Chloé Smith

Merge ~kajiya/+git/google-osconfig-agent:update-master-to-20240524.03 into ~ubuntu-core-dev/+git/google-osconfig-agent:ubuntu/master

Proposed by Chloé Smith on 2024-07-16

Status:

Merged

Merged at revision:

ffe4765a0f0679d706a0535bb2142b87cf180151

Proposed branch:

~kajiya/+git/google-osconfig-agent:update-master-to-20240524.03

Merge into:

~ubuntu-core-dev/+git/google-osconfig-agent:ubuntu/master

Diff against target:

2679 lines (+1679/-190)

43 files modified

.github/dependabot.yml (+10/-0)
.github/workflows/codeql.yml (+92/-0)
OWNERS (+1/-0)
agentconfig/agentconfig.go (+28/-6)
agentendpoint/inventory.go (+4/-1)
config/exec_resource.go (+1/-1)
debian/changelog (+7/-0)
debian/patches/0002-Edit-TestAptRepositories-for-signed-repos.patch (+29/-0)
debian/patches/series (+1/-0)
e2e_tests/test_suites/guestpolicies/guest_policies_utils.go (+9/-4)
e2e_tests/test_suites/inventory/test_setup.go (+24/-8)
e2e_tests/test_suites/inventoryreporting/test_setup.go (+47/-33)
e2e_tests/test_suites/ospolicies/ospolicies_test_data.go (+6/-6)
e2e_tests/test_suites/ospolicies/ospolicies_utils.go (+6/-5)
e2e_tests/test_suites/patch/test_setup.go (+40/-22)
e2e_tests/utils/utils.go (+100/-56)
examples/OSPolicyAssignments/console/CIS/cis-exclude-check-once-a-day.yaml (+3/-4)
examples/OSPolicyAssignments/console/CIS/cis-level1-once-an-hour-policy.yaml (+3/-4)
examples/OSPolicyAssignments/console/CIS/cis-level2-once-a-day-policy.yaml (+3/-4)
go.mod (+8/-9)
go.sum (+16/-18)
main_windows.go (+2/-1)
packagebuild/README.md (+75/-0)
packagebuild/common.sh (+84/-0)
packagebuild/daisy_startupscript_deb.sh (+108/-0)
packagebuild/daisy_startupscript_goo.sh (+61/-0)
packagebuild/daisy_startupscript_rpm.sh (+147/-0)
packagebuild/test_build.sh (+69/-0)
packagebuild/workflows/build_deb10.wf.json (+42/-0)
packagebuild/workflows/build_deb11.wf.json (+42/-0)
packagebuild/workflows/build_deb11_arm64.wf.json (+44/-0)
packagebuild/workflows/build_deb12.wf.json (+42/-0)
packagebuild/workflows/build_deb12_arm64.wf.json (+44/-0)
packagebuild/workflows/build_el6.wf.json (+42/-0)
packagebuild/workflows/build_el7.wf.json (+42/-0)
packagebuild/workflows/build_el8.wf.json (+42/-0)
packagebuild/workflows/build_el8_arm64.wf.json (+44/-0)
packagebuild/workflows/build_el9.wf.json (+42/-0)
packagebuild/workflows/build_el9_arm64.wf.json (+44/-0)
packagebuild/workflows/build_goo.wf.json (+40/-0)
packagebuild/workflows/build_package.wf.json (+101/-0)
policies/apt.go (+56/-8)
policies/apt_test.go (+28/-0)

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Utkarsh Gupta		2024-07-16	Approve on 2024-07-25
Review via email: mp+469484@code.launchpad.net

Commit message

New upstream version 20240524.03

Description of the change

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2024-07-24:

Hey, thank you for the MP. It looks good but it's a bit hard to understand why commit b7a00db is needed. Could you please update the description of the commit and the patch as well?

review: Needs Information

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2024-07-25:

Thank you Chlo. I just noticed a wrong versioning there in the changelog. :(

Whilst at it - can you also add the same description in the changelog for posterity? Many thanks!

review: Needs Fixing

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2024-07-25:

Ok, I can fix this on the go -

```
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,10 @@
-google-osconfig-agent (20240320.00-0ubuntu2) oracular; urgency=medium
+google-osconfig-agent (20240524.03-0ubuntu1) oracular; urgency=medium

* New upstream version for upstream tag 20240524.03. (LP: #2073161)
- * d/patches - Edit TestAptRepositories to avail of GPG signing
+ * d/p/0002-Edit-TestAptRepositories-for-signed-repos.patch: Add patch to
+ fix the failing and the blocking `TestAptRepositories` as it doesn't
+ account for the repo files being signed. This patch adds the expected
+ snippet "[signed-by=<managed-GPG-file>]" to the output.

-- Chloé 'kajiya' Smith <email address hidden> Mon, 15 Jul 2024 21:28:39 +0100

```

Uploading with this fix. :)

