1// Copyright 2020 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.osconfig.agentendpoint.v1beta; 18 19import "google/api/field_behavior.proto"; 20 21option go_package = "cloud.google.com/go/osconfig/agentendpoint/apiv1beta/agentendpointpb;agentendpointpb"; 22option java_outer_classname = "GuestPolicies"; 23option java_package = "com.google.cloud.osconfig.agentendpoint.v1beta"; 24option php_namespace = "Google\\Cloud\\OsConfig\\V1beta"; 25 26// The desired state that the OS Config agent will maintain on the VM. 27enum DesiredState { 28 // The default is to ensure the package is installed. 29 DESIRED_STATE_UNSPECIFIED = 0; 30 31 // The agent ensures that the package is installed. 32 INSTALLED = 1; 33 34 // The agent ensures that the package is installed and 35 // periodically checks for and install any updates. 36 UPDATED = 2; 37 38 // The agent ensures that the package is not installed and uninstall it 39 // if detected. 40 REMOVED = 3; 41} 42 43// Package is a reference to the software package to be installed or removed. 44// The agent on the VM instance uses the system package manager to apply the 45// config. 46// 47// 48// These are the commands that the agent uses to install or remove 49// packages. 50// 51// Apt 52// install: `apt-get update && apt-get -y install package1 package2 package3` 53// remove: `apt-get -y remove package1 package2 package3` 54// 55// Yum 56// install: `yum -y install package1 package2 package3` 57// remove: `yum -y remove package1 package2 package3` 58// 59// Zypper 60// install: `zypper install package1 package2 package3` 61// remove: `zypper rm package1 package2` 62// 63// Googet 64// install: `googet -noconfirm install package1 package2 package3` 65// remove: `googet -noconfirm remove package1 package2 package3` 66message Package { 67 // Types of package managers that may be used to manage this package. 68 enum Manager { 69 // The default behavior is ANY. 70 MANAGER_UNSPECIFIED = 0; 71 72 // Apply this package config using the default system package manager. 73 ANY = 1; 74 75 // Apply this package config only if Apt is available on the system. 76 APT = 2; 77 78 // Apply this package config only if Yum is available on the system. 79 YUM = 3; 80 81 // Apply this package config only if Zypper is available on the system. 82 ZYPPER = 4; 83 84 // Apply this package config only if GooGet is available on the system. 85 GOO = 5; 86 } 87 88 // The name of the package. A package is uniquely identified for conflict 89 // validation by checking the package name and the manager(s) that the 90 // package targets. 91 string name = 1; 92 93 // The desired_state the agent should maintain for this package. The 94 // default is to ensure the package is installed. 95 DesiredState desired_state = 2; 96 97 // Type of package manager that can be used to install this package. 98 // If a system does not have the package manager, the package is not 99 // installed or removed no error message is returned. By default, 100 // or if you specify `ANY`, 101 // the agent attempts to install and remove this package using the default 102 // package manager. This is useful when creating a policy that applies to 103 // different types of systems. 104 // 105 // The default behavior is ANY. 106 Manager manager = 3; 107} 108 109// Represents a single Apt package repository. This repository is added to 110// a repo file that is stored at 111// `/etc/apt/sources.list.d/google_osconfig.list`. 112message AptRepository { 113 // Type of archive. 114 enum ArchiveType { 115 // Unspecified. 116 ARCHIVE_TYPE_UNSPECIFIED = 0; 117 118 // DEB indicates that the archive contains binary files. 119 DEB = 1; 120 121 // DEB_SRC indicates that the archive contains source files. 122 DEB_SRC = 2; 123 } 124 125 // Type of archive files in this repository. The default behavior is DEB. 126 ArchiveType archive_type = 1; 127 128 // URI for this repository. 129 string uri = 2; 130 131 // Distribution of this repository. 132 string distribution = 3; 133 134 // List of components for this repository. Must contain at least one item. 135 repeated string components = 4; 136 137 // URI of the key file for this repository. The agent maintains 138 // a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg` containing 139 // all the keys in any applied guest policy. 140 string gpg_key = 5; 141} 142 143// Represents a single Yum package repository. This repository is added to a 144// repo file that is stored at `/etc/yum.repos.d/google_osconfig.repo`. 145message YumRepository { 146 // A one word, unique name for this repository. This is 147 // the `repo id` in the Yum config file and also the `display_name` if 148 // `display_name` is omitted. This id is also used as the unique identifier 149 // when checking for guest policy conflicts. 