Move GCE config to google-guest-agent

[abbradar]

Motivation for this change

google-compute-engine package is currently deprecated. Move us to a newer set of packages from Google.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

Tested in production -- works, including both OS Login and fetched keys.

[putchar]

Hello

I tested this pr the following way

i used https://github.com/nix-community/nixos-generators + flake to create my image locally

{
  inputs = {
    nixpkgs.url = "github:abbradar/nixpkgs/google-guest-agent";
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = { self, nixpkgs, nixos-generators, ... }: {
    packages.x86_64-linux = {
      gce = nixos-generators.nixosGenerate {
        pkgs = nixpkgs.legacyPackages.x86_64-linux;
        format = "gce";
      };
    };
  };
}

then nix build .#gce

i pushed the tar.gz on a bucket. then made a vm image from it

both login from gcp console works (with metadata, with ssh-key)
the agent does push my public keys properly

also it works with
gcloud beta compute ssh --zone "europe-west1-b" "instance-1" --tunnel-through-iap --project "myproject"

[flokli]

@abbradar how is this related to #144761?

[abbradar]

@flokli I didn't see this one -- my patchset was done before #144761, but was used in our production privately. Thanks for the heads up!

After a brief comparison, I see these differences:

1. I moved google-compute-engine-oslogin to google-guest-oslogin, but I don't see any reason to do this now -- it just seems plain wrong. I'll investigate;
2. nixos/google-compute-config: fix module #144761 disables OS Login in google-guest-agent. I didn't see any issues with it back when implementing my patchset, though it was more than half a year ago and I might have missed something. OS Login seems to work now but I'll re-check in case any error messages appear;
3. I use upstream systemd units and as little extra configuration as possible. OTOH nixos/google-compute-config: fix module #144761 might have some interesting configuration options that I missed. Need to compare.

Overall both PRs do the same thing, so I'm okay with closing this one and helping with #144761. First we need to investigate why does my PR work correctly with OS Login (or at least used to work). I also see some interesting comments re:ZFS there.

[picnoir]

Overall both PRs do the same thing, so I'm okay with closing this one and helping with #144761. First we need to investigate why does my PR work correctly with OS Login (or at least used to work). I also see some interesting comments re:ZFS there.

As I was saying in 166761, I currently do not have any bandwidth to move it forward. Let's rather push your PR forward.

WRT. oslogin: the guest agent is going to try to setup the PAM module, NSS config & ssh config (see https://github.com/GoogleCloudPlatform/guest-agent/blob/main/google_guest_agent/oslogin.go#L99). It'll fail on NixOS (these paths are read-only).

Your PR is working fine because you're setting these using the NixOS module system. However, I think we should try to prevent the agent from trying to setup these as we do in #144761. We should upstream the patch allowing us to disable this config.

---

Apart from this, I don't see any major blocker in this PR. Ping me when you fix this and I'll properly review this PR.

[abbradar]

After more investigation I merged two PRs while addressing concerns above. Mainly we still fully support both legacy login via metadata (if users.mutableUsers = true) and OS Login. I added another patch for guest-agent, allowing to disable some parts of accounts daemon that produced errors. With that we now have clean logs without any errors.

While testing I discovered that OS Login test started to fail on newer unstable and sometimes on development machines I tested it on. Turns out we don't always start nscd daemon, which is required for successful OS Login. I split the fix into a separate PR coming soon.

Keep in mind that nixos.patch here is temporary; I intend to submit both patches to upstream in the coming days, but you can already start reviewing this new patchset.

[abbradar]

Opened GoogleCloudPlatform/guest-agent#152.

[abbradar]

I have replaced nixos.patch with links to patches submitted upstream, so no pending tasks remain for this PR before another round of reviews.

[abbradar]

Sadly upstream decided against including our changes. Given that, I propose to simplify the patch and just disable problematic features while changing minimal number of lines. This way the patch will be easier to maintain out-of-tree. @NinjaTrappeur what do you think?