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Chloé Smith

Ubuntu Core Development Team

 diff --git a/.github/dependabot.yml b/.github/dependabot.yml
 new file mode 100644
 index 0000000..07449d1
 --- /dev/null
 +++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
++version: 2
++updates:
++  - package-ecosystem: "gomod"
++    directory: "/"
++    labels:
++      - "dependencies"
++    schedule:
++      interval: "daily"
++    allow:
++      - dependency-type: "all"
 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
 new file mode 100644
 index 0000000..99c27d7
 --- /dev/null
 +++ b/.github/workflows/codeql.yml
@@ -0,0 +1,92 @@
++# For most projects, this workflow file will not need changing; you simply need
++# to commit it to your repository.
++#
++# You may wish to alter this file to override the set of languages analyzed,
++# or to provide custom queries or build logic.
++#
++# ******** NOTE ********
++# We have attempted to detect the languages in your repository. Please check
++# the `language` matrix defined below to confirm you have the correct set of
++# supported CodeQL languages.
++#
++name: "CodeQL"
++
++on:
++  push:
++    branches: [ "master" ]
++  pull_request:
++    branches: [ "master" ]
++  schedule:
++    - cron: '45 4 * * 1'
++
++jobs:
++  analyze:
++    name: Analyze (${{ matrix.language }})
++    # Runner size impacts CodeQL analysis time. To learn more, please see:
++    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
++    #   - https://gh.io/supported-runners-and-hardware-resources
++    #   - https://gh.io/using-larger-runners (GitHub.com only)
++    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
++    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
++    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
++    permissions:
++      # required for all workflows
++      security-events: write
++
++      # required to fetch internal or private CodeQL packs
++      packages: read
++
++      # only required for workflows in private repositories
++      actions: read
++      contents: read
++
++    strategy:
++      fail-fast: false
++      matrix:
++        include:
++        - language: go
++          build-mode: autobuild
++        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
++        # Use `c-cpp` to analyze code written in C, C++ or both
++        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
++        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
++        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
++        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
++        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
++        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
++    steps:
++    - name: Checkout repository
++      uses: actions/checkout@v4
++
++    # Initializes the CodeQL tools for scanning.
++    - name: Initialize CodeQL
++      uses: github/codeql-action/init@v3
++      with:
++        languages: ${{ matrix.language }}
++        build-mode: ${{ matrix.build-mode }}
++        # If you wish to specify custom queries, you can do so here or in a config file.
++        # By default, queries listed here will override any specified in a config file.
++        # Prefix the list here with "+" to use these queries and those in the config file.
++
++        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
++        # queries: security-extended,security-and-quality
++
++    # If the analyze step fails for one of the languages you are analyzing with
++    # "We were unable to automatically build your code", modify the matrix above
++    # to set the build mode to "manual" for that language. Then modify this step
++    # to build your code.
++    # ℹ️ Command-line programs to run using the OS shell.
++    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
++    - if: matrix.build-mode == 'manual'
++      run: |
++        echo 'If you are using a "manual" build mode for one or more of the' \
++          'languages you are analyzing, replace this with the commands to build' \
++          'your code, for example:'
++        echo '  make bootstrap'
++        echo '  make release'
++        exit 1
++
++    - name: Perform CodeQL Analysis
++      uses: github/codeql-action/analyze@v3
++      with:
++        category: "/language:${{matrix.language}}"
 diff --git a/OWNERS b/OWNERS
 index 20cdb27..4b8646c 100644
 --- a/OWNERS
 +++ b/OWNERS
@@ -10,3 +10,4 @@ approvers:
    - ekremenetskii
    - MahmoudOuka
    - savijatv
++  - MarcMarc
 diff --git a/agentconfig/agentconfig.go b/agentconfig/agentconfig.go
 index 05da6fc..7e1fa21 100644
 --- a/agentconfig/agentconfig.go
 +++ b/agentconfig/agentconfig.go
@@ -68,14 +68,12 @@ const (
  	debugEnabledDefault            = false
  	oldConfigDirLinux = "/etc/osconfig"
--	cacheDirWindows   = `C:\Program Files\Google\OSConfig`
  	cacheDirLinux     = "/var/lib/google_osconfig_agent"
++	windowsCacheDir   = `Google\OSConfig`
--	taskStateFileWindows  = cacheDirWindows + `\osconfig_task.state`
  	taskStateFileLinux    = cacheDirLinux + "/osconfig_task.state"
  	oldTaskStateFileLinux = oldConfigDirLinux + "/osconfig_task.state"
--	restartFileWindows  = cacheDirWindows + `\osconfig_agent_restart_required`
  	restartFileLinux    = cacheDirLinux + "/osconfig_agent_restart_required"
  	oldRestartFileLinux = oldConfigDirLinux + "/osconfig_agent_restart_required"
@@ -130,6 +128,7 @@ type config struct {
  	taskNotificationEnabled bool
  	guestPoliciesEnabled    bool
  	osInventoryEnabled      bool
++	guestAttributesEnabled  bool
+ }
  func (c *config) parseFeatures(features string, enabled bool) {
@@ -216,6 +215,7 @@ type attributesJSON struct {
  	OSConfigEndpoint      string       `json:"osconfig-endpoint"`
  	OSConfigEnabled       string       `json:"enable-osconfig"`
  	DisabledFeatures      string       `json:"osconfig-disabled-features"`
++	EnableGuestAttributes string       `json:"enable-guest-attributes"`
+ }
  func createConfigFromMetadata(md metadataJSON) *config {
@@ -334,6 +334,13 @@ func createConfigFromMetadata(md metadataJSON) *config {
  		c.debugEnabled = false
+ 	}
++	if md.Project.Attributes.EnableGuestAttributes != "" {
++		c.guestAttributesEnabled = parseBool(md.Project.Attributes.EnableGuestAttributes)
++	}
++	if md.Instance.Attributes.EnableGuestAttributes != "" {
++		c.guestAttributesEnabled = parseBool(md.Instance.Attributes.EnableGuestAttributes)
++	}
++
  	// Flags take precedence over metadata.
  	if *debug {
  		c.debugEnabled = true
@@ -412,6 +419,15 @@ func getMetadata(suffix string) ([]byte, string, error) {
  	return all, resp.Header.Get("Etag"), nil
+ }
++// GetCacheDirWindows returns the folder for the temp files location on Windows.
++func GetCacheDirWindows() string {
++	cacheDir, dirErr := os.UserCacheDir()
++	if dirErr != nil {
++		cacheDir = os.TempDir()
++	}
++	return filepath.Join(cacheDir, windowsCacheDir)
++}
++
  // WatchConfig looks for changes in metadata keys. Upon receiving successful response,
  // it create a new agent config.
  func WatchConfig(ctx context.Context) error {
@@ -627,6 +643,11 @@ func ID() string {
  	return getAgentConfig().instanceID
+ }
++// GuestAttributesEnabled is a boolean flag that signal that guest attributes feature is enabled.
++func GuestAttributesEnabled() bool {
++	return getAgentConfig().guestAttributesEnabled
++}
++
  type idToken struct {
  	exp *time.Time
  	raw string
@@ -686,7 +707,7 @@ func Capabilities() []string {
  // TaskStateFile is the location of the task state file.
  func TaskStateFile() string {
  	if runtime.GOOS == "windows" {
--		return taskStateFileWindows
++		return filepath.Join(GetCacheDirWindows(), "osconfig_task.state")
+ 	}
  	return taskStateFileLinux
@@ -700,7 +721,8 @@ func OldTaskStateFile() string {
  // RestartFile is the location of the restart required file.
  func RestartFile() string {
  	if runtime.GOOS == "windows" {
--		return restartFileWindows
++		return filepath.Join(
++			GetCacheDirWindows(), "osconfig_agent_restart_required")
+ 	}
  	return restartFileLinux
@@ -714,7 +736,7 @@ func OldRestartFile() string {
  // CacheDir is the location of the cache directory.
  func CacheDir() string {
  	if runtime.GOOS == "windows" {
--		return cacheDirWindows
++		return GetCacheDirWindows()
+ 	}
  	return cacheDirLinux
 diff --git a/agentendpoint/inventory.go b/agentendpoint/inventory.go
 index 9239fbc..28ae6b3 100644
 --- a/agentendpoint/inventory.go
 +++ b/agentendpoint/inventory.go
@@ -26,9 +26,12 @@ const (
  // ReportInventory writes inventory to guest attributes and reports it to agent endpoint.
  func (c *Client) ReportInventory(ctx context.Context) {
  	state := inventory.Get(ctx)
--	if !agentconfig.DisableInventoryWrite() {
++
++	if agentconfig.GuestAttributesEnabled() && !agentconfig.DisableInventoryWrite() {
++		clog.Infof(ctx, "Writing inventory to guest attributes")
  		write(ctx, state, inventoryURL)
+ 	}
++
  	c.report(ctx, state)
+ }
 diff --git a/config/exec_resource.go b/config/exec_resource.go
 index 18eaac9..a51416d 100644
 --- a/config/exec_resource.go
 +++ b/config/exec_resource.go
@@ -31,7 +31,7 @@ import (
  	agentendpointpb "google.golang.org/genproto/googleapis/cloud/osconfig/agentendpoint/v1"
+ )
--const maxExecOutputSize = 100 * 1024
++const maxExecOutputSize = 500 * 1024
  var runner = util.CommandRunner(&util.DefaultRunner{})
 diff --git a/debian/changelog b/debian/changelog
 index 1aae5cb..2a86e29 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,10 @@
++google-osconfig-agent (20240320.00-0ubuntu2) oracular; urgency=medium
++
++  * New upstream version for upstream tag 20240524.03. (LP: #2073161)
++    * d/patches - Edit TestAptRepositories to avail of GPG signing
++
++ -- Chloé 'kajiya' Smith <chloe.smith@canonical.com>  Mon, 15 Jul 2024 21:28:39 +0100
++
  google-osconfig-agent (20240320.00-0ubuntu1) oracular; urgency=medium
    [ Chloé 'kajiya' Smith ]
 diff --git a/debian/patches/0002-Edit-TestAptRepositories-for-signed-repos.patch b/debian/patches/0002-Edit-TestAptRepositories-for-signed-repos.patch
 new file mode 100644
 index 0000000..f0f7def
 --- /dev/null
 +++ b/debian/patches/0002-Edit-TestAptRepositories-for-signed-repos.patch
@@ -0,0 +1,29 @@
++Subject: Edit TestAptRepositories to avail of "[signed-by=<managed-GPG-file>]"
++Description: The test `TestAptRepositories` was not taking into account that
++the managed repo files are signed by a (managed) .gpg file. This patch
++adds that snippet into the expected output so the tests pass and the
++package can build.
++Author: Chloé 'kajiya' Smith <chloe.smith@canonical.com>
++Forwarded: not-needed
++Last-Update: 2024-07-15
++---
++--- a/policies/apt_test.go
+++++ b/policies/apt_test.go
++@@ -58,7 +58,7 @@
++ 			[]*agentendpointpb.AptRepository{
++ 				{Uri: "http://repo1-url/", Distribution: "distribution", Components: []string{"component1"}},
++ 			},
++-			"# Repo file managed by Google OSConfig agent\n\ndeb http://repo1-url/ distribution component1\n",
+++			"# Repo file managed by Google OSConfig agent\n\ndeb [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo1-url/ distribution component1\n",
++ 		},
++ 		{
++ 			"2 repos",
++@@ -66,7 +66,7 @@
++ 				{Uri: "http://repo1-url/", Distribution: "distribution", Components: []string{"component1"}, ArchiveType: agentendpointpb.AptRepository_DEB_SRC},
++ 				{Uri: "http://repo2-url/", Distribution: "distribution", Components: []string{"component1", "component2"}, ArchiveType: agentendpointpb.AptRepository_DEB},
++ 			},
++-			"# Repo file managed by Google OSConfig agent\n\ndeb-src http://repo1-url/ distribution component1\n\ndeb http://repo2-url/ distribution component1 component2\n",
+++			"# Repo file managed by Google OSConfig agent\n\ndeb-src [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo1-url/ distribution component1\n\ndeb [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo2-url/ distribution component1 component2\n",
++ 		},
++ 	}
++
 diff --git a/debian/patches/series b/debian/patches/series
 index 8ec831e..e5f81ee 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -1 +1,2 @@
 -Disable-TestGetAptGPGKey-for-LP-build-environment.patch
++0002-Edit-TestAptRepositories-for-signed-repos.patch
 diff --git a/e2e_tests/test_suites/guestpolicies/guest_policies_utils.go b/e2e_tests/test_suites/guestpolicies/guest_policies_utils.go
 index cc5eb98..0fcd991 100644
 --- a/e2e_tests/test_suites/guestpolicies/guest_policies_utils.go
 +++ b/e2e_tests/test_suites/guestpolicies/guest_policies_utils.go
