2013-12-08 18:02:03 -05:00
---
2017-06-14 21:04:16 -04:00
description: |
The googlecompute Packer builder is able to create images for use with
Google Cloud Compute Engine (GCE) based on existing images.
2015-07-28 18:30:32 -04:00
layout: docs
2017-06-14 21:04:16 -04:00
page_title: 'Google Compute - Builders'
sidebar_current: 'docs-builders-googlecompute'
2017-03-25 18:13:52 -04:00
---
2013-12-08 18:02:03 -05:00
# Google Compute Builder
Type: `googlecompute`
2015-07-28 18:30:32 -04:00
The `googlecompute` Packer builder is able to create
[images ](https://developers.google.com/compute/docs/images ) for use with [Google
2018-07-31 16:08:07 -04:00
Compute Engine](https://cloud.google.com/products/compute-engine) (GCE) based on
existing images.
Building images from scratch is possible, but not with the `googlecompute` Packer builder.
The process is recommended only for advanced users, please see [Building GCE Images from Scratch]
(https://cloud.google.com/compute/docs/tutorials/building-images)
and the [Google Compute Import Post-Processor ](/docs/post-processors/googlecompute-import.html )
for more information.
2017-06-14 21:04:16 -04:00
2014-09-05 12:49:40 -04:00
## Authentication
2013-12-12 22:59:29 -05:00
2015-07-28 18:30:32 -04:00
Authenticating with Google Cloud services requires at most one JSON file, called
the *account file* . The *account file* is **not** required if you are running
the `googlecompute` Packer builder from a GCE instance with a
properly-configured [Compute Engine Service
Account](https://cloud.google.com/compute/docs/authentication).
2013-12-12 22:59:29 -05:00
2014-11-17 13:06:22 -05:00
### Running With a Compute Engine Service Account
2015-07-28 18:30:32 -04:00
If you run the `googlecompute` Packer builder from a GCE instance, you can
configure that instance to use a [Compute Engine Service
Account](https://cloud.google.com/compute/docs/authentication). This will allow
Packer to authenticate to Google Cloud without having to bake in a separate
credential/authentication file.
To create a GCE instance that uses a service account, provide the required
scopes when launching the instance.
2014-11-17 13:06:22 -05:00
For `gcloud` , do this via the `--scopes` parameter:
2017-06-14 21:04:16 -04:00
``` shell
2017-03-25 18:13:52 -04:00
$ gcloud compute --project YOUR_PROJECT instances create "INSTANCE-NAME" ... \
--scopes "https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/devstorage.full_control" \
2014-11-17 13:06:22 -05:00
```
For the [Google Developers Console ](https://console.developers.google.com ):
2017-06-14 21:04:16 -04:00
1. Choose "Show advanced options"
2. Tick "Enable Compute Engine service account"
3. Choose "Read Write" for Compute
4. Chose "Full" for "Storage"
2014-11-17 13:06:22 -05:00
**The service account will be used automatically by Packer as long as there is
2015-07-28 18:30:32 -04:00
no *account file* specified in the Packer configuration file.**
2014-11-17 13:06:22 -05:00
### Running Without a Compute Engine Service Account
2015-07-28 18:30:32 -04:00
The [Google Developers Console ](https://console.developers.google.com ) allows
you to create and download a credential file that will let you use the
`googlecompute` Packer builder anywhere. To make the process more
straightforwarded, it is documented here.
2013-12-12 22:59:29 -05:00
2017-06-14 21:04:16 -04:00
1. Log into the [Google Developers
2015-07-28 18:30:32 -04:00
Console](https://console.developers.google.com) and select a project.
2013-12-12 22:59:29 -05:00
2017-06-17 00:41:18 -04:00
2. Under the "API Manager" section, click "Credentials."
2013-12-12 22:59:29 -05:00
2017-06-17 00:41:18 -04:00
3. Click the "Create credentials" button, select "Service account key"
2013-12-13 00:52:25 -05:00
2017-06-17 00:41:18 -04:00
4. Create new service account that at least has `Compute Engine Instance Admin (v1)` and `Service Account User` roles.
2017-11-15 07:02:08 -05:00
5. Choose `JSON` as Key type and click "Create".
2017-06-17 00:41:18 -04:00
A JSON file will be downloaded automatically. This is your *account file* .
