diff --git a/daisy_workflows/build_deb_packages.sh b/daisy_workflows/build_deb_packages.sh
old mode 100644
new mode 100755
diff --git a/daisy_workflows/build_el_packages.sh b/daisy_workflows/build_el_packages.sh
old mode 100644
new mode 100755
diff --git a/packages/google-compute-engine-oslogin/Makefile b/packages/google-compute-engine-oslogin/Makefile
index 97d351fa..99de8d1b 100644
--- a/packages/google-compute-engine-oslogin/Makefile
+++ b/packages/google-compute-engine-oslogin/Makefile
@@ -4,7 +4,7 @@ BASENAME = oslogin
 NAME = google-compute-engine-$(BASENAME)
 MAJOR = 1
 MINOR = 5
-REVISION = 1
+REVISION = 2
 
 LIBNSS_CACHE_OSLOGIN = libnss_cache_$(BASENAME)
 LIBNSS_CACHE_OSLOGIN_NAME = libnss_cache_$(NAME)-$(MAJOR).$(MINOR).$(REVISION).so
diff --git a/packages/google-compute-engine-oslogin/bin/google_oslogin_control b/packages/google-compute-engine-oslogin/bin/google_oslogin_control
index 75d43bfd..e81bb5a7 100644
--- a/packages/google-compute-engine-oslogin/bin/google_oslogin_control
+++ b/packages/google-compute-engine-oslogin/bin/google_oslogin_control
@@ -14,7 +14,8 @@
 # limitations under the License.
 
 nss_config="/etc/nsswitch.conf"
-pam_config="/etc/pam.d/sshd"
+pam_sshd_config="/etc/pam.d/sshd"
+pam_su_config="/etc/pam.d/su"
 sshd_config="/etc/ssh/sshd_config"
 group_config="/etc/security/group.conf"
 sudoers_dir="/var/google-sudoers.d"
@@ -125,16 +126,21 @@ restore_sshd_conf() {
 }
 
 # Inserts pam modules to relevant pam stacks if missing.
-modify_pam_sshd() (
+modify_pam_config() (
+  # TODO: idempotency of this function would be better assured if it wiped out
+  # and applied desired changes each time rather than detecting deltas.
+
   set -e
 
-  local pam_config="${1:-${pam_config}}"
+  local pam_sshd_config="${1:-${pam_sshd_config}}"
+  local pam_su_config="${1:-${pam_su_config}}"
 
   local pam_auth_oslogin="auth       [success=done perm_denied=die default=ignore] pam_oslogin_login.so"
   local pam_auth_group="auth       [default=ignore] pam_group.so"
   local pam_account_oslogin="account    [success=ok default=ignore] pam_oslogin_admin.so"
   local pam_account_admin="account    [success=ok ignore=ignore default=die] pam_oslogin_login.so"
   local pam_session_homedir="session    [success=ok default=ignore] pam_mkhomedir.so"
+  local pam_account_su="account    [success=bad ignore=ignore] pam_oslogin_login.so"
 
   # In FreeBSD, the used flags are not supported, replacing them with the
   # previous ones (requisite and optional). This is not an exact feature parity
@@ -148,6 +154,7 @@ modify_pam_sshd() (
   fi
 
   local added_config=""
+  local added_su_config=""
 
   # For COS this file is solely includes, so simply prepend the new config,
   # making each entry the top of its stack.
@@ -155,70 +162,93 @@ modify_pam_sshd() (
     added_config="${added_comment}\n"
     for cfg in "$pam_account_admin" "$pam_account_oslogin" \
         "$pam_session_homedir" "$pam_auth_group"; do
-      grep -qE "^${cfg%% *}.*${cfg##* }" ${pam_config} || added_config="${added_config}${cfg}\n"
+      grep -qE "^${cfg%% *}.*${cfg##* }" ${pam_sshd_config} || added_config="${added_config}${cfg}\n"
     done
 
     if [ -n "$two_factor" ]; then
-      grep -q "$pam_auth_oslogin" "$pam_config" || added_config="${added_config}${pam_auth_oslogin}\n"
+      grep -q "$pam_auth_oslogin" "$pam_sshd_config" || added_config="${added_config}${pam_auth_oslogin}\n"
     fi
 