[abbradar]

Minimized and moved our changes back to nixos.patch. Ready for review.

[andre-vspry]

I'd like to see this merged. It would make upgrading to 21.11 much easier for GCP infra. Does it need more testing?

[flokli]

Some small styling nits to make this a bit more robust in case of upgrades.

Other than that, LGTM. I ran the tests and they still succeed.

[flokli]

Nice, thanks! Should we add some release notes for this - is there things in how this behaves differently from the previous release?

[flokli]

Hold on… the VM tests seem to fail now:

^[[2mserver # [    7.345607] python[856]: 169.254.169.254 - - [05/Feb/2022 20:18:47] "GET /computeMetadata/v1/oslogin/users?username=mockuser_nixos_org HTTP/1.1" 200 -^[[0m
^[[2mserver # [    7.346350] python[856]: b'{"loginProfiles": [{"name": "418156207295006328628", "posixAccounts": [{"primary": true, "username": "mockuser_nixos_org", "uid": "1009719690", "gid": "1009719690", "homeDirectory": "/home/mockuser_nixos_org", "operatingSystemType": "LINUX"}], "sshPublicKeys": {"fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48": {"key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil", "expirationTimeUsec": "1644092927255555.2", "fingerprint": "fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48"}}}]}'^[[0m
^[[2mserver # [    7.349218] python[856]: 169.254.169.254 - - [05/Feb/2022 20:18:47] "GET /computeMetadata/v1/oslogin/users?username=mockuser_nixos_org HTTP/1.1" 200 -^[[0m
^[[2mserver # [    7.350087] python[856]: b'{"loginProfiles": [{"name": "418156207295006328628", "posixAccounts": [{"primary": true, "username": "mockuser_nixos_org", "uid": "1009719690", "gid": "1009719690", "homeDirectory": "/home/mockuser_nixos_org", "operatingSystemType": "LINUX"}], "sshPublicKeys": {"fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48": {"key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil", "expirationTimeUsec": "1644092927256354.2", "fingerprint": "fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48"}}}]}'^[[0m
^[[2mserver # [    7.352931] python[856]: 169.254.169.254 - - [05/Feb/2022 20:18:47] "GET /computeMetadata/v1/oslogin/users?username=mockuser_nixos_org HTTP/1.1" 200 -^[[0m
^[[2mserver # [    7.353733] python[856]: b'{"loginProfiles": [{"name": "418156207295006328628", "posixAccounts": [{"primary": true, "username": "mockuser_nixos_org", "uid": "1009719690", "gid": "1009719690", "homeDirectory": "/home/mockuser_nixos_org", "operatingSystemType": "LINUX"}], "sshPublicKeys": {"fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48": {"key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil", "expirationTimeUsec": "1644092927299759.2", "fingerprint": "fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48"}}}]}'^[[0m
^[[2mserver # [    7.357394] python[856]: 169.254.169.254 - - [05/Feb/2022 20:18:47] "GET /computeMetadata/v1/oslogin/users?username=mockuser_nixos_org HTTP/1.1" 200 -^[[0m
client: output: 
cleanup
kill machine (pid 9)
^[[2mserver # [    7.358662] python[856]: b'{"loginProfiles": [{"name": "418156207295006328628", "posixAccounts": [{"primary": true, "username": "mockuser_nixos_org", "uid": "1009719690", "gid": "1009719690", "homeDirectory": "/home/mockuser_nixos_org", "operatingSystemType": "LINUX"}], "sshPublicKeys": {"fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48": {"key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil", "expirationTimeUsec": "1644092927307183.2", "fingerprint": "fa80819b5035333b770ae3a7cf7f76ada71c2739e87419509064dc4106b91d48"}}}]}'^[[0m
^[[2mserver # [    7.361550] python[856]: Unhandled path: /computeMetadata/v1/oslogin/groups?email=418156207295006328628^[[0m
^[[2mserver # [    7.362276] python[856]: 169.254.169.254 - - [05/Feb/2022 20:18:47] "GET /computeMetadata/v1/oslogin/groups?email=418156207295006328628 HTTP/1.1" 404 -^[[0m
^[[2mserver # [    7.363560] sshd[895]: Received disconnect from 192.168.1.1 port 58964:11: disconnected by user^[[0m
^[[2mclient # qemu-system-x86_64: terminating on signal 15 from pid 6 (/nix/store/dn4fwp0yx6nsa85cr20cwvdmg64xwmcy-python3-3.9.9/bin/python3.9)^[[0m
^[[2mserver # [    7.366536] sshd[895]: Disconnected from user mockuser_nixos_org 192.168.1.1 port 58964^[[0m
kill machine (pid 22)
^[[2mserver # qemu-system-x86_64: terminating on signal 15 from pid 6 (/nix/store/dn4fwp0yx6nsa85cr20cwvdmg64xwmcy-python3-3.9.9/bin/python3.9)^[[0m
(finished: cleanup, in 0.02 seconds)
Traceback (most recent call last):
  File "/nix/store/97nb219kaxqwj94cj596zcyzyw8d4ix7-nixos-test-driver-1.1/bin/.nixos-test-driver-wrapped", line 9, in <module>
    sys.exit(main())
  File "/nix/store/97nb219kaxqwj94cj596zcyzyw8d4ix7-nixos-test-driver-1.1/lib/python3.9/site-packages/test_driver/__init__.py", line 86, in main
    driver.run_tests()
  File "/nix/store/97nb219kaxqwj94cj596zcyzyw8d4ix7-nixos-test-driver-1.1/lib/python3.9/site-packages/test_driver/driver.py", line 121, in run_tests
    self.test_script()
  File "/nix/store/97nb219kaxqwj94cj596zcyzyw8d4ix7-nixos-test-driver-1.1/lib/python3.9/site-packages/test_driver/driver.py", line 117, in test_script
    exec(self.tests, symbols, None)
  File "<string>", line 31, in <module>
  File "/nix/store/97nb219kaxqwj94cj596zcyzyw8d4ix7-nixos-test-driver-1.1/lib/python3.9/site-packages/test_driver/machine.py", line 559, in succeed
    raise Exception(
Exception: command `ssh mockuser_nixos_org@server 'true'` failed (exit code 254)
kill vlan (pid 8)
kill vlan (pid 7)

