GoogleCloudPlatform / guest-agent

Apache License 2.0

Add `oslogin_daemon` configuration option #277

Open ericnorris opened 1 year ago

ericnorris commented 1 year ago

It's possible to disable the "accounts daemon" via the accounts_daemon configuration setting, but as far as I can tell there is no way to disable OS Login via configuration. If enable-oslogin is present in the metadata, the guest-agent will immediately make changes to sshd, etc.

We manage sshd and other system-level configuration options, and would like to have direct control over modifications to those files. Right now we're not using OS Login, but even if we were, I think we'd still prefer to make the necessary changes, in order to avoid having the guest agent and our configuration management tool fight each other.

I'm not tied to oslogin_daemon as an option specifically, but some way of ensuring that the guest agent doesn't modify the system configuration would be ideal.

dorileo commented 1 year ago

Why not disable via metadata? Are you considering disabling sshd config management only? Or are you also considering disabling config management of PAM modules?

ericnorris commented 1 year ago

Hey @dorileo! At Etsy, developers are free to spin up infrastructure as they wish, for the most part. This means that someone could enable OS Login via the metadata, which would conflict with the sssd, etc. configuration that we've deployed via our configuration management tool. There may be ways for us to prevent that via policy, but we're not in a position to do that at the moment.

Ideally I'd like this flag to disable all configuration management; if we wanted to enable OS Login, we'd configure sshd, PAM, etc. on our own.
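Until such an option exists, a configuration-management team can at least detect when the guest agent has rewritten sshd_config for OS Login, as the first post and the last reply describe. The following is an added example, not guest-agent code: it assumes the agent brackets the directives it writes with the two marker comments shown (verify them against an sshd_config on one of your instances), and the sample config and desired values are constructed for illustration.

```python
"""Detect sshd_config directives written by the GCE guest agent's OS Login setup.

Added example, not part of the guest-agent project. ASSUMPTION: the agent wraps
the lines it manages in the marker comments below; check them on a real host.
"""
from typing import Dict, Tuple

# Assumed marker comments bracketing the agent-managed section.
BLOCK_START = "#### Google OS Login control. Do not edit this section. ####"
BLOCK_END = "#### End Google OS Login control section. ####"


def oslogin_managed_directives(sshd_config: str) -> Dict[str, str]:
    """Return {directive: value} for non-comment lines inside the agent's block.

    An empty dict means the agent has not touched the file (or the block was
    removed), which is the state a config-management tool wants to see.
    """
    managed: Dict[str, str] = {}
    inside = False
    for line in sshd_config.splitlines():
        stripped = line.strip()
        if stripped == BLOCK_START:
            inside = True
            continue
        if stripped == BLOCK_END:
            inside = False
            continue
        if inside and stripped and not stripped.startswith("#"):
            parts = stripped.split(None, 1)  # sshd syntax: "Keyword value"
            managed[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return managed


def conflicts_with(managed: Dict[str, str],
                   desired: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Directives the agent set that differ from what config management wants."""
    return {k: (managed[k], desired[k])
            for k in managed if k in desired and managed[k] != desired[k]}


# Constructed sample: a host whose sshd_config the agent has already modified.
SAMPLE_SSHD_CONFIG = """PasswordAuthentication no
#### Google OS Login control. Do not edit this section. ####
AuthorizedKeysCommand /usr/bin/google_authorized_keys
AuthorizedKeysCommandUser root
#### End Google OS Login control section. ####
"""

# Constructed: what the site's configuration management tool expects (sssd-based).
DESIRED = {"AuthorizedKeysCommand": "/usr/bin/sss_ssh_authorizedkeys",
           "AuthorizedKeysCommandUser": "nobody"}

if __name__ == "__main__":
    print(conflicts_with(oslogin_managed_directives(SAMPLE_SSHD_CONFIG), DESIRED))
```

Run the check from the same job that deploys sshd_config so a fight between the agent and the tool surfaces as a reported drift rather than silently flapping settings.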