Merge pull request #150837 from abbradar/google-guest-agent

Move GCE config to google-guest-agent
This commit is contained in:
Florian Klink 2022-02-06 11:27:27 +01:00 committed by GitHub
commit def482e28d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 332 additions and 169 deletions

View File

@ -5,7 +5,7 @@ with lib;
let
cfg = config.security.googleOsLogin;
package = pkgs.google-compute-engine-oslogin;
package = pkgs.google-guest-oslogin;
in
@ -17,7 +17,7 @@ in
type = types.bool;
default = false;
description = ''
Whether to enable Google OS Login
Whether to enable Google OS Login.
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
@ -36,7 +36,7 @@ in
security.pam.services.sshd = {
makeHomeDir = true;
googleOsLoginAccountVerification = true;
# disabled for now: googleOsLoginAuthentication = true;
googleOsLoginAuthentication = true;
};
security.sudo.extraConfig = ''
@ -47,6 +47,9 @@ in
"d /var/google-users.d 750 root root -"
];
systemd.packages = [ package ];
systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ];
# enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];

View File

@ -444,15 +444,15 @@ let
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
'' +
optionalString cfg.googleOsLoginAccountVerification ''
account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
''
# Authentication management.
'' +
optionalString cfg.googleOsLoginAuthentication ''
auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
'' +
optionalString cfg.rootOK ''
auth sufficient pam_rootok.so
@ -1091,11 +1091,11 @@ in
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
'' +
optionalString (config.security.pam.enableSSHAgentAuth
&& isEnabled (cfg: cfg.sshAgentAuth)) ''

View File

@ -1,36 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
WGET() {
wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@"
}
# When dealing with cryptographic keys, we want to keep things private.
umask 077
mkdir -p /root/.ssh
echo "Fetching authorized keys..."
WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
# Read keys one by one, split in case Google decided
# to append metadata (it does sometimes) and add to
# authorized_keys if not already present.
touch /root/.ssh/authorized_keys
while IFS='' read -r line || [[ -n "$line" ]]; do
keyLine=$(echo -n "$line" | cut -d ':' -f2)
IFS=' ' read -r -a array <<<"$keyLine"
if [[ ${#array[@]} -ge 3 ]]; then
echo "${array[@]:0:3}" >>/tmp/new_keys
echo "Added ${array[*]:2} to authorized_keys"
fi
done </tmp/auth_keys
mv /tmp/new_keys /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
echo "Fetching host keys..."
WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 644 /etc/ssh/ssh_host_ed25519_key.pub