@@ -67,7 +67,7 @@ while true; do
    sleep 5
  done`
--		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(), waitForRestartLinux, packageName, packageInstalled, packageNotInstalled)
++		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(image), waitForRestartLinux, packageName, packageInstalled, packageNotInstalled)
  		key = "startup-script"
  	case "yum":
@@ -150,6 +150,11 @@ func getUpdateStartupScript(image, pkgManager string) *computeApi.MetadataItems
  	case "apt":
  		ss = `
  echo 'Adding test repo'
++
++# install gnupg2 if not exist
++apt-get update
++apt-get install -y gnupg2
++
  echo 'deb http://packages.cloud.google.com/apt osconfig-agent-test-repository main' >> /etc/apt/sources.list
  curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
  while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do
@@ -171,7 +176,7 @@ while true; do
    sleep 5;
  done`
--		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(), waitForRestartLinux, packageInstalled, packageNotInstalled)
++		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(image), waitForRestartLinux, packageInstalled, packageNotInstalled)
  		key = "startup-script"
  	case "yum":
@@ -304,7 +309,7 @@ while ($true) {
  	case "cos":
  		script = fmt.Sprintf("%s\n%s\n%s", utils.CurlPost, waitForRestartLinux, scriptLinux)
  	case "apt":
--		script = fmt.Sprintf("%s\n%s\n%s", utils.InstallOSConfigDeb(), waitForRestartLinux, scriptLinux)
++		script = fmt.Sprintf("%s\n%s\n%s", utils.InstallOSConfigDeb(image), waitForRestartLinux, scriptLinux)
  	case "yum":
  		script = fmt.Sprintf("%s\n%s\n%s", utils.InstallOSConfigEL(image), waitForRestartLinux, scriptLinux)
  	case "zypper":
@@ -397,7 +402,7 @@ while ($true) {
  	case "cos":
  		script = fmt.Sprintf("%s\n%s\n%s", utils.CurlPost, waitForRestartLinux, scriptLinux)
  	case "apt":
--		script = fmt.Sprintf("%s\n%s\n%s", utils.InstallOSConfigDeb(), waitForRestartLinux, scriptLinux)
++		script = fmt.Sprintf("%s\n%s\n%s", utils.InstallOSConfigDeb(image), waitForRestartLinux, scriptLinux)
  	case "yum":
  		// A dependancy package for ed-1.1-3.3.el6.x86_64.rpm which is used in Enterprise-Linux Recipe steps tests
  		yumInstallInfoPackage := fmt.Sprintf("\n%s\n", "yum install -y info")
 diff --git a/e2e_tests/test_suites/inventory/test_setup.go b/e2e_tests/test_suites/inventory/test_setup.go
 index 05580c2..d75e8ad 100644
 --- a/e2e_tests/test_suites/inventory/test_setup.go
 +++ b/e2e_tests/test_suites/inventory/test_setup.go
@@ -45,9 +45,23 @@ var (
  		timeout:     30 * time.Minute,
+ 	}
--	aptSetup = &inventoryTestSetup{
++	busterAptSetup = &inventoryTestSetup{
  		packageType: []string{"deb"},
--		startup:     compute.BuildInstanceMetadataItem("startup-script", utils.InstallOSConfigDeb()),
++		startup:     compute.BuildInstanceMetadataItem("startup-script", utils.InstallOSConfigDeb("debian-10")),
++		machineType: "e2-standard-2",
++		timeout:     25 * time.Minute,
++	}
++
++	bullseyeAptSetup = &inventoryTestSetup{
++		packageType: []string{"deb"},
++		startup:     compute.BuildInstanceMetadataItem("startup-script", utils.InstallOSConfigDeb("debian-11")),
++		machineType: "e2-standard-2",
++		timeout:     25 * time.Minute,
++	}
++
++	bookwormAptSetup = &inventoryTestSetup{
++		packageType: []string{"deb"},
++		startup:     compute.BuildInstanceMetadataItem("startup-script", utils.InstallOSConfigDeb("debian-12")),
  		machineType: "e2-standard-2",
  		timeout:     25 * time.Minute,
+ 	}
@@ -90,12 +104,14 @@ var (
  func headImageTestSetup() (setup []*inventoryTestSetup) {
  	// This maps a specific inventoryTestSetup to test setup names and associated images.
  	headTestSetupMapping := map[*inventoryTestSetup]map[string]string{
--		windowsSetup: utils.HeadWindowsImages,
--		el7Setup:     utils.HeadEL7Images,
--		el8Setup:     utils.HeadEL8Images,
--		el9Setup:     utils.HeadEL9Images,
--		aptSetup:     utils.HeadAptImages,
--		suseSetup:    utils.HeadSUSEImages,
++		windowsSetup:     utils.HeadWindowsImages,
++		el7Setup:         utils.HeadEL7Images,
++		el8Setup:         utils.HeadEL8Images,
++		el9Setup:         utils.HeadEL9Images,
++		busterAptSetup:   utils.HeadBusterAptImages,
++		bullseyeAptSetup: utils.HeadBullseyeAptImages,
++		bookwormAptSetup: utils.HeadBookwormAptImages,
++		suseSetup:        utils.HeadSUSEImages,
+ 	}
  	// TODO: remove this hack and setup specific test suites for each test type.
 diff --git a/e2e_tests/test_suites/inventoryreporting/test_setup.go b/e2e_tests/test_suites/inventoryreporting/test_setup.go
 index 319ebf4..21f6a6e 100644
 --- a/e2e_tests/test_suites/inventoryreporting/test_setup.go
 +++ b/e2e_tests/test_suites/inventoryreporting/test_setup.go
@@ -110,31 +110,10 @@ var (
  		},
+ 	}
--	aptSetup = &inventoryTestSetup{
--		packageType: []string{"deb"},
--		startup:     compute.BuildInstanceMetadataItem("startup-script", getStartupScriptDeb()),
--		machineType: "e2-medium",
--		timeout:     25 * time.Minute,
--		itemCheck: func(items map[string]*osconfigpb.Inventory_Item) error {
--			var bashFound bool
--			var cowsayFound bool
--			for _, item := range items {
--				if item.GetInstalledPackage().GetAptPackage().GetPackageName() == "bash" {
--					bashFound = true
--				}
--				if item.GetAvailablePackage().GetAptPackage().GetPackageName() == "cowsay" {
--					cowsayFound = true
--				}
--			}
--			if !bashFound {
--				return errors.New("did not find 'bash' in installed packages")
--			}
--			if !cowsayFound {
--				return errors.New("did not find 'cowsay' in available packages")
--			}
--			return nil
--		},
--	}
++	// apt setup
++	busterAptSetup   = createAptSetup("debian-10")
++	bullseyeAptSetup = createAptSetup("debian-11")
++	bookwormAptSetup = createAptSetup("debian-12")
  	yumBashInstalledCheck = func(items map[string]*osconfigpb.Inventory_Item) error {
  		var bashFound bool
@@ -221,6 +200,34 @@ var (
+ 	}
+ )
++func createAptSetup(image string) *inventoryTestSetup {
++	return &inventoryTestSetup{
++		packageType: []string{"deb"},
++		startup:     compute.BuildInstanceMetadataItem("startup-script", getStartupScriptDeb(image)),
++		machineType: "e2-medium",
++		timeout:     25 * time.Minute,
++		itemCheck: func(items map[string]*osconfigpb.Inventory_Item) error {
++			var bashFound bool
++			var cowsayFound bool
++			for _, item := range items {
++				if item.GetInstalledPackage().GetAptPackage().GetPackageName() == "bash" {
++					bashFound = true
++				}
++				if item.GetAvailablePackage().GetAptPackage().GetPackageName() == "cowsay" {
++					cowsayFound = true
++				}
++			}
++			if !bashFound {
++				return errors.New("did not find 'bash' in installed packages")
++			}
++			if !cowsayFound {
++				return errors.New("did not find 'cowsay' in available packages")
++			}
++			return nil
++		},
++	}
++}
++
  func getStartupScriptEL(image string) string {
  	ss := `
  echo 'Adding test repo'
@@ -243,9 +250,14 @@ done
  	return fmt.Sprintf(ss, utils.InstallOSConfigEL(image))
+ }
--func getStartupScriptDeb() string {
++func getStartupScriptDeb(image string) string {
  	ss := `
  echo 'Adding test repo'
++
++# install gnupg2 if not exist
++apt-get update
++apt-get install -y gnupg2
++
  echo 'deb http://packages.cloud.google.com/apt osconfig-agent-test-repository main' >> /etc/apt/sources.list
  curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
  while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do
@@ -254,7 +266,7 @@ done
  apt-get update
  apt-get -y install cowsay=3.03+dfsg1-10 || exit 1
  %s`
--	return fmt.Sprintf(ss, utils.InstallOSConfigDeb())
++	return fmt.Sprintf(ss, utils.InstallOSConfigDeb(image))
+ }
  func getStartupScriptGoo() string {
@@ -284,12 +296,14 @@ zypper -n --no-gpg-checks install cowsay-3.03-20.el7
  func headImageTestSetup() (setup []*inventoryTestSetup) {
  	// This maps a specific inventoryTestSetup to test setup names and associated images.
  	headTestSetupMapping := map[*inventoryTestSetup]map[string]string{
--		windowsSetup: utils.HeadWindowsImages,
--		el7Setup:     utils.HeadEL7Images,
--		el8Setup:     utils.HeadEL8Images,
--		el9Setup:     utils.HeadEL9Images,
--		aptSetup:     utils.HeadAptImages,
--		suseSetup:    utils.HeadSUSEImages,
++		windowsSetup:     utils.HeadWindowsImages,
++		el7Setup:         utils.HeadEL7Images,
++		el8Setup:         utils.HeadEL8Images,
++		el9Setup:         utils.HeadEL9Images,
++		busterAptSetup:   utils.HeadBusterAptImages,
++		bullseyeAptSetup: utils.HeadBullseyeAptImages,
++		bookwormAptSetup: utils.HeadBookwormAptImages,
++		suseSetup:        utils.HeadSUSEImages,
+ 	}
  	// TODO: remove this hack and setup specific test suites for each test type.
 diff --git a/e2e_tests/test_suites/ospolicies/ospolicies_test_data.go b/e2e_tests/test_suites/ospolicies/ospolicies_test_data.go
 index 59bf937..da99bde 100644
 --- a/e2e_tests/test_suites/ospolicies/ospolicies_test_data.go
 +++ b/e2e_tests/test_suites/ospolicies/ospolicies_test_data.go
@@ -1383,7 +1383,7 @@ func buildLinuxExecResourceTests(name, image, pkgManager, key string) *osPolicyT
  										},
  										Enforce: &osconfigpb.OSPolicy_Resource_ExecResource_Exec{
  											Source: &osconfigpb.OSPolicy_Resource_ExecResource_Exec_Script{
--												Script: fmt.Sprintf("head -c 200KB /dev/zero > %s\nexit 100", checkPaths[5]),
++												Script: fmt.Sprintf("head -c 1000KB /dev/zero > %s\nexit 100", checkPaths[5]),
  											},
  											Interpreter:    osconfigpb.OSPolicy_Resource_ExecResource_Exec_SHELL,
  											OutputFilePath: checkPaths[5],
@@ -1457,7 +1457,7 @@ func buildLinuxExecResourceTests(name, image, pkgManager, key string) *osPolicyT
  						},
+ 						{
  							Type:         osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_OSPolicyResourceConfigStep_DESIRED_STATE_ENFORCEMENT,
--							ErrorMessage: `Enforce state: resource "exec-output-too-large" error: contents of OutputFilePath greater than 100K`,
++							ErrorMessage: `Enforce state: resource "exec-output-too-large" error: contents of OutputFilePath greater than 500K`,
  						},
+ 						{
  							Type: osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_OSPolicyResourceConfigStep_DESIRED_STATE_CHECK_POST_ENFORCEMENT,
@@ -1466,7 +1466,7 @@ func buildLinuxExecResourceTests(name, image, pkgManager, key string) *osPolicyT
  					ComplianceState: osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_COMPLIANT,
  					Output: &osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_ExecResourceOutput_{
  						ExecResourceOutput: &osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_ExecResourceOutput{
--							EnforcementOutput: make([]byte, 100*1024),
++							EnforcementOutput: make([]byte, 500*1024),
  						},
  					},
  				},
@@ -1725,7 +1725,7 @@ func buildWindowsExecResourceTests(name, image, pkgManager, key string) *osPolic
  										},
  										Enforce: &osconfigpb.OSPolicy_Resource_ExecResource_Exec{
  											Source: &osconfigpb.OSPolicy_Resource_ExecResource_Exec_Script{
--												Script: fmt.Sprintf("fsutil file createnew %s 200000\nexit 100", checkPaths[7]),
++												Script: fmt.Sprintf("fsutil file createnew %s 1000000\nexit 100", checkPaths[7]),
  											},
  											Interpreter:    osconfigpb.OSPolicy_Resource_ExecResource_Exec_SHELL,
  											OutputFilePath: checkPaths[7],
@@ -1809,7 +1809,7 @@ func buildWindowsExecResourceTests(name, image, pkgManager, key string) *osPolic
  						},
+ 						{
  							Type:         osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_OSPolicyResourceConfigStep_DESIRED_STATE_ENFORCEMENT,
--							ErrorMessage: `Enforce state: resource "exec-output-too-large" error: contents of OutputFilePath greater than 100K`,
++							ErrorMessage: `Enforce state: resource "exec-output-too-large" error: contents of OutputFilePath greater than 500K`,
  						},
+ 						{
  							Type: osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_OSPolicyResourceConfigStep_DESIRED_STATE_CHECK_POST_ENFORCEMENT,
@@ -1818,7 +1818,7 @@ func buildWindowsExecResourceTests(name, image, pkgManager, key string) *osPolic
  					ComplianceState: osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_COMPLIANT,
  					Output: &osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_ExecResourceOutput_{
  						ExecResourceOutput: &osconfigpb.OSPolicyAssignmentReport_OSPolicyCompliance_OSPolicyResourceCompliance_ExecResourceOutput{
--							EnforcementOutput: make([]byte, 100*1024),
++							EnforcementOutput: make([]byte, 500*1024),
  						},
  					},
  				},