2013-12-08 18:02:03 -05:00
2016-08-26 21:12:55 -04:00
### Precedence of Authentication Methods
Packer looks for credentials in the following places, preferring the first location found:
2017-06-14 21:04:16 -04:00
1. A `account_file` option in your packer file.
2017-03-25 18:13:52 -04:00
2017-06-14 21:04:16 -04:00
2. A JSON file (Service Account) whose path is specified by the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
2017-03-25 18:13:52 -04:00
2017-06-14 21:04:16 -04:00
3. A JSON file in a location known to the `gcloud` command-line tool. (`gcloud` creates it when it's configured)
2016-08-26 21:12:55 -04:00
2017-03-25 18:13:52 -04:00
On Windows, this is:
2016-08-26 21:12:55 -04:00
2017-06-14 21:04:16 -04:00
%APPDATA%/gcloud/application_default_credentials.json
2016-08-26 21:12:55 -04:00
2017-03-25 18:13:52 -04:00
On other systems:
2016-08-26 21:12:55 -04:00
2017-06-14 21:04:16 -04:00
$HOME/.config/gcloud/application_default_credentials.json
2016-08-26 21:12:55 -04:00
2017-06-14 21:04:16 -04:00
4. On Google Compute Engine and Google App Engine Managed VMs, it fetches credentials from the metadata server. (Needs a correct VM authentication scope configuration, see above)
2016-08-26 21:12:55 -04:00
2018-02-03 16:56:29 -05:00
## Examples
### Basic Example
2013-12-08 18:02:03 -05:00
2015-07-28 18:30:32 -04:00
Below is a fully functioning example. It doesn't do anything useful, since no
2016-05-24 20:13:36 -04:00
provisioners or startup-script metadata are defined, but it will effectively
2017-06-14 21:04:16 -04:00
repackage an existing GCE image. The account\_file is obtained in the previous
2016-05-24 20:13:36 -04:00
section. If it parses as JSON it is assumed to be the file itself, otherwise it
is assumed to be the path to the file containing the JSON.
2013-12-08 18:02:03 -05:00
2017-06-14 21:04:16 -04:00
``` json
2013-12-08 18:02:03 -05:00
{
2017-03-25 18:13:52 -04:00
"builders": [
{
"type": "googlecompute",
"account_file": "account.json",
"project_id": "my project",
"source_image": "debian-7-wheezy-v20150127",
2018-02-03 16:32:10 -05:00
"ssh_username": "packer",
2017-03-25 18:13:52 -04:00
"zone": "us-central1-a"
}
]
2013-12-08 18:02:03 -05:00
}
2014-10-20 13:55:16 -04:00
```
2013-12-08 18:02:03 -05:00
2017-03-28 11:27:57 -04:00
### Windows Example
2018-08-17 06:41:37 -04:00
Before you can provision using the winrm communicator, you need to allow traffic
2018-04-23 17:52:00 -04:00
through google's firewall on the winrm port (tcp:5986).
2018-08-17 06:41:37 -04:00
You can do so using the gcloud command.
```
gcloud compute firewall-rules create allow-winrm --allow tcp:5986
```
Or alternatively by navigating to https://console.cloud.google.com/networking/firewalls/list.
2018-04-23 17:52:00 -04:00
Once this is set up, the following is a complete working packer config after
setting a valid `account_file` and `project_id` :
2017-03-28 11:27:57 -04:00
``` {.json}
{
2018-02-03 16:56:29 -05:00
"builders": [
{
"type": "googlecompute",
"account_file": "account.json",
"project_id": "my project",
"source_image": "windows-server-2016-dc-v20170227",
"disk_size": "50",
"machine_type": "n1-standard-1",
"communicator": "winrm",
"winrm_username": "packer_user",
"winrm_insecure": true,
"winrm_use_ssl": true,
"metadata": {
"windows-startup-script-cmd": "winrm quickconfig -quiet & net user /add packer_user & net localgroup administrators packer_user /add & winrm set winrm/config/service/auth @{Basic=\"true\"}"
},
"zone": "us-central1-a"
}
]
}
```
2018-08-17 06:41:37 -04:00
This build can take up to 15 min.