View File

@ -1,8 +1,5 @@
{ config, lib, pkgs, ... }:
with lib;
let
gce = pkgs.google-compute-engine;
in
{
imports = [
../profiles/headless.nix
@ -40,7 +37,8 @@ in
security.googleOsLogin.enable = true;
# Use GCE udev rules for dynamic disk volumes
services.udev.packages = [ gce ];
services.udev.packages = [ pkgs.google-guest-configs ];
services.udev.path = [ pkgs.google-guest-configs ];
# Force getting the hostname from Google Compute.
networking.hostName = mkDefault "";
@ -48,12 +46,6 @@ in
# Always include cryptsetup so that NixOps can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
# Make sure GCE image does not replace host key that NixOps sets
environment.etc."default/instance_configs.cfg".text = lib.mkDefault ''
[InstanceSetup]
set_host_keys = false
'';
# Rely on GCP's firewall instead
networking.firewall.enable = mkDefault false;
@ -69,105 +61,42 @@ in
# GC has 1460 MTU
networking.interfaces.eth0.mtu = 1460;
# Used by NixOps
systemd.services.fetch-instance-ssh-keys = {
description = "Fetch host keys and authorized_keys for root user";
wantedBy = [ "sshd.service" ];
before = [ "sshd.service" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.wget ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } ''
cp ${./fetch-instance-ssh-keys.bash} $out
chmod +x $out
${pkgs.shfmt}/bin/shfmt -i 4 -d $out
${pkgs.shellcheck}/bin/shellcheck $out
patchShebangs $out
'';
PrivateTmp = true;
StandardError = "journal+console";
StandardOutput = "journal+console";
};
};
systemd.services.google-instance-setup = {
description = "Google Compute Engine Instance Setup";
after = [ "network-online.target" "network.target" "rsyslog.service" ];
before = [ "sshd.service" ];
path = with pkgs; [ coreutils ethtool openssh ];
serviceConfig = {
ExecStart = "${gce}/bin/google_instance_setup";
StandardOutput="journal+console";
Type = "oneshot";
};
wantedBy = [ "sshd.service" "multi-user.target" ];
};
systemd.services.google-network-daemon = {
description = "Google Compute Engine Network Daemon";
after = [ "network-online.target" "network.target" "google-instance-setup.service" ];
path = with pkgs; [ iproute2 ];
serviceConfig = {
ExecStart = "${gce}/bin/google_network_daemon";
StandardOutput="journal+console";
Type="simple";
};
systemd.packages = [ pkgs.google-guest-agent ];
systemd.services.google-guest-agent = {
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."default/instance_configs.cfg".source ];
path = lib.optional config.users.mutableUsers pkgs.shadow;
};
systemd.services.google-startup-scripts.wantedBy = [ "multi-user.target" ];
systemd.services.google-shutdown-scripts.wantedBy = [ "multi-user.target" ];
systemd.services.google-clock-skew-daemon = {
description = "Google Compute Engine Clock Skew Daemon";
after = [ "network.target" "google-instance-setup.service" "google-network-daemon.service" ];
serviceConfig = {
ExecStart = "${gce}/bin/google_clock_skew_daemon";
StandardOutput="journal+console";
Type = "simple";
};
wantedBy = ["multi-user.target"];
};
security.sudo.extraRules = mkIf config.users.mutableUsers [
{ groups = [ "google-sudoers" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
];
users.groups.google-sudoers = mkIf config.users.mutableUsers { };
systemd.services.google-shutdown-scripts = {
description = "Google Compute Engine Shutdown Scripts";
after = [
"network-online.target"
"network.target"
"rsyslog.service"
"google-instance-setup.service"
"google-network-daemon.service"
];
serviceConfig = {
ExecStart = "${pkgs.coreutils}/bin/true";
ExecStop = "${gce}/bin/google_metadata_script_runner --script-type shutdown";
RemainAfterExit = true;
StandardOutput="journal+console";
TimeoutStopSec = "0";
Type = "oneshot";
};
wantedBy = [ "multi-user.target" ];
};
boot.extraModprobeConfig = lib.readFile "${pkgs.google-guest-configs}/etc/modprobe.d/gce-blacklist.conf";
systemd.services.google-startup-scripts = {
description = "Google Compute Engine Startup Scripts";
after = [
"network-online.target"
"network.target"
"rsyslog.service"
"google-instance-setup.service"
"google-network-daemon.service"
];
serviceConfig = {
ExecStart = "${gce}/bin/google_metadata_script_runner --script-type startup";
KillMode = "process";
StandardOutput = "journal+console";
Type = "oneshot";
};
wantedBy = [ "multi-user.target" ];
};
environment.etc."sysctl.d/60-gce-network-security.conf".source = "${pkgs.google-guest-configs}/etc/sysctl.d/60-gce-network-security.conf";
environment.etc."sysctl.d/11-gce-network-security.conf".source = "${gce}/sysctl.d/11-gce-network-security.conf";
environment.etc."default/instance_configs.cfg".text = ''
[Accounts]
useradd_cmd = useradd -m -s /run/current-system/sw/bin/bash -p * {user}
[Daemons]
accounts_daemon = ${boolToString config.users.mutableUsers}
[InstanceSetup]
# Make sure GCE image does not replace host key that NixOps sets.
set_host_keys = false
[MetadataScripts]
default_shell = ${pkgs.stdenv.shell}
[NetworkInterfaces]
dhclient_script = ${pkgs.google-guest-configs}/bin/google-dhclient-script
# We set up network interfaces declaratively.
setup = false
'';
}

View File

@ -31,10 +31,10 @@ in {
# mockserver should return a non-expired ssh key for both mockuser and mockadmin
server.succeed(
f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
)
server.succeed(
f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
)
# install snakeoil ssh key on the client, and provision .ssh/config file