 diff --git a/e2e_tests/test_suites/ospolicies/ospolicies_utils.go b/e2e_tests/test_suites/ospolicies/ospolicies_utils.go
 index 21c7cd4..af91080 100644
 --- a/e2e_tests/test_suites/ospolicies/ospolicies_utils.go
 +++ b/e2e_tests/test_suites/ospolicies/ospolicies_utils.go
@@ -31,6 +31,7 @@ func getStartupScriptPackage(image, pkgManager string) *computeApi.MetadataItems
  		wantRemove := "vim"
  		ss = `set -x
  # install the package we want removed
++apt-get update
  apt-get -y install %[2]s
  # remove the package we want installed
  apt-get -y remove %[3]s
@@ -57,7 +58,7 @@ while true; do
    sleep 10
  done`
--		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(), wantRemove, wantInstall, packageInstalled, packageNotInstalled)
++		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(image), wantRemove, wantInstall, packageInstalled, packageNotInstalled)
  		key = "startup-script"
  	case "deb":
@@ -81,7 +82,7 @@ while true; do
    fi
    sleep 10
  done`
--		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(), wantInstall[0], wantInstall[1], packageInstalled)
++		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(image), wantInstall[0], wantInstall[1], packageInstalled)
  		key = "startup-script"
  	case "yum":
@@ -241,7 +242,7 @@ while true; do
    sleep 10
  done`
--		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(), packageName, packageInstalled)
++		ss = fmt.Sprintf(ss, utils.InstallOSConfigDeb(image), packageName, packageInstalled)
  		key = "startup-script"
  	case "yum":
@@ -331,7 +332,7 @@ curl -X PUT --data "1" $uri -H "Metadata-Flavor: Google"`, fileExists)
  	switch pkgManager {
  	case "apt":
--		ss = fmt.Sprintf(linux, dnePath, utils.InstallOSConfigDeb(), fileDNE)
++		ss = fmt.Sprintf(linux, dnePath, utils.InstallOSConfigDeb(image), fileDNE)
  		for _, p := range wantPaths {
  			ss += fmt.Sprintf(linuxCheck, p)
+ 		}
@@ -424,7 +425,7 @@ curl -X PUT --data "1" $uri -H "Metadata-Flavor: Google"`, fileExists)
  	switch pkgManager {
  	case "apt":
--		ss = linux + utils.InstallOSConfigDeb() + linuxChecks + linuxEnd
++		ss = linux + utils.InstallOSConfigDeb(image) + linuxChecks + linuxEnd
  		key = "startup-script"
  	case "yum":
 diff --git a/e2e_tests/test_suites/patch/test_setup.go b/e2e_tests/test_suites/patch/test_setup.go
 index f2b701c..3728501 100644
 --- a/e2e_tests/test_suites/patch/test_setup.go
 +++ b/e2e_tests/test_suites/patch/test_setup.go
@@ -100,61 +100,76 @@ echo 'Pin-priority: 9999' >> /etc/apt/preferences
  		},
  		machineType: "e2-standard-4",
+ 	}
--	aptSetup = &patchTestSetup{
++
++	// apt setup
++	busterAptSetup   = createAptPatchTestSetup("debian-10")
++	bullseyeAptSetup = createAptPatchTestSetup("debian-11")
++	bookwormAptSetup = createAptPatchTestSetup("debian-12")
++
++	// apt Downgrade setup
++	bullseyeAptDowngradeSetup = createAptDowngradeSetup("debian-11")
++
++	el7Setup = &patchTestSetup{
  		assertTimeout: 30 * time.Minute,
  		metadata: []*computeApi.MetadataItems{
--			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigDeb()+linuxLocalPrePatchScript),
++			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigEL7()+linuxLocalPrePatchScript),
  			enableOsconfig,
  			disableFeatures,
  		},
  		machineType: "e2-medium",
+ 	}
--	aptDowngradeSetup = &patchTestSetup{
++	el8Setup = &patchTestSetup{
  		assertTimeout: 30 * time.Minute,
  		metadata: []*computeApi.MetadataItems{
--			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigDeb()+linuxLocalPrePatchScript+setUpDowngradeState),
++			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigEL8()+linuxLocalPrePatchScript),
  			enableOsconfig,
  			disableFeatures,
  		},
  		machineType: "e2-medium",
+ 	}
--	el7Setup = &patchTestSetup{
++	el9Setup = &patchTestSetup{
  		assertTimeout: 30 * time.Minute,
  		metadata: []*computeApi.MetadataItems{
--			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigEL7()+linuxLocalPrePatchScript),
++			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigEL9()+linuxLocalPrePatchScript),
  			enableOsconfig,
  			disableFeatures,
  		},
  		machineType: "e2-medium",
+ 	}
--	el8Setup = &patchTestSetup{
++	suseSetup = &patchTestSetup{
  		assertTimeout: 30 * time.Minute,
  		metadata: []*computeApi.MetadataItems{
--			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigEL8()+linuxLocalPrePatchScript),
++			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigSUSE()+linuxLocalPrePatchScript),
  			enableOsconfig,
  			disableFeatures,
  		},
  		machineType: "e2-medium",
+ 	}
--	el9Setup = &patchTestSetup{
++)
++
++func createAptPatchTestSetup(image string) *patchTestSetup {
++	return &patchTestSetup{
  		assertTimeout: 30 * time.Minute,
  		metadata: []*computeApi.MetadataItems{
--			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigEL9()+linuxLocalPrePatchScript),
++			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigDeb(image)+linuxLocalPrePatchScript),
  			enableOsconfig,
  			disableFeatures,
  		},
  		machineType: "e2-medium",
+ 	}
--	suseSetup = &patchTestSetup{
++}
++
++func createAptDowngradeSetup(image string) *patchTestSetup {
++	return &patchTestSetup{
  		assertTimeout: 30 * time.Minute,
  		metadata: []*computeApi.MetadataItems{
--			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigSUSE()+linuxLocalPrePatchScript),
++			compute.BuildInstanceMetadataItem("startup-script", linuxRecordBoot+utils.InstallOSConfigDeb(image)+linuxLocalPrePatchScript+setUpDowngradeState),
  			enableOsconfig,
  			disableFeatures,
  		},
  		machineType: "e2-medium",
+ 	}
--)
++}
  func imageTestSetup(mapping map[*patchTestSetup]map[string]string) (setup []*patchTestSetup) {
  	for s, m := range mapping {
@@ -171,12 +186,14 @@ func imageTestSetup(mapping map[*patchTestSetup]map[string]string) (setup []*pat
  func headImageTestSetup() []*patchTestSetup {
  	// This maps a specific patchTestSetup to test setup names and associated images.
  	mapping := map[*patchTestSetup]map[string]string{
--		windowsSetup: utils.HeadWindowsImages,
--		el7Setup:     utils.HeadEL7Images,
--		el8Setup:     utils.HeadEL8Images,
--		el9Setup:     utils.HeadEL9Images,
--		aptSetup:     utils.HeadAptImages,
--		suseSetup:    utils.HeadSUSEImages,
++		windowsSetup:     utils.HeadWindowsImages,
++		el7Setup:         utils.HeadEL7Images,
++		el8Setup:         utils.HeadEL8Images,
++		el9Setup:         utils.HeadEL9Images,
++		busterAptSetup:   utils.HeadBusterAptImages,
++		bullseyeAptSetup: utils.HeadBullseyeAptImages,
++		bookwormAptSetup: utils.HeadBookwormAptImages,
++		suseSetup:        utils.HeadSUSEImages,
+ 	}
  	return imageTestSetup(mapping)
@@ -189,7 +206,6 @@ func oldImageTestSetup() []*patchTestSetup {
  		el7Setup:     utils.OldEL7Images,
  		el8Setup:     utils.OldEL8Images,
  		el9Setup:     utils.OldEL9Images,
--		aptSetup:     utils.OldAptImages,
  		suseSetup:    utils.OldSUSEImages,
+ 	}
@@ -199,7 +215,9 @@ func oldImageTestSetup() []*patchTestSetup {
  func aptHeadImageTestSetup() []*patchTestSetup {
  	// This maps a specific patchTestSetup to test setup names and associated images.
  	mapping := map[*patchTestSetup]map[string]string{
--		aptSetup: utils.HeadAptImages,
++		busterAptSetup:   utils.HeadBusterAptImages,
++		bullseyeAptSetup: utils.HeadBullseyeAptImages,
++		busterAptSetup:   utils.HeadBookwormAptImages,
+ 	}
  	return imageTestSetup(mapping)
@@ -208,7 +226,7 @@ func aptHeadImageTestSetup() []*patchTestSetup {
  func aptDowngradeImageTestSetup() []*patchTestSetup {
  	// This maps a specific patchTestSetup to test setup names and associated images.
  	mapping := map[*patchTestSetup]map[string]string{
--		aptDowngradeSetup: utils.DowngradeAptImages,
++		bullseyeAptDowngradeSetup: utils.DowngradeBullseyeAptImages,
+ 	}
  	return imageTestSetup(mapping)
 diff --git a/e2e_tests/utils/utils.go b/e2e_tests/utils/utils.go
 index c37619d..d288a3f 100644
 --- a/e2e_tests/utils/utils.go
 +++ b/e2e_tests/utils/utils.go
@@ -108,18 +108,24 @@ EOM`
+ )
  // InstallOSConfigDeb installs the osconfig agent on deb based systems.
--func InstallOSConfigDeb() string {
++func InstallOSConfigDeb(image string) string {
  	if config.AgentRepo() == "" {
  		return CurlPost
+ 	}
++	osName := getDebOsName(image)
  	return fmt.Sprintf(`
  sleep 10
  systemctl stop google-osconfig-agent
--echo 'deb http://packages.cloud.google.com/apt google-osconfig-agent-%s main' >> /etc/apt/sources.list
++
++# install gnupg2 if not exist
++apt-get update
++apt-get install -y gnupg2
++
++echo 'deb http://packages.cloud.google.com/apt google-osconfig-agent-%s-%s main' >> /etc/apt/sources.list
  curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
  apt-get update
  apt-get install -y google-osconfig-agent
--systemctl start google-osconfig-agent`+CurlPost, config.AgentRepo())
++systemctl start google-osconfig-agent`+CurlPost, osName, config.AgentRepo())
+ }
  // InstallOSConfigGooGet installs the osconfig agent on Windows systems.
@@ -191,58 +197,78 @@ func InstallOSConfigEL7() string {
  	return fmt.Sprintf(yumRepoSetup+yumInstallAgent, "el7", config.AgentRepo(), 0)
+ }
++// containsAnyOf checks if a string contains any substring from a given list.
++func containsAnyOf(str string, substrings []string) bool {
++	for _, substring := range substrings {
++		if strings.Contains(str, substring) {
++			return true
++		}
++	}
++	return false
++}
++
  // InstallOSConfigEL installs the osconfig agent on el based systems.
  func InstallOSConfigEL(image string) string {
++	imageName := path.Base(image)
  	switch {
--	case strings.Contains(path.Base(image), "9"):
++	case image == "9" || containsAnyOf(imageName, []string{"rhel-9", "rhel-sap-9", "centos-stream-9", "rocky-linux-9"}):
  		return InstallOSConfigEL9()
--	case strings.Contains(path.Base(image), "8"):
++	case image == "8" || containsAnyOf(imageName, []string{"rhel-8", "rhel-sap-8", "centos-stream-8", "rocky-linux-8"}):
  		return InstallOSConfigEL8()
--	case strings.Contains(path.Base(image), "7"):
++	case image == "7" || containsAnyOf(imageName, []string{"rhel-7", "rhel-sap-7", "centos-7"}):
  		return InstallOSConfigEL7()
+ 	}
  	return ""
+ }
--// DowngradeAptImages is a single image that are used for testing downgrade case with apt-get
--var DowngradeAptImages = map[string]string{
--	"debian-cloud/debian-10": "projects/debian-cloud/global/images/debian-10-buster-v20231010",
++// getDebOsType returns the equivalent os_name for deb version (e.g. debian-11 --> bullseye)
++func getDebOsName(image string) string {
++	imageName := path.Base(image)
++	switch {
++	case image == "10" || containsAnyOf(imageName, []string{"debian-10", "buster"}):
++		return "buster"
++	case image == "11" || containsAnyOf(imageName, []string{"debian-11", "bullseye"}):
++		return "bullseye"
++	case image == "12" || containsAnyOf(imageName, []string{"debian-12", "bookworm"}):
++		return "bookworm"
++	}
++	return ""
+ }
--// HeadAptImages is a map of names to image paths for public image families that use APT.
--var HeadAptImages = map[string]string{
--	// Debian images.
++// DowngradeBullseyeAptImages is a single image that are used for testing downgrade case with apt-get
++var DowngradeBullseyeAptImages = map[string]string{
  	"debian-cloud/debian-11": "projects/debian-cloud/global/images/debian-11-bullseye-v20231010",
--	"debian-cloud/debian-12": "projects/debian-cloud/global/images/debian-12-bookworm-v20231010",
++}
--	// Ubuntu images.
--	"ubuntu-os-cloud/ubuntu-2304": "projects/ubuntu-os-cloud/global/images/ubuntu-2304-lunar-amd64-v20231020",
--	"ubuntu-os-cloud/ubuntu-2314": "projects/ubuntu-os-cloud/global/images/ubuntu-2310-mantic-amd64-v20231011",
++// HeadBusterAptImages empty for now as debian-10 wil reach EOL and some of its repos are not reachable anymore.
++var HeadBusterAptImages = map[string]string{
++	// Debian images.
+ }
--// OldAptImages is a map of names to image paths for old (deprecated) images that use APT.
--var OldAptImages = map[string]string{
++// HeadBullseyeAptImages is a map of names to image paths for public debian-11 images
++var HeadBullseyeAptImages = map[string]string{
  	// Debian images.
--	"old/debian-10": "projects/debian-cloud/global/images/debian-10-buster-v20231010",
++	"debian-cloud/debian-11": "projects/debian-cloud/global/images/family/debian-11",
++}
--	// Ubuntu images.
--	"old/ubuntu-2004": "projects/ubuntu-os-cloud/global/images/ubuntu-2004-focal-v20230918",
++// HeadBookwormAptImages is a map of names to image paths for public debian-12 images
++var HeadBookwormAptImages = map[string]string{
++	// Debian images.
