Introducing Google Container-VM Image
Aditya Kali and Amey Deshpande
This spring, we announced Container-VM Image as a beta product under Google Cloud Platform (GCP). Whether you're a developer deploying your application or a service provider running on Google Compute Engine, we recommend taking a few moments to understand how it can help you.
Linux containers help developers to focus on their application without worrying about the underlying infrastructure. A secure and up-to-date base image is a critical building block of any container-based infrastructure. Container-VM Image represents the best practices we here at Google have learned over the past decade running containers at scale.
Container-VM Image design philosophy
Container-VM Image is designed from the ground up to be a modern operating system for running containers on GCP. Read on for more information about the design choices behind Container-VM Image and its attributes.
Build environment
Container-VM Image is based on the open-source Chromium OS project. Chromium OS is a reliable and vetted source code base for this new operating system. In addition, it allows us to use the powerful build and test infrastructure built by the ChromeOS team.
Designed for containers
The Docker container runtime is pre-installed on Container-VM Image. A key feature of containers is that the software dependencies can be packaged in the container image along with the application. With this in mind, Container-VM Image’s root file system is kept to a minimum by only including the software that's necessary to run containers.
More secure by design
Container-VM Image is designed with security in mind, rather than as an afterthought. The minimal root file system keeps the attack surface small. The root file system is mounted as read-only, and its integrity is verified by the kernel during boot up. Such hardening features make it difficult for attackers to permanently exploit the system.
Software updates
Having full control over the build infrastructure combined with a minimal root file system allows us to patch vulnerabilities and ship updated software versions very quickly. Container-VM Image also ships with an optional “in-place update” feature that allows users to stay up-to-date with minimal manual intervention.
Getting started
The Container-VM Images are available in the “google-containers” GCP project. Here are a few commands to get you started:
Here’s how to list currently available images:
Note: All new Container-VM Images have the “gci-” prefix in their names.
Here’s how to start a new instance:
Once the instance is ready, you can ssh into it:
You can also start an instance using Cloud-Config, the primary API for configuring an instance running Container-VM Image. You can create users, configure firewalls, start Docker containers and even run arbitrary commands required to configure your instance from the Cloud-Config file.
You can specify Cloud-Config as Compute Engine metadata at the time of instance creation with the special `user-data` key:
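As an added illustration (not part of the original post), the following Cloud-Config file shows the kinds of configuration the paragraph above describes: it creates an unprivileged user, opens a firewall port on the host, and runs a Docker container as a systemd unit. The service name `mycloudservice`, the user `cloudservice` with uid 2000, the `busybox` image and the listening port are assumptions chosen for illustration.

```yaml
#cloud-config

# Constructed example: a dedicated, unprivileged account for the container
# so that the workload does not run as root on the host.
users:
- name: cloudservice
  uid: 2000

# Drop a systemd unit onto the (writable) /etc so that the container is
# started and supervised by systemd rather than by an interactive shell.
write_files:
- path: /etc/systemd/system/mycloudservice.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Start a Docker container as an unprivileged user
    After=docker.service
    Requires=docker.service

    [Service]
    # -u 2000 runs the process inside the container as the cloudservice uid;
    # --read-only keeps the container's own root file system immutable,
    # mirroring the read-only root of the host image.
    ExecStart=/usr/bin/docker run --name=mycloudservice -u 2000 --read-only \
        -p 80:8080 busybox:latest /bin/sleep 3600
    ExecStop=/usr/bin/docker stop mycloudservice
    # Leading "-" tells systemd to ignore a failure here (container already gone).
    ExecStopPost=-/usr/bin/docker rm mycloudservice
    Restart=on-failure

# Commands run once at first boot, after the files above are written.
runcmd:
# Assumption: the host firewall needs an explicit rule before the port is
# reachable from outside the instance; open only the single port the
# service listens on (80/tcp).
- iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
- systemctl daemon-reload
- systemctl start mycloudservice.service
```

Passing this file with `--metadata-from-file user-data=<file>` at instance creation is the mechanism the text describes; the instance applies it on first boot.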