Running Containers on Instances

You can run a Docker container on a machine running Container-Optimized OS in much the same way as you would on most other node image distributions: by using the docker run command. For example:

$ docker run --rm busybox echo "hello world"
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
. . .
Status: Downloaded newer image for busybox:latest
hello world

All user accounts on the cos image are added to the docker group by default. This lets any user run docker commands without root privileges.

Accessing Public Google Container Registry

Google Container Registry support is built in to the cos node image. To start a container from Google Container Registry, run:

$ docker run --rm echo "hello world"
Unable to find image '' locally
Pulling repository
. . .
Status: Downloaded newer image for
hello world

Accessing Private Google Container Registry

Starting with milestone 60 releases, docker-credential-gcr is pre-installed in Container-Optimized OS images. It is the recommended way to access private Google Container Registry. To use docker-credential-gcr:

$ docker-credential-gcr configure-docker
/home/username/.docker/config.json configured to use this credential helper
for GCR registries
$ docker run --rm<your-project>/<your-image>

On releases before milestone 60, Container-Optimized OS images provide a /usr/share/google/ script, which fetches and stores the necessary OAuth access tokens. The script stores the tokens in the instance's home directory, where Docker looks for access tokens by default.

$ /usr/share/google/
$ docker run …

Alternately, you can fetch appropriate OAuth access tokens from Google Compute Engine metadata and use them with the docker login command manually, as shown in the following example:

$ SVC_ACCT=$METADATA/instance/service-accounts/default
$ ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' $SVC_ACCT/token \
    | cut -d'"' -f 4)
$ docker login -u _token -p $ACCESS_TOKEN
$ docker run …

Supported GCR hostnames are:


Starting a Docker container via Cloud-Config

The Cloud-Config example explains how to start a docker container. It can be extended to start a container from Google Container Registry as follows:


- name: cloudservice
  uid: 2000

- path: /etc/systemd/system/cloudservice.service
  permissions: 0644
  owner: root
  content: |
    Description=Start a simple docker container

    ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
    ExecStart=/usr/bin/docker run --rm -u 2000 --name=mycloudservice /bin/sleep 3600
    ExecStop=/usr/bin/docker stop mycloudservice
    ExecStopPost=/usr/bin/docker rm mycloudservice

- systemctl daemon-reload
- systemctl start cloudservice.service

Running a Kubernetes cluster

The recommended approach to running a Kubernetes cluster on Google Cloud Platform is using Container Engine. However, if you want to run a self-managed version of open-source Kubernetes, follow these instructions.

First, make sure that your Kubernetes master can be reached by opening port 443 in your firewall.

Then, download Kubernetes release binaries, unpack, and bring up the cluster as follows:

# Download and extract the latest kubernetes release.
cd <empty-dir>
curl -sSL -o kubernetes.tar.gz${KUBERNETES_VERSION}/kubernetes.tar.gz
tar xzf kubernetes.tar.gz
cd kubernetes

# Configure environment to use Container-Optimized OS.

# Start up a cluster and verify that it is running:
cluster/ get nodes
cluster/ get pods --namespace=kube-system

Now you can run your application on the cluster. For example, you can start a Redis cluster using the example below.

cluster/ create -f \
cluster/ get pods
cluster/ describe pods <redis-master-pod-name>

Once your cluster is no longer needed, you can tear it down:


Send feedback about...

Container-Optimized OS