150 string id = 1; 151 152 // The display name of the repository. 153 string display_name = 2; 154 155 // The location of the repository directory. 156 string base_url = 3; 157 158 // URIs of GPG keys. 159 repeated string gpg_keys = 4; 160} 161 162// Represents a single Zypper package repository. This repository is added to a 163// repo file that is stored at `/etc/zypp/repos.d/google_osconfig.repo`. 164message ZypperRepository { 165 // A one word, unique name for this repository. This is 166 // the `repo id` in the zypper config file and also the `display_name` if 167 // `display_name` is omitted. This id is also used as the unique identifier 168 // when checking for guest policy conflicts. 169 string id = 1; 170 171 // The display name of the repository. 172 string display_name = 2; 173 174 // The location of the repository directory. 175 string base_url = 3; 176 177 // URIs of GPG keys. 178 repeated string gpg_keys = 4; 179} 180 181// Represents a Goo package repository. These is added to a repo file 182// that is stored at C:/ProgramData/GooGet/repos/google_osconfig.repo. 183message GooRepository { 184 // The name of the repository. 185 string name = 1; 186 187 // The url of the repository. 188 string url = 2; 189} 190 191// A package repository. 192message PackageRepository { 193 // A specific type of repository. 194 oneof repository { 195 // An Apt Repository. 196 AptRepository apt = 1; 197 198 // A Yum Repository. 199 YumRepository yum = 2; 200 201 // A Zypper Repository. 202 ZypperRepository zypper = 3; 203 204 // A Goo Repository. 205 GooRepository goo = 4; 206 } 207} 208 209// A software recipe is a set of instructions for installing and configuring a 210// piece of software. It consists of a set of artifacts that are 211// downloaded, and a set of steps that install, configure, and/or update the 212// software. 213// 214// Recipes support installing and updating software from artifacts in the 215// following formats: 216// Zip archive, Tar archive, Windows MSI, Debian package, and RPM package. 217// 218// Additionally, recipes support executing a script (either defined in a file or 219// directly in this api) in bash, sh, cmd, and powershell. 220// 221// Updating a software recipe 222// 223// If a recipe is assigned to an instance and there is a recipe with the same 224// name but a lower version already installed and the assigned state 225// of the recipe is `INSTALLED_KEEP_UPDATED`, then the recipe is updated to 226// the new version. 227// 228// Script Working Directories 229// 230// Each script or execution step is run in its own temporary directory which 231// is deleted after completing the step. 232message SoftwareRecipe { 233 // Specifies a resource to be used in the recipe. 234 message Artifact { 235 // Specifies an artifact available via some URI. 236 message Remote { 237 // URI from which to fetch the object. It should contain both the protocol 238 // and path following the format {protocol}://{location}. 239 string uri = 1; 240 241 // Must be provided if `allow_insecure` is `false`. 242 // SHA256 checksum in hex format, to compare to the checksum of the 243 // artifact. If the checksum is not empty and it doesn't match the 244 // artifact then the recipe installation fails before running any of the 245 // steps. 246 string checksum = 2; 247 } 248 249 // Specifies an artifact available as a Cloud Storage object. 250 message Gcs { 251 // Bucket of the Cloud Storage object. 252 // Given an example URL: 253 // `https://storage.googleapis.com/my-bucket/foo/bar#1234567` 254 // this value would be `my-bucket`. 255 string bucket = 1; 256 257 // Name of the Cloud Storage object. 258 // As specified [here] 259 // (https://cloud.google.com/storage/docs/naming#objectnames) 260 // Given an example URL: 261 // `https://storage.googleapis.com/my-bucket/foo/bar#1234567` 262 // this value would be `foo/bar`. 263 string object = 2; 264 265 // Must be provided if allow_insecure is false. 266 // Generation number of the Cloud Storage object. 267 // `https://storage.googleapis.com/my-bucket/foo/bar#1234567` 268 // this value would be `1234567`. 269 int64 generation = 3; 270 } 271 272 // Id of the artifact, which the installation and update steps of this 273 // recipe can reference. Artifacts in a recipe cannot have the same id. 274 string id = 1; 275 276 // A specific type of artifact. 277 oneof artifact { 278 // A generic remote artifact. 279 Remote remote = 2; 280 281 // A Cloud Storage artifact. 282 Gcs gcs = 3; 283 } 284 285 // Defaults to false. When false, recipes are subject to validations 286 // based on the artifact type: 287 // 288 // Remote: A checksum must be specified, and only protocols with 289 // transport-layer security are permitted. 290 // GCS: An object generation number must be specified. 