Container-Optimized Google Compute Engine Images


This is an Open Preview release of containers on Virtual Machines. As a result, we may make backward-incompatible changes and it is not covered by any SLA or deprecation policy. Customers should take this into account when using this Open Preview release.

Google Compute Engine supports using Docker containers with a Preview release of the Container-VM node image. Container-VM is a container-optimized OS image that includes Docker and a Kubernetes Kubelet—an open source agent to manage containers.

The container OS image includes:

  • Debian 7.
  • The Docker runtime. To learn more about Docker, visit
  • An open-source metadata framework and the Kubernetes Kubelet—a lightweight agent to create and manage containers based on the metadata.

Container VM Support

Container-VM is in the process of being deprecated and will be supported and patched through September 2017. Google has a system that compares the container-vm image against the CVE list and regularly patches it for vulnerabilities.

Get involved

We encourage you to be involved in the development and design of the image and the related open source projects:

Starting a bare container-vm instance

A container VM image is specified like any other Google Compute Engine image, as an argument to the --image flag of the gcloud compute instances create command:

gcloud compute instances create instance-name \
  --image-family=container-vm \
  --image-project=google-containers \
  --zone us-central1-a \
  --machine-type f1-micro

You can list all available versions with:

gcloud compute images list --project google-containers

Once the instance is running, you can SSH into the instance and use the Docker command line tool to create and manage your containers.

Creating containers at time of instance creation

The container VM image includes the Kubernetes Kubelet - an agent that can parse a YAML-formatted list of containers and create those containers at the instance's boot time. The Kubelet also monitors the listed containers, restarting them should they fail at any time.

This manifest is passed to the --metadata-from-file flag of gcloud compute instances create as a key/value pair whose key is always google-container-manifest. The value of the pair is the relative path to a manifest.

--metadata-from-file google-container-manifest=containers.yaml

All of the containers in the group share the same network namespace; you can connect from one container to a service running on another container using localhost and the port of the service. Two containers of the same group cannot run services on the same port.

Quickstart example

The following example creates a new Compute Engine instance with a busybox container. The container responds to incoming streams on port 8080 with "hello world".

Create the manifest

Create a containers.yaml file with the following contents:

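apiVersion: v1
kind: Pod
metadata:
  name: simple-echo
spec:
  containers:
    - name: simple-echo
      image: busybox  # the busybox image this example describes
      # Listen on port 8080 and answer each connection with "hello world!"
      command: ['nc', '-p', '8080', '-l', '-l', '-e', 'echo', 'hello world!']
      imagePullPolicy: Always
      ports:
        # hostPort must be given explicitly for the port to be mapped to the host
        - containerPort: 8080
          hostPort: 8080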

Create the instance

Create your Google Compute Engine instance with the gcloud compute instances create command, and pass the manifest using the --metadata-from-file flag:

gcloud compute instances create containervm-test-1 \
    --image-family=container-vm \
    --image-project=google-containers \
    --metadata-from-file google-container-manifest=containers.yaml \
    --zone us-central1-a \
    --machine-type f1-micro

Test your app

Your new instance is up and running and contains the Docker container you specified in the manifest. To test it, SSH into your instance:

gcloud compute ssh --zone us-central1-a containervm-test-1

To confirm that the container has been created:

me@containervm-test-1:~$ sudo docker ps
CONTAINER ID   IMAGE                                     COMMAND                CREATED          ...
8a62ff4babd0   "nc -p 8080 -l -l -e   14 seconds ago   ...
f0a3ffb17ac7        "/pause"               15 seconds ago   ...

Use netcat to query the container:

me@containervm-test-1:~$ nc localhost 8080
hello world!

Container manifest

Documentation for the container manifest can be found in the Kubernetes API Pod Specification. The container VM is running a simple Kubelet and not the entire Kubernetes control plane, so the v1.PodSpec honored by the container VM is limited to containers, volumes, and restartPolicy.
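The limits stated on this page (only containers, volumes, and restartPolicy are honored; containers in a group share one network namespace; hostPort must be explicit) can be checked before a manifest is passed to an instance. The following is an added example, not Google's or the Kubelet's own code: `lint_manifest` and `HONORED_SPEC_FIELDS` are hypothetical names, the manifest is assumed to be already parsed from YAML into a dict, and the sample manifest is constructed.

```python
# Added example: lint a parsed Container-VM manifest against the limits this page states.
HONORED_SPEC_FIELDS = {"containers", "volumes", "restartPolicy"}  # from "Container manifest"

def lint_manifest(pod):
    """Return a list of findings for a manifest that is already parsed into a dict."""
    findings = []
    if pod.get("apiVersion") != "v1" or pod.get("kind") != "Pod":
        findings.append("error: expected apiVersion v1 and kind Pod")
    spec = pod.get("spec") or {}
    for field in sorted(set(spec) - HONORED_SPEC_FIELDS):
        findings.append(f"warn: spec.{field} is outside the honored subset")
    # All containers share one network namespace, so a port number has one owner.
    owners = {"containerPort": {}, "hostPort": {}}
    for c in spec.get("containers") or []:
        name = c.get("name", "<unnamed>")
        if not c.get("image"):
            findings.append(f"error: container {name} has no image")
        for port in c.get("ports") or []:
            if "hostPort" not in port:
                findings.append(
                    f"info: {name} containerPort {port.get('containerPort')} "
                    "has no hostPort, so it is not mapped to the host")
            for kind in owners:
                number = port.get(kind)
                if number is None:
                    continue
                other = owners[kind].setdefault(number, name)
                if other != name:
                    findings.append(
                        f"error: {kind} {number} is used by both {other} and {name}")
    return findings

# Constructed sample: an unsupported spec field and two containers on port 8080.
SAMPLE = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "simple-echo"},
    "spec": {
        "hostNetwork": True,
        "restartPolicy": "Always",
        "containers": [
            {"name": "simple-echo", "image": "busybox",
             "ports": [{"containerPort": 8080, "hostPort": 8080}]},
            {"name": "sidecar", "image": "busybox", "ports": [{"containerPort": 8080}]},
        ],
    },
}

if __name__ == "__main__":
    print("\n".join(lint_manifest(SAMPLE)))
```

Every hostPort the linter accepts is a port published on the VM, so the list of host ports is also the list to compare against the instance's firewall rules.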


February 2, 2017

The image has been updated to container-vm-v20170201.

  • Addresses CVE-2016-9962

January 17, 2017

The image has been updated to container-vm-v20170117.

  • Addresses CVE-2016-8655, CVE-2016-9555, CVE-2016-9793

December 8, 2016

The image has been updated to container-vm-v20161208.

  • Enables softlockup detection in the kernel.
  • Removes iSCSI support.

October 25, 2016

The image has been updated to container-vm-v20161025.

  • Addresses CVE-2016-5195 (Dirty COW).

February 17, 2016

The image has been updated to container-vm-v20160217.

  • Upgrade glibc to address CVE-2015-7547.

January 27, 2016

The image has been updated to container-vm-v20160127.

  • Upgrade kernel to address a kernel hang related to aufs.

January 21, 2016

The image has been updated to container-vm-v20160121.

  • Upgrade kernel to address CVE-2016-0728.

December 15, 2015

The image has been updated to container-vm-v20151215.

  • Upgrade kubelet (kubernetes agent) to 1.1.3
  • Add panic=10 to kernel command line to enable reboot-on-panic earlier

November 3, 2015

The image has been updated to container-vm-v20151103.

  • Upgrade docker to 1.8.3
  • Upgrade kubelet (kubernetes agent) to 1.1.1-beta.1

October 20, 2015

Updated the sample manifest to correct errors.

version updated to apiVersion throughout.

July 17, 2015

The image has been updated to container-vm-v20150715.

Added missing field to examples and manifest description.

July 6, 2015

Removed a reference to v1beta3 API as the current version is v1.

June 14, 2015

Updated to use v1beta3 API.

June 11, 2015

The image has been updated to container-vm-v20150611.

  • BREAKING CHANGE: This image drops support for the Kubernetes v1beta1 and v1beta2 API objects. Like container-vm-v20150505, this image still supports v1beta3, but support for v1beta3 will be dropped soon.
  • This is the first ContainerVM image shipping with the Kubernetes v1 API. You can explore the v1 objects here: v1beta3 objects from container-vm-v20150505 should migrate seamlessly.

January 12, 2015

The image has been updated to container-vm-v20150112.

  • Upgrade docker to 1.4.1
  • Upgrade kubelet (kubernetes agent) to 0.7.4
  • Reduced size of initramfs for faster boot.
  • Bundled docker images for kubernetes/pause and cAdvisor.
  • The "container-vm" alias automatically points to this image.

December 8, 2014

The image has been updated to container-vm-v20141208.

  • Upgrade docker to 1.3.2
  • Upgrade kubelet (kubernetes agent) to 0.5.4
  • "container-vm" image alias has been created. Specifying --image container-vm when creating an instance starts up the most recent version of the container-optimized image.

October 16, 2014

The image has been updated to container-vm-v20141016.

September 29, 2014

The image has been updated to container-vm-v20140929.

  • Upgrade bash to 4.2+dfsg-0.1+deb7u1 to fix vulnerability CVE-2014-7169.

September 25, 2014

The image has been updated to container-vm-v20140925.

  • Upgrade bash to 4.2+dfsg-0.1+deb7u1 to fix vulnerability CVE-2014-6271.

August 26, 2014

The image has been updated to container-vm-v20140826.

  • Kubelet built from Kubernetes source code, trunk head as of 2014-08-22.
  • hostPort is required to be explicitly specified if a port mapping between container port and host port is required.
  • Docker 1.2 is included.
  • nsinit is included.
  • Google Cloud SDK is included.

August 1, 2014

The image has been updated to container-vm-v20140731.

  • The new image uses Docker 1.1.2.
  • cAdvisor is started by default, listening on port 4194.

July 17, 2014

The image has been updated to container-vm-v20140710.

  • The new image uses the Kubernetes Kubelet instead of container-agent.
  • version is incremented to v1beta2.
  • containers[].env[].key becomes containers[].env[].name
  • containers[].volumeMounts[].path becomes containers[].volumeMounts[].mountPath

The v1beta1 format can still be used with the original container-vm-v20140522 image.
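The security fixes in the release notes above can be turned into a staleness check for instances pinned to an older image. This is an added example, not part of the original page or of any Google tool: the function names are hypothetical, the inventory is constructed, and the code assumes that each image also carries the fixes of every earlier release.

```python
import re
from datetime import date

# First image that carries each security fix, copied from the release notes on this page.
FIXED_IN = {
    "container-vm-v20170201": ["CVE-2016-9962"],
    "container-vm-v20170117": ["CVE-2016-8655", "CVE-2016-9555", "CVE-2016-9793"],
    "container-vm-v20161025": ["CVE-2016-5195"],
    "container-vm-v20160217": ["CVE-2015-7547"],
    "container-vm-v20160121": ["CVE-2016-0728"],
    "container-vm-v20140929": ["CVE-2014-7169"],
    "container-vm-v20140925": ["CVE-2014-6271"],
}
IMAGE_RE = re.compile(r"^container-vm-v(\d{4})(\d{2})(\d{2})$")

def build_date(image):
    """Parse the date embedded in a container-vm-vYYYYMMDD image name."""
    m = IMAGE_RE.match(image)
    if not m:
        raise ValueError(f"not a container-vm image name: {image!r}")
    return date(*map(int, m.groups()))

def missing_fixes(image):
    """CVEs whose fix shipped in a release newer than `image`, oldest release first."""
    built = build_date(image)
    later = sorted((build_date(rel), cves) for rel, cves in FIXED_IN.items()
                   if build_date(rel) > built)
    return [cve for _, cves in later for cve in cves]

def audit(inventory):
    """Map instance name -> missing fixes; images that cannot be parsed are flagged."""
    report = {}
    for instance, image in inventory.items():
        try:
            gaps = missing_fixes(image)
        except ValueError:
            gaps = ["image name not recognised, check manually"]
        if gaps:
            report[instance] = gaps
    return report

# Constructed inventory (instance name -> source image), for illustration only.
INVENTORY = {
    "web-1": "container-vm-v20161208",
    "web-2": "container-vm-v20170201",
    "batch-1": "container-vm-latest",
}

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(name, gaps)
```

An instance created with --image-family=container-vm receives the newest image only at creation time, so long-lived instances are the ones this check is meant to surface.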