++	"debian-cloud/debian-12": "projects/debian-cloud/global/images/family/debian-12",
+ }
  // HeadSUSEImages is a map of names to image paths for public SUSE images.
  var HeadSUSEImages = map[string]string{
--	"suse-cloud/sles-12-sp5": "projects/suse-cloud/global/images/sles-12-sp5-v20230807-x86-64",
--	"suse-cloud/sles-15-sp5": "projects/suse-cloud/global/images/sles-15-sp5-v20230921-x86-64",
++	"suse-cloud/sles-12-sp5": "projects/suse-cloud/global/images/family/sles-12",
++	"suse-cloud/sles-15-sp5": "projects/suse-cloud/global/images/family/sles-15",
--	"suse-sap-cloud/sles-12-sp5-sap": "projects/suse-sap-cloud/global/images/sles-12-sp5-sap-v20231019-x86-64",
--	"suse-sap-cloud/sles-15-sp5-sap": "projects/suse-sap-cloud/global/images/sles-15-sp5-sap-v20230921-x86-64",
++	"suse-sap-cloud/sles-12-sp5-sap": "projects/suse-sap-cloud/global/images/family/sles-12-sp5-sap",
++	"suse-sap-cloud/sles-15-sp5-sap": "projects/suse-sap-cloud/global/images/family/sles-15-sp5-sap",
--	"suse-sap-cloud/sles-15-sp4-hardened-sap": "projects/suse-sap-cloud/global/images/sles-sap-15-sp4-hardened-v20230828-x86-64",
--	"suse-sap-cloud/sles-15-sp5-hardened-sap": "projects/suse-sap-cloud/global/images/sles-sap-15-sp5-hardened-v20230921-x86-64",
++	"suse-sap-cloud/sles-15-sp5-hardened-sap": "projects/suse-sap-cloud/global/images/family/sles-sap-15-sp5-hardened",
--	"opensuse-cloud/opensuse-leap-15-4": "projects/opensuse-cloud/global/images/opensuse-leap-15-4-v20230907-x86-64",
--	"opensuse-cloud/opensuse-leap-15-5": "projects/opensuse-cloud/global/images/opensuse-leap-15-5-v20230908-x86-64",
++	"opensuse-cloud/opensuse-leap-15": "projects/opensuse-cloud/global/images/family/opensuse-leap",
+ }
  // OldSUSEImages is a map of names to image paths for old SUSE images.
@@ -255,11 +281,11 @@ var OldSUSEImages = map[string]string{
  // HeadEL7Images is a map of names to image paths for public EL7 image families. (RHEL, CentOS)
  var HeadEL7Images = map[string]string{
--	"centos-cloud/centos-7": "projects/centos-cloud/global/images/centos-7-v20231010",
++	"centos-cloud/centos-7": "projects/centos-cloud/global/images/family/centos-7",
--	"rhel-cloud/rhel-7": "projects/rhel-cloud/global/images/rhel-7-v20231010",
++	"rhel-cloud/rhel-7": "projects/rhel-cloud/global/images/family/rhel-7",
--	"rhel-sap-cloud/rhel-7-sap": "projects/rhel-sap-cloud/global/images/rhel-7-9-sap-v20231011",
++	"rhel-sap-cloud/rhel-7-9-sap": "projects/rhel-sap-cloud/global/images/family/rhel-7-9-sap-ha",
+ }
  // OldEL7Images is a map of names to image paths for old EL7 images.
@@ -269,18 +295,16 @@ var OldEL7Images = map[string]string{
  // HeadEL8Images is a map of names to image paths for public EL8 image families. (RHEL, CentOS, Rocky)
  var HeadEL8Images = map[string]string{
--	"centos-cloud/centos-stream-8": "projects/centos-cloud/global/images/centos-stream-8-v20231010",
++	"centos-cloud/centos-stream-8": "projects/centos-cloud/global/images/family/centos-stream-8",
--	"rhel-cloud/rhel-8": "projects/rhel-cloud/global/images/rhel-8-v20231010",
++	"rhel-cloud/rhel-8": "projects/rhel-cloud/global/images/family/rhel-8",
--	"rhel-sap-cloud/rhel-8-1-sap": "projects/rhel-sap-cloud/global/images/rhel-8-1-sap-v20231010",
--	"rhel-sap-cloud/rhel-8-2-sap": "projects/rhel-sap-cloud/global/images/rhel-8-2-sap-v20231010",
--	"rhel-sap-cloud/rhel-8-4-sap": "projects/rhel-sap-cloud/global/images/rhel-8-4-sap-v20231010",
--	"rhel-sap-cloud/rhel-8-6-sap": "projects/rhel-sap-cloud/global/images/rhel-8-6-sap-v20231010",
--	"rhel-sap-cloud/rhel-8-8-sap": "projects/rhel-sap-cloud/global/images/rhel-8-8-sap-v20231010",
++	"rhel-sap-cloud/rhel-8-4-sap": "projects/rhel-sap-cloud/global/images/family/rhel-8-4-sap-ha",
++	"rhel-sap-cloud/rhel-8-6-sap": "projects/rhel-sap-cloud/global/images/family/rhel-8-6-sap-ha",
++	"rhel-sap-cloud/rhel-8-8-sap": "projects/rhel-sap-cloud/global/images/family/rhel-8-8-sap-ha",
--	"rocky-linux-cloud/rocky-linux-8":         "projects/rocky-linux-cloud/global/images/rocky-linux-8-v20231010",
--	"rocky-linux-cloud/rocky-linux-8-opt-gcp": "projects/rocky-linux-cloud/global/images/rocky-linux-8-optimized-gcp-v20231010",
++	"rocky-linux-cloud/rocky-linux-8":               "projects/rocky-linux-cloud/global/images/family/rocky-linux-8",
++	"rocky-linux-cloud/rocky-linux-8-optimized-gcp": "projects/rocky-linux-cloud/global/images/family/rocky-linux-8-optimized-gcp",
+ }
  // OldEL8Images is a map of names to image paths for old EL8 images. (RHEL, CentOS, Rocky)
@@ -290,15 +314,15 @@ var OldEL8Images = map[string]string{
  // HeadEL9Images is a map of names to image paths for public EL9 image families. (RHEL, CentOS, Rocky)
  var HeadEL9Images = map[string]string{
--	"centos-cloud/centos-stream-9": "projects/centos-cloud/global/images/centos-stream-9-v20231010",
++	"centos-cloud/centos-stream-9": "projects/centos-cloud/global/images/family/centos-stream-9",
--	"rhel-cloud/rhel-9": "projects/rhel-cloud/global/images/rhel-9-v20231010",
++	"rhel-cloud/rhel-9": "projects/rhel-cloud/global/images/family/rhel-9",
--	"rhel-sap-cloud/rhel-9-0-sap": "projects/rhel-sap-cloud/global/images/rhel-9-0-sap-v20231010",
--	"rhel-sap-cloud/rhel-9-2-sap": "projects/rhel-sap-cloud/global/images/rhel-9-2-sap-v20231010",
++	"rhel-sap-cloud/rhel-9-0-sap": "projects/rhel-sap-cloud/global/images/family/rhel-9-0-sap-ha",
++	"rhel-sap-cloud/rhel-9-2-sap": "projects/rhel-sap-cloud/global/images/family/rhel-9-2-sap-ha",
--	"rocky-linux-cloud/rocky-linux-9":         "projects/rocky-linux-cloud/global/images/rocky-linux-9-v20231010",
--	"rocky-linux-cloud/rocky-linux-9-opt-gcp": "projects/rocky-linux-cloud/global/images/rocky-linux-9-optimized-gcp-v20231010",
++	"rocky-linux-cloud/rocky-linux-9":               "projects/rocky-linux-cloud/global/images/family/rocky-linux-9",
++	"rocky-linux-cloud/rocky-linux-9-optimized-gcp": "projects/rocky-linux-cloud/global/images/family/rocky-linux-9-optimized-gcp",
+ }
  // OldEL9Images is a map of names to image paths for old EL9 images. (RHEL, CentOS, Rocky)
@@ -321,14 +345,34 @@ var HeadELImages = func() (newMap map[string]string) {
  	return
  }()
++// HeadAptImages is a map of names to image paths for public EL image families. (RHEL, CentOS, Rocky)
++var HeadAptImages = func() (newMap map[string]string) {
++	newMap = make(map[string]string)
++	for k, v := range HeadBusterAptImages {
++		newMap[k] = v
++	}
++	for k, v := range HeadBullseyeAptImages {
++		newMap[k] = v
++	}
++	for k, v := range HeadBookwormAptImages {
++		newMap[k] = v
++	}
++	return
++}()
++
  // HeadWindowsImages is a map of names to image paths for public Windows image families.
  var HeadWindowsImages = map[string]string{
--	"windows-cloud/win-2016-dc-core": "projects/windows-cloud/global/images/windows-server-2016-dc-core-v20231011",
--	"windows-cloud/win-2016-dc":      "projects/windows-cloud/global/images/windows-server-2016-dc-v20231011",
--	"windows-cloud/win-2019-dc-core": "projects/windows-cloud/global/images/windows-server-2019-dc-core-v20231011",
--	"windows-cloud/win-2019-dc":      "projects/windows-cloud/global/images/windows-server-2019-dc-v20231011",
--	"windows-cloud/win-2022-dc-core": "projects/windows-cloud/global/images/windows-server-2022-dc-core-v20231011",
--	"windows-cloud/win-2022-dc":      "projects/windows-cloud/global/images/windows-server-2022-dc-v20231011",
++	"windows-cloud/windows-2016":      "projects/windows-cloud/global/images/family/windows-2016",
++	"windows-cloud/windows-2016-core": "projects/windows-cloud/global/images/family/windows-2016-core",
++	"windows-cloud/windows-2019":      "projects/windows-cloud/global/images/family/windows-2019",
++	"windows-cloud/windows-2019-core": "projects/windows-cloud/global/images/family/windows-2019-core",
++
++	// Testing of win-2022-dc disabled because of https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/faulty-patches-on-server-2022/m-p/4028125
++
++	/*
++		"windows-cloud/windows-2022":         "projects/windows-cloud/global/images/family/windows-2022",
++		"windows-cloud/windows-2022-core":    "projects/windows-cloud/global/images/family/windows-2022-core",
++	*/
+ }
  // OldWindowsImages is a map of names to image paths for old Windows images.
@@ -338,9 +382,9 @@ var OldWindowsImages = map[string]string{
  // HeadCOSImages is a map of names to image paths for public COS image families.
  var HeadCOSImages = map[string]string{
--	"cos-cloud/cos-stable": "projects/cos-cloud/global/images/cos-stable-109-17800-0-51",
--	"cos-cloud/cos-beta":   "projects/cos-cloud/global/images/cos-beta-109-17800-0-51",
--	"cos-cloud/cos-dev":    "projects/cos-cloud/global/images/cos-dev-113-17965-0-0",
++	"cos-cloud/cos-stable": "projects/cos-cloud/global/images/family/cos-stable",
++	"cos-cloud/cos-beta":   "projects/cos-cloud/global/images/family/cos-beta",
++	"cos-cloud/cos-dev":    "projects/cos-cloud/global/images/family/cos-dev",
+ }
  // RandString generates a random string of n length.
 diff --git a/examples/OSPolicyAssignments/console/CIS/cis-exclude-check-once-a-day.yaml b/examples/OSPolicyAssignments/console/CIS/cis-exclude-check-once-a-day.yaml
 index ed675d8..d1c74b7 100644
 --- a/examples/OSPolicyAssignments/console/CIS/cis-exclude-check-once-a-day.yaml
 +++ b/examples/OSPolicyAssignments/console/CIS/cis-exclude-check-once-a-day.yaml
@@ -1,8 +1,7 @@
  # An OS policy to opt-out of CIS check and check compliance status once a day.
--osPolicies:
--- id: exclude-cis-check-and-check-compliance-once-a-day-policy
--  mode: ENFORCEMENT
--  resourceGroups:
++id: exclude-cis-check-and-check-compliance-once-a-day-policy
++mode: ENFORCEMENT
++resourceGroups:
    - resources:
        id: exclude-cis-check-and-check-compliance-once-a-day
        exec:
 diff --git a/examples/OSPolicyAssignments/console/CIS/cis-level1-once-an-hour-policy.yaml b/examples/OSPolicyAssignments/console/CIS/cis-level1-once-an-hour-policy.yaml
 index 2b393b6..9b56f07 100644
 --- a/examples/OSPolicyAssignments/console/CIS/cis-level1-once-an-hour-policy.yaml
 +++ b/examples/OSPolicyAssignments/console/CIS/cis-level1-once-an-hour-policy.yaml
@@ -1,8 +1,7 @@
  # An OS policy to check CIS level 1 compliance once an hour.
--osPolicies:
--- id: ensure-cis-level1-compliance-once-an-hour-policy
--  mode: ENFORCEMENT
--  resourceGroups:
++id: ensure-cis-level1-compliance-once-an-hour-policy
++mode: ENFORCEMENT
++resourceGroups:
    - resources:
        id: ensure-cis-level1-compliance-once-an-hour
        exec:
 diff --git a/examples/OSPolicyAssignments/console/CIS/cis-level2-once-a-day-policy.yaml b/examples/OSPolicyAssignments/console/CIS/cis-level2-once-a-day-policy.yaml
 index 81314be..c77f451 100644
 --- a/examples/OSPolicyAssignments/console/CIS/cis-level2-once-a-day-policy.yaml
 +++ b/examples/OSPolicyAssignments/console/CIS/cis-level2-once-a-day-policy.yaml
@@ -1,8 +1,7 @@
  # An OS policy to check CIS level 2 compliance once a day.
--osPolicies:
--- id: ensure-cis-level2-compliance-once-a-day-policy
--  mode: ENFORCEMENT
--  resourceGroups:
++id: ensure-cis-level2-compliance-once-a-day-policy
++mode: ENFORCEMENT
++resourceGroups:
    - resources:
        id: ensure-cis-level2-compliance-once-a-day
        exec:
 diff --git a/go.mod b/go.mod
 index 7e6c171..88e1d72 100644
 --- a/go.mod
 +++ b/go.mod
@@ -1,6 +1,6 @@
  module github.com/GoogleCloudPlatform/osconfig
--go 1.21
++go 1.21.9
  require (
  	cloud.google.com/go/compute/metadata v0.2.3
@@ -11,16 +11,16 @@ require (
  	github.com/StackExchange/wmi v1.2.1
  	github.com/go-ole/go-ole v1.2.6
  	github.com/golang/mock v1.6.0
--	github.com/google/go-cmp v0.5.9
++	github.com/google/go-cmp v0.6.0
  	github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07
  	github.com/ulikunitz/xz v0.5.11
--	golang.org/x/crypto v0.17.0
++	golang.org/x/crypto v0.22.0
  	golang.org/x/oauth2 v0.7.0
--	golang.org/x/sys v0.15.0
++	golang.org/x/sys v0.19.0
  	google.golang.org/api v0.114.0
  	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
  	google.golang.org/grpc v1.56.3
--	google.golang.org/protobuf v1.30.0
++	google.golang.org/protobuf v1.33.0
+ )
  require (
@@ -31,17 +31,16 @@ require (
  	cloud.google.com/go/longrunning v0.4.1 // indirect
  	github.com/golang/glog v1.1.0 // indirect
  	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
--	github.com/golang/protobuf v1.5.3 // indirect
++	github.com/golang/protobuf v1.5.4 // indirect
  	github.com/google/uuid v1.3.0 // indirect
  	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
  	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
