From 10aeb07efcbe067e9898527be197f20eb1038193 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Mon, 29 Dec 2025 10:45:33 +0000
Subject: [PATCH] app-admin/google-guest-configs: New package for udev rules
 and scripts

We already have GCE disk rules in coreos-init, but a user has pointed
out that the newer NVMe rules are missing. Let's take the rules directly
from upstream instead. This is loosely based on the ChromiumOS package
of the same name.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
 changelog/bugfixes/2025-12-29-gce-udev.md     |  1 +
 .../app-admin/google-guest-configs/Manifest   |  1 +
 ...gle-guest-configs-20211116.00-sysctl.patch | 50 +++++++++++++++++
 .../google-guest-configs-20251014.00.ebuild   | 56 +++++++++++++++++++
 .../google-guest-configs/metadata.xml         |  7 +++
 ... google-compute-engine-20190124-r3.ebuild} |  7 +++
 .../oem-gce/oem-gce-20180823-r7.ebuild        | 42 --------------
 .../oem-gce/oem-gce-20260102.ebuild           | 35 ++++++++++++
 .../coreos-kernel-6.12.62.ebuild              |  5 +-
 9 files changed, 161 insertions(+), 43 deletions(-)
 create mode 100644 changelog/bugfixes/2025-12-29-gce-udev.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20251014.00.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml
 rename sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/{google-compute-engine-20190124-r2.ebuild => google-compute-engine-20190124-r3.ebuild} (81%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild

