from google.cloud import compute_v1

# Fill these in before running.
PROJECT_ID = ""
DOCKER_REPOSITORY = ""
DOCKER_IMAGE = ""
WORKLOAD_SERVICE_ACCOUNT = ""
ZONE = ""
INSTANCE_NAME = ""
SERVICE_ACCOUNT_EMAIL = "{service_account}@{project_id}.iam.gserviceaccount.com".format(
    service_account=WORKLOAD_SERVICE_ACCOUNT, project_id=PROJECT_ID
)


def create_confidential_instance(project_id):
    client = compute_v1.InstancesClient()
    # Boot disk built from the Confidential Space debug image.
    disk = compute_v1.AttachedDisk(
        disk_size_gb=20,
        auto_delete=True,
        boot=True,
        initialize_params=compute_v1.AttachedDiskInitializeParams(
            source_image="projects/confidential-space-images/global/images/confidential-space-debug-230600"
        ),
    )
    instance_resource = compute_v1.Instance(
        confidential_instance_config=compute_v1.ConfidentialInstanceConfig(enable_confidential_compute=True),
        shielded_instance_config=compute_v1.ShieldedInstanceConfig(enable_secure_boot=True),
        # Confidential Space reads the workload image from the tee-image-reference key;
        # tee-container-log-redirect sends the container's output to the console/logs.
        metadata=compute_v1.Metadata(
            items=[
                compute_v1.Items(key="tee-image-reference", value=DOCKER_IMAGE),
                compute_v1.Items(key="tee-container-log-redirect", value="true"),
            ]
        ),
        service_accounts=[
            compute_v1.ServiceAccount(
                email=SERVICE_ACCOUNT_EMAIL,
                scopes=["https://www.googleapis.com/auth/cloud-platform"],
            )
        ],
        name=INSTANCE_NAME,
        machine_type="zones/{zone}/machineTypes/n2d-standard-2".format(zone=ZONE),
        disks=[disk],
        scheduling=compute_v1.Scheduling(on_host_maintenance="TERMINATE"),
        network_interfaces=[compute_v1.NetworkInterface()],
    )
    request = compute_v1.InsertInstanceRequest(
        instance_resource=instance_resource, zone=ZONE, project=project_id
    )
    # Make the request (insert returns a long-running operation, not the finished VM)
    response = client.insert(request=request)
    # Handle the response
    print(response)


if __name__ == "__main__":
    create_confidential_instance(PROJECT_ID)
I used the above code to create a confidential VM, and the script returned successfully. I can see the VM on the VM instances web page, and the status of the VM is running. However, the logs of the VM only have four entries, which are "type.googleapis.com/cloud_integrity.IntegrityEvent". It seems that the VM didn't pull a Docker image and run a Docker container.
In the last week, I followed the tutorial (https://cloud.google.com/confidential-computing/confidential-vm/docs/analyze-with-confidential-space...) and successfully created a confidential VM with "gcloud compute instance create". The logs of this VM show it pulled the Docker image and ran the container.
I compared the "Serial port 1 (console)" of the two VMs, and the main difference between the two VMs is whether the VM starts container-runner.service. I paste the log of the correct VM (first) and the unusual one (second).
[ 100.635030] cloud-init[947]: Created symlink /etc/systemd/system/multi-user.target.wants/container-runner.service → /etc/systemd/system/container-runner.service.
[  OK  ] Started container-runner.service.
[ 100.939707] cloud-init[947]: Cloud-init v. 23.1.2 running 'modules:final' at Tue, 10 Oct 2023 07:35:29 +0000. Up 100.29 seconds.
[ 100.939808] cloud-init[947]: Cloud-init v. 23.1.2 finished at Tue, 10 Oct 2023 07:35:30 +0000. Datasource DataSourceNoCloud [seed=cmdline,/usr/share/oem/][dsmode=local]. Up 100.93 seconds
[  OK  ] Finished cloud-final.service.
[  OK  ] Reached target multi-user.target.
[  OK  ] Reached target cloud-init.target.
         Starting systemd-update-utmp-runlevel.service...
[  OK  ] Finished systemd-update-utmp-runlevel.service.
[ 101.127667] cs_container_launcher[1033]: 2023/10/10 07:35:30 TEE container launcher initiating
[ 100.767747] cloud-init[879]: Created symlink /etc/systemd/system/multi-user.target.wants/container-runner.service → /etc/systemd/system/container-runner.service.
         Starting systemd-tmpfiles-clean.service...
[  OK  ] Finished systemd-tmpfiles-clean.service.
         Starting crash-sender.service...
[  OK  ] Finished crash-sender.service.
The unusual VM stops after "Created symlink" without starting container-runner.service, so the VM doesn't pull the Docker image and run a Docker container.
Can anyone help me figure out why the VM created by the Python SDK behaves abnormally?
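The comparison above was done by eye. As an added example (not code from the thread or from Google's SDK samples), the helper below automates that check: it strips the systemd colour escapes from a serial port 1 dump and reports whether the launcher unit was merely enabled (the symlink line), actually started, and whether the TEE container launcher ran. The sample consoles are constructed from the excerpts posted above; the marker strings, and the assumption that they are stable across Confidential Space image versions, are mine.

```python
import re

# Milestones taken from the two consoles in the thread (assumption: stable across image versions).
SYMLINK_MARKER = "Created symlink /etc/systemd/system/multi-user.target.wants/container-runner.service"
STARTED_MARKER = "Started container-runner.service"
LAUNCHER_MARKER = "TEE container launcher initiating"

# systemd writes colour codes such as ESC[0;32m to the console; strip them before matching.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")


def strip_ansi(text: str) -> str:
    """Remove ANSI escape sequences from a serial console dump."""
    return ANSI_RE.sub("", text)


def check_container_runner(serial_text: str) -> dict:
    """Classify a Confidential Space console: enabled-only is the failure mode in the thread."""
    clean = strip_ansi(serial_text)
    seen = {
        "service_enabled": SYMLINK_MARKER in clean,
        "service_started": STARTED_MARKER in clean,
        "launcher_initiated": LAUNCHER_MARKER in clean,
    }
    seen["workload_launched"] = all(seen.values())
    return seen


def fetch_serial_output(project: str, zone: str, instance: str) -> str:
    """Read serial port 1 of a running VM via the Compute API (network call, not used in the demo)."""
    from google.cloud import compute_v1  # imported lazily so the offline checks run without the SDK
    client = compute_v1.InstancesClient()
    out = client.get_serial_port_output(project=project, zone=zone, instance=instance, port=1)
    return out.contents


# Constructed console excerpts modelled on the "correct" and "unusual" VMs above.
GOOD_CONSOLE = (
    "[  100.635030] cloud-init[947]: Created symlink /etc/systemd/system/multi-user.target.wants/"
    "container-runner.service \u2192 /etc/systemd/system/container-runner.service.\n"
    "[\x1b[0;32m  OK  \x1b[0m] Started \x1b[0;1;39mcontainer-runner.service\x1b[0m.\n"
    "[  101.127667] cs_container_launcher[1033]: 2023/10/10 07:35:30 TEE container launcher initiating\n"
)
BAD_CONSOLE = (
    "[  100.767747] cloud-init[879]: Created symlink /etc/systemd/system/multi-user.target.wants/"
    "container-runner.service \u2192 /etc/systemd/system/container-runner.service.\n"
    "[\x1b[0;32m  OK  \x1b[0m] Finished \x1b[0;1;39msystemd-tmpfiles-clean.service\x1b[0m.\n"
)

if __name__ == "__main__":
    print("good:", check_container_runner(GOOD_CONSOLE))
    print("bad: ", check_container_runner(BAD_CONSOLE))
```

Against a live VM, pass the result of fetch_serial_output(...) to check_container_runner to get the same verdict the two pasted consoles give.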
Hi @jianlinjiang,
Welcome to the Google Cloud Community!
I'd like to clarify how the Python code relates to pulling a Docker image upon creation. From my observation, the DOCKER_IMAGE variable is referenced only in the metadata. This doesn't necessarily imply that a Docker image is pulled.
I've also experimented with the guide you linked. While I was able to successfully create a confidential VM, the command does not appear designed to pull a Docker image upon creation.
To summarize, I believe that neither the provided Python code nor the gcloud command line instruction directly pull a Docker image during the VM's creation process.
I hope this provides clarity on the matter.
Best,
Lawrence