291 bool allow_insecure = 4; 292 } 293 294 // An action that can be taken as part of installing or updating a recipe. 295 message Step { 296 // Copies the artifact to the specified path on the instance. 297 message CopyFile { 298 // The id of the relevant artifact in the recipe. 299 string artifact_id = 1; 300 301 // The absolute path on the instance to put the file. 302 string destination = 2; 303 304 // Whether to allow this step to overwrite existing files. If this is 305 // false and the file already exists the file is not overwritten 306 // and the step is considered a success. Defaults to false. 307 bool overwrite = 3; 308 309 // Consists of three octal digits which represent, in 310 // order, the permissions of the owner, group, and other users for the 311 // file (similarly to the numeric mode used in the linux chmod utility). 312 // Each digit represents a three bit number with the 4 bit 313 // corresponding to the read permissions, the 2 bit corresponds to the 314 // write bit, and the one bit corresponds to the execute permission. 315 // Default behavior is 755. 316 // 317 // Below are some examples of permissions and their associated values: 318 // read, write, and execute: 7 319 // read and execute: 5 320 // read and write: 6 321 // read only: 4 322 string permissions = 4; 323 } 324 325 // Extracts an archive of the type specified in the specified directory. 326 message ExtractArchive { 327 // Specifying the type of archive. 328 enum ArchiveType { 329 // Indicates that the archive type isn't specified. 330 ARCHIVE_TYPE_UNSPECIFIED = 0; 331 332 // Indicates that the archive is a tar archive with no encryption. 333 TAR = 1; 334 335 // Indicates that the archive is a tar archive with gzip encryption. 336 TAR_GZIP = 2; 337 338 // Indicates that the archive is a tar archive with bzip encryption. 339 TAR_BZIP = 3; 340 341 // Indicates that the archive is a tar archive with lzma encryption. 342 TAR_LZMA = 4; 343 344 // Indicates that the archive is a tar archive with xz encryption. 345 TAR_XZ = 5; 346 347 // Indicates that the archive is a zip archive. 348 ZIP = 11; 349 } 350 351 // The id of the relevant artifact in the recipe. 352 string artifact_id = 1; 353 354 // Directory to extract archive to. 355 // Defaults to `/` on Linux or `C:\` on Windows. 356 string destination = 2; 357 358 // The type of the archive to extract. 359 ArchiveType type = 3; 360 } 361 362 // Installs an MSI file. 363 message InstallMsi { 364 // The id of the relevant artifact in the recipe. 365 string artifact_id = 1; 366 367 // The flags to use when installing the MSI 368 // defaults to ["/i"] (i.e. the install flag). 369 repeated string flags = 2; 370 371 // Return codes that indicate that the software installed or updated 372 // successfully. Behaviour defaults to [0] 373 repeated int32 allowed_exit_codes = 3; 374 } 375 376 // Installs a deb via dpkg. 377 message InstallDpkg { 378 // The id of the relevant artifact in the recipe. 379 string artifact_id = 1; 380 } 381 382 // Installs an rpm file via the rpm utility. 383 message InstallRpm { 384 // The id of the relevant artifact in the recipe. 385 string artifact_id = 1; 386 } 387 388 // Executes an artifact or local file. 389 message ExecFile { 390 // Location of the file to execute. 391 oneof location_type { 392 // The id of the relevant artifact in the recipe. 393 string artifact_id = 1; 394 395 // The absolute path of the file on the local filesystem. 396 string local_path = 2; 397 } 398 399 // Arguments to be passed to the provided executable. 400 repeated string args = 3; 401 402 // Defaults to [0]. A list of possible return values that the program 403 // can return to indicate a success. 404 repeated int32 allowed_exit_codes = 4; 405 } 406 407 // Runs a script through an interpreter. 408 message RunScript { 409 // The interpreter used to execute a script. 410 enum Interpreter { 411 // Default value for ScriptType. 412 INTERPRETER_UNSPECIFIED = 0; 413 414 // Indicates that the script is run with `/bin/sh` on Linux and `cmd` 415 // on windows. 416 SHELL = 1; 417 418 // Indicates that the script is run with powershell. 419 POWERSHELL = 3; 420 } 421 422 // The shell script to be executed. 423 string script = 1; 424 425 // Return codes that indicate that the software installed or updated 426 // successfully. Behaviour defaults to [0] 427 repeated int32 allowed_exit_codes = 2; 428 429 // The script interpreter to use to run the script. If no interpreter is 430 // specified the script is executed directly, which likely 431 // only succeed for scripts with 432 // [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)). 433 Interpreter interpreter = 3; 434 } 435 436 // A specific type of step. 437 oneof step { 438 // Copies a file onto the instance. 439 CopyFile file_copy = 1; 440 441 // Extracts an archive into the specified directory. 