View File

@ -23,7 +23,5 @@ in {
security.googleOsLogin.enable = true;
# Mock google service
networking.extraHosts = ''
127.0.0.1 metadata.google.internal
'';
networking.interfaces.lo.ipv4.addresses = [ { address = "169.254.169.254"; prefixLength = 32; } ];
}

0
nixos/tests/google-oslogin/server.py Normal file → Executable file
View File

View File

@ -10,6 +10,6 @@ pkgs:
snakeOilPublicKey = pkgs.lib.concatStrings [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
"yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
"9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
"9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil"
];
}

View File

@ -0,0 +1,53 @@
{ buildGoModule, fetchFromGitHub, fetchpatch, lib, coreutils, makeWrapper
, google-guest-configs, google-guest-oslogin, iproute2, dhcp, procps
}:
buildGoModule rec {
pname = "guest-agent";
version = "20220104.00";
src = fetchFromGitHub {
owner = "GoogleCloudPlatform";
repo = pname;
rev = version;
sha256 = "sha256-BC2qpnGJU/D0z8jlmAEwvmFwBk1n0ZvqPBB6Zon9N/U=";
};
vendorSha256 = "sha256-YcWKSiN715Z9lmNAQx+sHEgxWnhFhenCNXBS7gdMV4M=";
patches = [ ./disable-etc-mutation.patch ];
nativeBuildInputs = [ makeWrapper ];
postPatch = ''
substitute ${./fix-paths.patch} fix-paths.patch \
--subst-var out \
--subst-var-by true "${coreutils}/bin/true"
patch -p1 < ./fix-paths.patch
'';
# We don't add `shadow` here; it's added to PATH if `mutableUsers` is enabled.
binPath = lib.makeBinPath [ google-guest-configs google-guest-oslogin iproute2 dhcp procps ];
# Skip tests which require networking.
preCheck = ''
rm google_guest_agent/wsfc_test.go
'';
postInstall = ''
mkdir -p $out/etc/systemd/system
cp *.service $out/etc/systemd/system
install -Dm644 instance_configs.cfg $out/etc/default/instance_configs.cfg
wrapProgram $out/bin/google_guest_agent \
--prefix PATH ":" "$binPath"
'';
meta = with lib; {
homepage = "https://github.com/GoogleCloudPlatform/guest-agent";
description = "Guest Agent for Google Compute Engine";
license = licenses.asl20;
platforms = platforms.linux;
maintainers = with maintainers; [ abbradar ];
};
}

View File

@ -0,0 +1,54 @@
From 2e8060f9ade13ba18ae5930c0781227bfcce11a5 Mon Sep 17 00:00:00 2001
From: Nikolay Amiantov <ab@fmap.me>
Date: Mon, 10 Jan 2022 22:16:38 +0300
Subject: [PATCH] Disable accounts setup phase and oslogin
On NixOS we set up necessary groups and sudoers rules declaratively,
and have most of `/etc` directory read-only. This creates (harmless)
error messages when trying to create google-sudoers file.
"oslogin" daemon sets up configuration necessary for OS Login to
work, including PAM, NSS and sudoers. On NixOS we perform all this
configuration declaratively and have most of /etc mounted read-only.
This creates (harmless) error messages when running the daemon.
---
google_guest_agent/non_windows_accounts.go | 9 ---------
google_guest_agent/oslogin.go | 2 +-
2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/google_guest_agent/non_windows_accounts.go b/google_guest_agent/non_windows_accounts.go
index 81013e3..05b830f 100644
--- a/google_guest_agent/non_windows_accounts.go
+++ b/google_guest_agent/non_windows_accounts.go
@@ -104,15 +104,6 @@ func (a *accountsMgr) set() error {
sshKeys = make(map[string][]string)
}
- logger.Debugf("create sudoers file if needed")
- if err := createSudoersFile(); err != nil {
- logger.Errorf("Error creating google-sudoers file: %v.", err)
- }
- logger.Debugf("create sudoers group if needed")
- if err := createSudoersGroup(); err != nil {
- logger.Errorf("Error creating google-sudoers group: %v.", err)
- }
-
mdkeys := newMetadata.Instance.Attributes.SSHKeys
if !newMetadata.Instance.Attributes.BlockProjectKeys {
mdkeys = append(mdkeys, newMetadata.Project.Attributes.SSHKeys...)
diff --git a/google_guest_agent/oslogin.go b/google_guest_agent/oslogin.go
index d05f733..980e84c 100644
--- a/google_guest_agent/oslogin.go
+++ b/google_guest_agent/oslogin.go
@@ -76,7 +76,7 @@ func (o *osloginMgr) timeout() bool {
}
func (o *osloginMgr) disabled(os string) bool {
- return os == "windows"
+ return true
}
func (o *osloginMgr) set() error {
--
2.34.1

