How to export a Google Compute Engine instance image?
I want to reuse the instance in another Google Cloud account. Is that possible?
Here's the documentation for exporting an image, and here for importing an image.
You can also share images across projects by granting the “compute.imageUser” IAM role. As explained in this article:
“For example, assume that a User A owns Project A and wants to create VM instances using images owned by Project B. The owner of Project B must grant User A the compute.imageUser role on Project B. This grants User A the ability to use the images from Project B to create instances in Project A.”
Yes it is possible.
First of all, Instance and Image are two different things. An Image is more like an installable package and an Instance is the actual installed version.
What might be confusing here, w.r.t. Google Cloud, is that Google refers to creating an instance from an image as Exporting an Image, which is contrary to VMware or other hypervisor-based virtualization terminology, where creating an instance is done by Importing a VM (template) and Exporting a VM is basically the reverse of installation, i.e. creating a re-loadable package from the installed version of the VM.
This process of creating an Image from a VM Instance is called Creating an Image in Google Cloud, and the process for the same is documented here.
Related
I'm trying to make an API call in Python (inside a Cloud Function) to do various things, and part of the information I'd like to pass along is whether the VM was created from something in the Marketplace.
The use case is this: The user is in the GCP Console in Compute Engine. They click on Marketplace in the left column of the display which then brings up VMs to choose from. The user picks one (say "Ubuntu 20.4 LTS (Focal)"). The display shows information about the VM with a "Launch" button. When they click that, they are then taken to the "Create an instance" page and they continue making choices and eventually create the VM.
This creates a log entry that the client's security group checks inside of a cloud function. When I look at the log entry for beta.compute.instances.insert, I don't see anything about it being created via Marketplace. If I make an API call to get the instance, there's nothing in the object returned that shows that either. Anyone know of any way to determine this?
It depends on what you mean by "via Marketplace". In general, the Marketplace offer is usually a Deployment Manager template and an image in a public project (public projects are available only to partners publishing to Marketplace). So if you deploy a Marketplace VM solution you will have:
a VM with source image in some project outside your org; but this will also match VMs created manually using that image (does it match your "via Marketplace" definition?) and VMs created from custom images your individual users have access to. Hint: your service account assigned to function will also have access to all public images, but usually not to images shared between users.
Deployment Manager deployment - that's a nice one as such deployments have some marketplace-specific labels. The problem is that deployment metadata can be deleted without deleting the deployed resources. And there's the case you mentioned with some marketplace listings being just redirections to deploying a single VM.
I'm afraid there's no way to detect if an Ubuntu VM was deployed after visiting Marketplace, or after clicking add VM button or using CLI or terraform - for the GCE it was simply an API call to insert a new instance.
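The first signal in the answer above (a source image owned by a project outside your organisation) can be checked from the insert request, as in this added example, which is not from the original post. It assumes the request body carries `disks[].initializeParams.sourceImage` as in the `instances.insert` API; `org_projects`, the function names and the sample request are constructed for illustration.

```python
import re

# Full URL or partial path that names the owning project explicitly.
IMAGE_RE = re.compile(r"(?:^|/)projects/([^/]+)/global/images/(family/)?([^/]+)$")
# Path relative to the project the insert request was sent to.
LOCAL_RE = re.compile(r"global/images/(family/)?([^/]+)")

def image_project(source_image, request_project):
    """Return (project, name, is_family) for a sourceImage reference."""
    m = IMAGE_RE.search(source_image)
    if m:
        return m.group(1), m.group(3), bool(m.group(2))
    m = LOCAL_RE.fullmatch(source_image)
    if m:
        return request_project, m.group(2), bool(m.group(1))
    raise ValueError(f"unrecognised image reference: {source_image!r}")

def external_image_disks(insert_request, request_project, org_projects):
    """List disks in an insert body whose image lives outside org_projects."""
    findings = []
    for disk in insert_request.get("disks", []):
        ref = disk.get("initializeParams", {}).get("sourceImage")
        if not ref:
            continue  # existing, blank or snapshot-based disk: no image to attribute
        project, name, is_family = image_project(ref, request_project)
        if project not in org_projects:
            findings.append({"project": project, "image": name, "family": is_family})
    return findings

# Constructed sample request body (not taken from a real log entry).
SAMPLE_REQUEST = {
    "name": "vm-1",
    "disks": [
        {"boot": True, "initializeParams": {"sourceImage":
            "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud"
            "/global/images/family/ubuntu-2004-lts"}},
        {"initializeParams": {"sourceImage": "global/images/golden-base"}},
        {"initializeParams": {"sourceImage":
            "projects/my-shared-images/global/images/app-v3"}},
        {"source": "projects/my-project/zones/us-central1-a/disks/data-1"},
    ],
}

if __name__ == "__main__":
    print(external_image_disks(SAMPLE_REQUEST, "my-project",
                               {"my-project", "my-shared-images"}))
```

A hit only says the image is owned outside the listed projects; as the answer points out, it cannot tell a Marketplace launch from a VM created manually from the same image.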
My colleague and I have two independent Google accounts. If possible, I want to migrate one of my VM instances into his account, where he can start using it with the disk that contains the applications and operating system needed to start the VM that I want to migrate.
On my account, I created a custom image and afterwards gave Owner permission to my colleague's account using IAM & Admin.
Then my colleague (from a different Google account) created an instance using the custom image under the My First Project section. But when he connected to the created instance, its home directory was empty even though it was created from the custom image that I created from my disk.
Boot Disk => Custom Images => Select my shared Project => Selected the Custom Image that is created on my shared Project => Create
I observe that even though I was able to create an image from a different project, its contents were not migrated.
I was wondering, is it possible to migrate a Google VM instance from one account to another? If yes, how can I do it?
Related:
Is it possible to migrate a google VM instance from one account to another keeping its external IP?
I would suggest creating a snapshot of your VM's boot disk. Then create an image from that snapshot and share it with your colleague.
As John Hanley pointed out in the comments to your question, you might be looking in the wrong place! Google will create separate user home directories based on the username.
I want to move some VMs across projects on GCP using the Cloud SDK.
I'd like the process on a high level, and then possibly also some links out to the relevant docs, although I can RTFM when I know what the general high-level steps are.
I think what I want to do is
Create a snapshot
Save it somewhere
Create two Cloud SDK contexts?
Prepare a destination in the context for the new project
Copy the snapshots over to the new context and its associated storage
Rehydrate from the copied snapshot in the new project once everything is copied.
Please help. I'm new with this stuff and want to know whether this is really how it should be done.
Thanks!
You can use this guide
Quick summary of steps needed
Detach the boot disk from the VM that you intend to move by deselecting “Delete boot disk on instance delete” and terminating the VM
Create an image from the detached boot disk
Upload the image to Google Cloud Storage and share it with the new project
Create a custom image under the new project based on the image you uploaded to Google Cloud Storage
Create a new VM instance under the new project based on the custom image
In Compute Engine, how can I move an instance from project A to project B?
I have two projects, and both have the same owner.
I looked at all the interfaces inside the console, but I could not find a way.
This can be done fairly easily now, with the caveat that when you create the VM in the other project it cannot be done through the UI but rather must be done using the gcloud tool. And Google even has a page to document how.
First, you need to either create an image or a snapshot of the disk used in the VM. You can do this through the Console UI or the gcloud utility. Google's documentation does a good job of explaining how to do it, but the TLDR is:
stop VM if possible, or reduce number of writes by shutting down services if not
go to Compute Engine -> Images
select create
choose the disk as source
set any other properties you need
press create
Once that has been completed, use the gcloud tool with the other project to create your new VM. To find out/verify the name of the disk image:
gcloud compute images list --project [IMAGE_PROJECT]
Then create the VM (add any additional options you need):
gcloud compute instances create [INSTANCE_NAME] --image [IMAGE_NAME] --image-project [IMAGE_PROJECT]
There isn't any tool in GCP that allows migrating one Compute Engine instance from one project to another.
However, it is still possible to recreate one instance from one project in another, by creating a snapshot of the disk, creating a custom image, and creating a new VM from it in the second project.
This article gives a nice step by step guide on how to do it.
There is a newer doc page to copy VM between projects
I have a question regarding Google Cloud custom images and how/if credentials are stored. Namely, if I customize a VM and save the machine image with public access, am I possibly exposing credentials?
In particular, I'm working on a cloud-based application that relies on a "custom" image which has both gsutil and docker installed. Basic GCE VMs have gsutil pre-installed but do not have docker. On the other hand, the container-optimized OS has docker, but does not have gsutil. Hence, I'm just starting from a basic debian image and installing docker to get what I need.
Ideally, when I distribute my application, I would like to just expose that customized image for public use; this way, users will not have to spend extra effort to make their own images.
My concern, however, is that since I have used gsutil on the customized VM, persisting this disk to an image will inadvertently save some credentials related to my project (if so, where are they??). Hence, anyone using my image will also get those credentials.
I tried to reproduce your situation. I created a custom image from the disk of an instance that could access my project Storage buckets. Then, I shared the image with another user in a different project. The user could create an instance out of that shared image. However, when he tried to access my project buckets, he encountered an AccessDeniedException error.
According to this reproduction and my investigations, your credentials are not exposed with the image. IAM grant permissions are based on roles given to a user, a group, or a service account. Sharing images can't grant them to others.
Furthermore (as Patrick W mentioned below), anything you run from within a GCE VM instance will use the VM's service account (unless otherwise specified). As long as the service account has access to the bucket, so will your applications (including docker containers).
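A check that could be run against the mounted root filesystem of a disk before an image made from it is shared: it lists files at the default credential locations of gcloud, gsutil, Docker and SSH, plus any service account key JSON under the home directories. This is an added example, not code from the posts above; the mount point argument and the function names are assumptions.

```python
import fnmatch
import os

# Default per-user credential locations, relative to a home directory.
HOME_PATTERNS = [
    ".boto",                                 # gsutil config (refresh token / HMAC keys)
    ".config/gcloud/credentials.db",         # written by `gcloud auth login`
    ".config/gcloud/access_tokens.db",
    ".config/gcloud/application_default_credentials.json",
    ".config/gcloud/legacy_credentials/*",
    ".docker/config.json",                   # written by `docker login`
    ".ssh/id_*",                             # private keys; *.pub is skipped below
    ".ssh/authorized_keys",                  # keys accepted by every VM built from the image
]

def home_dirs(root):
    """Return the /root and /home/* directories of an image mounted at root."""
    base = os.path.join(root, "home")
    names = sorted(os.listdir(base)) if os.path.isdir(base) else []
    homes = [os.path.join(root, "root")] + [os.path.join(base, n) for n in names]
    return [h for h in homes if os.path.isdir(h)]

def looks_like_sa_key(path):
    """True if a file carries the markers of a service account key JSON."""
    try:
        with open(path, errors="replace") as fh:
            head = fh.read(65536)
    except OSError:
        return False
    return '"service_account"' in head and '"private_key"' in head

def find_credentials(root):
    """List files, relative to root, to remove before the image is shared."""
    hits = set()
    for home in home_dirs(root):
        for dirpath, _dirs, files in os.walk(home):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, home)
                known = not rel.endswith(".pub") and any(
                    fnmatch.fnmatch(rel, p) for p in HOME_PATTERNS)
                if known or (name.endswith(".json") and looks_like_sa_key(full)):
                    hits.add(os.path.relpath(full, root))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    print("\n".join(find_credentials(sys.argv[1])))
```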