Pre-Installed Daemons on Google Compute Engine

I found out that Google Compute Engine instances will come with the Google Guest Environment pre-installed which runs daemons in the background. This is unlike AWS EC2 instances which don't install any daemons (but come with aws-cli pre-installed). We can see the following output when listing the running processes on a new Debian GCE intance:

$ ps ax | grep google

418 ?        Ssl    2:52 /usr/bin/google_osconfig_agent
526 ?        Ss     2:17 /usr/bin/python3 /usr/bin/google_network_daemon
528 ?        Ss     3:32 /usr/bin/python3 /usr/bin/google_accounts_daemon
529 ?        Ss     1:14 /usr/bin/python3 /usr/bin/google_clock_skew_daemon

We can check all installed google packages:

$ apt list --installed | grep google


and systemd services:

$ systemctl list-unit-files | grep google

google-accounts-daemon.service         enabled
google-clock-skew-daemon.service       enabled
google-instance-setup.service          enabled
google-network-daemon.service          enabled
google-osconfig-agent.service          enabled
google-shutdown-scripts.service        enabled
google-startup-scripts.service         enabled

These packages and services are part of the Google Linux Guest Environment and OS Login Guest Environment.

The GCP docs have some information on the Guest Environment but it lacks details on the specifics of each daemon/script. A better source is the GitHub repo where we can find a good explanation for each daemon and script:

The remaining daemon is the agent for the OS Login Guest Environment. It manages access control when using the OS Login feature by linking linux user accounts to Google accounts (which can then be managed with Cloud IAM). This feature is disabled by default and I'm not sure why the package is installed and the daemon is running.


If all that's needed is a simple VM instance without Google Cloud integration, all daemons and scripts can be uninstalled by removing the packages:

$ apt-get remove python-google-compute-engine python3-google-compute-engine \
                 google-osconfig-agent google-compute-engine-oslogin

I think it's good to at least remove the google-osconfig-agent package and get rid of the google_osconfig_agent daemon running in the background. The package can be re-installed before enabling OS Login.

Each daemon can also be disabled separately:

$ systemctl disable google-accounts-daemon.service