View File

@ -0,0 +1,43 @@
diff --git a/google-guest-agent.service b/google-guest-agent.service
index 79b8e39..a39097b 100644
--- a/google-guest-agent.service
+++ b/google-guest-agent.service
@@ -14,7 +14,7 @@ PartOf=network.service networking.service NetworkManager.service systemd-network
[Service]
Type=notify
-ExecStart=/usr/bin/google_guest_agent
+ExecStart=@out@/bin/google_guest_agent
OOMScoreAdjust=-999
Restart=always
diff --git a/google-shutdown-scripts.service b/google-shutdown-scripts.service
index 16bb9c2..ae02067 100644
--- a/google-shutdown-scripts.service
+++ b/google-shutdown-scripts.service
@@ -5,10 +5,10 @@ After=network-online.target rsyslog.service
[Service]
Type=oneshot
-ExecStart=/bin/true
+ExecStart=@true@
RemainAfterExit=true
# This service does nothing on start, and runs shutdown scripts on stop.
-ExecStop=/usr/bin/google_metadata_script_runner shutdown
+ExecStop=@out@/bin/google_metadata_script_runner shutdown
TimeoutStopSec=0
KillMode=process
diff --git a/google-startup-scripts.service b/google-startup-scripts.service
index dfc9838..2465265 100644
--- a/google-startup-scripts.service
+++ b/google-startup-scripts.service
@@ -6,7 +6,7 @@ Before=apt-daily.service
[Service]
Type=oneshot
-ExecStart=/usr/bin/google_metadata_script_runner startup
+ExecStart=@out@/bin/google_metadata_script_runner startup
#TimeoutStartSec is ignored for Type=oneshot service units.
KillMode=process

View File

@ -0,0 +1,52 @@
{ stdenv, lib, fetchFromGitHub, makeWrapper, substituteAll
, ipcalc, iproute2, util-linux, coreutils, ethtool, gnugrep, gnused, nvme-cli }:
stdenv.mkDerivation rec {
pname = "google-guest-configs";
version = "20211116.00";
src = fetchFromGitHub {
owner = "GoogleCloudPlatform";
repo = "guest-configs";
rev = version;
sha256 = "sha256-0SRu6p/DsHNNI20mkXJitt/Ee5S2ooiy5hNmD+ndecM=";
};
binDeps = lib.makeBinPath [ coreutils util-linux gnugrep gnused ethtool ipcalc iproute2 ];
nativeBuildInputs = [ makeWrapper ];
dontConfigure = true;
dontBuild = true;
postPatch = ''
substitute ${./fix-paths.patch} fix-paths.patch \
--subst-var out \
--subst-var-by nvme "${nvme-cli}/bin/nvme" \
--subst-var-by sh "${stdenv.shell}" \
--subst-var-by umount "${util-linux}/bin/umount" \
--subst-var-by logger "${util-linux}/bin/logger"
patch -p1 < ./fix-paths.patch
'';
installPhase = ''
mkdir -p $out/{bin,etc,lib}
cp -r src/etc/{modprobe.d,sysctl.d} $out/etc
cp -r src/lib/udev $out/lib
cp -r src/sbin/* $out/bin
cp -r src/usr/bin/* $out/bin
for i in $out/bin/* $out/lib/udev/google_nvme_id; do
wrapProgram "$i" \
--prefix "PATH" ":" "$binDeps"
done
'';
meta = with lib; {
homepage = "https://github.com/GoogleCloudPlatform/guest-configs";
description = "Linux Guest Environment for Google Compute Engine";
license = licenses.asl20;
platforms = platforms.linux;
maintainers = with maintainers; [ abbradar ];
};
}

