GCP Cloud Shell not only allows to execute and automate tasks around your Cloud resources, but It can help you understand what happens behind the scene when a vm is provisioned for example. That’s also a good way to prepare for the GCP Cloud engineer certification. Although it normally takes a subscription to ACloudGuru to follow the course behind this quick lab, they still made the startup script available for free in their GitHub. That’s all we need to demonstrate how to complete the task using google GCloud commands which was not covered in the original course.
Here’s a direct link to the shell script in their GitHub repo: gcp-cloud-engineer/compute-labs/worker-startup-script.sh
I. Lab purpose
In this exercise, we want to learn what a compute engine requires in order to run a script at launch that will install a logging agent, do a stress test, and write all the syslog events into a Google logging and output feedback into a bucket. You’ll realize that there are underlying service accounts and permission scopes that allow a machine to interact with other cloud services and APIs to get the job done. To sum it up :
- We want a new project,
- Launch a new GCE instance that runs a specific script
- System logs shipped to Stackdriver (Cloud logging) logs.
- We want to have a new GCS bucket for resulting log file.
- We want the log file (status feedback) to appear in that new bucket after the instance finishes starting up.
- All this with No SSH access to the instance itself. Vm should handle everything on its own.
Google CLI setup
I used Cloud Shell to complete this lab. However, you can also run GCloud commands from your workstation via Google SDK.
- Retrieve the Startup script
- Create a new project
- Create logs destination bucket
- Enable GCE API
- Create new GCE instance
- Enable Scope to write to GCS
- Set startup script
- Set metadata to point to logs destination bucket
- Monitoring Progress
- Check stack driver logs
- Check CPU graph
- Check logs bucket
1. Create a New Project
- From your Cloud Shell terminal.
$ gcloud projects create gcs-gce-project-lab --name="GCS & GCE LAB" --labels=type=lab
$ cloud config set project gcs-gce-project-lab
Link the new project with a billing account
- There are 2 ways to link a project to a billing account. One through alpha and another through beta gcloud command
$ gcloud beta billing accounts list
ACCOUNT_ID NAME OPEN MASTER_ACCOUNT_ID
-------------------- ---------------------------- ------ ------------------ 0X0X0X-0X0X0X-0X0X0X Brokedba Billing account True ** link the project to a billing account **
$ gcloud alpha billing accounts projects link gcs-gce-project-lab \
** OR **
$ gcloud beta billing projects link gcs-gce-project-lab --billing-account=0X0X0X-0X0X0X-0X0X0X
2. Enable GCE API
- By default, Most of the APIs are disabled in a project upon creation unlike other Cloud platforms.
- In our case we need to enable the GCE APIs in order to create and launch vms.
$ gcloud services enable compute.googleapis.com
$ gcloud services enable computescanning.googleapis.com
3. Set default region/zone
- This can be done within the current GCloud configuration level or at project level
Active Config in Cloud Shell
$ gcloud config set compute/region us-east1
$ gcloud config set compute/zone us-east1-b
$ gcloud compute project-info add-metadata --metadata google-compute-default-region=us-east1,google-compute-default-zone=us-east1-b --project gcs-gce-project-lab
4. Service account
- In GCP, a default service account is attached to projects upon creation that all future vms can use to interact with the rest of the platform through IAM permissions and scopes. We’ll use it and add more privileges for our vm.
- The FORMAT is: PROJECT_NUMBERemail@example.com
- We just run the below commands to retrieve the Service account name:
$ gcloud projects describe gcs-gce-project-lab | grep projectNumber
Derived Service Account name
5. Download the Startup script from github
- This script is responsible for updating Linux packages, install a logging agent, do a stress test, and write all the syslog events into a GCS bucket. `lab-logs-bucket` is the metadata name matching the bucket we’ll be creating.
- But first, we need to download it locally so we can edit it and call it when creating the compute instance later on.
Every compute instance stores its metadata on a metadata server. Your VM automatically has access to the metadata server API without any additional authorization. Metadata is stored as
key:value pairs and there are two types; default and custom. In our example the bucket name `gs://gcs-gce-bucket` is stored in the instance metadata name `lab-logs-bucket` that our script will query during the startup.
6. Create the GCS bucket
- The bucket name must match the log_bucket_metadata_name called in our worker-startup-script. Choose a unique one
$ gsutil mb -l us-east1 -p gcs-gce-project-lab gs://gcs-gce-bucket
7. Create GCE instance and run Startup script
- We are finally ready to give this test a go and monitor the progress of each task including metadata and startup script.
- You should run the command in one line as my display is truncated for better readability
$ gcloud compute instances create gcs-gce-vm --metadata lab-logs-bucket=gs://gcs-gce-bucket --metadata-from-file startup-script=./worker-startup-script.sh --machine-type=f1-micro --image-family debian-10 --image-project debian-cloud --service-account firstname.lastname@example.org --scopes storage-rw,logging-write,monitoring-write,logging-write,pubsub,service-management,service-control,trace
NAME ZONE MACHINE_TYPE INTERNAL_IP EXTERNAL_IP STATUS ---------------------- ------------- ------------- -------------- ---------
gcs-gce-vm us-east1-b f1-micro 10.100.0.1 184.108.40.206 RUNNING
Notice the write privilege into GCS (storage-rw) that will allow our vm to write the logs into the logs bucket.
System logs available in Stackdriver Logs
GCS bucket created and log File appears in bucket after instance finishes starting up
No SSH access needed to the instance
- We learned that we can automate startup and shutdown scripts without ever needing to ssh to the instance
- We learned more about the scopes needed from a vm to interact with google storage through its service account
- Using default or custom service accounts can efficiently streamline the tasks done by vms or services without human intervention
- Feel free to try the lab yourself and remember to change the name of the bucket since they are globally unique
Thanks for reading!