Google Compute Engine: startup-script is not running in Container-optimized OS

0
votes

I've been using startup-script metadata many times with GCE, but not with containers.

I'm trying to deploy a GCR image to a compute instance.

Instance created with this command:

gcloud compute instances create my-instance --image-project=cos-cloud --image-family=cos-77-lts --machine-type=e2-micro --zone=us-central1-a --metadata=GCR_ADDRESS=$GCR_ADDRESS --metadata-from-file=startup-script=./start.sh --tags=http-server,https-server

The start.sh script contains this:

#!/bin/bash

METADATA=http://metadata.google.internal/computeMetadata/v1
SVC_ACCT=$METADATA/instance/service-accounts/default
ACCESS_TOKEN=$(curl -H 'Metadata-Flavor: Google' $SVC_ACCT/token | cut -d'"' -f 4)
docker login -u oauth2accesstoken -p $ACCESS_TOKEN https://gcr.io

GCR_ADDRESS=$(curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/GCR_ADDRESS" -H "Metadata-Flavor: Google")

wget https://raw.githubusercontent.com/jfrazelle/dotfiles/master/etc/docker/seccomp/chrome.json
docker run -it --rm --security-opt seccomp=./seccomp.json $GCR_ADDRESS

The problem is that startup-script doesn't get started.

I can SSH into this instance and run the start.sh script manually. It works fine, pulls the image, starts the container etc.

Cloud Logger shows no traces of the startup-script running.

What am I doing wrong?

1
google-cloud-platformgoogle-compute-engine
Connect to the serial port and review the boot logs. Startup script processing is logged in the boot logs. I do not remember if journalctl is present in COS, but if it is you can look at the boot logs from an SSH session.John Hanley
thanks @JohnHanley! That helped! some of my commands required writing to fs, which is disallowed in container-optimized os. Logs indicated that. Though why the startup-script logs were present in journalctl but not in Cloud Logging?stkvtflw
I suppose you have this issues because COS is pre-configured OS with some limitations. Have you fixed your startup-script?Serhii Rohoza
COS is locked down. COS cannot be modified by startup scripts. If you try, your scripts will fail.John Hanley

1 Answers

0
votes

As per the docs startup-script is a reserved key used by Kubernetes Engine. At the moment, it's not possible to use startup-script script for GKE with COS. However, there is a PIT as a Feature Request on this issue. Feel free to post there should you have any additional comments or concerns regarding the issue.