Update latest guestOsFeatures for GCP #265
Conversation
|
|
|
@abhay2101 Thanks for the PR! Adding the |
Yes we need to add "--confidential-compute-type=TDX "below during launch time and also add TDX_CAPABLE in "image_guest_os_features" in packer file. You want me to update instance create readme at https://github.com/search?q=repo%3Ahashicorp%2Fpacker-plugin-googlecompute%20%22instances%20create%22&type=code ? Reason didn't updated that coz not everyone want to create confidential VM's. |
|
@abhay2101 The PR seems to just be updating the docs and adding information about support for TDX in the ImageGuestOSFeatures. I highly doubt this alone would do the job. We might have to update the code to enable the confidential computing as well. If this alone is working for you, would you be able to update the PR with some testing details? |
@tanmay-hc Updated PR with testing details. thanks. |
|
@abhay2101 I tried using the test you mentioned and as expected, using just |
Just to make it more clearer:
|
|
@abhay2101 our approach is valid and should work fine in most cases. That said, I think it makes sense for us to add a new builder flag — This would let users opt into building the image inside a Confidential VM if needed, which can help with OS setups that behave differently in that environment. Also, please do a |
@tanmay-hc Updated documentation via "make generate". thanks. |
|
@abhay2101 Would you also be able to make the |
@tanmay-hc Not fully convinced that we need this change coz 1. tdx will only get enabled on certain hw and not supported by all. 2. building TDX enabled image doesn't need tdx enabled OS/HW. It is only needed when we boot tdx enabled guest OS. 3. works fine now with current changes. we might not gain much here with adding that flag. |
|
@abhay2101 I agree the flag addresses a niche use case. I'm merging this PR for now and will consider adding the flag later if a concrete use case arises. |
Add additional guesos features added recently in gcp images
https://cloud.google.com/compute/docs/images/create-custom#guest-os-features
Please include tests. We recommend looking at existing tests as an example.
Build image with TDX_CAPABLE and it shows in describe image for gcp.
If your PR resolves any open issue(s), please indicate them like this so they will be closed when your PR is merged:
Closes #255
TESTING DETAILS: Testing done on RHEL9.5
Add below feature flag in the packer code during googlecompute-import
"image_guest_os_features": "UEFI_COMPATIBLE,VIRTIO_SCSI_MULTIQUEUE,GVNIC,TDX_CAPABLE,SEV_CAPABLE,SEV_SNP_CAPABLE",
https://cloud.google.com/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance#gcloud
gcloud compute instances create INSTANCE_NAME
--confidential-compute-type=CONFIDENTIAL_COMPUTING_TECHNOLOGY
--machine-type=MACHINE_TYPE_NAME
--min-cpu-platform="CPU_PLATFORM"
--maintenance-policy="MAINTENANCE_POLICY"
--zone=ZONE_NAME
--image-family=IMAGE_FAMILY_NAME
--image-project=IMAGE_PROJECT
--project=PROJECT_ID
This will start google confidential VM and instance and image can be verified for confidential instance via below command:
gcloud compute instances describe test-vm --zone=us-central1-a | grep confidential
gcloud compute images describe test-image