Pre-Installed Daemons on Google Compute Engine
I found out that Google Compute Engine instances will come with the Google Guest Environment pre-installed which runs daemons in the background. This is unlike AWS EC2 instances which don't install any daemons (but come with aws-cli pre-installed). We can see the following output when listing the running processes on a new Debian GCE instance:
$ ps ax | grep google
  418 ?        Ssl    2:52 /usr/bin/google_osconfig_agent
  526 ?        Ss     2:17 /usr/bin/python3 /usr/bin/google_network_daemon
  528 ?        Ss     3:32 /usr/bin/python3 /usr/bin/google_accounts_daemon
  529 ?        Ss     1:14 /usr/bin/python3 /usr/bin/google_clock_skew_daemon
We can check all installed Google packages:
$ apt list --installed | grep google
gce-disk-expand
google-cloud-packages-archive-keyring
google-cloud-sdk
google-compute-engine-oslogin
google-compute-engine
google-osconfig-agent
python-google-compute-engine
python3-google-compute-engine
and systemd services:
$ systemctl list-unit-files | grep google
google-accounts-daemon.service      enabled
google-clock-skew-daemon.service    enabled
google-instance-setup.service       enabled
google-network-daemon.service       enabled
google-osconfig-agent.service       enabled
google-shutdown-scripts.service     enabled
google-startup-scripts.service      enabled
These packages and services are part of the Google Linux Guest Environment and OS Login Guest Environment.
The GCP docs have some information on the Guest Environment but it lacks details on the specifics of each daemon/script. A better source is the GitHub repo where we can find a good explanation for each daemon and script:
- google-network-daemon: handles network setup for multiple network interfaces on boot and integrates network load balancing with forwarding rule changes into the guest
- google-accounts-daemon: daemon to set up and manage user accounts, and to enable SSH key based authentication
- google-clock-skew-daemon: daemon to keep the system clock in sync after VM start and stop events
- google-instance-setup: scripts to execute VM configuration scripts during boot
- google-startup-scripts/google-shutdown-scripts: run user-provided scripts at VM startup and shutdown
The remaining daemon is the agent for the OS Login Guest Environment. It manages access control when using the OS Login feature by linking Linux user accounts to Google accounts (which can then be managed with Cloud IAM). This feature is disabled by default and I'm not sure why the package is installed and the daemon is running.
If all that's needed is a simple VM instance without Google Cloud integration, all daemons and scripts can be uninstalled by removing the packages:
$ apt-get remove python-google-compute-engine python3-google-compute-engine \
    google-osconfig-agent google-compute-engine-oslogin
I think it's good to at least remove the google-osconfig-agent package and get rid of the google_osconfig_agent daemon running in the background. The package can be re-installed before enabling OS Login.
Each daemon can also be disabled separately:
$ systemctl disable google-accounts-daemon.service
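To review the units before disabling them one by one, the following added example (not part of the original post) compares the enabled google-* services against a keep-list and prints the disable commands as a dry run. The function names, the KEEP list and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit enabled Google guest-environment units against a keep-list.
# Function names and the KEEP list are illustrative assumptions.

# Units that should stay enabled (assumption: adjust to the features you use).
KEEP="google-network-daemon.service google-clock-skew-daemon.service google-instance-setup.service"

# Constructed sample of `systemctl list-unit-files` output, based on the listing
# above, with google-accounts-daemon already disabled and one non-Google unit.
SAMPLE='google-accounts-daemon.service disabled
google-clock-skew-daemon.service enabled
google-instance-setup.service enabled
google-network-daemon.service enabled
google-osconfig-agent.service enabled
google-shutdown-scripts.service enabled
google-startup-scripts.service enabled
ssh.service enabled'

# Read list-unit-files output on stdin; print only enabled google-* services.
enabled_google_units() {
    awk '$1 ~ /^google-.*\.service$/ && $2 == "enabled" { print $1 }'
}

# Print enabled google-* units (from stdin) that are not in the keep-list ($1).
unexpected_units() {
    keep=" $1 "
    enabled_google_units | while read -r unit; do
        case "$keep" in
            *" $unit "*) ;;                  # on the keep-list: expected
            *) printf '%s\n' "$unit" ;;      # enabled but not expected
        esac
    done
}

# Dry run: print the disable command for each unexpected unit, do not run it.
disable_plan() {
    unexpected_units "$1" | sed 's/^/systemctl disable /'
}

# On a live instance: systemctl list-unit-files --no-legend | disable_plan "$KEEP"
printf '%s\n' "$SAMPLE" | disable_plan "$KEEP"
```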