Introducing Google Container-VM Image

Posted by Aditya Kali and Amey Deshpande, Software Engineers

This spring, we announced Container-VM Image as a beta product under Google Cloud Platform (GCP). If you’re a developer interested in deploying your application or a service provider on Google Compute Engine, we recommend taking a few moments to understand how it can help you.

Linux containers help developers to focus on their application without worrying about the underlying infrastructure. A secure and up-to-date base image is a critical building block of any container-based infrastructure. Container-VM Image represents the best practices we here at Google have learned over the past decade running containers at scale.

Container-VM Image design philosophy
Container-VM Image is designed from the ground up to be a modern operating system for running containers on GCP. Read on for more information about the design choices behind Container-VM Image and its attributes.

Build environment
Container-VM Image is based on the open-source Chromium OS project. Chromium OS is a reliable and vetted source code base for this new operating system. In addition, its allows us to use the powerful build and test infrastructure built by the ChromeOS team.

Designed for containers
The Docker container runtime is pre-installed on Container-VM Image. A key feature of containers is that the software dependencies can be packaged in the container image along with the application. With this in mind, Container-VM Image’s root file system is kept to a minimum by only including the software that’s necessary to run containers.

More secure by design
Container-VM Image is designed with security in mind, rather than as an afterthought. The minimal root file system keeps the attack surface small. The root file system is mounted as read-only, and its integrity is verified by the kernel during boot up. Such hardening features make it difficult for attackers to permanently exploit the system.

Software updates
Having full control over the build infrastructure combined with a minimal root file system allows us to patch vulnerabilities and ship updated software versions very quickly. Container-VM Image also ships with an optional “in-place update” feature that allows users to stay up-to-date with minimal manual intervention.

Getting started
The Container-VM Images are available in the “google-containers” GCP project. Here are a few commands to get you started:

Here’s how to list currently available images:

$ gcloud compute images list –project google-containers –no-standard-images

Note: All new Container-VM Images have “gci-” prefix in their names.

Here’s how to start a new instance:
$ gcloud compute instances create
zone us-central1-a
–image-family gci-stable –image-project google-containers

Once the instance is ready, you can ssh into it:

$ gcloud compute ssh –zone us-central1-a

You can also start an instance using Cloud-Config, the primary API for configuring an instance running Container-VM Image. You can create users, configure firewalls, start Docker containers and even run arbitrary commands required to configure your instance from the Cloud-Config file.

You can specify Cloud-Config as Compute Engine metadata at the time of instance creation with the special `user-data` key:

$ gcloud compute instances create
zone us-central1-a
–image-family gci-stable –image-project google-containers
–metadata-from-file user-data=

What’s next
We’re working hard on improving and adding new features to Container-VM Image to make it the best way to run containers on GCP.  Stay tuned for future blogs and announcements. In the meantime, you can find more documentation and examples at the Container-VM Image homepage, and send us your feedback at google-containers@google.com .
Quelle: Google Cloud Platform

Published by