-    $sed -i"" "1i ${added_config}\n\n" "$pam_config"
+    $sed -i"" "1i ${added_config}\n\n" "$pam_sshd_config"
+
+    added_su_config="${added_comment}\n${pam_account_su}"
+    $sed -i"" "1i ${added_su_config}" "$pam_su_config"
 
     return 0
   fi
 
-  # Find the distro-specific insertion point for auth.
+  # Find the distro-specific insertion point for auth and su.
   if [ -e /etc/debian_version ]; then
     # Get location of common-auth and check if preceding line is a comment.
-    insert=$($sed -rn "/^@include\s+common-auth/=" "$pam_config")
-    $sed -n "$((insert-1))p" "$pam_config" | grep -q '^#' && insert=$((insert-1))
+    insert=$($sed -rn "/^@include\s+common-auth/=" "$pam_sshd_config")
+    $sed -n "$((insert-1))p" "$pam_sshd_config" | grep -q '^#' && insert=$((insert-1))
+    su_insert=$($sed -rn "/^@include\s+common-account/=" "$pam_su_config")
   elif [ -e /etc/redhat-release ]; then
     # Get location of password-auth.
     insert=$($sed -rn "/^auth\s+(substack|include)\s+password-auth/=" \
-      "$pam_config")
+      "$pam_sshd_config")
+    # Get location of system-auth.
+    su_insert=$($sed -rn "/^account\s+include\s+system-auth/=" "$pam_su_config")
   elif [ -e /etc/os-release ] && grep -q 'ID="sles"' /etc/os-release; then
     # Get location of common-auth.
-    insert=$($sed -rn "/^auth\s+include\s+common-auth/=" "$pam_config")
+    insert=$($sed -rn "/^auth\s+include\s+common-auth/=" "$pam_sshd_config")
+    # Get location of common-account.
+    su_insert=$($sed -rn "/^account\s+include\s+common-account/=" "$pam_su_config")
   elif [ -e /etc/arch-release ]; then
     # Get location of system-remote-login.
-    insert=$($sed -rn "/^auth\s+include\s+system-remote-login/=" "$pam_config")
+    insert=$($sed -rn "/^auth\s+include\s+system-remote-login/=" "$pam_sshd_config")
+    # TODO: find su_insert point for arch linux.
   fi
 
   added_config="$added_comment"
-  if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_config"; then
-    added_config="${added_config}\n${pam_auth_oslogin}"
-  fi
-  if ! grep -qE '^auth.*pam_group' "$pam_config"; then
+  if ! grep -qE '^auth.*pam_group' "$pam_sshd_config"; then
     added_config="${added_config}\n${pam_auth_group}"
   fi
 
-  # We can and should insert auth modules at top of `auth` stack.
+  # This auth entry for OS Login+two factor MUST be added last, as it will
+  # short-circuit processing of the auth stack via [success=ok]. auth stack
+  # entries after this one will not be processed.
+  if [ -n "$two_factor" ] && ! grep -qE '^auth.*oslogin' "$pam_sshd_config"; then
+    added_config="${added_config}\n${pam_auth_oslogin}"
+  fi
+
+  # Insert auth modules at top of `sshd:auth` stack.
   if [ -n "$insert" ] && [ "$added_config" != "$added_comment" ]; then
-    $sed -i"" "${insert}i ${added_config}" "$pam_config"
+    $sed -i"" "${insert}i ${added_config}" "$pam_sshd_config"
   fi
 
