2 changes: 1 addition & 1 deletion build_library/oem_sysexts.sh
Expand Up @@ -75,7 +75,7 @@ get_oem_sysext_matrix() {
local -a matrix=()
local oem_id
for oem_id in "${oem_ids[@]}"; do
matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|${oem_id}")
matrix+=("oem-${oem_id}|coreos-base/oem-${oem_id}|flatcar-oem")
done

local -n matrix_ref="${list_var_name}"
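Review bot: The third matrix field is now the constant `flatcar-oem` for every OEM, so the per-OEM USE flag (`${oem_id}`) is no longer handed to the sysext build; any coreos-base/oem-* ebuild that still declares or tests its own `${oem_id}` flag would build without it and nothing here would notice, which is worth checking across those ebuilds before merge. A one-line comment above the loop would spare the next reader a trip to the ebuilds: `# field 3 is the USE flag enabled for the sysext build; all OEM packages now share flatcar-oem`. get_oem_sysext_matrix begins before this hunk.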
7 changes: 6 additions & 1 deletion build_packages
Expand Up @@ -307,13 +307,17 @@ build_sysext_packages() {
IFS=,
for package in $package_atoms; do
# --buildpkgonly does not install dependencies, so we install them
# separately before building the binary package
# separately before building the binary package. --ignore-world is needed
# to allow packages to be installed to both /usr and sysexts with
# conflicting USE flags. This will "break" the board root, but it's not
# used for execution, and affected packages will be rebuilt as needed.
sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
env USE="$useflags" FEATURES="-ebuild-locks binpkg-multi-instance" "${EMERGE_CMD[@]}" \
"${EMERGE_FLAGS[@]}" \
--quiet \
--onlydeps \
--binpkg-respect-use=y \
--ignore-world=y \
"${package}"

sudo --preserve-env=MODULES_SIGN_KEY,MODULES_SIGN_CERT \
Expand All @@ -322,6 +326,7 @@ build_sysext_packages() {
--quiet \
--buildpkgonly \
--binpkg-respect-use=y \
--ignore-world=y \
"${package}"
done
unset IFS
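Review bot: `--ignore-world=y` on the `--onlydeps` run lets each sysext's dependency set replace packages already in the board root with a different USE configuration, and the new comment only says affected packages "will be rebuilt as needed" without naming what triggers that rebuild. If the board root is also the sysroot later packages build against (not visible here), the headers and libraries they see depend on which sysext was built last, so the comment should state which later step restores the board root (`# the main-image emerge re-installs them with the image USE set` or similar) or that step should be added if nothing does. Both emerge invocations also run as root via `sudo`, so a dependency pulled in with unexpected flags runs its pkg_* phases as root; `--quiet` hides the USE changes that would show what was swapped, so consider dropping `--quiet` from the `--onlydeps` call so the build log records them. build_sysext_packages starts before this hunk and continues after it.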
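--- /dev/null
+++ b/changelog/bugfixes/2025-12-29-gce-udev.md
@@ -0,0 +1 @@
+- Updated the GCE udev disk rules to include NVMe disks.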
7 changes: 3 additions & 4 deletions sdk_container/src/third_party/coreos-overlay/README.md
Expand Up @@ -23,13 +23,12 @@ gets built into a developer image and is not OEM specific.
gets built into the Container Linux SDK.

`coreos-devel/board-packages` is everything that could be built into a
development or production image, plus any OEM specific packages.
development or production image.

`coreos-base/oem-*` are the OEM specific packages. They mostly install things
that belong in the OEM partition. Any RDEPENDS from these packages should
be copied to the RDEPENDS in `board-packages` to ensure they are built.
that belong in the OEM partition.

`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.
`coreos-base/coreos-oem-*` are metapackages for OEM specific ACIs.

# Updating

@@ -0,0 +1 @@
DIST google-guest-configs-20260116.00.tar.gz 50190 BLAKE2B a9d546c87245114bd650c1b5116a9619b927e9afb0702adb0d3b41efeab680da65055f37490fe88d4923ceb7a5f596a3f59848f74cb9f8ce074d3f2568f40757 SHA512 995b350700feba28cdd6250c2ca0788539f1e58f3bae9d23081671fff82c7ff139ec9a0f56411e9ead6bfca62ced2c4bb729f516352982441c6a769162d9f4f2
@@ -0,0 +1,50 @@
diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
index b40085b..d89d87d 100644
--- a/src/etc/sysctl.d/60-gce-network-security.conf
+++ b/src/etc/sysctl.d/60-gce-network-security.conf
@@ -14,45 +14,6 @@
#
# Google-recommended kernel parameters

-# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
-# of TCP functionality/features under normal conditions. When flood
-# protections kick in under high unanswered-SYN load, the system
-# should remain more stable, with a trade off of some loss of TCP
-# functionality/features (e.g. TCP Window scaling).
-net.ipv4.tcp_syncookies=1
-
-# Ignore source-routed packets
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0
-
-# Ignore ICMP redirects from non-GW hosts
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.secure_redirects=1
-net.ipv4.conf.default.secure_redirects=1
-
-# Don't pass traffic between networks or act as a router
-net.ipv4.ip_forward=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks.
-net.ipv4.conf.all.rp_filter=1
-net.ipv4.conf.default.rp_filter=1
-
-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
-net.ipv4.icmp_echo_ignore_broadcasts=1
-
-# Ignore bad ICMP errors
-net.ipv4.icmp_ignore_bogus_error_responses=1
-
# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
-
-# Addresses of mmap base, heap, stack and VDSO page are randomized
-kernel.randomize_va_space=2
-
-# Reboot the machine soon after a kernel panic.
-kernel.panic=10
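Review bot: This patch file carries no header explaining why every hardening key except log_martians is dropped from 60-gce-network-security.conf, unlike the dracut patch in the same PR, which has a git-style description. The file lands in /usr/lib/sysctl.d inside the sysext, and nothing here shows whether Flatcar's base image already sets tcp_syncookies, rp_filter, accept_redirects, accept_source_route or randomize_va_space, so a reader cannot tell a deliberate de-duplication from a lost hardening; ip_forward=0 and kernel.panic=10 look like genuine conflicts (container networking, reboot policy) but that is inferred. Please add a short description at the top of the patch stating, per dropped key, whether it is already provided by the base image or intentionally not applied on Flatcar, e.g. `Drop keys Flatcar's base image already sets (...) and GCE policy we deliberately do not apply (net.ipv4.ip_forward=0 breaks container networking; kernel.panic=10); keep only log_martians.`, with the first list adjusted to what the base image actually provides.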
@@ -0,0 +1,25 @@
From a848f8f181e2a7080a7ee06fb87ffbfe05e66a24 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <[email protected]>
Date: Tue, 20 Jan 2026 15:55:29 +0000
Subject: [PATCH] dracut: Install dd and ln as these are used by google_nvme_id

I found that the disk name symlink was missing on Flatcar due to the
lack of dd. I thought about using pure Bash, but it can't handle the
null bytes. I also thought about using tail, but this is just as likely
to be missing.

I've also added ln for good measure.
--- a/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
+++ b/src/lib/dracut/modules.d/30gcp-udev-rules/module-setup.sh
@@ -4,7 +4,7 @@

# called by dracut
install() {
- inst_multiple nvme grep sed
+ inst_multiple nvme dd ln grep sed
inst_simple /usr/lib/udev/google_nvme_id
inst_simple /usr/lib/udev/rules.d/65-gce-disk-naming.rules
}
--
2.51.2
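Review bot: The subject line says both dd and ln are used by google_nvme_id, but the body says ln was added "for good measure", so the patch does not make clear whether ln is actually needed; since this module goes into the initrd shared by all image types (per the ebuild's warning), each added binary deserves a concrete justification. Either confirm google_nvme_id calls ln and say so in the body, or reword the subject to `dracut: Install dd (used by google_nvme_id) and ln`. If the overlay's convention is to record whether a patch was submitted upstream, an `Upstream-Status:` line in the header would help the next bump.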

@@ -0,0 +1,66 @@
# Copyright 2026 The Flatcar Container Linux Maintainers
# Distributed under the terms of the Apache License 2.0

# IMPORTANT! When bumping, ensure that the Dracut modules do not install files
# that would make runtime changes to systems to other than GCE VMs because the
# initrd is shared between image types. The udev disk rules are currently safe.

EAPI=8

inherit udev

DESCRIPTION="Configuration and scripts to support the Google Compute Engine guest environment"
HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
S="${WORKDIR}/guest-configs-${PV}"

LICENSE="Apache-2.0 BSD ZLIB"
SLOT="0"
KEYWORDS="amd64"
IUSE="flatcar-oem"

RDEPEND="
!<app-emulation/google-compute-engine-20190124-r3
sys-apps/nvme-cli
flatcar-oem? (
net-misc/curl
sys-apps/ethtool
sys-apps/iproute2
)
"

PATCHES=(
"${FILESDIR}"/${PN}-20211116.00-sysctl.patch
"${FILESDIR}"/${PN}-dracut-deps.patch
)

src_install() {
exeinto "$(get_udevdir)"
doexe src/lib/udev/google_nvme_id

udev_dorules src/lib/udev/rules.d/65-gce-disk-naming.rules

insinto /usr/lib/dracut/modules.d
doins -r src/lib/dracut/modules.d/*

# We want the above files available before the OEM sysext is mounted.
# Anything below here only goes into the sysext.
use flatcar-oem || return

udev_dorules src/lib/udev/rules.d/75-gce-network.rules

insinto /usr/lib/sysctl.d
doins src/etc/sysctl.d/60-gce-network-security.conf

dobin src/usr/bin/google_set_multiqueue
dobin src/usr/bin/google_optimize_local_ssd
dobin src/usr/bin/gce-nic-naming
}

pkg_postinst() {
udev_reload
}

pkg_postrm() {
udev_reload
}
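Review bot: `doins -r src/lib/dracut/modules.d/*` installs every dracut module the upstream tarball ships, while the IMPORTANT comment at the top relies on a human re-checking that on each bump; narrowing it to the module this package needs enforces the comment mechanically and keeps a new upstream module from landing in the shared initrd unnoticed: `doins -r src/lib/dracut/modules.d/30gcp-udev-rules`. Relatedly, google_nvme_id and 65-gce-disk-naming.rules are installed outside the flatcar-oem gate, so they run as root from udev on every image, not just GCE; the comment says the disk rules are safe, and stating why (presumably they match on a Google vendor/model attribute — confirm against the rules file, which is not in this PR) would make that claim checkable. Minor: `HOMEPAGE` uses plain http while `SRC_URI` uses https; use `HOMEPAGE="https://github.com/GoogleCloudPlatform/guest-configs"`.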
@@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<upstream>
<remote-id type="github">GoogleCloudPlatform/guest-configs</remote-id>
</upstream>
</pkgmetadata>
Expand Up @@ -28,3 +28,10 @@ RDEPEND="
sys-apps/iproute2
sys-apps/shadow
"

src_install() {
distutils-r1_src_install

# Newer versions are installed by app-admin/google-guest-configs.
rm -v "${ED}"/usr/bin/google_{optimize_local_ssd,set_multiqueue} || die
}
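Review bot: `src_install` deletes google_optimize_local_ssd and google_set_multiqueue and the comment says app-admin/google-guest-configs now provides them, but the tail of RDEPEND visible here (its start is outside the hunk) does not declare that package, so if any unit or script in this package invokes those names it only works when guest-configs happens to be co-installed (oem-gce pulls both, but this package alone does not). If something here does call them, add `app-admin/google-guest-configs[flatcar-oem]` to RDEPEND; if nothing does, say so in the comment: `# Not used by anything in this package; newer versions are installed by app-admin/google-guest-configs.`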
Expand Up @@ -212,6 +212,7 @@ RDEPEND="${RDEPEND}
# OEM specific bits that need to go in USR
RDEPEND+="
amd64? (
app-admin/google-guest-configs[-flatcar-oem]
sys-auth/google-oslogin
)
"
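Review bot: Adding `app-admin/google-guest-configs[-flatcar-oem]` under the "OEM specific bits that need to go in USR" block puts google_nvme_id and the GCE disk udev rules into /usr of every amd64 image, not just GCE ones, so the rules run as root from udev on all hardware; a one-line comment here would record the safety argument, e.g. `# only the udev disk rules and dracut module; the rest is in the oem-gce sysext`, with the rules' vendor gating confirmed against 65-gce-disk-naming.rules, which is not in this PR. The enclosing RDEPEND assignment starts before this hunk.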

This file was deleted.

@@ -0,0 +1,35 @@
# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
# Distributed under the terms of the GNU General Public License v2
# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
# Distributed under the terms of the GNU General Public License v2

EAPI=8

inherit systemd

DESCRIPTION="OEM suite for Google Compute Engine images"
HOMEPAGE="https://cloud.google.com/products/compute-engine/"
S="${WORKDIR}"

LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="amd64"

RDEPEND="
app-admin/google-guest-configs[flatcar-oem]
app-emulation/google-compute-engine
"

OEM_NAME="Google Compute Engine"

src_install() {
systemd_dounit "${FILESDIR}"/units/{oem-gce,oem-gce-enable-oslogin,setup-oem}.service
systemd_install_dropin multi-user.target "${FILESDIR}"/units/10-oem-gce.conf
systemd_enable_service multi-user.target ntpd.service

dobin "${FILESDIR}"/bin/{enable-oslogin,init.sh}

# These files will be symlinked to /etc via 'setup-oem.service'
insinto /usr/share/gce
doins "${FILESDIR}"/files/{google-cloud-sdk.sh,hosts}
}
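Review bot: `RDEPEND` requires `app-admin/google-guest-configs[flatcar-oem]` while the base image requires the same package with `[-flatcar-oem]`, which is exactly the conflicting-USE situation build_packages now tolerates with `--ignore-world`; a comment on the dependency would keep the next maintainer from "fixing" one side to match the other: `# Built with USE=flatcar-oem for the sysext; the /usr copy pulled in by coreos-base/coreos is built with -flatcar-oem.` Minor: the file header says GPL-2 while `LICENSE="Apache-2.0"`, which is fine if the former covers the ebuild and the latter the installed files, but a word to that effect would avoid the question. The units, `enable-oslogin`, `init.sh` and the `hosts` file come from FILESDIR and are not in this PR, so their behaviour is not reviewed here.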
Expand Up @@ -2,47 +2,19 @@
# Distributed under the terms of the GNU General Public License v2
# $Header: $

EAPI=7
EAPI=8

DESCRIPTION="Meta ebuild for building all binary packages."
HOMEPAGE="http://coreos.com/docs/sdk/"
SRC_URI=""
DESCRIPTION="Meta ebuild for building all binary packages"
HOMEPAGE="https://www.flatcar.org/"

LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 arm64"
IUSE=""

# Depend on everything OEMs need, but not the OEMs themselves.
# This makes the built packages available for image_vm_util.sh but
# avoids copying the oem specific files (e.g. grub configs) before
# the oem partition is set up.
DEPEND=""
RDEPEND="
amd64? (
app-emulation/google-compute-engine
app-emulation/open-vm-tools
coreos-base/nova-agent-container
coreos-base/nova-agent-watcher
)
coreos-base/coreos
coreos-base/coreos-dev
sys-boot/grub
sys-boot/shim
sys-boot/shim-signed
app-containers/containerd
app-containers/docker
app-containers/docker-buildx
app-containers/docker-cli
app-containers/incus
app-emulation/amazon-ssm-agent
app-emulation/hv-daemons
app-emulation/wa-linux-agent
coreos-base/coreos
coreos-base/coreos-dev
coreos-base/flatcar-eks
net-misc/chrony
sys-fs/zfs
app-containers/podman
net-misc/passt
dev-lang/python
dev-python/pip
"
"
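Review bot: The old comment explaining why OEM packages are deliberately absent from board-packages ("Depend on everything OEMs need, but not the OEMs themselves ...") appears to be dropped together with the amd64 block, and nothing replaces it, so the new RDEPEND list no longer says what belongs here versus what is built as an OEM sysext by build_sysext_packages. Suggest a replacement comment above `RDEPEND=`: `# Everything that can go into a production or developer image. OEM-specific packages are built separately as sysexts (see build_sysext_packages), not listed here.` From the visible lines it is not certain which side open-vm-tools and the nova-agent packages end up on; if they were intentionally removed, the commit message should say where they are built now.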
Expand Up @@ -173,6 +173,16 @@ After=ensure-sysext.service
EOF
)

(
insinto "$(systemd_get_systemunitdir)/systemd-sysctl.service.d"
newins - flatcar.conf <<'EOF'
# sysctl runs early from the initrd, so wait for sysexts with additional
# configuration to be mounted before running it again.
[Unit]
After=ensure-sysext.service
EOF
)

(
# Allow @mount syscalls for systemd-udevd.service
insinto "$(systemd_get_systemunitdir)/systemd-udevd.service.d"
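Review bot: The drop-in only orders `systemd-sysctl.service` after `ensure-sysext.service`; `After=` alone neither pulls ensure-sysext in nor re-runs sysctl, so the "running it again" in the comment depends on something else (presumably the bootengine bump in this PR — confirm) and the comment should name it. Because systemd-sysctl.service is part of sysinit.target, ordering it after a unit that itself runs later in boot risks an ordering cycle that systemd resolves by dropping a job; please check `systemd-analyze verify` and the boot log for a cycle involving ensure-sysext.service. Until ensure-sysext.service has run, keys from sysext-provided sysctl.d files are not in effect, so anything security-relevant placed there (the GCE log_martians config in this PR) is absent during early boot; acceptable for logging, but worth a sentence in the drop-in: `# Keys from sysext sysctl.d files are therefore not in effect before ensure-sysext.service.` The enclosing src_install starts before this hunk and continues after it.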
@@ -0,0 +1 @@
flatcar-oem - Configure for use in a Flatcar OEM sysext
@@ -1 +1 @@
DIST bootengine-7d9895ce55617b18a78294975197975ac17b5bc3.tar.gz 36752 BLAKE2B 88c0478fd368203f3184f3e98ef8b277b725b6a7da6f39198c8366e71cb587705eb3859ccd92f701b4f7da4ed9571d645ddebc32293671477fed524fe31429e7 SHA512 6f8551e9b9fac5cedd8ee9fcb6d958092032b636f64c9d15f954a64c76ad9cbd8648bbb480bc92a6e98f7503d26f49e6c47989537cb1bdfb35d21eb2859e7923
DIST bootengine-8854e0fd9fb77bf10eb8484a989d1b76a635264c.tar.gz 36865 BLAKE2B 71d9173321eae6856fc33f01f761864f2827e445d1671d9cd8cb8563fd76c06c3361df898b902448efe0bc1661ba42fc9167d71b164ba92daddac0fa2203d130 SHA512 3fd9575e22d5808caa099425beb0911d429ff4cec6b9d86a1371cf6f437306c693cae7d6e39e4814f5d15207d9ec82c95aa037a1ad0c5bb05c675ba13137b81b
Expand Up @@ -10,7 +10,7 @@ if [[ ${PV} == 9999 ]]; then
EGIT_REPO_URI="https://github.com/flatcar/bootengine.git"
inherit git-r3
else
EGIT_VERSION="7d9895ce55617b18a78294975197975ac17b5bc3" # flatcar-master
EGIT_VERSION="8854e0fd9fb77bf10eb8484a989d1b76a635264c" # chewi/sysctl-rerun
SRC_URI="https://github.com/flatcar/bootengine/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
S="${WORKDIR}/${PN}-${EGIT_VERSION}"
KEYWORDS="amd64 arm arm64 x86"
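Review bot: `EGIT_VERSION` now pins a commit labelled `chewi/sysctl-rerun`, a personal branch, instead of `flatcar-master`; pinning by full SHA keeps the fetch reproducible and the Manifest still verifies the tarball, but a commit on a personal branch can be rebased or deleted, after which the history behind the pinned SHA is gone. Merge the bootengine change first and update the comment to `# flatcar-master` with the merged SHA, or state in the PR that this is intentionally a pre-merge pin to be replaced before merge. The `if`/`else` around this hunk starts before it.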