diff --git a/changelog/bugfixes/2025-12-29-gce-udev.md b/changelog/bugfixes/2025-12-29-gce-udev.md
new file mode 100644
index 00000000000..d8458d9f4db
--- /dev/null
+++ b/changelog/bugfixes/2025-12-29-gce-udev.md
@@ -0,0 +1 @@
+- Updated the GCE udev disk rules to include NVMe disks.
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
new file mode 100644
index 00000000000..02b3af8f09d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/Manifest
@@ -0,0 +1 @@
+DIST google-guest-configs-20251014.00.tar.gz 49030 BLAKE2B 20330b57868814e2e4278a15355d8b8a2d6f065049bbe876f8fa48c70f54f65ed98537c5a6a5603e38967c12fd4953c6d06232d6dae691ae81e0f5111108e9c6 SHA512 0040ca6cc6b18c0cb0afaa2febd1bef61a1a62e6f277ef8c9ed01254194a7802ff19baa99bcb8ba64c96e1113f6686a63a23116aa1c7cd5b6caa787ae4e107fa
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
new file mode 100644
index 00000000000..4ac9d275cbc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/files/google-guest-configs-20211116.00-sysctl.patch
@@ -0,0 +1,50 @@
+diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf
+index b40085b..d89d87d 100644
+--- a/src/etc/sysctl.d/60-gce-network-security.conf
++++ b/src/etc/sysctl.d/60-gce-network-security.conf
+@@ -14,45 +14,6 @@
+ #
+ # Google-recommended kernel parameters
+
+-# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
+-# of TCP functionality/features under normal conditions.  When flood
+-# protections kick in under high unanswered-SYN load, the system
+-# should remain more stable, with a trade off of some loss of TCP
+-# functionality/features (e.g. TCP Window scaling).
+-net.ipv4.tcp_syncookies=1
+-
+-# Ignore source-routed packets
+-net.ipv4.conf.all.accept_source_route=0
+-net.ipv4.conf.default.accept_source_route=0
+-
+-# Ignore ICMP redirects from non-GW hosts
+-net.ipv4.conf.all.accept_redirects=0
+-net.ipv4.conf.default.accept_redirects=0
+-net.ipv4.conf.all.secure_redirects=1
+-net.ipv4.conf.default.secure_redirects=1
+-
+-# Don't pass traffic between networks or act as a router
+-net.ipv4.ip_forward=0
+-net.ipv4.conf.all.send_redirects=0
+-net.ipv4.conf.default.send_redirects=0
+-
+-# Turn on Source Address Verification in all interfaces to
+-# prevent some spoofing attacks.
+-net.ipv4.conf.all.rp_filter=1
+-net.ipv4.conf.default.rp_filter=1
+-
+-# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+-net.ipv4.icmp_echo_ignore_broadcasts=1
+-
+-# Ignore bad ICMP errors
+-net.ipv4.icmp_ignore_bogus_error_responses=1
+-
+ # Log spoofed, source-routed, and redirect packets
+ net.ipv4.conf.all.log_martians=1
+ net.ipv4.conf.default.log_martians=1
+-
+-# Addresses of mmap base, heap, stack and VDSO page are randomized
+-kernel.randomize_va_space=2
+-
+-# Reboot the machine soon after a kernel panic.
+-kernel.panic=10
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20251014.00.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20251014.00.ebuild
new file mode 100644
index 00000000000..9e79d49929c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/google-guest-configs-20251014.00.ebuild
@@ -0,0 +1,56 @@
+# Copyright 2025 The Flatcar Container Linux Maintainers
+# Distributed under the terms of the Apache License 2.0
+
+# IMPORTANT! When bumping, ensure that the Dracut modules do not install files
+# that would make runtime changes to systems to other than GCE VMs because the
+# initrd is shared between image types. The udev disk rules are currently safe.
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="Configuration and scripts to support the Google Compute Engine guest environment"
+HOMEPAGE="http://github.com/GoogleCloudPlatform/guest-configs"
+SRC_URI="https://github.com/GoogleCloudPlatform/guest-configs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+S="${WORKDIR}/guest-configs-${PV}"
+
+LICENSE="Apache-2.0 BSD ZLIB"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+	sys-apps/ethtool
+	sys-apps/iproute2
+	sys-apps/nvme-cli
+	!<app-emulation/google-compute-engine-20190124-r3
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-20211116.00-sysctl.patch
+)
+
+src_install() {
+	exeinto "$(get_udevdir)"
+	doexe src/lib/udev/google_nvme_id
+
+	udev_dorules src/lib/udev/rules.d/65-gce-disk-naming.rules
+	udev_dorules src/lib/udev/rules.d/75-gce-network.rules
+
+	insinto /usr/lib/sysctl.d
+	doins src/etc/sysctl.d/60-gce-network-security.conf
+
+	dobin src/usr/bin/google_set_multiqueue
+	dobin src/usr/bin/google_optimize_local_ssd
+	dobin src/usr/bin/gce-nic-naming
+
+	insinto /usr/lib/dracut/modules.d
+	doins -r src/lib/dracut/modules.d/*
+}
+
+pkg_postinst() {
+	udev_reload
+}
+
+pkg_postrm() {
+	udev_reload
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml
new file mode 100644
index 00000000000..3abd52a6f70
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/google-guest-configs/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<upstream>
+		<remote-id type="github">GoogleCloudPlatform/guest-configs</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild
similarity index 81%
rename from sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild
index 40a7a10e63c..59a394f58f8 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/google-compute-engine/google-compute-engine-20190124-r3.ebuild
@@ -28,3 +28,10 @@ RDEPEND="
 	sys-apps/iproute2
 	sys-apps/shadow
 "
+
+src_install() {
+	distutils-r1_src_install
+
+	# Newer versions are installed by app-admin/google-guest-configs.
+	rm -v "${ED}"/usr/bin/google_{optimize_local_ssd,set_multiqueue} || die
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
deleted file mode 100644
index 5baa71325b6..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20180823-r7.ebuild
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit systemd
-
-DESCRIPTION="OEM suite for Google Compute Engine images"
-HOMEPAGE="https://cloud.google.com/products/compute-engine/"
-SRC_URI=""
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64"
-IUSE=""
-
-# no source directory
-S="${WORKDIR}"
-
-RDEPEND="
-    app-emulation/google-compute-engine
-"
-
-OEM_NAME="Google Compute Engine"
-
-src_install() {
-    systemd_dounit "${FILESDIR}/units/oem-gce.service"
-    systemd_dounit "${FILESDIR}/units/oem-gce-enable-oslogin.service"
-    systemd_dounit "${FILESDIR}/units/setup-oem.service"
-    systemd_install_dropin "multi-user.target" "${FILESDIR}/units/10-oem-gce.conf"
-    systemd_enable_service "multi-user.target" "ntpd.service"
-
-    dobin "${FILESDIR}/bin/enable-oslogin"
-    dobin "${FILESDIR}/bin/init.sh"
-
-    # These files will be symlinked to /etc via 'setup-oem.service'
-    insinto /usr/share/gce/
-    doins "${FILESDIR}/files/hosts"
-    doins "${FILESDIR}/files/google-cloud-sdk.sh"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild
new file mode 100644
index 00000000000..e9decae604b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/oem-gce/oem-gce-20260102.ebuild
@@ -0,0 +1,35 @@
+# Copyright (c) 2013 CoreOS, Inc.. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+# Copyright (c) 2020 Kinvolk GmbH. All rights reserved.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd
+
+DESCRIPTION="OEM suite for Google Compute Engine images"
+HOMEPAGE="https://cloud.google.com/products/compute-engine/"
+S="${WORKDIR}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64"
+
+RDEPEND="
+	app-admin/google-guest-configs
+	app-emulation/google-compute-engine
+"
+
+OEM_NAME="Google Compute Engine"
+
+src_install() {
+	systemd_dounit "${FILESDIR}"/units/{oem-gce,oem-gce-enable-oslogin,setup-oem}.service
+	systemd_install_dropin multi-user.target "${FILESDIR}"/units/10-oem-gce.conf
+	systemd_enable_service multi-user.target ntpd.service
+
+	dobin "${FILESDIR}"/bin/{enable-oslogin,init.sh}
+
+	# These files will be symlinked to /etc via 'setup-oem.service'
+	insinto /usr/share/gce
+	doins "${FILESDIR}"/files/{google-cloud-sdk.sh,hosts}
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild
index 8b9cea19187..c3d5342b163 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.62.ebuild
@@ -52,7 +52,10 @@ DEPEND="
 	>=sys-kernel/bootengine-0.0.38-r37:=
 	>=sys-kernel/coreos-firmware-20180103-r1:=
 	virtual/udev
-	amd64? ( sys-firmware/intel-microcode:= )
+	amd64? (
+		app-admin/google-guest-configs
+		sys-firmware/intel-microcode:=
+	)
 "
 
 src_prepare() {