Full log

[abbradar]

Ugh. I'll check this, thanks for noticing.

re release notes: I'm honestly not sure if OS Login and old login path (via adding mutable users) worked well before. If they didn't, we effectively fixed a bug. Other than that -- should have no visible changes.

[abbradar]

It works for me when I rebase atop unstable. I think it was caused by #157112.

[flokli]

RIght, with the rebase, the test succeeds again. Thanks!

[andre-vspry]

Is this suitable for backporting to 21.11 also?

[flokli]

This is a bit too scary to backport IMHO. People who want this before the next release can just stick to unstable for the time being.

[jonringer]

Agreed. If these changes expect a user to react, then it should be postponed. Stable should allow for users to determine "when" to eat the upgrade cost going between release branches, rather than some update.

[andre-vspry]

Wouldn't it only impact people running 21.11 on GCP? I'm stuck on 21.05 for GCP because the agent doesn't start and therefore doesn't get project provided ssh keys. If I build a custom image with keys then I can log in but the metadata service is borked. Unless I've made some error in deploying an image, I would say not many, if any, are running 21.11 on GCP with a working agent.

[picnoir]

Hmm, strange. The #148467 revert (backported to 21.11 via #148936) should have fixed the agent startup failure. It looks like we have another problem here. That's unrelated to this PR though. Could you open a new issue w/ the full error logs?

[andre-vspry]

I didn't realise that the google cloud console "Equivalent command line" button omits the --metadata switch. This lead to the instance not getting ssh keys from oslogin. Since the console log was all I could see and it showed the fetch ssh keys failing, I assumed this was the issue.

My mistake. I've opened an issue for the misleading service failure. #159921