  	github.com/julienschmidt/httprouter v1.3.0 // indirect
--	github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
  	github.com/pkg/errors v0.9.1 // indirect
--	github.com/sirupsen/logrus v1.6.0 // indirect
++	github.com/sirupsen/logrus v1.9.3 // indirect
  	go.chromium.org/luci v0.0.0-20201204084249-3e81ee3e83fe // indirect
  	go.opencensus.io v0.24.0 // indirect
--	golang.org/x/net v0.17.0 // indirect
++	golang.org/x/net v0.23.0 // indirect
  	golang.org/x/sync v0.1.0 // indirect
  	golang.org/x/text v0.14.0 // indirect
  	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 diff --git a/go.sum b/go.sum
 index ac7a2ba..e8b587e 100644
 --- a/go.sum
 +++ b/go.sum
@@ -111,9 +111,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
  github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
  github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
  github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
--github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
--github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
--github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
++github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
++github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
  github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
  github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
  github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -124,9 +123,8 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
  github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
  github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
  github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
--github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
--github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
--github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
++github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
++github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
  github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
  github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
  github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -164,7 +162,6 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV
  github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
  github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
  github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
--github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
  github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
  github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
  github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -177,8 +174,9 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:
  github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
  github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
  github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
--github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
  github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
++github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
++github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
  github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
  github.com/smartystreets/assertions v1.1.1 h1:T/YLemO5Yp7KPzS+lVtu+WsHn8yoSwTfItdAd1r3cck=
  github.com/smartystreets/assertions v1.1.1/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
@@ -189,6 +187,7 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
  github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
  github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
  github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
++github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
  github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
  github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
  github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
@@ -216,8 +215,8 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
  golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
  golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
  golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
--golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
--golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
++golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
++golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
  golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
  golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
  golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -277,8 +276,8 @@ golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/
  golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
  golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
  golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
--golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
--golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
++golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
++golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
  golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
  golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
  golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -327,8 +326,9 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
  golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
  golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
  golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
--golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
--golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
++golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
++golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
  golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
  golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
  golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -469,10 +469,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
  google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
  google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
  google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
--google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
--google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
--google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
--google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
++google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
++google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
  gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
  gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
  gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 diff --git a/main_windows.go b/main_windows.go
 index 831069e..c65b4dc 100644
 --- a/main_windows.go
 +++ b/main_windows.go
@@ -25,6 +25,7 @@ import (
  	"unsafe"
  	"github.com/GoogleCloudPlatform/guest-logging-go/logger"
++	"github.com/GoogleCloudPlatform/osconfig/agentconfig"
  	"github.com/GoogleCloudPlatform/osconfig/packages"
  	"golang.org/x/sys/windows"
  	"golang.org/x/sys/windows/svc"
@@ -76,7 +77,7 @@ func unlockFileEx(hFile uintptr, nNumberOfBytesToLockLow, nNumberOfBytesToLockHi
+ }
  func obtainLock() {
--	lockFile := `C:\Program Files\Google\OSConfig\lock`
++	lockFile := filepath.Join(agentconfig.GetCacheDirWindows(), "lock")
  	err := os.MkdirAll(filepath.Dir(lockFile), 0755)
  	if err != nil && !os.IsExist(err) {
 diff --git a/packagebuild/README.md b/packagebuild/README.md
 new file mode 100644
 index 0000000..7999450
 --- /dev/null
 +++ b/packagebuild/README.md
@@ -0,0 +1,75 @@
++# Package build workflows
++
++This directory contains the 'package builder', which is a set of [Daisy]
++workflows and startup scripts. A package build workflow will accept a git
++repository set up for package building, build it and produce a system package.
++
++We use these packagebuild workflows from our Concourse pipelines and Prow jobs.
++
++[Daisy]: https://github.com/GoogleCloudPlatform/compute-daisy
++
++## Repo layout for package building
++
++The package builder expects to check out a git repository that contains a
++`packaging/` directory. This directory may contain one or more of:
++
++* 1 or more RPM spec files.
++* A `debian/` directory, following Debian packaging standards
++* A `googet/` directory, containing [GooGet] specs and scripts
++
++[GooGet]: https://github.com/google/googet
++
++## Workflow invocation
++
++Build workflows accept the following parameters:
++
++* gcs\_path - where to uploaded the resulting package, e.g. gs://my-bucket/
++* repo\_owner - the repo owner, for example 'GoogleCloudPlatform'
++* repo\_name - the repo name, for example 'guest-agent'
++* git\_ref - the git ref to check out, for example 'main'
++* version - the version for the resulting package, for example '20221025.00'
++* build\_dir - (optional) the subdirectory in the repo to `cd` into before
++  starting the build
++
++## Supported types
++
++Each packagebuild workflow corresponds to a single package type. All builds
++default to the x86\_64 architecture unless otherwise specified.
++
++### Debian
++
++Debian workflows launch an instance of the specified Debian release and produce
++.deb packages.
++
++Available workflows:
++
++* build\_deb9.wf.json
++* build\_deb10.wf.json
++* build\_deb11.wf.json
++
++An ARM64 workflow is also included:
++
++* build\_deb11\_arm64.wf.json
++
++### Enterprise Linux
++
++EL (Enterprise Linux) workflows launch an instance of a predefined EL type and
++produce .rpm packages. The workflows use the OS that was best suited at the time
++of development.
++
++Available workflows:
++
++* build\_el6.wf.json - uses CentOS 6
++* build\_el7.wf.json - uses CentOS 7
++* build\_el8.wf.json - uses RHEL 8
++* build\_el9.wf.json - uses CentOS Stream 9
++
++ARM64 workflows are also included:
++
++* build\_el8\_arm64.wf.json - uses the GCP optimized version of Rocky Linux 8
++* build\_el9\_arm64.wf.json - uses RHEL 9
++
++### GooGet
++
++The `build_goo.wf.json` (GooGet) workflow launches a Debian 10 instance and
++produces .goo packages.
 diff --git a/packagebuild/common.sh b/packagebuild/common.sh
 new file mode 100644
 index 0000000..c16e504
 --- /dev/null
 +++ b/packagebuild/common.sh
@@ -0,0 +1,84 @@
++#!/bin/bash
++# Copyright 2019 Google Inc. All Rights Reserved.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++function build_success() {
++  echo "Build succeeded: $@"
++  exit 0
++}
++
++function build_fail() {
++  echo "Build failed: $@"
++  exit 1
++}
++
++function exit_error() {
++  build_fail "$0:$1 \"$BASH_COMMAND\" returned $?"
++}
++
++trap 'exit_error $LINENO' ERR
++
++function install_go() {
++  # Installs a specific version of go for compilation, since availability varies
++  # across linux distributions. Needs curl and tar to be installed.
++  local arch="amd64"
++  if [[ `uname -m` == "aarch64" ]]; then
++    arch="arm64"
++  fi
++
++  local GOLANG="go1.22.2.linux-${arch}.tar.gz"
++  export GOPATH=/usr/share/gocode
++  export GOCACHE=/tmp/.cache
++
++  # Golang setup
++  [[ -d /tmp/go ]] && rm -rf /tmp/go
++  mkdir -p /tmp/go/
++  curl -s "https://dl.google.com/go/${GOLANG}" -o /tmp/go/go.tar.gz
++  tar -C /tmp/go/ --strip-components=1 -xf /tmp/go/go.tar.gz
++
++  export PATH="/tmp/go/bin:${GOPATH}/bin:${PATH}"  # set path for whoever invokes this function.
++  export GO=/tmp/go/bin/go  # reference this go explicitly.
++}
++
++function git_checkout() {
++  # Checks out a repo at a specified commit or ref into a specified directory.
++
++  BASE_REPO="$1"
++  REPO="$2"
++  PULL_REF="$3"
++
++  # pull the repository from github - start
++  mkdir -p $REPO
++  cd $REPO
++  git init
++
++  # fetch only the branch that we want to build
++  git_command="git fetch https://github.com/${BASE_REPO}/${REPO}.git ${PULL_REF:-"master"}"
++  echo "Running ${git_command}"
++  $git_command
++
++  git checkout FETCH_HEAD
++}
++
++function try_command() {
++  n=0
++  while ! "$@"; do
++    echo "try $n to run $@"
++    if [[ n -gt 3 ]]; then
++      return 1
++    fi
++    ((n++))
++    sleep 5
++  done
++}
 diff --git a/packagebuild/daisy_startupscript_deb.sh b/packagebuild/daisy_startupscript_deb.sh
 new file mode 100644
 index 0000000..449c665
 --- /dev/null
 +++ b/packagebuild/daisy_startupscript_deb.sh
@@ -0,0 +1,108 @@
++#!/bin/bash
++# Copyright 2019 Google Inc. All Rights Reserved.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++URL="http://169.254.169.254/computeMetadata/v1/instance/attributes"
