/usr/include/json-c -I$(TOPDIR)/third_party/include
++CPPFLAGS = -Iinclude -I$(JSON_INCLUDE_PATH) -I$(TOPDIR)/third_party/include
+ FLAGS = -fPIC -Wall -g
+ CFLAGS = $(FLAGS) -Wstrict-prototypes
+ CXXFLAGS = $(FLAGS)
+@@ -52,12 +52,12 @@ $(NSS_CACHE_OSLOGIN): nss/nss_cache_oslogin.o nss/compat/getpwent_r.o oslogin_ut
+ 
+ # PAM modules
+ 
+-$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o include/oslogin_sshca.h
++$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o
+ 	$(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
+ 
+ # Utilities.
+ 
+-google_authorized_principals: authorized_principals/authorized_principals.o oslogin_utils.o oslogin_sshca.o include/oslogin_sshca.h
++google_authorized_principals: authorized_principals/authorized_principals.o oslogin_utils.o oslogin_sshca.o
+ 	$(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
+ 
+ google_authorized_keys: authorized_keys/authorized_keys.o oslogin_utils.o
+-- 
+2.42.0.820.g83a721a137-goog
+

sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild

@@ -0,0 +1 @@
+oslogin-20231004.00.ebuild

sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild

@@ -0,0 +1,43 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+EAPI=7
+
+inherit eutils pam flag-o-matic
+
+DESCRIPTION="Google Compute Engine OS Login libraries, applications and configurations."
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+
+# Release tag of compute-image-packages.
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> oslogin-${PV}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="*"
+
+DEPEND="
+	net-misc/curl
+	dev-libs/json-c
+	sys-libs/pam
+"
+RDEPEND="${DEPEND}
+	>=app-admin/google-guest-agent-20231016.00
+"
+
+S="${WORKDIR}/guest-oslogin-${PV}"
+
+PATCHES=(
+	"${FILESDIR}/oslogin-20231004.00-fix-build.patch"
+)
+
+src_compile() {
+	emake JSON_INCLUDE_PATH="${SYSROOT}/usr/include/json-c" VERSION="${PV}"
+}
+
+src_install() {
+	emake DESTDIR="${D}/" LIBDIR="$(get_libdir)" VERSION="${PV}" \
+		PAMDIR="$(getpam_mod_dir)" install
+	dosym libnss_oslogin-"${PV}".so \
+		"$(get_libdir)"/libnss_oslogin.so.2
+}