2018-02-03 16:56:29 -05:00
### Nested Hypervisor Example
This is an example of using the `image_licenses` configuration option to create a GCE image that has nested virtualization enabled. See
[Enabling Nested Virtualization for VM Instances ](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances )
for details.
``` json
{
"builders": [
{
"type": "googlecompute",
"account_file": "account.json",
"project_id": "my project",
"source_image_family": "centos-7",
"ssh_username": "packer",
"zone": "us-central1-a",
"image_licenses": ["projects/vm-options/global/licenses/enable-vmx"]
}
]
2017-03-28 11:27:57 -04:00
}
```
2013-12-08 18:02:03 -05:00
## Configuration Reference
2015-07-28 18:30:32 -04:00
Configuration options are organized below into two categories: required and
optional. Within each category, the available options are alphabetized and
described.
2013-12-08 18:02:03 -05:00
2015-06-23 17:44:57 -04:00
In addition to the options listed here, a
2015-07-28 18:30:32 -04:00
[communicator ](/docs/templates/communicator.html ) can be configured for this
builder.
2015-06-23 17:44:57 -04:00
2014-05-04 13:47:40 -04:00
### Required:
2013-12-08 18:02:03 -05:00
2017-06-14 21:04:16 -04:00
- `project_id` (string) - The project ID that will be used to launch instances
2015-07-28 18:30:32 -04:00
and store images.
2013-12-12 22:59:29 -05:00
2017-06-14 21:04:16 -04:00
- `source_image` (string) - The source image to use to create the new image
2016-11-14 07:06:41 -05:00
from. You can also specify `source_image_family` instead. If both
`source_image` and `source_image_family` are specified, `source_image`
takes precedence. Example: `"debian-8-jessie-v20161027"`
2017-06-14 21:04:16 -04:00
- `source_image_family` (string) - The source image family to use to create
2016-11-14 07:06:41 -05:00
the new image from. The image family always returns its latest image that
is not deprecated. Example: `"debian-8"` .
2013-12-12 22:59:29 -05:00
2017-06-14 21:04:16 -04:00
- `zone` (string) - The zone in which to launch the instance used to create
2015-07-28 18:30:32 -04:00
the image. Example: `"us-central1-a"`
2013-12-08 18:02:03 -05:00
2014-05-04 13:47:40 -04:00
### Optional:
2013-12-08 18:02:03 -05:00
2017-06-14 21:04:16 -04:00
- `account_file` (string) - The JSON file containing your account credentials.
2015-07-28 18:30:32 -04:00
Not required if you run Packer on a GCE instance with a service account.
Instructions for creating file or using service accounts are above.
2014-11-17 13:06:22 -05:00
2017-10-16 14:23:33 -04:00
- `accelerator_count` (number) - Number of guest accelerator cards to add to the launched instance.
2017-07-18 06:14:36 -04:00
2017-07-18 06:53:00 -04:00
- `accelerator_type` (string) - Full or partial URL of the guest accelerator type. GPU accelerators can only be used with
`"on_host_maintenance": "TERMINATE"` option set.
2017-07-18 06:14:36 -04:00
Example: `"projects/project_id/zones/europe-west1-b/acceleratorTypes/nvidia-tesla-k80"`
2017-06-14 21:04:16 -04:00
- `address` (string) - The name of a pre-allocated static external IP address.
2016-02-18 00:40:31 -05:00
Note, must be the name and not the actual IP address.
2016-01-04 17:25:39 -05:00
2018-03-07 18:35:01 -05:00
- `disable_default_service_account` (bool) - If true, the default service account will not be used if `service_account_email`
is not specified. Set this value to true and omit `service_account_email` to provision a VM with no service account.
2017-06-14 21:04:16 -04:00
- `disk_name` (string) - The name of the disk, if unset the instance name will be
2017-03-08 13:47:08 -05:00
used.
2017-10-16 14:23:33 -04:00
- `disk_size` (number) - The size of the disk in GB. This defaults to `10` ,
2015-07-28 18:30:32 -04:00
which is 10GB.
