You can change the Confidential Space workload VM behavior by passing variables into the `--metadata` option when you create the VM.

To pass in multiple variables, first set the delimiter by prefixing the `--metadata` value with `^~^`. This sets the delimiter to `~`, as `,` is used in variable values.

Sets environment variables in the workload container. The workload author must also add the environment variable names to the `allow_env_override` launch policy, or they won't be set.

Defaults to `false`. When set to `true`, enables memory usage monitoring. The metrics collected by the Confidential VM are of the `guest/memory/bytes_used` type, and can be viewed in Cloud Logging or Metrics Explorer.

A list of semicolon-separated mount definitions. A mount definition consists of a comma-separated list of key-value pairs, requiring `type`, `source`, and `destination`. `destination` must be an absolute path and `type`/`source` must be `tmpfs`.
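
The following shell helper is an added example, not part of the original page or of Google's tooling. It assembles a `--metadata` value with the `^~^` prefix and checks mount definitions against the rules above before the VM is created. The function names, the image path and the key names `tee-mount` and `tee-env-GREETING` are assumptions, because the key names for these settings do not appear in this extract.

```shell
#!/bin/sh
# Added example. Assumed key names: tee-mount, tee-env-<NAME>.

# validate_mounts "def1;def2": every definition needs type=tmpfs,
# source=tmpfs and an absolute destination path.
validate_mounts() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=';'; set -f; set -- $1; set +f; IFS=$old_ifs
    for def in "$@"; do
        mtype=; msrc=; mdest=
        IFS=','; set -f
        for pair in $def; do
            case $pair in
                type=*)        mtype=${pair#type=} ;;
                source=*)      msrc=${pair#source=} ;;
                destination=*) mdest=${pair#destination=} ;;
            esac
        done
        set +f; IFS=$old_ifs
        [ "$mtype" = tmpfs ] && [ "$msrc" = tmpfs ] || return 1
        case $mdest in /*) ;; *) return 1 ;; esac
    done
}

# build_metadata KEY=VALUE...: print "^~^k1=v1~k2=v2". A "~" inside any
# argument would split the value at the wrong place, so it is rejected.
build_metadata() {
    out='^~^'; sep=
    for kv in "$@"; do
        case $kv in
            *'~'*) echo "contains the ~ delimiter: $kv" >&2; return 1 ;;
            *=*)   ;;
            *)     echo "not KEY=VALUE: $kv" >&2; return 1 ;;
        esac
        case $kv in
            tee-mount=*)
                validate_mounts "${kv#tee-mount=}" ||
                    { echo "invalid mount definition: $kv" >&2; return 1; } ;;
        esac
        out="$out$sep$kv"; sep='~'
    done
    printf '%s\n' "$out"
}

# Constructed sample values; pass the result to gcloud (other flags omitted):
#   gcloud compute instances create VM_NAME --metadata="$(build_metadata ...)"
build_metadata 'tee-image-reference=us-docker.pkg.dev/example-project/repo/app:latest' \
    'tee-mount=type=tmpfs,source=tmpfs,destination=/scratch'
```
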
Last updated 2025-03-14 UTC.

You can modify the behavior of a Confidential Space workload VM by using the `--metadata` option and passing in specific variables during VM creation.

The `tee-image-reference` metadata key is required and it specifies the location of the workload container image.

The `tee-cmd` metadata key allows overriding the `CMD` instructions defined in the workload container's Dockerfile, while other variables allow environment variables, service accounts impersonation, memory monitoring and mount definitions to be modified.

The `tee-container-log-redirect` key controls the destination of the workload container's `STDOUT` and `STDERR` output, allowing it to be directed to the serial console, Cloud Logging, or both.

You can define the restart policy for the workload container using `tee-restart-policy`, with options such as `Never`, `Always`, or `OnFailure`, which dictates the container's behavior when it stops.