Build Ubuntu Pro golden image

A golden image is a base image that is used as a template for your virtual machines. You can create it from your Google Cloud console’s Cloud Shell (as explained below) or using other tools like Packer.

We’ll be using Ubuntu Pro 22.04 LTS as the base image, although the steps should work fine for all Pro images available in your console.

Create a golden image

In your Google Cloud console, search for the ‘Cloud Shell’ product and open it by selecting Go to console. Once in, look for the available Ubuntu Pro images:

gcloud compute images list --project=ubuntu-os-pro-cloud | grep ubuntu-pro
NAME: ubuntu-pro-1604-xenial-v20230710
FAMILY: ubuntu-pro-1604-lts
NAME: ubuntu-pro-1804-bionic-arm64-v20230921
FAMILY: ubuntu-pro-1804-lts-arm64
NAME: ubuntu-pro-1804-bionic-v20230921
FAMILY: ubuntu-pro-1804-lts
NAME: ubuntu-pro-2004-focal-arm64-v20230920
FAMILY: ubuntu-pro-2004-lts-arm64
NAME: ubuntu-pro-2004-focal-v20230920
FAMILY: ubuntu-pro-2004-lts
NAME: ubuntu-pro-2204-jammy-arm64-v20230921
FAMILY: ubuntu-pro-2204-lts-arm64
NAME: ubuntu-pro-2204-jammy-v20230921
FAMILY: ubuntu-pro-2204-lts
NAME: ubuntu-pro-fips-1804-bionic-v20230530
FAMILY: ubuntu-pro-fips-1804-lts
NAME: ubuntu-pro-fips-2004-focal-v20230920
FAMILY: ubuntu-pro-fips-2004-lts

From the options seen, choose Ubuntu Pro 22.04 LTS and use its family name in the golden image creation command below:

gcloud compute images create golden-image --source-image-family=ubuntu-pro-2204-lts --source-image-project=ubuntu-os-pro-cloud

In a bit you’ll see output similar to the following and the created golden image will be available in your image gallery.

Created [https://www.googleapis.com/compute/v1/projects/[YOUR_PROJECT]/global/images/golden-image].
NAME: golden-image
PROJECT: [YOUR_PROJECT]
FAMILY:
DEPRECATED:
STATUS: READY

Verify that the image contains the Ubuntu Pro license:

gcloud compute images describe golden-image
architecture: X86_64
archiveSizeBytes: '1094443008'
creationTimestamp: '2023-09-29T03:56:22.275-07:00'
diskSizeGb: '10'
guestOsFeatures:
- type: VIRTIO_SCSI_MULTIQUEUE
- type: SEV_CAPABLE
- type: SEV_SNP_CAPABLE
- type: SEV_LIVE_MIGRATABLE
- type: UEFI_COMPATIBLE
- type: GVNIC
id: '8518177910815396794'
kind: compute#image
labelFingerprint: 42WmSpB8rSM=
licenseCodes:
- '2592866803419978320'
licenses:
- https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2204-lts
name: golden-image
selfLink: https://www.googleapis.com/compute/v1/projects/ubuntu-dimple/global/images/golden-image
shieldedInstanceInitialState:
[...]

The line starting with “licenses:” shows the expected Pro license.

Create an instance using the golden image

To create an instance based on this golden image, run:

gcloud compute instances create instance-from-golden-image --image=golden-image
Created [https://www.googleapis.com/compute/v1/projects/ubuntu-dimple/zones/asia-southeast1-a/instances/instance-from-golden-image].
NAME: instance-from-golden-image
ZONE: asia-southeast1-a
MACHINE_TYPE: n1-standard-1
PREEMPTIBLE:
INTERNAL_IP: 10.148.0.2
EXTERNAL_IP: 34.143.153.215
STATUS: RUNNING

Now SSH into this new instance:

gcloud compute ssh instance-from-golden-image

The SSH command might need you to create an SSH key for gcloud if you don’t have one already. Once you complete the steps and reach the prompt of the new instance, check its license by running:

pro status

The output should be similar to the following and indicates that Pro features such as ESM and livepatch are enabled.

SERVICE          ENTITLED  STATUS    DESCRIPTION
anbox-cloud      yes       disabled  Scalable Android in the cloud
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch        yes       enabled   Canonical Livepatch service
usg              yes       disabled  Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>

                Account: ubuntu-dimple
        Subscription: ubuntu-dimple
            Valid until: Fri Dec 31 00:00:00 9999 UTC
Technical support level: essential

Share the golden image

To share this golden image with other users, you’ll need to add them as principals and assign the Compute Image User role to them. This will give them permission to list, read, and use the image but not to modify it.

Go to your image gallery, select the image that you just created. In the INFO PANEL on the right, select PERMISSIONS > ADD PRINCIPAL:

  • In the Add principals field insert the email addresses of all the users that you want to share your image with.

  • In the Assign roles field, select Compute Engine > Compute Image User

On saving these settings, the specified users will have access to the image.

You can also grant users the Viewer IAM role for the project that you used to create the image in. This will ensure that the shared image appears in their image selection list.