-  # Append account modules at end of `account` stack.
-  if ! grep -qE '^account.*oslogin' "$pam_config"; then
+  # Insert su blocker at top of `su:account` stack.
+  if [ -n "$su_insert" ] && ! grep -qE "$pam_account_su" "$pam_su_config"; then
+    added_su_config="${added_comment}\n${pam_account_su}"
+    sed -i"" "${su_insert}i ${added_su_config}" "$pam_su_config"
+  fi
+
+  # Append account modules at end of `sshd:account` stack.
+  if ! grep -qE '^account.*oslogin' "$pam_sshd_config"; then
     added_config="\\\n${added_comment}\n${pam_account_admin}\n${pam_account_oslogin}"
-    account_end=$($sed -n '/^account/=' "$pam_config" | tail -1)
-    $sed -i"" "${account_end}a ${added_config}" "$pam_config"
+    account_end=$($sed -n '/^account/=' "$pam_sshd_config" | tail -1)
+    $sed -i"" "${account_end}a ${added_config}" "$pam_sshd_config"
   fi
 
-  # Append mkhomedir module at end of `session` stack.
-  if ! grep -qE '^session.*mkhomedir' "$pam_config"; then
+  # Append mkhomedir module at end of `sshd:session` stack.
+  if ! grep -qE '^session.*mkhomedir' "$pam_sshd_config"; then
     added_config="\\\n${added_comment}\n${pam_session_homedir}"
-    session_end=$($sed -n '/^session/=' "$pam_config" | tail -1)
-    $sed -i"" "${session_end}a ${added_config}" "$pam_config"
+    session_end=$($sed -n '/^session/=' "$pam_sshd_config" | tail -1)
+    $sed -i"" "${session_end}a ${added_config}" "$pam_sshd_config"
   fi
 )
 
-restore_pam_sshd() {
-  local pam_config="${1:-${pam_config}}"
+restore_pam_config() {
+  local pam_sshd_config="${1:-${pam_sshd_config}}"
+  local pam_su_config="${1:-${pam_su_config}}"
+
+  $sed -i"" "/${added_comment}/d" "$pam_sshd_config"
+  $sed -i"" "/pam_oslogin/d" "$pam_sshd_config"
+  $sed -i"" "/^session.*mkhomedir/d" "$pam_sshd_config"
+  $sed -i"" "/^auth.*pam_group/d" "$pam_sshd_config"
 
-  $sed -i"" "/${added_comment}/d" "$pam_config"
-  $sed -i"" "/pam_oslogin/d" "$pam_config"
-  $sed -i"" "/^session.*mkhomedir/d" "$pam_config"
-  $sed -i"" "/^auth.*pam_group/d" "$pam_config"
+  $sed -i"" "/${added_comment}/d" "$pam_su_config"
+  $sed -i"" "/pam_oslogin/d" "$pam_su_config"
 }
 
 modify_group_conf() {
@@ -288,7 +318,7 @@ restart_sshd() {
 
 restart_svcs() {
   echo "Restarting optional services."
-  for svc in "nscd" "unscd" "systemd-logind"; do
+  for svc in "nscd" "unscd" "systemd-logind" "cron" "crond"; do
     restart_service "$svc"
   done
 }
@@ -315,7 +345,7 @@ remove_google_dirs() {
 
 activate() {
   for func in modify_sshd_conf modify_nsswitch_conf \
-              modify_pam_sshd setup_google_dirs restart_svcs restart_sshd \
+              modify_pam_config setup_google_dirs restart_svcs restart_sshd \
               modify_group_conf; do
     $func
     [ $? -eq 0 ] || return 1
@@ -324,7 +354,7 @@ activate() {
 
 deactivate() {
   for func in remove_google_dirs restore_nsswitch_conf \
-              restore_sshd_conf restore_pam_sshd restart_svcs restart_sshd \
+              restore_sshd_conf restore_pam_config restart_svcs restart_sshd \
               restore_group_conf; do
     $func
   done
@@ -335,11 +365,11 @@ deactivate() {
 get_status() (
   set -e
 
