Pre-Installed Daemons on Google Compute Engine

February 23, 2020

I found out that Google Compute Engine instances will come with the Google Guest Environment pre-installed which runs daemons in the background. This is unlike AWS EC2 instances which don't install any daemons (but come with aws-cli pre-installed). We can see the following output when listing the running processes on a new Debian GCE intance:

$ ps ax | grep google

418 ?        Ssl    2:52 /usr/bin/google_osconfig_agent
526 ?        Ss     2:17 /usr/bin/python3 /usr/bin/google_network_daemon
528 ?        Ss     3:32 /usr/bin/python3 /usr/bin/google_accounts_daemon
529 ?        Ss     1:14 /usr/bin/python3 /usr/bin/google_clock_skew_daemon

We can check all installed google packages:

$ apt list --installed | grep google

gce-disk-expand
google-cloud-packages-archive-keyring
google-cloud-sdk
google-compute-engine-oslogin
google-compute-engine
google-osconfig-agent
python-google-compute-engine
python3-google-compute-engine

and systemd services:

$ systemctl list-unit-files | grep google

google-accounts-daemon.service         enabled
google-clock-skew-daemon.service       enabled
google-instance-setup.service          enabled
google-network-daemon.service          enabled
google-osconfig-agent.service          enabled
google-shutdown-scripts.service        enabled
google-startup-scripts.service         enabled

These packages and services are part of the Google Linux Guest Environment and OS Login Guest Environment.

The GCP docs have some information on the Guest Environment but it lacks details on the specifics of each daemon/script. A better source is the GitHub repo where we can find a good explanation for each daemon and script:

google-network-daemon: handles network setup for multiple network interfaces on boot and integrates network load balancing with forwarding rule changes into the guest
google-accounts-daemon: daemon to setup and manage user accounts, and to enable SSH key based authentication
google-clock-skew-daemon: daemon to keep the system clock in sync after VM start and stop events
google-instance-setup: scripts to execute VM configuration scripts during boot
google-startup-scripts/google-shutdown-scripts: run user-provided scripts at VM startup and shutdown

The remaining daemon is the agent for the OS Login Guest Environment. It manages access control when using the OS Login feature by linking linux user accounts to Google accounts (which can then be managed with Cloud IAM). This feature is disabled by default and I'm not sure why the package is installed and the daemon is running.

Uninstall

If all that's needed is a simple VM instance without Google Cloud integration, all daemons and scripts can be uninstalled by removing the packages:

$ apt-get remove python-google-compute-engine python3-google-compute-engine \
                 google-osconfig-agent google-compute-engine-oslogin

I think it's good to at least remove the google-osconfig-agent package and get rid of the google_osconfig_agent daemon running in the background. The package can be re-installed before enabling OS Login.

Each daemon can also be disabled separately:

$ systemctl disable google-accounts-daemon.service