++GCS_PATH=$(curl -f -H Metadata-Flavor:Google ${URL}/daisy-outs-path)
++SRC_PATH=$(curl -f -H Metadata-Flavor:Google ${URL}/daisy-sources-path)
++REPO_OWNER=$(curl -f -H Metadata-Flavor:Google ${URL}/repo-owner)
++REPO_NAME=$(curl -f -H Metadata-Flavor:Google ${URL}/repo-name)
++GIT_REF=$(curl -f -H Metadata-Flavor:Google ${URL}/git-ref)
++BUILD_DIR=$(curl -f -H Metadata-Flavor:Google ${URL}/build-dir)
++VERSION=$(curl -f -H Metadata-Flavor:Google ${URL}/version)
++VERSION=${VERSION:="1dummy"}
++
++DEBIAN_FRONTEND=noninteractive
++
++echo "Started build..."
++
++gsutil cp "${SRC_PATH}/common.sh" ./
++. common.sh
++
++# disable the backports repo for debian-10
++sed -i 's/^.*debian buster-backports main.*$//g' /etc/apt/sources.list
++
++try_command apt-get -y update
++try_command apt-get install -y --no-install-{suggests,recommends} git-core \
++  debhelper devscripts build-essential equivs libdistro-info-perl
++
++git_checkout "$REPO_OWNER" "$REPO_NAME" "$GIT_REF"
++
++if [[ -n "$BUILD_DIR" ]]; then
++    cd "$BUILD_DIR"
++fi
++
++PKGNAME="$(grep "^Package:" ./packaging/debian/control|cut -d' ' -f2-)"
++
++# Install build deps
++mk-build-deps -t "apt-get -o Debug::pkgProblemResolver=yes \
++  --no-install-recommends --yes" --install packaging/debian/control
++dpkg-checkbuilddeps packaging/debian/control
++
++if grep -q '+deb' packaging/debian/changelog; then
++  DEB=$(</etc/debian_version)
++  # Currently Debian 11 doesn't use a numerical version number in its release.
++  if [[ "${DEB}" =~ "bullseye" ]]; then
++    DEB="11"
++  elif [[ "${DEB}" =~ "bookworm" ]]; then
++    DEB="12"
++  fi
++  DEB="+deb${DEB/.*}"
++fi
++
++if grep -q 'golang' packaging/debian/control; then
++  echo "Installing go"
++  install_go
++
++  echo "Installing go dependencies"
++  $GO mod download
++fi
++
++COMMITURL="https://github.com/$REPO_OWNER/$REPO_NAME/tree/$(git rev-parse HEAD)"
++
++echo "Building package(s)"
++
++# Create build dir.
++BUILD_DIR="/tmp/debpackage"
++[[ -d $BUILD_DIR ]] || mkdir $BUILD_DIR
++
++# Create 'upstream' tarball.
++TAR="${PKGNAME}_${VERSION}.orig.tar.gz"
++tar czvf "${BUILD_DIR}/${TAR}" --exclude .git --exclude packaging \
++  --transform "s/^\./${PKGNAME}-${VERSION}/" .
++
++# Extract tarball and build.
++tar -C "$BUILD_DIR" -xzvf "${BUILD_DIR}/${TAR}"
++PKGDIR="${BUILD_DIR}/${PKGNAME}-${VERSION}"
++cp -r packaging/debian "${BUILD_DIR}/${PKGNAME}-${VERSION}/"
++
++cd "${BUILD_DIR}/${PKGNAME}-${VERSION}"
++
++sed -i"" "/^Source:/aXB-Git: ${COMMITURL}" debian/control
++
++# We generate this to enable auto-versioning.
++[[ -f debian/changelog ]] && rm debian/changelog
++RELEASE="g1${DEB}"
++dch --create -M -v 1:${VERSION}-${RELEASE} --package $PKGNAME -D stable \
++  "Debian packaging for ${PKGNAME}"
++DEB_BUILD_OPTIONS="noautodbgsym nocheck" debuild -e "VERSION=${VERSION}" -e "RELEASE=${RELEASE}" -us -uc
++
++for deb in $BUILD_DIR/*.deb; do
++  dpkg-deb -I $deb
++  dpkg-deb -c $deb
++done
++
++echo "copying $BUILD_DIR/*.deb to $GCS_PATH/"
++gsutil cp -n $BUILD_DIR/*.deb "$GCS_PATH/"
++build_success Built $BUILD_DIR/*.deb
 diff --git a/packagebuild/daisy_startupscript_goo.sh b/packagebuild/daisy_startupscript_goo.sh
 new file mode 100644
 index 0000000..1fe2583
 --- /dev/null
 +++ b/packagebuild/daisy_startupscript_goo.sh
@@ -0,0 +1,61 @@
++#!/bin/bash
++# Copyright 2019 Google Inc. All Rights Reserved.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++URL="http://metadata/computeMetadata/v1/instance/attributes"
++GCS_PATH=$(curl -f -H Metadata-Flavor:Google ${URL}/daisy-outs-path)
++SRC_PATH=$(curl -f -H Metadata-Flavor:Google ${URL}/daisy-sources-path)
++REPO_OWNER=$(curl -f -H Metadata-Flavor:Google ${URL}/repo-owner)
++REPO_NAME=$(curl -f -H Metadata-Flavor:Google ${URL}/repo-name)
++GIT_REF=$(curl -f -H Metadata-Flavor:Google ${URL}/git-ref)
++BUILD_DIR=$(curl -f -H Metadata-Flavor:Google ${URL}/build-dir)
++VERSION=$(curl -f -H Metadata-Flavor:Google ${URL}/version)
++
++echo "Started build..."
++
++gsutil cp "${SRC_PATH}/common.sh" ./
++. common.sh
++
++# disable the backports repo for debian-10
++sed -i 's/^.*debian buster-backports main.*$//g' /etc/apt/sources.list
++
++try_command apt-get -y update
++try_command apt-get install -y --no-install-{suggests,recommends} git-core
++
++# We always install go, needed for goopack.
++echo "Installing go"
++install_go
++
++# Install goopack.
++GO111MODULE=on $GO install -v github.com/google/googet/v2/goopack@latest
++
++git_checkout "$REPO_OWNER" "$REPO_NAME" "$GIT_REF"
++if [[ -n "$BUILD_DIR" ]]; then
++    cd "$BUILD_DIR"
++fi
++
++if find . -type f -iname '*.go' >/dev/null; then
++  echo "Installing go dependencies"
++  $GO mod download
++fi
++
++echo "Building package(s)"
++for spec in packaging/googet/*.goospec; do
++  goopack -var:version="$VERSION" "$spec"
++  name=$(basename "${spec}")
++  pref=${name%.*}
++done
++
++gsutil cp -n *.goo "$GCS_PATH/"
++build_success "Built `ls *.goo|xargs`"
 diff --git a/packagebuild/daisy_startupscript_rpm.sh b/packagebuild/daisy_startupscript_rpm.sh
 new file mode 100644
 index 0000000..804fab8
 --- /dev/null
 +++ b/packagebuild/daisy_startupscript_rpm.sh
@@ -0,0 +1,147 @@
++#!/bin/bash
++# Copyright 2019 Google Inc. All Rights Reserved.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++# This script is expected to be run on an Enterprise Linux system (RHEL, CentOS)
++# on GCE with various flags set in the instance metadata including the git
++# repository to clone. The script produces an RPM defined by an RPM spec in the
++# packaging/ directory from the cloned repo.
++
++URL="http://metadata/computeMetadata/v1/instance/attributes"
++function get_md() {
++  curl -f -H Metadata-Flavor:Google "${URL}/${1}"
++}
++GCS_PATH=$(get_md daisy-outs-path)
++SRC_PATH=$(get_md daisy-sources-path)
++REPO_OWNER=$(get_md repo-owner)
++REPO_NAME=$(get_md repo-name)
++GIT_REF=$(get_md git-ref)
++BUILD_DIR=$(get_md build-dir)
++VERSION=$(get_md version)
++VERSION=${VERSION:-"dummy"}
++
++echo "Started build..."
++
++# common.sh contains functions common to all builds.
++gsutil cp "${SRC_PATH}/common.sh" ./
++. common.sh
++
++# Install git2 as this is not available in centos 6/7
++VERSION_ID=6
++if [[ -f /etc/os-release ]]; then
++  eval $(grep VERSION_ID /etc/os-release)
++  VERSION_ID=${VERSION_ID:0:1}
++fi
++
++GIT="git"
++if [[ ${VERSION_ID} =~ 6|7 ]]; then
++  try_command yum install -y "https://repo.ius.io/ius-release-el${VERSION_ID}.rpm"
++  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-IUS-${VERSION_ID}
++  GIT="git236"
++fi
++
++# Install DevToolSet with gcc 10 for EL7.
++# Centos 7 has only gcc 4.8.5 available.
++if (( ${VERSION_ID} == 7 )); then
++  try_command yum install -y centos-release-scl
++  try_command yum install -y devtoolset-10-gcc-c++.x86_64
++fi
++
++# Enable CRB repo on EL9.
++if [[ ${VERSION_ID} = 9 ]]; then
++  eval $(grep ID /etc/os-release)
++  # RHEL has a different CRB repo than Rocky/CentOS.
++  if [[ ${ID} == "rhel" ]]; then
++    dnf config-manager --set-enabled rhui-codeready-builder-for-rhel-9-$(uname -m)-rhui-rpms
++  else
++    dnf config-manager --set-enabled crb
++  fi
++fi
++
++try_command yum install -y $GIT rpmdevtools yum-utils python3-devel
++
++git_checkout "$REPO_OWNER" "$REPO_NAME" "$GIT_REF"
++
++if [[ -n "$BUILD_DIR" ]]; then
++  cd "$BUILD_DIR"
++fi
++
++if grep -q '%{_go}' ./packaging/*.spec; then
++  echo "Installing go"
++  install_go
++
++  echo "Installing go dependencies"
++  $GO mod download
++fi
++
++# Make build dirs as needed.
++RPMDIR=/usr/src/redhat
++for dir in ${RPMDIR}/{SOURCES,SPECS}; do
++  [[ -d "$dir" ]] || mkdir -p "$dir"
++done
++
++# Find the RPM specs to build for this version.
++TOBUILD=""
++SPECS=$(ls ./packaging/*.spec | sed -re 's/(\.el.)?.spec//' | sort -ru)
++echo "all specs $SPECS"
++for spec in $SPECS; do
++  spec=$(basename "$spec")
++  distspec="${spec}.el${VERSION_ID}.spec"
++  echo checking $spec and $distspec
++  if [[ -f "./packaging/$distspec" ]]; then
++    TOBUILD="${TOBUILD} ${distspec}"
++  else
++    TOBUILD="${TOBUILD} ${spec}.spec"
++  fi
++done
++
++[[ -z "$TOBUILD" ]] && build_fail "No RPM specs found"
++
++COMMITURL="https://github.com/$REPO_OWNER/$REPO_NAME/tree/$(git rev-parse HEAD)"
++
++echo "Building package(s)"
++
++# Enable gcc 10 for EL7 only and before rpmbuild
++if (( ${VERSION_ID} == 7 )); then
++  source /opt/rh/devtoolset-10/enable
++fi
++
++for spec in $TOBUILD; do
++  PKGNAME="$(grep Name: "./packaging/${spec}"|cut -d' ' -f2-|tr -d ' ')"
++  yum-builddep -y "./packaging/${spec}"
++
++  cp "./packaging/${spec}" "${RPMDIR}/SPECS/"
++  cp ./packaging/*.tar.gz "${RPMDIR}/SOURCES/" || :
++  cp ./packaging/*.patch "${RPMDIR}/SOURCES/" || :
++
++  sed -i"" "/^Version/aVcs: ${COMMITURL}" "${RPMDIR}/SPECS/${spec}"
++
++  tar czvf "${RPMDIR}/SOURCES/${PKGNAME}_${VERSION}.orig.tar.gz" \
++    --exclude .git --exclude packaging \
++    --transform "s/^\./${PKGNAME}-${VERSION}/" .
++
++  rpmbuild --define "_topdir ${RPMDIR}/" --define "_version ${VERSION}" \
++    --define "_go ${GO:-"UNSET"}" --define "_gopath ${GOPATH:-"UNSET"}" \
++    -ba "${RPMDIR}/SPECS/${spec}"
++
++  SRPM_FILE=$(find ${RPMDIR}/SRPMS -iname "${PKGNAME}*.src.rpm")
++done
++
++rpms=$(find ${RPMDIR}/{S,}RPMS -iname "${PKGNAME}*.rpm")
++for rpm in $rpms; do
++  rpm -qpilR $rpm
++done
++echo "copying ${rpms} to $GCS_PATH/"
++gsutil cp -n ${rpms} "$GCS_PATH/"
++build_success "Built $(echo ${rpms}|xargs)"
 diff --git a/packagebuild/test_build.sh b/packagebuild/test_build.sh
 new file mode 100755
 index 0000000..0ee7432
 --- /dev/null
 +++ b/packagebuild/test_build.sh
@@ -0,0 +1,69 @@
++#!/bin/bash
++#
++# Produce a single package build with a custom version.
++#
++# - Package TYPEs can be found in the 'workflows/' directory as
++#   a filename pattern  build_{{type}}.wf.json
++# - Package Version should start with a digit
++#
++# Example (requires daisy tool somewhere in the PATH):
++#  build rpm package for el9 like distributions and version 0.0.1 for
++#  the last commit in the 'trustca-sync' branch of vorakl/guest-oslogin
++#  fork on Github and save results to gs://vorakl-dev-builds/packages/ bucket.
++#
++#    env TYPE=el9 \
++#        PROJECT=vorakl-dev \
++#        ZONE=us-west1-a \
++#        OWNER=vorakl \
++#        REPO=guest-oslogin \
++#        GIT_REF=trustca-sync \
++#        GCS_PATH=gs://vorakl-dev-builds/packages \
++#        VERSION=0.01 \
++#        BUILD_DIR=. \
++#    ./test_build.sh
++
++DEFAULT_TYPE='deb11'
++DEFAULT_PROJECT='gcp-guest'
++DEFAULT_ZONE='us-west1-a'
++DEFAULT_OWNER='GoogleCloudPlatform'
++DEFAULT_GIT_REF='master'
++DEFAULT_GCS_PATH='${SCRATCHPATH}/packages'
++DEFAULT_BUILD_DIR='.'
++DEFAULT_VERSION='1dummy'
++
++[[ -z "${TYPE}" ]] && read -p "Build type [${DEFAULT_TYPE}]: " TYPE
++[[ -z "${PROJECT}" ]] && read -p "Build project [${DEFAULT_PROJECT}]: " PROJECT
++[[ -z "${ZONE}" ]] && read -p "Build zone [${DEFAULT_ZONE}]: " ZONE
++[[ -z "${OWNER}" ]] && read -p "Repo owner or org [${DEFAULT_OWNER}]: " OWNER
++[[ -z "${GIT_REF}" ]] && read -p "Ref [${DEFAULT_GIT_REF}]: " GIT_REF
++[[ -z "${GCS_PATH}" ]] && read -p "GCS Path to upload to [${DEFAULT_GCS_PATH}]: " GCS_PATH
++[[ -z "${BUILD_DIR}" ]] && read -p "Directory to build from [${DEFAULT_BUILD_DIR}]: " BUILD_DIR
++[[ -z "${REPO}" ]] && read -p "Repo name: " REPO
++
++[[ -z "${TYPE}" ]] && TYPE=${DEFAULT_TYPE}
++[[ -z "${PROJECT}" ]] && PROJECT=${DEFAULT_PROJECT}
++[[ -z "${ZONE}" ]] && ZONE=${DEFAULT_ZONE}
++[[ -z "${OWNER}" ]] && OWNER=${DEFAULT_OWNER}
++[[ -z "${GIT_REF}" ]] && GIT_REF=${DEFAULT_GIT_REF}
++[[ -z "${GCS_PATH}" ]] && GCS_PATH=${DEFAULT_GCS_PATH}
++[[ -z "${BUILD_DIR}" ]] && BUILD_DIR=${DEFAULT_BUILD_DIR}
++[[ -z "${VERSION}" ]] && VERSION=${DEFAULT_VERSION}
++
++WF="workflows/build_${TYPE}.wf.json"
++
++if [[ ! -f "${WF}" ]]; then
++  echo "Unknown build type ${TYPE}"
++  exit 1
++fi
++
++set -x
++daisy \
++  -project ${PROJECT} \
++  -zone ${ZONE} \
++  -var:gcs_path=${GCS_PATH} \
++  -var:repo_owner=${OWNER} \
++  -var:repo_name=${REPO} \
++  -var:git_ref=${GIT_REF} \
++  -var:build_dir=${BUILD_DIR} \
++  -var:version=${VERSION} \
++  "${WF}"
 diff --git a/packagebuild/workflows/build_deb10.wf.json b/packagebuild/workflows/build_deb10.wf.json
 new file mode 100644
 index 0000000..8976dcf
 --- /dev/null
 +++ b/packagebuild/workflows/build_deb10.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "deb10",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "deb",
++          "sourceImage": "projects/debian-cloud/global/images/family/debian-10",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_deb11.wf.json b/packagebuild/workflows/build_deb11.wf.json