-  grep -Eq '^account.*oslogin' "$pam_config"
+  grep -Eq '^account.*oslogin' "$pam_sshd_config"
   grep -Eq 'google_authorized_keys' "$sshd_config"
   grep -Eq 'passwd:.*oslogin' "$nss_config"
   if [ -n "$two_factor" ]; then
-    grep -Eq '^auth.*oslogin' "$pam_config"
+    grep -Eq '^auth.*oslogin' "$pam_sshd_config"
     grep -Eq '^(AuthenticationMethods|RequiredAuthentications2).*publickey,keyboard-interactive' "$sshd_config"
   fi
 )
diff --git a/packages/google-compute-engine-oslogin/packaging/debian/changelog b/packages/google-compute-engine-oslogin/packaging/debian/changelog
index 37e87b20..5f8759fa 100644
--- a/packages/google-compute-engine-oslogin/packaging/debian/changelog
+++ b/packages/google-compute-engine-oslogin/packaging/debian/changelog
@@ -1,3 +1,11 @@
+google-compute-engine-oslogin (1.5.2-1) unstable; urgency=low
+
+  * Fix pam_group ordering detection.
+  * Restart cron on OS Login control.
+  * Add PAM entry to su:account stack.
+
+ -- Google Cloud Team <gc-team@google.com>  Tue, 16 Apr 2019 12:00:00 -0700
+
 google-compute-engine-oslogin (1.5.1-1) unstable; urgency=low
 
   * Fix two factor auth action name.
diff --git a/packages/google-compute-engine-oslogin/packaging/setup_deb.sh b/packages/google-compute-engine-oslogin/packaging/setup_deb.sh
index d5fee1ff..0129066f 100755
--- a/packages/google-compute-engine-oslogin/packaging/setup_deb.sh
+++ b/packages/google-compute-engine-oslogin/packaging/setup_deb.sh
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 NAME="google-compute-engine-oslogin"
-VERSION="1.5.1"
+VERSION="1.5.2"
 
 working_dir=${PWD}
 if [[ $(basename "$working_dir") != $NAME ]]; then
diff --git a/packages/google-compute-engine-oslogin/packaging/setup_rpm.sh b/packages/google-compute-engine-oslogin/packaging/setup_rpm.sh
index b7b53bfd..f174efe7 100755
--- a/packages/google-compute-engine-oslogin/packaging/setup_rpm.sh
+++ b/packages/google-compute-engine-oslogin/packaging/setup_rpm.sh
@@ -15,7 +15,7 @@
 
 
 NAME="google-compute-engine-oslogin"
-VERSION="1.5.1"
+VERSION="1.5.2"
 
 rpm_working_dir=/tmp/rpmpackage/${NAME}-${VERSION}
 working_dir=${PWD}
diff --git a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc b/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc
index 49695679..0c31aa84 100644
--- a/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc
+++ b/packages/google-compute-engine-oslogin/pam_module/pam_oslogin_login.cc
@@ -29,8 +29,6 @@
 #include "../compat.h"
 #include "../utils/oslogin_utils.h"
 
-using std::string;
-
 using oslogin_utils::ContinueSession;
 using oslogin_utils::GetUser;
 using oslogin_utils::HttpGet;
@@ -47,47 +45,49 @@ using oslogin_utils::ValidateUserName;
 static const char kUsersDir[] = "/var/google-users.d/";
 
 extern "C" {
-
 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
                                 const char **argv) {
-  int pam_result = PAM_PERM_DENIED;
   const char *user_name;
-  if ((pam_result = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) {
+  if (pam_get_user(pamh, &user_name, NULL) != PAM_SUCCESS) {
     PAM_SYSLOG(pamh, LOG_INFO, "Could not get pam user.");
-    return pam_result;
+    return PAM_AUTH_ERR;
   }
-  string str_user_name(user_name);
+
   if (!ValidateUserName(user_name)) {
-    // If the user name is not a valid oslogin user, don't bother continuing.
-    return PAM_SUCCESS;
+    // Not a valid OS Login username.
+    return PAM_IGNORE;
   }
-  string users_filename = kUsersDir;
+
+  std::string users_filename = kUsersDir;
   users_filename.append(user_name);
   struct stat buffer;
   bool file_exists = !stat(users_filename.c_str(), &buffer);
 