442 ExtractArchive archive_extraction = 2; 443 444 // Installs an MSI file. 445 InstallMsi msi_installation = 3; 446 447 // Installs a deb file via dpkg. 448 InstallDpkg dpkg_installation = 4; 449 450 // Installs an rpm file via the rpm utility. 451 InstallRpm rpm_installation = 5; 452 453 // Executes an artifact or local file. 454 ExecFile file_exec = 6; 455 456 // Runs commands in a shell. 457 RunScript script_run = 7; 458 } 459 } 460 461 // Unique identifier for the recipe. Only one recipe with a given name is 462 // installed on an instance. 463 // 464 // Names are also used to identify resources which helps to determine whether 465 // guest policies have conflicts. This means that requests to create multiple 466 // recipes with the same name and version are rejected since they 467 // could potentially have conflicting assignments. 468 string name = 1; 469 470 // The version of this software recipe. Version can be up to 4 period 471 // separated numbers (e.g. 12.34.56.78). 472 string version = 2; 473 474 // Resources available to be used in the steps in the recipe. 475 repeated Artifact artifacts = 3; 476 477 // Actions to be taken for installing this recipe. On failure it stops 478 // executing steps and does not attempt another installation. Any steps taken 479 // (including partially completed steps) are not rolled back. Install steps 480 // must be specified and are used on first installation. 481 repeated Step install_steps = 4; 482 483 // Actions to be taken for updating this recipe. On failure it stops 484 // executing steps and does not attempt another update for this recipe. Any 485 // steps taken (including partially completed steps) are not rolled back. 486 // Upgrade steps are not mandatory and are only used when upgrading. 487 repeated Step update_steps = 5; 488 489 // Default is INSTALLED. The desired state the agent should maintain for this 490 // recipe. 491 // 492 // INSTALLED: The software recipe is installed on the instance but won't be 493 // updated to new versions. 494 // UPDATED: The software recipe is installed on the instance. The recipe is 495 // updated to a higher version, if a higher version of 496 // the recipe is assigned to this instance. 497 // REMOVE: Remove is unsupported for software recipes and attempts to 498 // create or update a recipe to the REMOVE state is rejected. 499 DesiredState desired_state = 6; 500} 501 502// A request message for getting effective policy assigned to the instance. 503message LookupEffectiveGuestPolicyRequest { 504 // Required. This is the GCE instance identity token described in 505 // https://cloud.google.com/compute/docs/instances/verifying-instance-identity 506 // where the audience is 'osconfig.googleapis.com' and the format is 'full'. 507 string instance_id_token = 1 [(google.api.field_behavior) = REQUIRED]; 508 509 // Short name of the OS running on the instance. The OS Config agent only 510 // provideS this field for targeting if OS Inventory is enabled for that 511 // instance. 512 string os_short_name = 2; 513 514 // Version of the OS running on the instance. The OS Config agent only 515 // provide this field for targeting if OS Inventory is enabled for that 516 // VM instance. 517 string os_version = 3; 518 519 // Architecture of OS running on the instance. The OS Config agent only 520 // provide this field for targeting if OS Inventory is enabled for that 521 // instance. 522 string os_architecture = 4; 523} 524 525// The effective guest policy assigned to the instance. 526message EffectiveGuestPolicy { 527 // A guest policy package including its source. 528 message SourcedPackage { 529 // Name of the guest policy providing this config. 530 string source = 1; 531 532 // A software package to configure on the VM instance. 533 Package package = 2; 534 } 535 536 // A guest policy package repository including its source. 537 message SourcedPackageRepository { 538 // Name of the guest policy providing this config. 539 string source = 1; 540 541 // A software package repository to configure on the VM instance. 542 PackageRepository package_repository = 2; 543 } 544 545 // A guest policy recipe including its source. 546 message SourcedSoftwareRecipe { 547 // Name of the guest policy providing this config. 548 string source = 1; 549 550 // A software recipe to configure on the VM instance. 551 SoftwareRecipe software_recipe = 2; 552 } 553 554 // List of package configurations assigned to the VM instance. 555 repeated SourcedPackage packages = 1; 556 557 // List of package repository configurations assigned to the VM instance. 558 repeated SourcedPackageRepository package_repositories = 2; 559 560 // List of recipes assigned to the VM instance. 561 repeated SourcedSoftwareRecipe software_recipes = 3; 562} 563