// Copyright 2020 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.osconfig.agentendpoint.v1beta; import "google/api/field_behavior.proto"; option go_package = "cloud.google.com/go/osconfig/agentendpoint/apiv1beta/agentendpointpb;agentendpointpb"; option java_outer_classname = "GuestPolicies"; option java_package = "com.google.cloud.osconfig.agentendpoint.v1beta"; option php_namespace = "Google\\Cloud\\OsConfig\\V1beta"; // The desired state that the OS Config agent will maintain on the VM. enum DesiredState { // The default is to ensure the package is installed. DESIRED_STATE_UNSPECIFIED = 0; // The agent ensures that the package is installed. INSTALLED = 1; // The agent ensures that the package is installed and // periodically checks for and install any updates. UPDATED = 2; // The agent ensures that the package is not installed and uninstall it // if detected. REMOVED = 3; } // Package is a reference to the software package to be installed or removed. // The agent on the VM instance uses the system package manager to apply the // config. // // // These are the commands that the agent uses to install or remove // packages. // // Apt // install: `apt-get update && apt-get -y install package1 package2 package3` // remove: `apt-get -y remove package1 package2 package3` // // Yum // install: `yum -y install package1 package2 package3` // remove: `yum -y remove package1 package2 package3` // // Zypper // install: `zypper install package1 package2 package3` // remove: `zypper rm package1 package2` // // Googet // install: `googet -noconfirm install package1 package2 package3` // remove: `googet -noconfirm remove package1 package2 package3` message Package { // Types of package managers that may be used to manage this package. enum Manager { // The default behavior is ANY. MANAGER_UNSPECIFIED = 0; // Apply this package config using the default system package manager. ANY = 1; // Apply this package config only if Apt is available on the system. APT = 2; // Apply this package config only if Yum is available on the system. YUM = 3; // Apply this package config only if Zypper is available on the system. ZYPPER = 4; // Apply this package config only if GooGet is available on the system. GOO = 5; } // The name of the package. A package is uniquely identified for conflict // validation by checking the package name and the manager(s) that the // package targets. string name = 1; // The desired_state the agent should maintain for this package. The // default is to ensure the package is installed. DesiredState desired_state = 2; // Type of package manager that can be used to install this package. // If a system does not have the package manager, the package is not // installed or removed no error message is returned. By default, // or if you specify `ANY`, // the agent attempts to install and remove this package using the default // package manager. This is useful when creating a policy that applies to // different types of systems. // // The default behavior is ANY. Manager manager = 3; } // Represents a single Apt package repository. This repository is added to // a repo file that is stored at // `/etc/apt/sources.list.d/google_osconfig.list`. message AptRepository { // Type of archive. enum ArchiveType { // Unspecified. ARCHIVE_TYPE_UNSPECIFIED = 0; // DEB indicates that the archive contains binary files. DEB = 1; // DEB_SRC indicates that the archive contains source files. DEB_SRC = 2; } // Type of archive files in this repository. The default behavior is DEB. ArchiveType archive_type = 1; // URI for this repository. string uri = 2; // Distribution of this repository. string distribution = 3; // List of components for this repository. Must contain at least one item. repeated string components = 4; // URI of the key file for this repository. The agent maintains // a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg` containing // all the keys in any applied guest policy. string gpg_key = 5; } // Represents a single Yum package repository. This repository is added to a // repo file that is stored at `/etc/yum.repos.d/google_osconfig.repo`. message YumRepository { // A one word, unique name for this repository. This is // the `repo id` in the Yum config file and also the `display_name` if // `display_name` is omitted. This id is also used as the unique identifier // when checking for guest policy conflicts. string id = 1; // The display name of the repository. string display_name = 2; // The location of the repository directory. string base_url = 3; // URIs of GPG keys. repeated string gpg_keys = 4; } // Represents a single Zypper package repository. This repository is added to a // repo file that is stored at `/etc/zypp/repos.d/google_osconfig.repo`. message ZypperRepository { // A one word, unique name for this repository. This is // the `repo id` in the zypper config file and also the `display_name` if // `display_name` is omitted. This id is also used as the unique identifier // when checking for guest policy conflicts. string id = 1; // The display name of the repository. string display_name = 2; // The location of the repository directory. string base_url = 3; // URIs of GPG keys. repeated string gpg_keys = 4; } // Represents a Goo package repository. These is added to a repo file // that is stored at C:/ProgramData/GooGet/repos/google_osconfig.repo. message GooRepository { // The name of the repository. string name = 1; // The url of the repository. string url = 2; } // A package repository. message PackageRepository { // A specific type of repository. oneof repository { // An Apt Repository. AptRepository apt = 1; // A Yum Repository. YumRepository yum = 2; // A Zypper Repository. ZypperRepository zypper = 3; // A Goo