+  std::string str_user_name(user_name);
   std::stringstream url;
   url << kMetadataServerUrl << "users?username=" << UrlEncode(str_user_name);
-  string response;
+
+  std::string response;
   long http_code = 0;
   if (!HttpGet(url.str(), &response, &http_code) || response.empty() ||
       http_code != 200) {
     if (http_code == 404) {
-      // Return success on non-oslogin users.
-      return PAM_SUCCESS;
+      // This module is only consulted for OS Login users.
+      return PAM_IGNORE;
     }
-    // If we can't reliably tell if this is an oslogin user, check if there is
-    // a local file for that user as a last resort.
+
+    // Check local file for that user as a last resort.
     if (file_exists) {
       return PAM_PERM_DENIED;
     }
-    // Otherwise, fall back on success to allow local users to log in.
-    return PAM_SUCCESS;
+
+    // We can't confirm this is an OS Login user, ignore module.
+    return PAM_IGNORE;
   }
 
-  string email;
+  std::string email;
   if (!ParseJsonToEmail(response, &email) || email.empty()) {
-    return PAM_PERM_DENIED;
+    return PAM_AUTH_ERR;
   }
 
   url.str("");
@@ -101,28 +101,26 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
       chmod(users_filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
     }
     PAM_SYSLOG(pamh, LOG_INFO,
-               "Granting login permission for organization user %s.",
+               "Organization user %s has login permission.",
                user_name);
-    pam_result = PAM_SUCCESS;
+    return PAM_SUCCESS;
   } else {
     if (file_exists) {
       remove(users_filename.c_str());
     }
     PAM_SYSLOG(pamh, LOG_INFO,
-               "Denying login permission for organization user %s.",
+               "Organization user %s does not have login permission.",
                user_name);
 
-    pam_result = PAM_PERM_DENIED;
+    return PAM_PERM_DENIED;
   }
-  return pam_result;
 }
+
 PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
-                              const char **argv)
-{
+                              const char **argv) {
   return PAM_SUCCESS;
 }
 
-
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
                                    int argc, const char **argv)
 {
@@ -132,23 +130,23 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
     return PAM_PERM_DENIED;
   }
 
-  string str_user_name(user_name);
+  std::string str_user_name(user_name);
   if (!ValidateUserName(user_name)) {
     return PAM_PERM_DENIED;
   }
 
-  string response;
+  std::string response;
   if (!(GetUser(str_user_name, &response))) {
     return PAM_PERM_DENIED;
   }
 
   // System accounts begin with the prefix `sa_`.
-  string sa_prefix = "sa_";
+  std::string sa_prefix = "sa_";
   if (str_user_name.compare(0, sa_prefix.size(), sa_prefix) == 0) {
     return PAM_SUCCESS;
   }
 
-  string email;
+  std::string email;
   if (!ParseJsonToEmail(response, &email) || email.empty()) {
     return PAM_PERM_DENIED;
   }
@@ -161,7 +159,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
     return PAM_PERM_DENIED;
   }
 
-  string status;
+  std::string status;
   if (!ParseJsonToKey(response, "status", &status)) {
     PAM_SYSLOG(pamh, LOG_ERR,
                "Failed to parse status from start session response");
@@ -172,7 +170,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
     return PAM_SUCCESS; // User is not two-factor enabled.
   }
 
-  string session_id;
+  std::string session_id;
   if (!ParseJsonToKey(response, "sessionId", &session_id)) {
     return PAM_PERM_DENIED;
   }
@@ -184,7 +182,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
     return PAM_PERM_DENIED;
   }
 