 new file mode 100644
 index 0000000..53e4c79
 --- /dev/null
 +++ b/packagebuild/workflows/build_deb11.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "deb11",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "deb",
++          "sourceImage": "projects/debian-cloud/global/images/family/debian-11",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_deb11_arm64.wf.json b/packagebuild/workflows/build_deb11_arm64.wf.json
 new file mode 100644
 index 0000000..8c0c04a
 --- /dev/null
 +++ b/packagebuild/workflows/build_deb11_arm64.wf.json
@@ -0,0 +1,44 @@
++{
++  "Name": "deb11",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "deb",
++          "sourceImage": "projects/debian-cloud/global/images/family/debian-11-arm64",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "machine_type": "t2a-standard-2",
++          "zone": "us-central1-a",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_deb12.wf.json b/packagebuild/workflows/build_deb12.wf.json
 new file mode 100644
 index 0000000..9b90b92
 --- /dev/null
 +++ b/packagebuild/workflows/build_deb12.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "deb12",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "deb",
++          "sourceImage": "projects/debian-cloud/global/images/family/debian-12",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_deb12_arm64.wf.json b/packagebuild/workflows/build_deb12_arm64.wf.json
 new file mode 100644
 index 0000000..8f6f68f
 --- /dev/null
 +++ b/packagebuild/workflows/build_deb12_arm64.wf.json
@@ -0,0 +1,44 @@
++{
++  "Name": "deb12",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "deb",
++          "sourceImage": "projects/debian-cloud/global/images/family/debian-12-arm64",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "machine_type": "t2a-standard-2",
++          "zone": "us-central1-a",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_el6.wf.json b/packagebuild/workflows/build_el6.wf.json
 new file mode 100644
 index 0000000..fbbc600
 --- /dev/null
 +++ b/packagebuild/workflows/build_el6.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "el6",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "rpm",
++          "sourceImage": "projects/centos-cloud/global/images/family/centos-6",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_el7.wf.json b/packagebuild/workflows/build_el7.wf.json
 new file mode 100644
 index 0000000..ce75870
 --- /dev/null
 +++ b/packagebuild/workflows/build_el7.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "el7",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "rpm",
++          "sourceImage": "projects/centos-cloud/global/images/family/centos-7",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_el8.wf.json b/packagebuild/workflows/build_el8.wf.json
 new file mode 100644
 index 0000000..61dba50
 --- /dev/null
 +++ b/packagebuild/workflows/build_el8.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "el8",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "rpm",
++          "sourceImage": "projects/rhel-cloud/global/images/family/rhel-8",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_el8_arm64.wf.json b/packagebuild/workflows/build_el8_arm64.wf.json
 new file mode 100644
 index 0000000..f97ed8e
 --- /dev/null
 +++ b/packagebuild/workflows/build_el8_arm64.wf.json
@@ -0,0 +1,44 @@
++{
++  "Name": "el8",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "rpm",
++          "sourceImage": "projects/rocky-linux-cloud/global/images/family/rocky-linux-8-optimized-gcp-arm64",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "machine_type": "t2a-standard-2",
++          "zone": "us-central1-a",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_el9.wf.json b/packagebuild/workflows/build_el9.wf.json
 new file mode 100644
 index 0000000..682297e
 --- /dev/null
 +++ b/packagebuild/workflows/build_el9.wf.json
@@ -0,0 +1,42 @@
++{
++  "Name": "el9",
++  "Timeout": "40m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "40m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "rpm",
++          "sourceImage": "projects/rhel-cloud/global/images/family/rhel-9",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_el9_arm64.wf.json b/packagebuild/workflows/build_el9_arm64.wf.json
 new file mode 100644
 index 0000000..5c41c89
 --- /dev/null
 +++ b/packagebuild/workflows/build_el9_arm64.wf.json
@@ -0,0 +1,44 @@
++{
++  "Name": "el9",
++  "Timeout": "20m",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "Timeout": "20m",
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "rpm",
++          "sourceImage": "projects/rhel-cloud/global/images/family/rhel-9-arm64",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "machine_type": "t2a-standard-2",
++          "zone": "us-central1-a",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_goo.wf.json b/packagebuild/workflows/build_goo.wf.json
 new file mode 100644
 index 0000000..31efd40
 --- /dev/null
 +++ b/packagebuild/workflows/build_goo.wf.json
@@ -0,0 +1,40 @@
++{
++  "Name": "goo",
++  "Vars": {
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    }
++  },
++  "Steps": {
++    "build-package": {
++      "SubWorkflow": {
++        "Path": "./build_package.wf.json",
++        "Vars": {
++          "type": "goo",
++          "sourceImage": "projects/debian-cloud/global/images/family/debian-10",
++          "gcs_path": "${gcs_path}",
++          "repo_owner": "${repo_owner}",
++          "repo_name": "${repo_name}",
++          "git_ref": "${git_ref}",
++          "build_dir": "${build_dir}",
++          "version": "${version}"
++        }
++      }
++    }
++  }
++}
 diff --git a/packagebuild/workflows/build_package.wf.json b/packagebuild/workflows/build_package.wf.json
 new file mode 100644
 index 0000000..7a90994
 --- /dev/null
 +++ b/packagebuild/workflows/build_package.wf.json
@@ -0,0 +1,101 @@
++{
++  "Name": "build-package",
++  "DefaultTimeout": "30m",
++  "Sources": {
++    "startup.sh": "../daisy_startupscript_${type}.sh",
++    "common.sh": "../common.sh"
++  },
++  "Vars": {
++    "type": {
++      "Description": "Type of workflow: rpm,deb, or goo",
++      "Required": true
++    },
++    "sourceImage": {
++      "Description": "Source image to use for instance",
++      "Required": true
++    },
++    "gcs_path": {
++      "Required": true
++    },
++    "repo_owner": {
++      "Required": true
++    },
++    "repo_name": {
++      "Required": true
++    },
++    "git_ref": {
++      "Required": true
++    },
++    "version": {
++      "Required": true
++    },
++    "build_dir": {
++      "Required": true
++    },
++    "machine_type": {
++      "Value": "e2-standard-2",
++      "Description": "machine type"
++    },
++    "zone": {
++      "Value": "us-central1-a",
++      "Description": "zone"
++    }
++  },
++  "Steps": {
++    "build-packages": {
++      "CreateInstances": [
++        {
++          "disks": [
++            {
++              "initializeParams": {
++                "diskType": "pd-ssd",
++                "sourceImage": "${sourceImage}"
++              }
++            }
++          ],
++          "Metadata": {
++            "repo-owner": "${repo_owner}",
++            "repo-name": "${repo_name}",
++            "git-ref": "${git_ref}",
++            "build-dir": "${build_dir}",
++            "version": "${version}"
++          },
++          "machineType": "${machine_type}",
++          "zone": "${zone}",
++          "name": "inst-build-pkg",
++          "StartupScript": "startup.sh",
++          "Scopes": ["https://www.googleapis.com/auth/devstorage.read_write"]
++        }
++      ]
++    },
++    "wait-for-build": {
++      "Timeout": "30m",
++      "WaitForInstancesSignal": [
++        {
++          "Name": "inst-build-pkg",
++          "SerialOutput": {
++            "Port": 1,
++            "SuccessMatch": "Build succeeded",
++            "FailureMatch": "Build failed"
++          }
++        }
++      ]
++    },
++    "copy-packages": {
++      "CopyGCSObjects": [
++        {
++          "Source": "${OUTSPATH}/",
++          "Destination": "${gcs_path}/"
++        }
++      ]
++    }
++  },
++  "Dependencies": {
++    "wait-for-build": [
++      "build-packages"
++    ],
++    "copy-packages": [
++      "wait-for-build"
++    ]
++  }
++}
 diff --git a/policies/apt.go b/policies/apt.go
 index d326398..74d619f 100644
 --- a/policies/apt.go
 +++ b/policies/apt.go
@@ -22,9 +22,11 @@ import (
  	"io"
  	"net/http"
  	"sort"
++	"strconv"
  	"strings"
  	"github.com/GoogleCloudPlatform/osconfig/clog"
++	"github.com/GoogleCloudPlatform/osconfig/osinfo"
  	"github.com/GoogleCloudPlatform/osconfig/packages"
  	"golang.org/x/crypto/openpgp"
  	"golang.org/x/crypto/openpgp/armor"
@@ -83,6 +85,52 @@ func containsEntity(es []*openpgp.Entity, e *openpgp.Entity) bool {
  	return false
+ }
++func readInstanceOsInfo() (string, float64, error) {
++	oi, err := osinfo.Get()
++	if err != nil {
++		return "", 0, fmt.Errorf("error getting osinfo: %v", err)
++	}
++
++	osVersion, err := strconv.ParseFloat(oi.Version, 64)
++	if err != nil {
++		osVersion = 0
++	}
++
++	return oi.ShortName, osVersion, nil
++}
++
++func shouldUseSignedBy() bool {
++	osShortName, osVersion, err := readInstanceOsInfo()
++	if err != nil {
++		return false // Default to not using signed-by approach
++	}
++
++	if (osShortName == "debian" && osVersion >= 12) || (osShortName == "ubuntu" && osVersion >= 24) {
++		return true
++	}
++	return false
++}
++
++func getAptRepoLine(repo *agentendpointpb.AptRepository, useSignedBy bool) string {
++	archiveType, ok := debArchiveTypeMap[repo.ArchiveType]
++	if !ok {
++		archiveType = "deb"
++	}
++
++	line := fmt.Sprintf("\n%s", archiveType)
++
++	if useSignedBy {
++		line = fmt.Sprintf("%s [signed-by=%s]", line, aptGPGFile)
++	}
++
++	line = fmt.Sprintf("%s %s %s", line, repo.Uri, repo.Distribution)
++	for _, c := range repo.Components {
++		line = fmt.Sprintf("%s %s", line, c)
++	}
++
++	return line
++}
++
  func aptRepositories(ctx context.Context, repos []*agentendpointpb.AptRepository, repoFile string) error {
  	var es []*openpgp.Entity
  	var keys []string
@@ -124,18 +172,18 @@ func aptRepositories(ctx context.Context, repos []*agentendpointpb.AptRepository
  		# Repo file managed by Google OSConfig agent
  		deb http://repo1-url/ repo1 main
  		deb http://repo1-url/ repo2 main contrib non-free
++
++		# For now, 'signed-by' keyring approach will be used for Debian 12+ and Ubuntu 24+ only.
++		  To avoid conflicting repos for old stable OSes versions
++		  e.g. deb [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo1-url/ repo1 main
++		  NOTE: suggested by ofca@
  	*/
  	var buf bytes.Buffer
  	buf.WriteString("# Repo file managed by Google OSConfig agent\n")
++
++	shouldUseSignedByBool := shouldUseSignedBy()
  	for _, repo := range repos {
--		archiveType, ok := debArchiveTypeMap[repo.ArchiveType]
--		if !ok {
--			archiveType = "deb"
--		}
--		line := fmt.Sprintf("\n%s %s %s", archiveType, repo.Uri, repo.Distribution)
--		for _, c := range repo.Components {
--			line = fmt.Sprintf("%s %s", line, c)
--		}
++		line := getAptRepoLine(repo, shouldUseSignedByBool)
  		buf.WriteString(line + "\n")
+ 	}
 diff --git a/policies/apt_test.go b/policies/apt_test.go
 index fc9f651..6a8c2d3 100644
 --- a/policies/apt_test.go
 +++ b/policies/apt_test.go
@@ -108,3 +108,31 @@ func TestGetAptGPGKey(t *testing.T) {
  		t.Errorf("Expected to find Artifact Registry key in Google Cloud Public GPG key, but its missed.")
+ 	}
+ }
++
++func TestUseSignedBy(t *testing.T) {
++	tests := []struct {
++		desc string
++		repo *agentendpointpb.AptRepository
++		want string
++	}{
++		{
++			"1 repo",
++			&agentendpointpb.AptRepository{Uri: "http://repo1-url/", Distribution: "distribution", Components: []string{"component1"}},
++			"\ndeb [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo1-url/ distribution component1",
++		},
++		{
++			"2 components",
++			&agentendpointpb.AptRepository{Uri: "http://repo2-url/", Distribution: "distribution", Components: []string{"component1", "component2"}, ArchiveType: agentendpointpb.AptRepository_DEB},
++			"\ndeb [signed-by=/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg] http://repo2-url/ distribution component1 component2",
++		},
++	}
++
++	useSignedBy := true
++	for _, tt := range tests {
++		aptRepoLine := getAptRepoLine(tt.repo, useSignedBy)
++
++		if aptRepoLine != tt.want {
++			t.Errorf("%s: got:\n%q\nwant:\n%q", tt.desc, aptRepoLine, tt.want)
++		}
++	}
++}