Repository. GooRepository goo = 4; } } // A software recipe is a set of instructions for installing and configuring a // piece of software. It consists of a set of artifacts that are // downloaded, and a set of steps that install, configure, and/or update the // software. // // Recipes support installing and updating software from artifacts in the // following formats: // Zip archive, Tar archive, Windows MSI, Debian package, and RPM package. // // Additionally, recipes support executing a script (either defined in a file or // directly in this api) in bash, sh, cmd, and powershell. // // Updating a software recipe // // If a recipe is assigned to an instance and there is a recipe with the same // name but a lower version already installed and the assigned state // of the recipe is `INSTALLED_KEEP_UPDATED`, then the recipe is updated to // the new version. // // Script Working Directories // // Each script or execution step is run in its own temporary directory which // is deleted after completing the step. message SoftwareRecipe { // Specifies a resource to be used in the recipe. message Artifact { // Specifies an artifact available via some URI. message Remote { // URI from which to fetch the object. It should contain both the protocol // and path following the format {protocol}://{location}. string uri = 1; // Must be provided if `allow_insecure` is `false`. // SHA256 checksum in hex format, to compare to the checksum of the // artifact. If the checksum is not empty and it doesn't match the // artifact then the recipe installation fails before running any of the // steps. string checksum = 2; } // Specifies an artifact available as a Cloud Storage object. message Gcs { // Bucket of the Cloud Storage object. // Given an example URL: // `https://storage.googleapis.com/my-bucket/foo/bar#1234567` // this value would be `my-bucket`. string bucket = 1; // Name of the Cloud Storage object. // As specified [here] // (https://cloud.google.com/storage/docs/naming#objectnames) // Given an example URL: // `https://storage.googleapis.com/my-bucket/foo/bar#1234567` // this value would be `foo/bar`. string object = 2; // Must be provided if allow_insecure is false. // Generation number of the Cloud Storage object. // `https://storage.googleapis.com/my-bucket/foo/bar#1234567` // this value would be `1234567`. int64 generation = 3; } // Id of the artifact, which the installation and update steps of this // recipe can reference. Artifacts in a recipe cannot have the same id. string id = 1; // A specific type of artifact. oneof artifact { // A generic remote artifact. Remote remote = 2; // A Cloud Storage artifact. Gcs gcs = 3; } // Defaults to false. When false, recipes are subject to validations // based on the artifact type: // // Remote: A checksum must be specified, and only protocols with // transport-layer security are permitted. // GCS: An object generation number must be specified. bool allow_insecure = 4; } // An action that can be taken as part of installing or updating a recipe. message Step { // Copies the artifact to the specified path on the instance. message CopyFile { // The id of the relevant artifact in the recipe. string artifact_id = 1; // The absolute path on the instance to put the file. string destination = 2; // Whether to allow this step to overwrite existing files. If this is // false and the file already exists the file is not overwritten // and the step is considered a success. Defaults to false. bool overwrite = 3; // Consists of three octal digits which represent, in // order, the permissions of the owner, group, and other users for the // file (similarly to the numeric mode used in the linux chmod utility). // Each digit represents a three bit number with the 4 bit // corresponding to the read permissions, the 2 bit corresponds to the // write bit, and the one bit corresponds to the execute permission. // Default behavior is 755. // // Below are some examples of permissions and their associated values: // read, write, and execute: 7 // read and execute: 5 // read and write: 6 // read only: 4 string permissions = 4; } // Extracts an archive of the type specified in the specified directory. message ExtractArchive { // Specifying the type of archive. enum ArchiveType { // Indicates that the archive type isn't specified. ARCHIVE_TYPE_UNSPECIFIED = 0; // Indicates that the archive is a tar archive with no encryption. TAR = 1; // Indicates that the archive is a tar archive with gzip encryption. TAR_GZIP = 2; // Indicates that the archive is a tar archive with bzip encryption. TAR_BZIP = 3; // Indicates that the archive is a tar archive with lzma encryption. TAR_LZMA = 4; // Indicates that the archive is a tar archive with xz encryption. TAR_XZ = 5; // Indicates that the archive is a zip archive. ZIP = 11; } // The id of the relevant artifact in the recipe. string artifact_id = 1; // Directory to extract archive to. // Defaults to `/` on Linux or `C:\` on Windows. string destination = 2; // The type of the archive to extract. ArchiveType type = 3; } // Installs an MSI file. message InstallMsi { // The id of the relevant artifact in the recipe. string artifact_id = 1; // The flags to use when installing the MSI // defaults to ["/i"] (i.e. the install flag). repeated string flags = 2; // Return codes that indicate that the software installed or updated // successfully. Behaviour defaults to [0] repeated int32 allowed_exit_codes = 3; } // Installs a deb via dpkg. message InstallDpkg { // The id of the relevant artifact in the recipe. string artifact_id = 1; } // Installs an rpm file via the rpm utility. message InstallRpm { // The id of the relevant artifact in the recipe. string artifact_id = 1; } // Executes an artifact or