app-admin/google-guest-configs: New package for udev rules and scripts

We already have GCE disk rules in coreos-init, but a user has pointed
out that the newer NVMe rules are missing. Let's take the rules directly
from upstream instead. This is loosely based on the ChromiumOS package
of the same name.

Signed-off-by: James Le Cuirot <[email protected]>

Author: chewi

changelog/bugfixes/2025-12-29-gce-udev.md

@@ -0,0 +1 @@
+- Updated the GCE udev disk rules to include NVMe disks.

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest

@@ -0,0 +1 @@
+DIST google-guest-configs-20260112.00.tar.gz 50187 BLAKE2B 467b16fff8bfec7c54ee5daa1921bf51a3da4087d35b4598811fe8f219bc3c5c3b638615cc11a0a9ebe39c42a0ed567e19c03693b85df5cf13a2933b1b1c99a8 SHA512 633d2c5bd840876dbaec211be13b1af20c08c4eb4d3013827968d2c388b93b82f79dbb7eb3946ff3b68f4b27cb5eaf13cb715e091116fd49660e589b5a69c850

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch

@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions.  When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20260112.00.ebuild

@@ -0,0 +1,65 @@
+# Copyright 2026 The Flatcar Container Linux Maintainers
+# Distributed under the terms of the Apache License 2.0
+
+# IMPORTANT! When bumping, ensure that the Dracut modules do not install files
+# that would make runtime changes to systems to other than GCE VMs because the
+# initrd is shared between image types. The udev disk rules are currently safe.
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="Configuration and scripts to support the Google Compute Engine guest environment"
+HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/guest-configs-${PV}"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+	net-misc/curl
+	sys-apps/ethtool
+	sys-apps/iproute2
+	sys-apps/nvme-cli
+	!<app-emulation/google-compute-engine-20190124-r3
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-20211116.00-sysctl.patch
+)
+
+src_install() {
+	exeinto "$(get_udevdir)"
+	doexe src/lib/udev/google_nvme_id
+
+	udev_dorules src/lib/udev/rules.d/65-gce-disk-naming.rules
+	udev_dorules src/lib/udev/rules.d/75-gce-network.rules
+
+	insinto /usr/lib/sysctl.d
+	doins src/etc/sysctl.d/60-gce-network-security.conf
+
+	dobin src/usr/bin/google_set_multiqueue
+	dobin src/usr/bin/google_optimize_local_ssd
+	dobin src/usr/bin/gce-nic-naming
+
+	insinto /usr/lib/dracut/modules.d
+	doins -r src/lib/dracut/modules.d/*
+
+	# Don't put any sysctl config into the shared initrd. It will still get
+	# applied after switching root anyway.
+	local sysctl=( "${ED}"/usr/lib/sysctl.d/* )
+	insinto /usr/lib/dracut/dracut.conf.d
+	newins - ${PN}.conf <<-EOF
+	remove_items+=" ${sysctl[@]#${ED}} "
+	EOF
+}
+
+pkg_postinst() {
+	udev_reload
+}
+
+pkg_postrm() {
+	udev_reload
+}

sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<upstream>
+		<remote-id type="github">GoogleCloudPlatform/guest-configs</remote-id>
+	</upstream>
+</pkgmetadata>

…google-compute-engine-20190124-r2.ebuild …google-compute-engine-20190124-r3.ebuildsdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r2.ebuild renamed to sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r2.ebuild renamed to sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild

@@ -28,3 +28,10 @@ RDEPEND="
 	sys-apps/iproute2
 	sys-apps/shadow
 "
+
+src_install() {
+	distutils-r1_src_install
+
+	# Newer versions are installed by app-admin/google-guest-configs.
+	rm -v "${ED}"/usr/bin/google_{optimize_local_ssd,set_multiqueue} || die
+}

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild

@@ -0,0 +1,35 @@
+# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd
+
+DESCRIPTION="OEM suite for Google Compute Engine images"
+HOMEPAGE="https://cloud.google.com/products/compute-engine/"
+S="${WORKDIR}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+	app-admin/google-guest-configs
+	app-emulation/google-compute-engine
+"
+
+OEM_NAME="Google Compute Engine"
+
+src_install() {
+	systemd_dounit "${FILESDIR}"/units/{oem-gce,oem-gce-enable-oslogin,setup-oem}.service
+	systemd_install_dropin multi-user.target "${FILESDIR}"/units/10-oem-gce.conf
+	systemd_enable_service multi-user.target ntpd.service
+
+	dobin "${FILESDIR}"/bin/{enable-oslogin,init.sh}
+
+	# These files will be symlinked to /etc via 'setup-oem.service'
+	insinto /usr/share/gce
+	doins "${FILESDIR}"/files/{google-cloud-sdk.sh,hosts}
+}

sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild

@@ -56,7 +56,10 @@ DEPEND="
 	>=sys-kernel/coreos-firmware-20180103-r1:=
 	sys-process/procps
 	virtual/udev
-	amd64? ( sys-firmware/intel-microcode:= )
+	amd64? (
+		app-admin/google-guest-configs
+		sys-firmware/intel-microcode:=
+	)
 "
 
 src_prepare() {