From 3a4df096e308042804f604898984a60d707a08f4 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Apr 2024 10:00:37 +0000 Subject: [PATCH] coreos-overlay/app-admin: Import GCP Agent packages from COS Import google-guest-agent, google-guest-configs, google-osconfig-agent and oslogin packages from COS. These are sourced from the Git repo: https://cos.googlesource.com/cos/overlays/board-overlays, commit 8a6d617d85df03028c9c6d51a1bb3a3bc2eb0933, folder project-lakitu. 
Signed-off-by: Jeremi Piotrowski --- .../app-admin/google-guest-agent/Manifest | 2 + .../20201102-instance_configs.cfg.distro | 38 ++++++ ...0-create-hostkey-and-instanceID-dirs.patch | 42 ++++++ .../files/20231016.00-homedir-gid.patch | 120 ++++++++++++++++++ .../files/get_metadata_value | 76 +++++++++++ .../google-guest-agent-20240314.00-r1.ebuild | 1 + .../google-guest-agent-20240314.00.ebuild | 70 ++++++++++ .../app-admin/google-guest-configs/Manifest | 1 + ...gle-guest-configs-20211116.00-sysctl.patch | 50 ++++++++ ...google-guest-configs-20240304.00-r1.ebuild | 1 + .../google-guest-configs-20240304.00.ebuild | 47 +++++++ .../app-admin/google-osconfig-agent/Manifest | 2 + .../files/google-osconfig-init.service | 11 ++ .../google-osconfig-agent/files/no_ssh.sh | 18 +++ ...oogle-osconfig-agent-20240320.00-r1.ebuild | 1 + .../google-osconfig-agent-20240320.00.ebuild | 52 ++++++++ .../coreos-overlay/app-admin/oslogin/Manifest | 1 + .../files/oslogin-20231004.00-fix-build.patch | 40 ++++++ .../oslogin/oslogin-20231004.00-r1.ebuild | 1 + .../oslogin/oslogin-20231004.00.ebuild | 43 +++++++ 20 files changed, 617 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild create mode 100644 
sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh
create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch
create mode 120000 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest
new file mode 100644
index 0000000000..0036a5f84c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/Manifest
@@ -0,0 +1,2 @@
+DIST google-guest-agent-20240314.00-deps.tar.xz 100146672 BLAKE2B 5d59bad49c536a73f8be83f567cca3018fa1d56a78232e33eaefd1b8472174018da789bc1a432a56686568a01f932e9da2aee8c1f813cee829394037bcf694cd SHA512 1a00e48f54f74449b0289bf826aee5788d40a8406086a2f70f57d5e0d0c0c1bdf448b12e54962020a2dca4ff9d8586d7d94ae3dc3c5372e4622fbb18904cfb77
+DIST google-guest-agent-20240314.00.tar.gz 194225 BLAKE2B 2c3a69507b3a66b7b9e541f021a050bc3b050896fd27726b46307ecb940a72fc287d8b5b8794f6bf5363c5f2ad85b411b352a680f805d50d34836d63caca1d6b SHA512 8cfaa7ed3d7b34ae224b3cb3df7b747e2e2d305b034f53b674fd984b4b609bd67c7a0115c876a7b01e869172d970e4dcd7de2c87f27fff7d46648ef0cf1c32d8
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro
new file mode 100644
index 0000000000..40a838bd4f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20201102-instance_configs.cfg.distro
@@ -0,0 +1,38 @@
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COS specific settings for the Linux Guest Environment for Google Compute
+# Engine.
+
+[InstanceSetup]
+set_boto_config = false
+host_key_dir = /mnt/stateful_partition/etc/ssh
+
+[Instance]
+instance_id_dir = /mnt/stateful_partition/etc
+
+[MetadataScripts]
+run_dir = /var/lib/google/
+
+[NetworkInterfaces]
+setup = false
+
+[IpForwarding]
+ip_aliases = false
+
+[Accounts]
+reuse_homedir = true
+# Use usermod instead of gpasswd to avoid race between gpasswd and cloud-init.
+gpasswd_add_cmd = usermod -aG {group} {user}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch
new file mode 100644
index 0000000000..3e56e92725
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-create-hostkey-and-instanceID-dirs.patch
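Review bot: `host_key_dir` and `instance_id_dir` point at `/mnt/stateful_partition/etc`, which is the COS stateful-partition layout, and the header still reads "COS specific settings"; nothing in this commit says whether that mount exists on the importing distro. If it does not, the bundled MkdirAll patch will create those directories on the root filesystem, and sshd will only see host keys written there if its HostKey configuration points at the same place. I would either adapt the two paths for the target image or replace the header line with `# Imported unchanged from COS; the /mnt/stateful_partition paths are COS-specific and need review for this distro.` so the next reader knows they have not been vetted.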
@@ -0,0 +1,42 @@
+From e6ffb5fccf86931a79f551fdc960a659044042ce Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko
+Date: Wed, 8 Nov 2023 01:55:51 +0000
+Subject: [PATCH 2/2] Create missing directories
+
+Create missing directories for instance ID file and for SSH host key
+---
+ google_guest_agent/instance_setup.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/google_guest_agent/instance_setup.go b/google_guest_agent/instance_setup.go
+index d8cbc02bf94e..86b91b5c4636 100644
+--- a/google_guest_agent/instance_setup.go
++++ b/google_guest_agent/instance_setup.go
+@@ -171,7 +171,12 @@ func agentInit(ctx context.Context) {
+ // Check if instance ID has changed, and if so, consider this
+ // the first boot of the instance.
+ // TODO Also do this for windows. liamh@13-11-2019
+- instanceIDFile := config.Instance.InstanceIDDir
++ instanceIDDir := config.Instance.InstanceIDDir
++ // Create the instance ID directory, if it doesn't exist.
++ if err := os.MkdirAll(instanceIDDir, 0755); err != nil {
++ logger.Warningf("Failed to create instance ID directory: %v", err)
++ }
++ instanceIDFile := instanceIDDir + "/google_instance_id"
+ instanceID, err := os.ReadFile(instanceIDFile)
+ if err != nil && !os.IsNotExist(err) {
+ logger.Warningf("Not running first-boot actions, error reading instance ID: %v", err)
+@@ -220,6 +225,10 @@ func agentInit(ctx context.Context) {
+ func generateSSHKeys(ctx context.Context) error {
+ config := cfg.Get()
+ hostKeyDir := config.InstanceSetup.HostKeyDir
++ // Create the host key directory, if it doesn't exist.
++ if err := os.MkdirAll(hostKeyDir, 0755); err != nil {
++ logger.Warningf("Failed to create host key directory: %v", err)
++ }
+ dir, err := os.Open(hostKeyDir)
+ if err != nil {
+ return err
+--
+2.42.0.869.gea05f2083d-goog
+
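Review bot: `instanceIDFile := instanceIDDir + "/google_instance_id"` builds the path by string concatenation; `filepath.Join(instanceIDDir, "google_instance_id")` is the idiomatic form and also tolerates a trailing slash in `instance_id_dir`, assuming `path/filepath` is already imported in instance_setup.go (the import block is outside the hunk). Both MkdirAll failures are only logged at warning level and execution continues, which works here solely because the following ReadFile/Open surface the real error; a one-line comment such as `// Failure is non-fatal: the read/open below reports the actual error.` would stop the next reader from turning the warning into a return. The enclosing functions agentInit and generateSSHKeys both extend beyond the hunk.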
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch
new file mode 100644
index 0000000000..a2bd9de505
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/20231016.00-homedir-gid.patch
@@ -0,0 +1,120 @@
+From a28e8fa46b5ef09c8a83763a6163d7b63d04f156 Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko
+Date: Thu, 2 Nov 2023 00:23:19 +0000
+Subject: [PATCH 1/2] Add stable gid for added users
+
+Use gid obtained from the home directory to create users with a
+volatile /etc directory.
+---
+ google_guest_agent/accounts_unix.go | 17 +++++++++++++----
+ google_guest_agent/accounts_windows.go | 6 +++---
+ google_guest_agent/non_windows_accounts.go | 6 +++---
+ google_guest_agent/windows_accounts.go | 4 ++--
+ 4 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/google_guest_agent/accounts_unix.go b/google_guest_agent/accounts_unix.go
+index 94cedd3d480a..0cc6470f15f2 100644
+--- a/google_guest_agent/accounts_unix.go
++++ b/google_guest_agent/accounts_unix.go
+@@ -27,21 +27,30 @@ import (
+ "github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/run"
+ )
+
+-func getUID(path string) string {
++func getUIDAndGID(path string) (string, string) {
+ if dir, err := os.Stat(path); err == nil {
+ if stat, ok := dir.Sys().(*syscall.Stat_t); ok {
+- return fmt.Sprintf("%d", stat.Uid)
++ return fmt.Sprintf("%d", stat.Uid), fmt.Sprintf("%d", stat.Gid)
+ }
+ }
+- return ""
++ return "", ""
+ }
+
+-func createUser(ctx context.Context, username, uid string) error {
++func createUser(ctx context.Context, username, uid, gid string) error {
+ config := cfg.Get()
+ useradd := config.Accounts.UserAddCmd
+ if uid != "" {
+ useradd = fmt.Sprintf("%s -u %s", useradd, uid)
+ }
++ if gid != "" {
++ groupadd := config.Accounts.GroupAddCmd
++ groupadd = fmt.Sprintf("%s -g %s", groupadd, gid)
++ cmd, args := createUserGroupCmd(groupadd, "", username)
++ if err := run.Quiet(ctx, cmd, args...); err != nil {
++ return err
++ }
++ useradd = fmt.Sprintf("%s -g %s", useradd, gid)
++ }
+ cmd, args := createUserGroupCmd(useradd, username, "")
+ return run.Quiet(ctx, cmd, args...)
+ }
+diff --git a/google_guest_agent/accounts_windows.go b/google_guest_agent/accounts_windows.go
+index 5f0087afd6eb..c66b3e6cc211 100644
+--- a/google_guest_agent/accounts_windows.go
++++ b/google_guest_agent/accounts_windows.go
+@@ -138,7 +138,7 @@ func addUserToGroup(ctx context.Context, username, group string) error {
+ return nil
+ }
+
+-func createUser(ctx context.Context, username, pwd string) error {
++func createUser(ctx context.Context, username, pwd, _ string) error {
+ uPtr, err := syscall.UTF16PtrFromString(username)
+ if err != nil {
+ return fmt.Errorf("error encoding username to UTF16: %v", err)
+@@ -184,6 +184,6 @@ func userExists(name string) (bool, error) {
+ return true, nil
+ }
+
+-func getUID(path string) string {
+- return ""
++func getUIDAndGID(path string) (string, string) {
++ return "", ""
+ }
+diff --git a/google_guest_agent/non_windows_accounts.go b/google_guest_agent/non_windows_accounts.go
+index 2fa6f5de6487..c8640624064c 100644
+--- a/google_guest_agent/non_windows_accounts.go
++++ b/google_guest_agent/non_windows_accounts.go
+@@ -343,12 +343,12 @@ func createUserGroupCmd(cmd, user, group string) (string, []string) {
+ // createGoogleUser creates a Google managed user account if needed and adds it
+ // to the configured groups.
+ func createGoogleUser(ctx context.Context, config *cfg.Sections, user string) error {
+- var uid string
++ var uid, gid string
+ if config.Accounts.ReuseHomedir {
+- uid = getUID(fmt.Sprintf("/home/%s", user))
++ uid, gid = getUIDAndGID(fmt.Sprintf("/home/%s", user))
+ }
+
+- if err := createUser(ctx, user, uid); err != nil {
++ if err := createUser(ctx, user, uid, gid); err != nil {
+ return err
+ }
+ groups := config.Accounts.Groups
+diff --git a/google_guest_agent/windows_accounts.go b/google_guest_agent/windows_accounts.go
+index 248bf399e436..a46b60759129 100644
+--- a/google_guest_agent/windows_accounts.go
++++ b/google_guest_agent/windows_accounts.go
+@@ -133,7 +133,7 @@ func createOrResetPwd(ctx context.Context, k metadata.WindowsKey) (*credsJSON, e
+ }
+ } else {
+ logger.Infof("Creating user %s", k.UserName)
+- if err := createUser(ctx, k.UserName, pwd); err != nil {
++ if err := createUser(ctx, k.UserName, pwd, ""); err != nil {
+ return nil, fmt.Errorf("error running createUser: %v", err)
+ }
+ if k.AddToAdministrators == nil || *k.AddToAdministrators {
+@@ -155,7 +155,7 @@ func createSSHUser(ctx context.Context, user string) error {
+ return nil
+ }
+ logger.Infof("Creating user %s", user)
+- if err := createUser(ctx, user, pwd); err != nil {
++ if err := createUser(ctx, user, pwd, ""); err != nil {
+ return fmt.Errorf("error running createUser: %v", err)
+ }
+
+--
+2.42.0.869.gea05f2083d-goog
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value
new file mode 100644
index 0000000000..4ffd7e6bf5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/files/get_metadata_value
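Review bot: The new gid branch in createUser runs `groupadd -g <gid> <username>` unconditionally before useradd whenever the reused home directory has a gid, so if a group with that name or gid already exists (a retry after a partial failure, or a home directory owned by a shared group) groupadd fails and createUser returns the error with the account never created; the uid path has no equivalent precondition. I would check for the group first, or tolerate an already-exists result if `run.Quiet` lets you distinguish it (not visible from here). The patch description should also state the assumption that `/home/<user>` is owned by a per-user group, because that directory's owner gid now becomes the account's primary group.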
@@ -0,0 +1,76 @@
+#! /bin/bash
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Get a metadata value from the metadata server.
+# curl exit codes: https://everything.curl.dev/usingcurl/returns
+declare -r VARNAME=$1
+declare -r MDS_PREFIX=http://metadata.google.internal/computeMetadata/v1
+declare -r MDS_TRIES=${MDS_TRIES:-100}
+
+function print_metadata_value() {
+ local readonly tmpfile=$(mktemp)
+ http_code=$(curl -f "${1}" -H "Metadata-Flavor: Google" -w "%{http_code}" \
+ -s -o ${tmpfile} 2>/dev/null)
+ local readonly return_code=$?
+ # If the command completed successfully, print the metadata value to stdout.
+ if [[ ${return_code} == 0 && ${http_code} == 200 ]]; then
+ cat ${tmpfile}
+ fi
+ rm -f ${tmpfile}
+ return ${return_code}
+}
+
+function print_metadata_value_if_exists() {
+ local return_code=1
+ local readonly url=$1
+ print_metadata_value ${url}
+ return_code=$?
+ return ${return_code}
+}
+
+function get_metadata_value() {
+ local readonly varname=$1
+ # Print the instance metadata value.
+ print_metadata_value_if_exists ${MDS_PREFIX}/instance/${varname}
+ return_code=$?
+ # If the instance doesn't have the value, try the project.
+ if [[ ${return_code} != 0 && ${return_code} != 6 && ${return_code} != 7 ]];
+ then
+ print_metadata_value_if_exists ${MDS_PREFIX}/project/${varname}
+ return_code=$?
+ fi
+ return ${return_code}
+}
+
+function get_metadata_value_with_retries() {
+ local return_code=1 # General error code.
+ for ((count=0; count <= ${MDS_TRIES}; count++)); do
+ get_metadata_value $VARNAME
+ return_code=$?
+ case $return_code in
+ # No error. We're done.
+ 0) exit ${return_code};;
+ # Failed to resolve host or connect to host. Retry.
+ 6|7) sleep 0.3; continue;;
+ # A genuine error. Exit.
+ *) exit ${return_code};
+ esac
+ done
+ # Exit with the last return code we got.
+ exit ${return_code}
+}
+
+get_metadata_value_with_retries
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild
new file mode 120000
index 0000000000..e07d85119e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00-r1.ebuild
@@ -0,0 +1 @@
+google-guest-agent-20240314.00.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild
new file mode 100644
index 0000000000..c3cf46b3ee
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-agent/google-guest-agent-20240314.00.ebuild
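Review bot: `local readonly tmpfile=$(mktemp)` does not make `tmpfile` read-only; bash parses `readonly` as a second variable name to declare locally, and the same applies to `return_code`, `url` and `varname`; the intended form is `local -r tmpfile` on one line and the assignment on the next, which also keeps mktemp's exit status visible. `${tmpfile}`, `${url}` and `$VARNAME` are expanded unquoted, and VARNAME comes straight from `$1` into the request URL, so a value containing whitespace or glob characters is word-split before it reaches curl; quote them, e.g. `get_metadata_value "$VARNAME"` and `print_metadata_value "${url}"`. `http_code` and the `return_code` assigned in get_metadata_value are never declared `local`, so they leak into the callers' scope.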
@@ -0,0 +1,70 @@
+#
+# Copyright 2023 Google LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+EAPI=7
+
+inherit go-module systemd
+
+DESCRIPTION="Google Guest Agent"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-agent"
+
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-agent/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" ${P}-deps.tar.xz"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+SLOT="0"
+KEYWORDS="*"
+IUSE=""
+RDEPEND="!app-admin/compute-image-packages
+ >=app-admin/oslogin-20231004.00
+"
+
+S=${WORKDIR}/guest-agent-${PV}
+
+PATCHES=(
+ "${FILESDIR}/20231016.00-homedir-gid.patch"
+ "${FILESDIR}/20231016.00-create-hostkey-and-instanceID-dirs.patch"
+)
+
+src_compile() {
+ export GOTRACEBACK="crash"
+ GO=$(tc-getGO)
+ pushd google_guest_agent || die
+ CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \
+ -mod=readonly || die
+ popd || die
+ pushd google_metadata_script_runner || die
+ CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \
+ -mod=readonly || die
+ popd || die
+}
+
+src_install() {
+ dobin google_guest_agent/google_guest_agent
+ dobin google_metadata_script_runner/google_metadata_script_runner
+ systemd_dounit google-guest-agent.service
+ systemd_dounit google-startup-scripts.service
+ systemd_dounit google-shutdown-scripts.service
+ systemd_enable_service multi-user.target google-guest-agent.service
+ systemd_enable_service multi-user.target google-startup-scripts.service
+ systemd_enable_service multi-user.target google-shutdown-scripts.service
+
+ # Backports the get_metadata_value script from compute-image-packages.
+ # We have users that still rely on this script, so we need to continue
+ # to install it.
+ exeinto /usr/share/google/
+ newexe "${FILESDIR}/get_metadata_value" get_metadata_value
+
+ # Install COS specific configuration
+ insinto /etc/default
+ newins "${FILESDIR}/20201102-instance_configs.cfg.distro" instance_configs.cfg.distro
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
new file mode 100644
index 0000000000..2f6cac0268
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
@@ -0,0 +1 @@
+DIST google-guest-configs-20240304.00.tar.gz 24918 BLAKE2B 08f8e5b8c2abd720f5af6682e110b78579e4c8788dfe3b0f243de5aaf98b40f03bcb885d1706d166e08b6e987ed4d86dc4140d444173f0c03aee82ce4d8759ea SHA512 6ae4335c31e1265dcf1bf9b45532571276a50103b482662e8d8ff393a11783a51c5ce0fd266ed41342a1db046114be3b1fe1675b9c4d3e97e52486d7ededcf41
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
new file mode 100644
index 0000000000..4ac9d275cb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
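Review bot: RDEPEND pulls in `>=app-admin/oslogin-20231004.00`, and the oslogin ebuild added by the same commit RDEPENDs on `>=app-admin/google-guest-agent-20231016.00`, so the two packages form a runtime dependency cycle; Portage can break RDEPEND cycles, but merge order then becomes arbitrary, so one side should drop the edge or a comment should say why both are needed. `GO=$(tc-getGO)` relies on toolchain-funcs being in scope through go-module; if that eclass does not inherit it in this overlay, add `toolchain-funcs` to the `inherit` line rather than depending on the transitive import. `KEYWORDS="*"` is the COS convention; if this overlay expects explicit arch keywords it needs adjusting on import. src_install continues from the earlier part of the hunk.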
@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions. When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10
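Review bot: The patch strips every setting in 60-gce-network-security.conf except the two log_martians lines (tcp_syncookies, accept_source_route, accept_redirects, ip_forward, rp_filter, the ICMP settings, randomize_va_space and kernel.panic) and carries no header text explaining why. On COS these presumably come from the base image, but nothing on this page shows that the importing distro sets them elsewhere, so the import may silently weaken the defaults the upstream file was meant to provide. I would add a description at the top of the patch file, along the lines of `Drop settings already provided by the base system's sysctl defaults; keep only log_martians.`, after confirming that is actually the case for the target image.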
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild
new file mode 120000
index 0000000000..ae939291df
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00-r1.ebuild
@@ -0,0 +1 @@
+google-guest-configs-20240304.00.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild
new file mode 100644
index 0000000000..7d960aa1a5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20240304.00.ebuild
@@ -0,0 +1,47 @@
+#
+# Copyright 2021 Google LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+EAPI=7
+
+inherit udev
+
+DESCRIPTION="Google Guest Configs"
+HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
+
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+KEYWORDS="*"
+SLOT="0"
+IUSE=""
+
+S=${WORKDIR}/guest-configs-${PV}
+
+src_prepare() {
+ eapply "${FILESDIR}"/google-guest-configs-20211116.00-sysctl.patch
+
+ eapply_user
+}
+
+src_install() {
+ exeinto /lib/udev
+ doexe "${S}"/src/lib/udev/google_nvme_id
+
+ udev_dorules "${S}"/src/lib/udev/rules.d/65-gce-disk-naming.rules
+
+ insinto /etc/sysctl.d
+ doins "${S}"/src/etc/sysctl.d/60-gce-network-security.conf
+
+ exeinto /usr/bin
+ doexe "${S}"/src/usr/bin/google_set_multiqueue
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest
new file mode 100644
index 0000000000..c3ff780f96
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/Manifest
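Review bot: src_install hard-codes `exeinto /lib/udev` for google_nvme_id while the rules file goes through `udev_dorules`, which resolves the udev directory via the eclass; on a merged-/usr image whose udev helper directory is /usr/lib/udev, the helper lands in the wrong place and any reference to it from 65-gce-disk-naming.rules would presumably fail to resolve. Use `exeinto "$(get_udevdir)"` from the already-inherited udev eclass so both artefacts agree. HOMEPAGE uses plain http where the other ebuilds in this commit use https.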
@@ -0,0 +1,2 @@
+DIST google-osconfig-agent-20240320.00-deps.tar.xz 116159132 BLAKE2B 3d1ed39518de1a58ca1c157c2d4ccca714548027e4d7f044dbcb28017d0adafbfdba441f7a15235de268cbabf2547817482ac52e6ad5d458e45a3f7121b89f8e SHA512 18956585bf8af490cbea75bdc201d100f18ba9e2795a9c4188f3dd95b7ad966af390747f945971f349f3a8b370c91f4facb2408abc62954fcee16d3c608e7575
+DIST google-osconfig-agent-20240320.00.tar.gz 380118 BLAKE2B 96d1ba4c3be376159c786045ceef07f961656422b6c9e4eab9d5da94814002eb53e2aaffdb1b4671c54d13b8bf7d8036a5728688bddb9e8138e36bd9145e0740 SHA512 c9fb4fd17a4e6f8a8333baa37c97015e1468cd58f9f85a856c47ce202d24f53b7b0e746738aacbbd3c5727954978b23544a1060e190513f7a9c80e9298b09ecc
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service
new file mode 100644
index 0000000000..3e2b0c2689
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/google-osconfig-init.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Delete recipe database used by osconfig-agent before it starts
+Before=google-osconfig-agent.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/rm -f /var/lib/google/osconfig_recipedb
+RemainAfterExit=yes
+
+[Install]
+WantedBy=google-osconfig-agent.service
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh
new file mode 100644
index 0000000000..dcccbe66cf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/files/no_ssh.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Disables ssh.
+systemctl stop sshd.service
+systemctl mask sshd.service
+systemctl -q is-active sshd.service
+IS_ACTIVE=$?
+IS_ENABLED=$(systemctl is-enabled sshd.service)
+
+if [[ "$IS_ACTIVE" -eq 0 ]] || [[ "$IS_ENABLED" != "masked" ]]; then
+ echo "Failed to disable sshd.service"
+ exit 1
+else
+ echo "sshd.service is disabled"
+fi
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild
new file mode 120000
index 0000000000..7c06007232
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00-r1.ebuild
@@ -0,0 +1 @@
+google-osconfig-agent-20240320.00.ebuild
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild
new file mode 100644
index 0000000000..ae125ebe0a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-osconfig-agent/google-osconfig-agent-20240320.00.ebuild
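Review bot: The script only knows `sshd.service`; on an image where sshd is socket-activated (an `sshd.socket` unit spawning per-connection `sshd@.service` instances), `systemctl stop` and `systemctl mask sshd.service` act on a unit that does not exist, `is-active` then reports inactive and `is-enabled` reports masked, so the final check prints "sshd.service is disabled" while the socket keeps accepting connections. I would stop and mask `sshd.socket` as well and treat an unknown unit as a failure rather than success. The script also runs without `set -euo pipefail`, so failures of the first two systemctl calls are invisible except through the final check.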
@@ -0,0 +1,52 @@
+#
+# Copyright 2023 Google LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+EAPI=7
+
+inherit go-module systemd
+
+DESCRIPTION="Google OS Config Agent"
+HOMEPAGE="https://github.com/GoogleCloudPlatform/osconfig"
+
+SRC_URI="https://github.com/GoogleCloudPlatform/osconfig/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" ${P}-deps.tar.xz"
+
+LICENSE="Apache-2.0 BSD"
+SLOT="0"
+KEYWORDS="*"
+IUSE=""
+
+S="${WORKDIR}/osconfig-${PV}"
+
+src_compile() {
+ export GOTRACEBACK="crash"
+ GO=$(tc-getGO)
+ export GO
+ # These compilation flags are from packaging/debian/rules,
+ # packaging/google-osconfig-agent.spec, and
+ # packaging/googet/google-osconfig-agent.goospec in the osconfig source tree.
+ CGO_ENABLED=0 ${GO} build -ldflags="-s -w -X main.version=${PV}" \
+ -mod=readonly -o google_osconfig_agent || die
+}
+
+src_install() {
+ dobin google_osconfig_agent
+ systemd_dounit google-osconfig-agent.service
+ systemd_enable_service multi-user.target google-osconfig-agent.service
+
+ systemd_dounit "${FILESDIR}"/google-osconfig-init.service
+ systemd_enable_service google-osconfig-agent.service google-osconfig-init.service
+
+ exeinto /usr/share/google
+ doexe "${FILESDIR}"/no_ssh.sh
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest
new file mode 100644
index 0000000000..7d4152dca5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/Manifest
@@ -0,0 +1 @@
+DIST oslogin-20231004.00.tar.gz 57637 BLAKE2B 836148239f7ffc302ea39b51cb1940ae190d63134552f2487820dd7516977df41bd53893717aba01709cd2c9767a17d5e023c17813596a7db085e215d2ce1f5a SHA512 1f9d31c26ebe33c6e02a7f59d77ce71212244a3bdc20c5b8de32b9ceb1c523bdfe1332f0a095e7383eebab5172bf9a7a76c87d8e02f339b58f151ca9f801b83a
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch
new file mode 100644
index 0000000000..2c2b919175
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/files/oslogin-20231004.00-fix-build.patch
@@ -0,0 +1,40 @@
+From 9de91cfab8fc31fb043da1b15f7b2ce632a0e9ee Mon Sep 17 00:00:00 2001
+From: Oleksandr Tymoshenko
+Date: Wed, 1 Nov 2023 05:01:59 +0000
+Subject: [PATCH] Make json-c include dir configurable
+
+---
+ src/Makefile | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index a633c7ca61cf..04d90d24a281 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -1,7 +1,7 @@
+ SHELL = /bin/sh
+ TOPDIR = $(realpath ..)
+
+-CPPFLAGS = -Iinclude -I/usr/include/json-c -I$(TOPDIR)/third_party/include
++CPPFLAGS = -Iinclude -I$(JSON_INCLUDE_PATH) -I$(TOPDIR)/third_party/include
+ FLAGS = -fPIC -Wall -g
+ CFLAGS = $(FLAGS) -Wstrict-prototypes
+ CXXFLAGS = $(FLAGS)
+@@ -52,12 +52,12 @@ $(NSS_CACHE_OSLOGIN): nss/nss_cache_oslogin.o nss/compat/getpwent_r.o oslogin_ut
+
+ # PAM modules
+
+-$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o include/oslogin_sshca.h
++$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
+
+ # Utilities.
+
+-google_authorized_principals: authorized_principals/authorized_principals.o oslogin_utils.o oslogin_sshca.o include/oslogin_sshca.h
++google_authorized_principals: authorized_principals/authorized_principals.o oslogin_utils.o oslogin_sshca.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) $^ -o $@ $(LDLIBS)
+
+ google_authorized_keys: authorized_keys/authorized_keys.o oslogin_utils.o
+--
+2.42.0.820.g83a721a137-goog
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild
new file mode 120000
index 0000000000..f87620f271
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00-r1.ebuild
@@ -0,0 +1 @@
+oslogin-20231004.00.ebuild
\ No newline at end of file
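Review bot: The patch also drops `include/oslogin_sshca.h` from the prerequisites of `$(PAM_LOGIN)` and `google_authorized_principals`, which is unrelated to the subject line ("Make json-c include dir configurable") and the description is empty; if the header is absent from this tarball, say so in the description so the change survives the next rebase, and if it is present the removal only loses header-change rebuilds and should be reverted. `-I$(JSON_INCLUDE_PATH)` becomes a bare `-I` when the variable is unset, and the compiler then consumes the following `-I$(TOPDIR)/third_party/include` as the directory name; a default such as `JSON_INCLUDE_PATH ?= /usr/include/json-c` above CPPFLAGS would keep the previous behaviour for callers that do not pass it.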
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild
new file mode 100644
index 0000000000..1cc83a4b75
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/oslogin/oslogin-20231004.00.ebuild
@@ -0,0 +1,43 @@
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+EAPI=7
+
+inherit eutils pam flag-o-matic
+
+DESCRIPTION="Google Compute Engine OS Login libraries, applications and configurations."
+HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-oslogin"
+
+# Release tag of compute-image-packages.
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-oslogin/archive/${PV}.tar.gz -> oslogin-${PV}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="*"
+
+DEPEND="
+ net-misc/curl
+ dev-libs/json-c
+ sys-libs/pam
+"
+RDEPEND="${DEPEND}
+ >=app-admin/google-guest-agent-20231016.00
+"
+
+S="${WORKDIR}/guest-oslogin-${PV}"
+
+PATCHES=(
+ "${FILESDIR}/oslogin-20231004.00-fix-build.patch"
+)
+
+src_compile() {
+ emake JSON_INCLUDE_PATH="${SYSROOT}/usr/include/json-c" VERSION="${PV}"
+}
+
+src_install() {
+ emake DESTDIR="${D}/" LIBDIR="$(get_libdir)" VERSION="${PV}" \
+ PAMDIR="$(getpam_mod_dir)" install
+ dosym libnss_oslogin-"${PV}".so \
+ "$(get_libdir)"/libnss_oslogin.so.2
+}
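Review bot: `JSON_INCLUDE_PATH="${SYSROOT}/usr/include/json-c"` in src_compile should use `${ESYSROOT}`, the EAPI 7 variable that already has EPREFIX applied and is the one meant for locating DEPEND headers; `${SYSROOT}` alone points at the wrong tree whenever the prefix is non-empty. The comment `# Release tag of compute-image-packages.` is stale, as SRC_URI fetches guest-oslogin; `# Release tag of guest-oslogin.` matches the line below it. `inherit eutils` has been removed from the Gentoo tree and nothing in the visible functions uses it, so if this overlay's eclass set no longer ships it the ebuild will fail to source.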