View File

@ -0,0 +1,61 @@
diff -ru3 source.old/src/lib/udev/google_nvme_id source.new/src/lib/udev/google_nvme_id
--- source.old/src/lib/udev/google_nvme_id 1970-01-01 03:00:01.000000000 +0300
+++ source.new/src/lib/udev/google_nvme_id 2022-02-05 13:30:00.986242869 +0300
@@ -17,7 +17,7 @@
# the metadata server
# Locations of the script's dependencies
-readonly nvme_cli_bin=/usr/sbin/nvme
+readonly nvme_cli_bin=@nvme@
# Bash regex to parse device paths and controller identification
readonly NAMESPACE_NUMBER_REGEX="/dev/nvme[[:digit:]]+n([[:digit:]]+).*"
diff -ru3 source.old/src/lib/udev/rules.d/64-gce-disk-removal.rules source.new/src/lib/udev/rules.d/64-gce-disk-removal.rules
--- source.old/src/lib/udev/rules.d/64-gce-disk-removal.rules 1970-01-01 03:00:01.000000000 +0300
+++ source.new/src/lib/udev/rules.d/64-gce-disk-removal.rules 2022-02-05 13:27:42.635300567 +0300
@@ -14,4 +14,4 @@
#
# When a disk is removed, unmount any remaining attached volumes.
-ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*|vd*|nvme*", RUN+="/bin/sh -c '/bin/umount -fl /dev/$name && /usr/bin/logger -p daemon.warn -s WARNING: hot-removed /dev/$name that was still mounted, data may have been corrupted'"
+ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*|vd*|nvme*", RUN+="@sh@ -c '@umount@ -fl /dev/$name && @logger@ -p daemon.warn -s WARNING: hot-removed /dev/$name that was still mounted, data may have been corrupted'"
diff -ru3 source.old/src/lib/udev/rules.d/65-gce-disk-naming.rules source.new/src/lib/udev/rules.d/65-gce-disk-naming.rules
--- source.old/src/lib/udev/rules.d/65-gce-disk-naming.rules 1970-01-01 03:00:01.000000000 +0300
+++ source.new/src/lib/udev/rules.d/65-gce-disk-naming.rules 2022-02-05 13:27:05.053107964 +0300
@@ -21,11 +21,11 @@
KERNEL=="sd*|vd*", IMPORT{program}="scsi_id --export --whitelisted -d $tempnode"
# NVME Local SSD naming
-KERNEL=="nvme*n*", ATTRS{model}=="nvme_card", PROGRAM="/bin/sh -c 'nsid=$$(echo %k|sed -re s/nvme[0-9]+n\([0-9]+\).\*/\\1/); echo $$((nsid-1))'", ENV{ID_SERIAL_SHORT}="local-nvme-ssd-%c"
+KERNEL=="nvme*n*", ATTRS{model}=="nvme_card", PROGRAM="@sh@ -c 'nsid=$$(echo %k|sed -re s/nvme[0-9]+n\([0-9]+\).\*/\\1/); echo $$((nsid-1))'", ENV{ID_SERIAL_SHORT}="local-nvme-ssd-%c"
KERNEL=="nvme*", ATTRS{model}=="nvme_card", ENV{ID_SERIAL}="Google_EphemeralDisk_$env{ID_SERIAL_SHORT}"
# NVME Persistent Disk Naming
-KERNEL=="nvme*n*", ATTRS{model}=="nvme_card-pd", IMPORT{program}="google_nvme_id -d $tempnode"
+KERNEL=="nvme*n*", ATTRS{model}=="nvme_card-pd", IMPORT{program}="@out@/lib/udev/google_nvme_id -d $tempnode"
# Symlinks
KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}"
diff -ru3 source.old/src/sbin/google-dhclient-script source.new/src/sbin/google-dhclient-script
--- source.old/src/sbin/google-dhclient-script 1970-01-01 03:00:01.000000000 +0300
+++ source.new/src/sbin/google-dhclient-script 2022-02-05 13:29:37.430058984 +0300
@@ -31,7 +31,6 @@
# This script is found in EL 7 and used to fix local routing in EL 6.
# ----------
-PATH=/bin:/usr/bin:/sbin
# scripts in dhclient.d/ use $SAVEDIR (#833054)
SAVEDIR=/var/lib/dhclient
@@ -58,9 +57,9 @@
if need_hostname; then
status=1
if [ -n "${new_ip_address}" ]; then
- eval $(/bin/ipcalc --silent --hostname ${new_ip_address} ; echo "status=$?")
+ eval $(ipcalc --silent --hostname ${new_ip_address} ; echo "status=$?")
elif [ -n "${new_ip6_address}" ]; then
- eval $(/bin/ipcalc --silent --hostname ${new_ip6_address} ; echo "status=$?")
+ eval $(ipcalc --silent --hostname ${new_ip6_address} ; echo "status=$?")
fi
if [ ${status} -eq 0 ]; then

