Posted by Aditya Kali and Amey Deshpande, Software Engineers

This spring, we announced Container-VM Image as a beta product on Google Cloud Platform (GCP). If you're a developer deploying an application, or a service provider running on Google Compute Engine, we recommend taking a few moments to understand how it can help you.

Linux containers let developers focus on their application without worrying about the underlying infrastructure. A secure and up-to-date base image is a critical building block of any container-based infrastructure. Container-VM Image represents the best practices we at Google have learned over the past decade running containers at scale.

Container-VM Image design philosophy

Container-VM Image is designed from the ground up to be a modern operating system for running containers on GCP. Read on for the design choices behind Container-VM Image and the attributes they give it.

Build environment

Container-VM Image is based on the open-source Chromium OS project. Chromium OS is a reliable and vetted source code base for this new operating system, and building on it lets us use the powerful build and test infrastructure developed by the ChromeOS team.

Designed for containers

The Docker container runtime is pre-installed on Container-VM Image. A key feature of containers is that an application's software dependencies are packaged in the container image along with the application itself. With this in mind, Container-VM Image's root file system is kept to a minimum, including only the software necessary to run containers.

More secure by design

Container-VM Image is designed with security in mind rather than as an afterthought. The minimal root file system keeps the attack surface small. The root file system is mounted read-only, and its integrity is verified by the kernel at boot, so tampering with it is detected rather than silently carried forward. Together, these hardening features make it difficult for an attacker who compromises a running instance to gain a persistent foothold on it.
Software updates

Having full control over the build infrastructure, combined with a minimal root file system, allows us to patch vulnerabilities and ship updated software versions very quickly. Container-VM Image also ships with an optional "in-place update" feature that lets instances stay up to date with minimal manual intervention.

Getting started

Container-VM Images are available in the "google-containers" GCP project. Here are a few commands to get you started.

List the currently available images:

$ gcloud compute images list --project google-containers --no-standard-images

Note: all new Container-VM Images have the "gci-" prefix in their names.

Start a new instance (replace <instance-name> with a name of your choosing):

$ gcloud compute instances create <instance-name> \
    --zone us-central1-a \
    --image-family gci-stable --image-project google-containers

Once the instance is ready, you can ssh into it:

$ gcloud compute ssh <instance-name> --zone us-central1-a

You can also configure an instance using Cloud-Config, the primary API for configuring an instance running Container-VM Image. From the Cloud-Config file you can create users, configure firewalls, start Docker containers and even run arbitrary commands required to configure your instance. You pass the Cloud-Config as Compute Engine metadata at instance creation time, using the special `user-data` key:

$ gcloud compute instances create <instance-name> \
    --zone us-central1-a \
    --image-family gci-stable --image-project google-containers \
    --metadata-from-file user-data=<cloud-config-file>

What's next

We're working hard on improving and adding new features to Container-VM Image to make it the best way to run containers on GCP. Stay tuned for future blogs and announcements. In the meantime, you can find more documentation and examples at the Container-VM Image homepage, and send us your feedback at google-containers@google.com.
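The Cloud-Config file referred to in the Getting started section, shown here as an added example that is not from the original post and not Google's own sample. It exercises each of the capabilities the post lists (a user, a firewall rule, a Docker container, and arbitrary commands) in the `users`, `write_files` and `runcmd` sections of the cloud-config format. The service name `cloudservice`, uid 2000, the `busybox` image, the `httpd` command line and port 8080 are all assumptions chosen for illustration; substitute your own.

```yaml
#cloud-config
# Added example of a Cloud-Config for Container-VM Image (not from the
# original post). Service name, uid, port and container image are assumptions.

users:
# A dedicated unprivileged account; the container below runs as this uid
# rather than as root, so a compromise of the service does not yield root
# on the host.
- name: cloudservice
  uid: 2000

write_files:
# A systemd unit that manages the container, so it is restarted on failure
# and stopped cleanly on shutdown.
- path: /etc/systemd/system/cloudservice.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Run the assumed cloudservice container
    After=docker.service
    Requires=docker.service

    [Service]
    # busybox httpd serving /tmp on an unprivileged port, as uid 2000
    ExecStart=/usr/bin/docker run --rm -u 2000 --name=mycloudservice \
        -p 8080:8080 busybox:latest httpd -f -p 8080 -h /tmp
    ExecStop=/usr/bin/docker stop mycloudservice
    # "--rm" already removes the container; the leading "-" ignores the
    # resulting "no such container" error from the explicit rm.
    ExecStopPost=-/usr/bin/docker rm mycloudservice
    Restart=on-failure

runcmd:
# Open only the port the service needs in the host firewall (iptables -w
# waits for the xtables lock instead of failing if another rule is being
# applied), then load and start the unit written above.
- iptables -w -A INPUT -p tcp --dport 8080 -j ACCEPT
- systemctl daemon-reload
- systemctl start cloudservice.service
```

Save this as the file named by `--metadata-from-file user-data=<cloud-config-file>` in the create command above. After the instance boots, `sudo journalctl -u cloudservice` on the instance shows whether the unit started, and `sudo iptables -L INPUT -n` confirms that only the assumed port was opened. A GCP firewall rule for the same port is still required at the network level; Cloud-Config only configures the host.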