-  std::map<string,string> user_prompts;
+  std::map<std::string,std::string> user_prompts;
   user_prompts[AUTHZEN] = "Google phone prompt";
   user_prompts[TOTP] = "Security code from Google Authenticator application";
   user_prompts[INTERNAL_TWO_FACTOR] = "Security code from security key";
diff --git a/packages/google-compute-engine/packaging/debian/changelog b/packages/google-compute-engine/packaging/debian/changelog
index a5f32aae..a9e93965 100644
--- a/packages/google-compute-engine/packaging/debian/changelog
+++ b/packages/google-compute-engine/packaging/debian/changelog
@@ -1,3 +1,9 @@
+google-compute-engine (2.8.14-1) stable; urgency=low
+
+  * Upstart systems: only run startup scripts at boot.
+
+ -- Google Cloud Team <gc-team@google.com>  Tue, 16 Apr 2019 12:00:00 -0700
+
 google-compute-engine (2.8.13-1) stable; urgency=low
 
   * Fix metadata script retrieval to support Python 3.
diff --git a/packages/google-compute-engine/packaging/setup_deb.sh b/packages/google-compute-engine/packaging/setup_deb.sh
index dad66d3b..76cce07a 100755
--- a/packages/google-compute-engine/packaging/setup_deb.sh
+++ b/packages/google-compute-engine/packaging/setup_deb.sh
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 NAME="google-compute-engine"
-VERSION="2.8.13"
+VERSION="2.8.14"
 
 working_dir=${PWD}
 if [[ $(basename "$working_dir") != $NAME ]]; then
diff --git a/packages/google-compute-engine/packaging/setup_rpm.sh b/packages/google-compute-engine/packaging/setup_rpm.sh
index d0d93ea0..d98c2aa3 100755
--- a/packages/google-compute-engine/packaging/setup_rpm.sh
+++ b/packages/google-compute-engine/packaging/setup_rpm.sh
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 NAME="google-compute-engine"
-VERSION="2.8.13"
+VERSION="2.8.14"
 
 rpm_working_dir=/tmp/rpmpackage/${NAME}-${VERSION}
 working_dir=${PWD}
diff --git a/packages/google-compute-engine/src/etc/init/google-startup-scripts.conf b/packages/google-compute-engine/src/etc/init/google-startup-scripts.conf
index 3bda5040..664297c4 100644
--- a/packages/google-compute-engine/src/etc/init/google-startup-scripts.conf
+++ b/packages/google-compute-engine/src/etc/init/google-startup-scripts.conf
@@ -1,4 +1,4 @@
 # Runs a startup script from metadata.
-start on started google-network-daemon
+start on started google-network-daemon and startup
 
 exec /usr/bin/google_metadata_script_runner --script-type startup
diff --git a/packages/python-google-compute-engine/README.md b/packages/python-google-compute-engine/README.md
index af5b7632..f1ffe8e3 100644
--- a/packages/python-google-compute-engine/README.md
+++ b/packages/python-google-compute-engine/README.md
@@ -241,8 +241,7 @@ MetadataScripts   | startup                | `false` disables startup script exe
 MetadataScripts   | shutdown               | `false` disables shutdown script execution.
 NetworkInterfaces | setup                  | `false` skips network interface setup.
 NetworkInterfaces | ip\_forwarding         | `false` skips IP forwarding.
-NetworkInterfaces | dhclient\_script       | String path to a dhclient script used by dhclient.
-NetworkInterfaces | dhcp\_command          | String to execute to enable network interfaces.
+NetworkInterfaces | dhcp\_command          | String path for alternate dhcp executable used to enable network interfaces.
 
 Setting `network_enabled` to `false` will skip setting up host keys and the
 `boto` config in the guest. The setting may also prevent startup and shutdown
diff --git a/packages/python-google-compute-engine/google_compute_engine/compat.py b/packages/python-google-compute-engine/google_compute_engine/compat.py
index 53dab99e..eb697631 100644
--- a/packages/python-google-compute-engine/google_compute_engine/compat.py
+++ b/packages/python-google-compute-engine/google_compute_engine/compat.py
@@ -25,11 +25,17 @@
   import platform as distro
 
