Create different instance types on GCP
The procedure for creating different instance types on GCP boils down to choosing the correct options in your Google Cloud console. Some specific examples are given below.
Create an Ubuntu LTS instance
On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE, select Ubuntu and Ubuntu 22.04 LTS in Boot disk > CHANGE > Operating system and Version.
Create an Ubuntu Pro instance
On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE, select Ubuntu Pro and Ubuntu 22.04 LTS Pro Server in Boot disk > CHANGE > Operating system and Version.
Once the instance is up, ssh into it and run
pro status
to check that livepatch, esm-apps and esm-infra are enabled.
Create an Ubuntu Pro FIPS instance
On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE, select Ubuntu Pro and Ubuntu 20.04 LTS Pro FIPS Server in Boot disk > CHANGE > Operating system and Version.
Once the instance is up, ssh into it and run
uname -r
The kernel version will include fips in the name. To check the FIPS packages, run:
dpkg-query -l | grep fips
It should show you a long list of packages with fips in the name or version.
Create an ARM-based instance
On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE, choose the ARM CPU platform T2A in Machine configuration > Series, then choose an ARM compatible OS and version, say Ubuntu and Ubuntu 22.04 LTS Minimal, in Boot disk > CHANGE > Operating system and Version.
Create an AMD SEV based confidential computing VM
On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE, select Confidential VM service > ENABLE.
It will show you the available machine type (n2d-standard-2) and boot disk image (Ubuntu 20.04 LTS). Select ENABLE again and the changes will be reflected under the Machine configuration and Boot disk sections. However, we need to change the disk image to one with Pro FIPS: go to Boot disk > CHANGE > Confidential Images and filter using ‘ubuntu’ to select Ubuntu 20.04 LTS Pro FIPS Server. Select that and create the instance.
To check that confidential computing has been enabled correctly, once the instance is up, ssh into it and run
dmesg | grep SEV
A line containing "AMD Secure Encrypted Virtualization (SEV) active" should be displayed.
Back on the Google Cloud console, open the instance details and go to Logs > Logging. In the list of logs, look for one that mentions sevLaunchAttestationReportEvent and expand it. In the resulting JSON, check that the field integrityEvaluationPassed, under sevLaunchAttestationReportEvent, is set to true, something like:
insertId: "0",
jsonPayload: {
  @type: "type.googleapis.com/cloud_integrity.IntegrityEvent",
  bootCounter: "0",
  sevLaunchAttestationReportEvent: {
    integrityEvaluationPassed: true
    sevPolicy: {0}
    [...]
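The manual checks in the Pro FIPS and SEV sections above (kernel name, FIPS package list, SEV message in dmesg, and the integrityEvaluationPassed field in the Cloud Logging event) can be scripted. The following is an added example, not code from this page or from Canonical; the sample dmesg line, dpkg rows and log entry are constructed to match what the page describes, and the second dmesg pattern (the newer "Memory Encryption Features active" wording) is an assumption about other kernel versions.

```python
"""Post-provisioning checks for Ubuntu Pro FIPS / SEV instances on GCE.

Each check is a pure function over the text the VM or Cloud Logging returns,
so it can be exercised offline; run_live_checks() gathers real values on the VM.
"""
import json
import re
import subprocess

# Pattern from the page, plus the newer kernel wording (assumption).
SEV_ACTIVE_RE = re.compile(
    r"Secure Encrypted Virtualization \(SEV\) active"
    r"|Memory Encryption Features active:.*\bSEV\b")

# Constructed sample inputs (not real output from any instance).
SAMPLE_DMESG = "[    0.12] AMD Secure Encrypted Virtualization (SEV) active\n"
SAMPLE_DPKG = ("ii  openssh-server 1:8.2p1 amd64 secure shell server\n"
               "ii  openssl 1.1.1f-1ubuntu2.fips.1 amd64 SSL toolkit\n"
               "ii  fips-initramfs 0.0.1 amd64 FIPS initramfs hooks\n")
SAMPLE_LOG_ENTRY = {"insertId": "0", "jsonPayload": {
    "@type": "type.googleapis.com/cloud_integrity.IntegrityEvent",
    "bootCounter": "0",
    "sevLaunchAttestationReportEvent": {"integrityEvaluationPassed": True}}}


def fips_kernel(uname_r: str) -> bool:
    """True if the running kernel release string carries a 'fips' tag."""
    return "fips" in uname_r.strip().lower()


def fips_packages(dpkg_output: str) -> list:
    """Installed packages ('ii' rows of dpkg-query -l) with fips in name or version."""
    pkgs = []
    for line in dpkg_output.splitlines():
        f = line.split()  # ii  name  version  arch  description
        if len(f) >= 3 and f[0] == "ii" and ("fips" in f[1] or "fips" in f[2]):
            pkgs.append(f[1])
    return pkgs


def sev_active(dmesg_text: str) -> bool:
    """True if the kernel reported SEV memory encryption as active."""
    return SEV_ACTIVE_RE.search(dmesg_text) is not None


def attestation_passed(log_entry: dict) -> bool:
    """Pass only when integrityEvaluationPassed is the boolean True.

    A missing field or the string "true" is treated as a failure, so a
    malformed or truncated log entry cannot pass by accident.
    """
    ev = log_entry.get("jsonPayload", {}).get("sevLaunchAttestationReportEvent", {})
    return ev.get("integrityEvaluationPassed") is True


def run_live_checks() -> dict:
    """Run the same checks on the VM itself (dmesg may need root)."""
    out = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return {"fips_kernel": fips_kernel(out(["uname", "-r"])),
            "fips_packages": fips_packages(out(["dpkg-query", "-l"])),
            "sev_active": sev_active(out(["dmesg"]))}


if __name__ == "__main__":
    print(json.dumps(run_live_checks(), indent=2))
```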
Create an Intel® TDX based confidential computing VM
In GCE, Intel® TDX is supported in the C3 machine series, which use 4th Gen Intel® Xeon CPUs. To create the VM, in the Google Cloud CLI, use the instances create command with confidential-compute-type=TDX:
gcloud alpha compute instances create INSTANCE_NAME \
    --machine-type MACHINE_TYPE --zone us-central1-a \
    --confidential-compute-type=TDX \
    --on-host-maintenance=TERMINATE \
    --image-family=IMAGE_FAMILY_NAME \
    --image-project=IMAGE_PROJECT \
    --project PROJECT_NAME
where:
MACHINE_TYPE: the C3 machine type to use, and
IMAGE_FAMILY_NAME: the name of the confidential VM supported image family to use, such as Ubuntu 22.04 LTS or Ubuntu 22.04 LTS Pro Server