2014-08-07 15:34:08 -04:00
2017-06-14 21:04:16 -04:00
- `disk_type` (string) - Type of disk used to back your instance, like `pd-ssd` or `pd-standard` . Defaults to `pd-standard` .
2016-03-10 17:53:37 -05:00
2017-06-14 21:04:16 -04:00
- `image_description` (string) - The description of the resulting image.
2016-05-06 07:43:39 -04:00
2017-06-14 21:04:16 -04:00
- `image_family` (string) - The name of the image family to which the
2016-11-13 10:53:45 -05:00
resulting image belongs. You can create disks by specifying an image family
instead of a specific image name. The image family always returns its
latest image that is not deprecated.
2016-05-06 07:43:39 -04:00
2017-09-18 12:53:40 -04:00
- `image_labels` (object of key/value strings) - Key/value pair labels to
apply to the created image.
2018-02-03 16:56:29 -05:00
- `image_licenses` (array of strings) - Licenses to apply to the created image.
2017-06-14 21:04:16 -04:00
- `image_name` (string) - The unique name of the resulting image. Defaults to
2015-07-28 18:30:32 -04:00
`"packer-{{timestamp}}"` .
2013-12-12 22:59:29 -05:00
2017-06-14 21:04:16 -04:00
- `instance_name` (string) - A name to give the launched instance. Beware that
2015-07-28 18:30:32 -04:00
this must be unique. Defaults to `"packer-{{uuid}}"` .
2014-04-26 14:02:25 -04:00
2017-09-06 18:01:39 -04:00
- `labels` (object of key/value strings) - Key/value pair labels to apply to
2017-09-18 12:53:40 -04:00
the launched instance.
2017-09-06 17:22:51 -04:00
2017-06-14 21:04:16 -04:00
- `machine_type` (string) - The machine type. Defaults to `"n1-standard-1"` .
2014-05-04 13:53:57 -04:00
2017-06-14 21:04:16 -04:00
- `metadata` (object of key/value strings) - Metadata applied to the launched
2016-07-20 14:12:20 -04:00
instance.
2014-05-04 13:47:40 -04:00
2018-08-21 04:35:33 -04:00
- `min_cpu_platform` (string) - A Minimum CPU Platform for VM Instance.
The avalability and default CPU platforms varies across zones, based on
the hardware available in each GCP zone. [Details ](https://cloud.google.com/compute/docs/instances/specify-min-cpu-platform )
2017-06-21 09:13:53 -04:00
- `network` (string) - The Google Compute network id or URL to use for the
2017-09-14 13:14:28 -04:00
launched instance. Defaults to `"default"` . If the value is not a URL, it
will be interpolated to `projects/((network_project_id))/global/networks/((network))` .
This value is not required if a `subnet` is specified.
2013-12-12 22:59:29 -05:00
2017-06-14 21:04:16 -04:00
- `network_project_id` (string) - The project ID for the network and subnetwork
2016-12-02 16:22:36 -05:00
to use for launched instance. Defaults to `project_id` .
2017-06-14 21:04:16 -04:00
- `omit_external_ip` (boolean) - If true, the instance will not have an external IP.
2016-08-02 16:43:04 -04:00
`use_internal_ip` must be true if this property is true.
2017-06-14 21:04:16 -04:00
- `on_host_maintenance` (string) - Sets Host Maintenance Option. Valid
2017-02-10 15:11:08 -05:00
choices are `MIGRATE` and `TERMINATE` . Please see [GCE Instance Scheduling
Options](https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options),
2017-06-14 21:04:16 -04:00
as not all machine\_types support `MIGRATE` (i.e. machines with GPUs).
2017-03-08 13:44:07 -05:00
If preemptible is true this can only be `TERMINATE` . If preemptible
is false, it defaults to `MIGRATE`
2018-03-13 22:14:31 -04:00
- `preemptible` (boolean) - If true, launch a preemptible instance.
2016-02-18 00:40:31 -05:00
2017-06-14 21:04:16 -04:00
- `region` (string) - The region in which to launch the instance. Defaults to
2016-02-11 04:08:32 -05:00
to the region hosting the specified `zone` .
