google-guest-agent: init at 20211019.00

The guest agent is depending in some bash scripts contained in the google-compute-guest-configs packages to setup the virtio multiqueue support at runtime. We inject those through a wrapper. The oslogin implementation of the guest agent won't work on NixOS as it currently is. On top of that, it's enabled/disabled status exclusively depends on the remote GCE deployment metadata, we can't disable that through the conf file. We add a patch allowing us to disable this feature via the conf file. Co-authored-by: Mark Karpov <[email protected]>
NixOS · Nov 5, 2021 · 2128f17 · 2128f17
1 parent b2d1a7d
commit 2128f17
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 0 deletions.
diff --git a/...tualization/google-compute-guest-agent/0001-oslogin-add-disable-toggle-in-conf-file.patch b/...tualization/google-compute-guest-agent/0001-oslogin-add-disable-toggle-in-conf-file.patch
@@ -0,0 +1,40 @@
+From f318f525149b06365e9f0c7f642f09f401c3e1c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= <[email protected]>
+Date: Fri, 5 Nov 2021 15:40:13 +0100
+Subject: [PATCH] oslogin: add disable toggle in conf file
+
+The guest agent is trying to imperatively alter the sshd authorized
+key config, inject some new NSS configuration, and update the PAM
+config. This won't work on NixOS. We already have a "legacy" support
+for the os-login feature that is more declarative, let's keep on using
+that.
+
+Sadly, the guest agent does not provide any way to disable the oslogin
+feature from its configuration file. The only way to prevent the
+daemon from trying to burn our ideal declarative world to the ground
+is to disable oslogin from the GCE metadata. This is obviously not a
+solution for us.
+
+Adding a new oslogin_daemon toggle to the conf file Daemons section
+allowing us to shut down the agent oslogin features.
+---
+ google_guest_agent/oslogin.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/google_guest_agent/oslogin.go b/google_guest_agent/oslogin.go
+index d05f733..d8a5151 100644
+--- a/google_guest_agent/oslogin.go
++++ b/google_guest_agent/oslogin.go
+@@ -76,7 +76,8 @@ func (o *osloginMgr) timeout() bool {
+ }
+
+ func (o *osloginMgr) disabled(os string) bool {
+-	return os == "windows"
++	return os == "windows" ||
++		!config.Section("Daemons").Key("oslogin_daemon").MustBool(true)
+ }
+
+ func (o *osloginMgr) set() error {
+-- 
+2.33.0
+
diff --git a/pkgs/tools/virtualization/google-compute-guest-agent/default.nix b/pkgs/tools/virtualization/google-compute-guest-agent/default.nix
@@ -0,0 +1,37 @@
+{ lib, fetchFromGitHub, buildGoModule, makeWrapper, google-compute-guest-configs }:
+
+let
+  version = "20211019.00";
+
+in buildGoModule {
+  inherit version;
+  pname = "guest-agent";
+
+  src = fetchFromGitHub {
+    owner = "GoogleCloudPlatform";
+    repo = "guest-agent";
+    rev = version;
+    sha256 = "sha256-DHpv6RIXV3Rn/8fuGUWS6nzsEqgyY5+zozsundX9ByM=";
+  };
+
+  patches = [ ./0001-oslogin-add-disable-toggle-in-conf-file.patch ];
+
+  vendorSha256 = "sha256-YcWKSiN715Z9lmNAQx+sHEgxWnhFhenCNXBS7gdMV4M=";
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  doCheck = false;
+
+  postFixup = ''
+    wrapProgram $out/bin/google_guest_agent \
+        --prefix PATH ":" "${lib.makeBinPath [ google-compute-guest-configs ]}"
+  '';
+
+  meta = with lib; {
+    description = "Guest Agent for Google Compute Engine";
+    homepage = "https://github.com/GoogleCloudPlatform/guest-agent";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ mrkkrp ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -5829,6 +5829,8 @@ with pkgs;
     with-gce = true;
   };
 
+  google-compute-guest-agent = callPackage ../tools/virtualization/google-compute-guest-agent { };
+
   google-fonts = callPackage ../data/fonts/google-fonts { };
 
   google-clasp = callPackage ../development/misc/google-clasp { };