local file. message ExecFile { // Location of the file to execute. oneof location_type { // The id of the relevant artifact in the recipe. string artifact_id = 1; // The absolute path of the file on the local filesystem. string local_path = 2; } // Arguments to be passed to the provided executable. repeated string args = 3; // Defaults to [0]. A list of possible return values that the program // can return to indicate a success. repeated int32 allowed_exit_codes = 4; } // Runs a script through an interpreter. message RunScript { // The interpreter used to execute a script. enum Interpreter { // Default value for ScriptType. INTERPRETER_UNSPECIFIED = 0; // Indicates that the script is run with `/bin/sh` on Linux and `cmd` // on windows. SHELL = 1; // Indicates that the script is run with powershell. POWERSHELL = 3; } // The shell script to be executed. string script = 1; // Return codes that indicate that the software installed or updated // successfully. Behaviour defaults to [0] repeated int32 allowed_exit_codes = 2; // The script interpreter to use to run the script. If no interpreter is // specified the script is executed directly, which likely // only succeed for scripts with // [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)). Interpreter interpreter = 3; } // A specific type of step. oneof step { // Copies a file onto the instance. CopyFile file_copy = 1; // Extracts an archive into the specified directory. ExtractArchive archive_extraction = 2; // Installs an MSI file. InstallMsi msi_installation = 3; // Installs a deb file via dpkg. InstallDpkg dpkg_installation = 4; // Installs an rpm file via the rpm utility. InstallRpm rpm_installation = 5; // Executes an artifact or local file. ExecFile file_exec = 6; // Runs commands in a shell. RunScript script_run = 7; } } // Unique identifier for the recipe. Only one recipe with a given name is // installed on an instance. // // Names are also used to identify resources which helps to determine whether // guest policies have conflicts. This means that requests to create multiple // recipes with the same name and version are rejected since they // could potentially have conflicting assignments. string name = 1; // The version of this software recipe. Version can be up to 4 period // separated numbers (e.g. 12.34.56.78). string version = 2; // Resources available to be used in the steps in the recipe. repeated Artifact artifacts = 3; // Actions to be taken for installing this recipe. On failure it stops // executing steps and does not attempt another installation. Any steps taken // (including partially completed steps) are not rolled back. Install steps // must be specified and are used on first installation. repeated Step install_steps = 4; // Actions to be taken for updating this recipe. On failure it stops // executing steps and does not attempt another update for this recipe. Any // steps taken (including partially completed steps) are not rolled back. // Upgrade steps are not mandatory and are only used when upgrading. repeated Step update_steps = 5; // Default is INSTALLED. The desired state the agent should maintain for this // recipe. // // INSTALLED: The software recipe is installed on the instance but won't be // updated to new versions. // UPDATED: The software recipe is installed on the instance. The recipe is // updated to a higher version, if a higher version of // the recipe is assigned to this instance. // REMOVE: Remove is unsupported for software recipes and attempts to // create or update a recipe to the REMOVE state is rejected. DesiredState desired_state = 6; } // A request message for getting effective policy assigned to the instance. message LookupEffectiveGuestPolicyRequest { // Required. This is the GCE instance identity token described in // https://cloud.google.com/compute/docs/instances/verifying-instance-identity // where the audience is 'osconfig.googleapis.com' and the format is 'full'. string instance_id_token = 1 [(google.api.field_behavior) = REQUIRED]; // Short name of the OS running on the instance. The OS Config agent only // provideS this field for targeting if OS Inventory is enabled for that // instance. string os_short_name = 2; // Version of the OS running on the instance. The OS Config agent only // provide this field for targeting if OS Inventory is enabled for that // VM instance. string os_version = 3; // Architecture of OS running on the instance. The OS Config agent only // provide this field for targeting if OS Inventory is enabled for that // instance. string os_architecture = 4; } // The effective guest policy assigned to the instance. message EffectiveGuestPolicy { // A guest policy package including its source. message SourcedPackage { // Name of the guest policy providing this config. string source = 1; // A software package to configure on the VM instance. Package package = 2; } // A guest policy package repository including its source. message SourcedPackageRepository { // Name of the guest policy providing this config. string source = 1; // A software package repository to configure on the VM instance. PackageRepository package_repository = 2; } // A guest policy recipe including its source. message SourcedSoftwareRecipe { // Name of the guest policy providing this config. string source = 1; // A software recipe to configure on the VM instance. SoftwareRecipe software_recipe = 2; } // List of package configurations assigned to the VM instance. repeated SourcedPackage packages = 1; // List of package repository configurations assigned to the VM instance. repeated SourcedPackageRepository package_repositories = 2; // List of recipes assigned to the VM instance. repeated SourcedSoftwareRecipe software_recipes = 3; }