2018-02-22 12:46:13 -05:00
- `service_account_email` (string) - The service account to be used for launched instance. Defaults to
2018-03-07 18:35:01 -05:00
the project's default service account unless `disable_default_service_account` is true.
2018-02-22 12:46:13 -05:00
2017-06-14 21:04:16 -04:00
- `scopes` (array of strings) - The service account scopes for launched instance.
2016-10-22 15:06:07 -04:00
Defaults to:
2016-10-22 02:30:18 -04:00
2017-06-14 21:04:16 -04:00
``` json
2017-03-25 18:13:52 -04:00
[
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/devstorage.full_control"
]
```
2016-10-22 15:06:07 -04:00
2017-06-14 21:04:16 -04:00
- `source_image_project_id` (string) - The project ID of the
2016-10-12 16:48:37 -04:00
project containing the source image.
2017-06-14 21:04:16 -04:00
- `startup_script_file` (string) - The filepath to a startup script to run on
2016-05-24 20:13:36 -04:00
the VM from which the image will be made.
2017-06-14 21:04:16 -04:00
- `state_timeout` (string) - The time to wait for instance state changes.
2015-07-28 18:30:32 -04:00
Defaults to `"5m"` .
2013-12-08 18:02:03 -05:00
2017-06-21 09:13:53 -04:00
- `subnetwork` (string) - The Google Compute subnetwork id or URL to use for
the launched instance. Only required if the `network` has been created with
custom subnetting. Note, the region of the subnetwork must match the `region`
2017-09-14 13:14:28 -04:00
or `zone` in which the VM is launched. If the value is not a URL, it
will be interpolated to `projects/((network_project_id))/regions/((region))/subnetworks/((subnetwork))`
2016-02-11 03:54:48 -05:00
2017-06-14 21:04:16 -04:00
- `tags` (array of strings)
2014-05-04 13:47:40 -04:00
2017-06-14 21:04:16 -04:00
- `use_internal_ip` (boolean) - If true, use the instance's internal IP
2015-07-28 18:30:32 -04:00
instead of its external IP during building.
2016-10-22 15:06:07 -04:00
2016-05-24 20:13:36 -04:00
## Startup Scripts
2016-10-22 15:06:07 -04:00
Startup scripts can be a powerful tool for configuring the instance from which the image is made.
2016-05-24 20:13:36 -04:00
The builder will wait for a startup script to terminate. A startup script can be provided via the
`startup_script_file` or 'startup-script' instance creation `metadata` field. Therefore, the build
time will vary depending on the duration of the startup script. If `startup_script_file` is set,
the 'startup-script' `metadata` field will be overwritten. In other words,`startup_script_file`
takes precedence.
The builder does not check for a pass/fail/error signal from the startup script, at this time. Until
such support is implemented, startup scripts should be robust, as an image will still be built even
when a startup script fails.
### Windows
2017-03-28 11:27:57 -04:00
A Windows startup script can only be provided via the 'windows-startup-script-cmd' instance
2017-06-14 21:04:16 -04:00
creation `metadata` field. The builder will *not* wait for a Windows startup scripts to
2017-03-28 11:27:57 -04:00
terminate. You have to ensure that it finishes before the instance shuts down.
2016-05-24 20:13:36 -04:00
### Logging
2017-06-14 21:04:16 -04:00
2016-05-24 20:13:36 -04:00
Startup script logs can be copied to a Google Cloud Storage (GCS) location specified via the
'startup-script-log-dest' instance creation `metadata` field. The GCS location must be writeable by
the credentials provided in the builder config's `account_file` .
2015-07-27 22:32:21 -04:00
2013-12-08 18:02:03 -05:00
## Gotchas
2017-07-27 00:53:16 -04:00
CentOS and recent Debian images have root ssh access disabled by default. Set `ssh_username` to
2015-07-28 18:30:32 -04:00
any user, which will be created by packer with sudo access.
2013-12-08 18:02:03 -05:00
2015-07-28 18:30:32 -04:00
The machine type must have a scratch disk, which means you can't use an
`f1-micro` or `g1-small` to build images.