 if 'freebsd' in sys.platform:
-  distribution = distro.version().split()
+  # Note: Do not use .version() method which is from either platform or distro.
+  # platform.version() and distro.version() return different values.
+  # platform.version() returns 'FreeBSD 11.2-RELEASE-p9.....'.
+  # distro.version() returns '11.2'.
+  distro_name = 'freebsd'
+  # distro_version is not used for FreeBSD later in this code.
+  distro_version = None
 else:
   distribution = distro.linux_distribution()
-distro_name = distribution[0].lower()
-distro_version = distribution[1].split('.')[0]
+  distro_name = distribution[0].lower()
+  distro_version = distribution[1].split('.')[0]
 distro_utils = None
 
 if 'centos' in distro_name and distro_version == '6':
diff --git a/packages/python-google-compute-engine/google_compute_engine/constants.py b/packages/python-google-compute-engine/google_compute_engine/constants.py
index d908275c..cfe87c49 100644
--- a/packages/python-google-compute-engine/google_compute_engine/constants.py
+++ b/packages/python-google-compute-engine/google_compute_engine/constants.py
@@ -21,20 +21,23 @@
 OSLOGIN_NSS_CACHE_SCRIPT = 'google_oslogin_nss_cache'
 
 if platform.system() == 'FreeBSD':
-    LOCALBASE = '/usr/local'
-    BOTOCONFDIR = '/usr/local'
-    SYSCONFDIR = '/usr/local/etc'
-    LOCALSTATEDIR = '/var/spool'
-    OSLOGIN_NSS_CACHE = '/usr/local/etc/oslogin_passwd.cache'
+  BOTOCONFDIR = '/usr/local'
+  LOCALBASE = '/usr/local'
+  LOCALSTATEDIR = '/var/spool'
+  OSLOGIN_NSS_CACHE = '/usr/local/etc/oslogin_passwd.cache'
+  SYSCONFDIR = '/usr/local/etc'
+  SYSLOG_SOCKET = '/var/run/log'
 elif platform.system() == 'OpenBSD':
-    LOCALBASE = '/usr/local'
-    BOTOCONFDIR = ''
-    SYSCONFDIR = '/usr/local/etc'
-    LOCALSTATEDIR = '/var/spool'
-    OSLOGIN_NSS_CACHE = '/usr/local/etc/oslogin_passwd.cache'
+  BOTOCONFDIR = ''
+  LOCALBASE = '/usr/local'
+  LOCALSTATEDIR = '/var/spool'
+  OSLOGIN_NSS_CACHE = '/usr/local/etc/oslogin_passwd.cache'
+  SYSCONFDIR = '/usr/local/etc'
+  SYSLOG_SOCKET = '/dev/log'
 else:
-    LOCALBASE = ''
-    BOTOCONFDIR = ''
-    SYSCONFDIR = '/etc/default'
-    LOCALSTATEDIR = '/var'
-    OSLOGIN_NSS_CACHE = '/etc/oslogin_passwd.cache'
+  BOTOCONFDIR = ''
+  LOCALBASE = ''
+  LOCALSTATEDIR = '/var'
+  OSLOGIN_NSS_CACHE = '/etc/oslogin_passwd.cache'
+  SYSCONFDIR = '/etc/default'
+  SYSLOG_SOCKET = '/dev/log'
diff --git a/packages/python-google-compute-engine/google_compute_engine/logger.py b/packages/python-google-compute-engine/google_compute_engine/logger.py
index a075eaea..5599570f 100644
--- a/packages/python-google-compute-engine/google_compute_engine/logger.py
+++ b/packages/python-google-compute-engine/google_compute_engine/logger.py
@@ -15,6 +15,7 @@
 
 """A library for logging text to SysLog and the serial console."""
 