View File

@ -9,38 +9,39 @@
}:
stdenv.mkDerivation rec {
pname = "google-compute-engine-oslogin";
version = "20210429.00";
pname = "google-guest-oslogin";
version = "20211213.00";
src = fetchFromGitHub {
owner = "GoogleCloudPlatform";
repo = "guest-oslogin";
rev = version;
sha256 = "eHAg9K5oxcygEzqaac81jSFHF+zsW6uB7q2Kfo9hSrA=";
sha256 = "sha256-8RuLYdWfk8zPfoF06r5E/6eHQ7tziZbgGhZlLCUW600=";
};
postPatch = ''
# change sudoers dir from /var/google-sudoers.d to /run/google-sudoers.d (managed through systemd-tmpfiles)
substituteInPlace src/pam/pam_oslogin_admin.cc --replace /var/google-sudoers.d /run/google-sudoers.d
# fix "User foo not allowed because shell /bin/bash does not exist"
substituteInPlace src/include/compat.h --replace /bin/bash ${bashInteractive}/bin/bash
substituteInPlace src/include/compat.h --replace /bin/bash /run/current-system/sw/bin/bash
'';
buildInputs = [ curl.dev pam ];
buildInputs = [ curl.dev pam json_c ];
NIX_CFLAGS_COMPILE = "-I${json_c.dev}/include/json-c";
NIX_CFLAGS_LINK = "-L${json_c}/lib";
NIX_CFLAGS_COMPILE = [ "-I${json_c.dev}/include/json-c" ];
makeFlags = [
"VERSION=${version}"
"DESTDIR=${placeholder "out"}"
"PREFIX=/"
"BINDIR=/bin"
"LIBDIR=/lib"
"PAMDIR=/lib"
"MANDIR=/share/man"
"PREFIX=$(out)"
"MANDIR=$(out)/share/man"
"SYSTEMDDIR=$(out)/etc/systemd/system"
"PRESETDIR=$(out)/etc/systemd/system-preset"
];
postInstall = ''
sed -i "s,/usr/bin/,$out/bin/,g" $out/etc/systemd/system/google-oslogin-cache.service
'';
enableParallelBuilding = true;
passthru.tests = {
@ -51,6 +52,7 @@ stdenv.mkDerivation rec {
homepage = "https://github.com/GoogleCloudPlatform/compute-image-packages";
description = "OS Login Guest Environment for Google Compute Engine";
license = licenses.asl20;
platforms = platforms.linux;
maintainers = with maintainers; [ flokli ];
};
}

View File

@ -6119,12 +6119,16 @@ with pkgs;
google-compute-engine = with python38.pkgs; toPythonApplication google-compute-engine;
google-compute-engine-oslogin = callPackage ../tools/virtualization/google-compute-engine-oslogin { };
google-guest-oslogin = callPackage ../tools/virtualization/google-guest-oslogin { };
google-cloud-cpp = callPackage ../development/libraries/google-cloud-cpp { };
google-java-format = callPackage ../development/tools/google-java-format { };
google-guest-agent = callPackage ../tools/virtualization/google-guest-agent { };
google-guest-configs = callPackage ../tools/virtualization/google-guest-configs { };
gdown = with python3Packages; toPythonApplication gdown;
gopro = callPackage ../tools/video/gopro { };