Posted by Aditya Kali and Amey Deshpande, Software Engineers
This spring, we announced Container-VM Image as a beta product on Google Cloud Platform (GCP). Whether you're a developer deploying an application or a service provider running a platform on Google Compute Engine, we recommend taking a few moments to understand how it can help you.
Linux containers help developers to focus on their application without worrying about the underlying infrastructure. A secure and up-to-date base image is a critical building block of any container-based infrastructure. Container-VM Image represents the best practices we here at Google have learned over the past decade running containers at scale.
Container-VM Image design philosophy
Container-VM Image is designed from the ground up to be a modern operating system for running containers on GCP. Read on for more information about the design choices behind Container-VM Image and its attributes.
Container-VM Image is based on the open-source Chromium OS project. Chromium OS is a reliable and vetted source code base for this new operating system. In addition, it allows us to use the powerful build and test infrastructure built by the Chrome OS team.
Designed for containers
The Docker container runtime is pre-installed on Container-VM Image. A key feature of containers is that the software dependencies can be packaged in the container image along with the application. With this in mind, Container-VM Image’s root file system is kept to a minimum by only including the software that’s necessary to run containers.
More secure by design
Container-VM Image is designed with security in mind, rather than as an afterthought. The minimal root file system keeps the attack surface small. The root file system is mounted read-only, and its integrity is verified by the kernel during boot (the dm-verity mechanism inherited from Chromium OS), so a modified binary on disk is detected rather than silently executed. Together, these hardening features make it difficult for an attacker who does get code running on an instance to persist across a reboot.
Having full control over the build infrastructure, combined with a minimal root file system, allows us to patch vulnerabilities and ship updated software versions very quickly. Container-VM Image also ships with an optional "in-place update" feature that lets instances pick up new OS releases with minimal manual intervention.
The Container-VM Images are available in the “google-containers” GCP project. Here are a few commands to get you started:
Here’s how to list currently available images:
$ gcloud compute images list --project google-containers --no-standard-images
Note: All new Container-VM Images have “gci-” prefix in their names.
Here’s how to start a new instance:
$ gcloud compute instances create my-instance --zone us-central1-a --image-family gci-stable --image-project google-containers
(`my-instance` is a name of your choosing; the `gci-stable` image family always resolves to the latest stable release.)
Once the instance is ready, you can SSH into it:
$ gcloud compute ssh my-instance --zone us-central1-a
You can also start an instance using Cloud-Config, the primary API for configuring an instance running Container-VM Image. You can create users, configure firewalls, start Docker containers and even run arbitrary commands required to configure your instance from the Cloud-Config file.
You can specify Cloud-Config as Compute Engine metadata at the time of instance creation with the special `user-data` key:
$ gcloud compute instances create my-instance --zone us-central1-a --image-family gci-stable --image-project google-containers --metadata-from-file user-data=<cloud-config-file>
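As an added illustration (this file is not part of the original post or of Google's documentation), here is a Cloud-Config that exercises the three capabilities described above: it creates an unprivileged user, opens TCP port 80 in the instance's own iptables rules, and starts a Docker container as a systemd unit so that it is supervised and survives restarts. The user name `cloudservice`, the UID 2000, the unit name and the `busybox` image are placeholders chosen for this example; `users`, `write_files` and `runcmd` are standard cloud-init directives, so check the Container-VM Image documentation for the exact set supported by the release you run.

```yaml
#cloud-config

# Added example, not from the original post. The names below (cloudservice,
# UID 2000, the unit name, the busybox image) are placeholders for illustration.

users:
- name: cloudservice          # unprivileged account the container runs as
  uid: 2000

write_files:
- path: /etc/systemd/system/cloudservice.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Run a small web container under an unprivileged UID
    After=docker.service
    Requires=docker.service

    [Service]
    # --rm removes the container when it exits; -u 2000 runs the process as the
    # unprivileged UID instead of root; --read-only gives the container the same
    # read-only root file system the host enforces; the host's port 80 is mapped
    # to the unprivileged port 8080 inside the container.
    ExecStart=/usr/bin/docker run --rm --name=cloudservice -u 2000 --read-only \
      -p 80:8080 busybox:latest httpd -f -p 8080 -h /www
    ExecStop=/usr/bin/docker stop cloudservice

runcmd:
# Allow inbound TCP/80 at the host firewall. The GCE network firewall rule for
# the instance is separate and must also permit the port.
- iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
- systemctl daemon-reload
- systemctl start cloudservice.service
```

Save this as `cloud-config.yaml` and pass it with `--metadata-from-file user-data=cloud-config.yaml`. Running the workload as a non-root UID with a read-only container file system mirrors the image's own design: a compromised process inside the container cannot modify its binaries, and the host's read-only, integrity-verified root is not reachable from it either.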
We’re working hard on improving and adding new features to Container-VM Image to make it the best way to run containers on GCP. Stay tuned for future blogs and announcements. In the meantime, you can find more documentation and examples at the Container-VM Image homepage, and we welcome your feedback.