+from google_compute_engine import constants
 from google_compute_engine.compat import logging
 
 
@@ -46,7 +47,7 @@ def Logger(name, debug=False, facility=None):
   if facility:
     # Create a handler for sending logs to SysLog.
     syslog_handler = logging.handlers.SysLogHandler(
-        address='/dev/log', facility=facility)
+        address=constants.SYSLOG_SOCKET, facility=facility)
     syslog_handler.setLevel(logging.INFO)
     syslog_handler.setFormatter(formatter)
     logger.addHandler(syslog_handler)
diff --git a/packages/python-google-compute-engine/google_compute_engine/metadata_scripts/script_executor.py b/packages/python-google-compute-engine/google_compute_engine/metadata_scripts/script_executor.py
index 3523f725..e5e5ec16 100644
--- a/packages/python-google-compute-engine/google_compute_engine/metadata_scripts/script_executor.py
+++ b/packages/python-google-compute-engine/google_compute_engine/metadata_scripts/script_executor.py
@@ -19,8 +19,6 @@
 import stat
 import subprocess
 
-from google_compute_engine import constants
-
 
 class ScriptExecutor(object):
   """A class for executing user provided metadata scripts."""
diff --git a/packages/python-google-compute-engine/google_compute_engine/tests/compat_test.py b/packages/python-google-compute-engine/google_compute_engine/tests/compat_test.py
index ec283237..803efefc 100644
--- a/packages/python-google-compute-engine/google_compute_engine/tests/compat_test.py
+++ b/packages/python-google-compute-engine/google_compute_engine/tests/compat_test.py
@@ -109,10 +109,8 @@ def testDistroCompatLinux(self, mock_call):
       self.assertEqual(
           test_cases[distro], google_compute_engine.compat.distro_utils)
 
-  @mock.patch('google_compute_engine.compat.sys.platform', 'freebsd')
-  @mock.patch('google_compute_engine.compat.distro.version')
-  def testDistroCompatFreeBSD(self, mock_call):
-    mock_call.return_value = 'FreeBSD 11.1-RELEASE-p4 #0: Tue Nov 14 06:12:40'
+  @mock.patch('google_compute_engine.compat.sys.platform', 'freebsd11')
+  def testDistroCompatFreeBSD(self):
     reload_import(google_compute_engine.compat)
     self.assertEqual(
         google_compute_engine.distro_lib.freebsd_11.utils,
diff --git a/packages/python-google-compute-engine/packaging/debian/changelog b/packages/python-google-compute-engine/packaging/debian/changelog
index 3d98cb12..822bcb92 100644
--- a/packages/python-google-compute-engine/packaging/debian/changelog
+++ b/packages/python-google-compute-engine/packaging/debian/changelog
@@ -1,3 +1,9 @@
+python-google-compute-engine (2.8.14-1) stable; urgency=low
+
+  * FreeBSD fixes: syslog socket location and OS detection.
+
+ -- Google Cloud Team <gc-team@google.com>  Tue, 16 Apr 2019 12:00:00 -0700
+
 python-google-compute-engine (2.8.13-1) stable; urgency=low
 
   * Fix metadata script retrieval to support Python 3.
diff --git a/packages/python-google-compute-engine/packaging/setup_deb.sh b/packages/python-google-compute-engine/packaging/setup_deb.sh
index 4d600ed7..b47c54de 100755
--- a/packages/python-google-compute-engine/packaging/setup_deb.sh
+++ b/packages/python-google-compute-engine/packaging/setup_deb.sh
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 NAME="python-google-compute-engine"
-VERSION="2.8.13"
+VERSION="2.8.14"
 
 working_dir=${PWD}
 if [[ $(basename "$working_dir") != $NAME ]]; then
diff --git a/packages/python-google-compute-engine/packaging/setup_rpm.sh b/packages/python-google-compute-engine/packaging/setup_rpm.sh
index ce180b5d..d1eccc31 100755
--- a/packages/python-google-compute-engine/packaging/setup_rpm.sh
+++ b/packages/python-google-compute-engine/packaging/setup_rpm.sh
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 NAME="python-google-compute-engine"
-VERSION="2.8.13"
+VERSION="2.8.14"
 
 rpm_working_dir=/tmp/rpmpackage/${NAME}-${VERSION}
 working_dir=${PWD}