Requirements to build custom images

Linux

In some situations, your applications might require you to build your own operating system or compile a custom kernel. If you compile custom kernels or create custom operating systems for your VMs, ensure that they meet the requirements in this document.

Building a custom operating system is an advanced task for users with applications that specifically require a custom kernel. Most users can create VMs from one of the available public images, use the automated virtual disk import tool to import disks into Compute Engine from other environments, or manually import a custom image from a system with a common stock Linux distribution.

Hardware support requirements

Your kernel must support the following devices:

  • PCI Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
  • ISA bridge: Intel 82371AB/EB/MB PIIX4 ISA (rev 03)
  • Ethernet controller:
    • Virtio-Net Ethernet Adapter.
    • gVNIC is required for second generation machine series that use per VM Tier_1 networking performance, Tau T2A, and all third generation and later machine series, excluding bare metal instances.

      Additionally, gVNIC is required or recommended if you use GPUs on any of the following:

      • General-purpose N1 machine types
      • Accelerator-optimized A4, A3, A2, or G2 machine types
    • IDPF (Intel Data Plane Function) LAN interface is required for bare metal instances and instances that use Cloud RDMA.
    • Virtio-Net Ethernet Adapter is only supported with first and second generation machine series.
    • vendor = 0x1AF4 (Qumranet/Red Hat)
    • device id = 0x1000. Subsystem ID 0x1
    • Checksum offload is supported
    • TSO v4 is supported
    • GRO v4 is supported
    • If using Dynamic Network Interfaces, you must load the 802.1Q module into the kernel
  • SCSI Storage Controller:
    • Virtio-SCSI Storage Controller
    • vendor = 0x1AF4 (Qumranet/Red Hat)
    • device id = 0x1004. Subsystem ID 0x8.
    • SCSI Primary Commands 4 and SCSI Block Commands 3 are supported
    • Only one request queue is supported
    • Persistent disks report 4 KiB physical sectors / 512 byte logical sectors
    • Only block devices (disks) are supported
    • The Hotplug / Events feature bit is supported

    Note: For second generation Tau T2A and G2, and all third generation and later machine series, you must use an NVMe storage controller.

  • Serial Ports:
    • Four 16550A ports
    • ttyS0 on IRQ 4
    • ttyS1 on IRQ 3
    • ttyS2 on IRQ 6
    • ttyS3 on IRQ 7
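An added example (not from the Compute Engine docs) that checks through sysfs whether the Virtio-Net (1af4:1000, subsystem 0x1) and Virtio-SCSI (1af4:1004, subsystem 0x8) devices listed above are visible to the running kernel. The sysfs PCI root is a parameter (defaulting to /sys/bus/pci/devices) so the same functions can be run against a constructed tree; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Compute Engine docs: verify that the PCI
# devices the page requires (Virtio-Net 1af4:1000 subsystem 0x1 and
# Virtio-SCSI 1af4:1004 subsystem 0x8) are visible to the kernel.
# $1 is the sysfs PCI root, so a constructed tree can be checked offline.

# Read sysfs attribute $2 of device $1 as lowercase hex with the 0x prefix
# and leading zeros stripped ("0x0001" -> "1"); fails if the file is absent.
pci_attr() {
  [ -f "$1/$2" ] || return 1
  sed 's/^0x//; s/^0*//' "$1/$2" | tr 'A-F' 'a-f'
}

# Succeed if some device under root $1 has vendor $2, device $3 and
# subsystem device $4 (all compared as normalised hex strings).
pci_has_device() {
  for dev in "$1"/*; do
    [ -f "$dev/vendor" ] || continue
    [ "$(pci_attr "$dev" vendor)" = "$2" ] || continue
    [ "$(pci_attr "$dev" device)" = "$3" ] || continue
    [ "$(pci_attr "$dev" subsystem_device)" = "$4" ] || continue
    return 0
  done
  return 1
}

# Report each required device and return how many are missing.
check_gce_virtio_devices() {
  root=${1:-/sys/bus/pci/devices}
  missing=0
  if pci_has_device "$root" 1af4 1000 1; then
    echo "ok      Virtio-Net (1af4:1000, subsystem 0x1)"
  else
    echo "MISSING Virtio-Net (1af4:1000, subsystem 0x1)"
    missing=$((missing + 1))
  fi
  if pci_has_device "$root" 1af4 1004 8; then
    echo "ok      Virtio-SCSI (1af4:1004, subsystem 0x8)"
  else
    echo "MISSING Virtio-SCSI (1af4:1004, subsystem 0x8)"
    missing=$((missing + 1))
  fi
  return $missing
}
```

On a VM, `check_gce_virtio_devices` with no argument inspects the real sysfs tree; a non-zero exit means the kernel cannot see one of the required controllers.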

Required Linux kernel build options

You must build the operating system kernel with the following options:

  • CONFIG_KVM_GUEST=y
    • Enable paravirtualization functionality.
  • CONFIG_KVM_CLOCK=y
    • Enable the paravirtualized clock (if applies to your kernel version).
  • CONFIG_VIRTIO_PCI=y
    • Enable paravirtualized PCI devices.
  • CONFIG_SCSI_VIRTIO=y
    • Enable access to paravirtualized disks.
  • CONFIG_VIRTIO_NET=y
    • Enable access to networking.
  • CONFIG_PCI_MSI=y
    • Enable high-performance interrupt delivery, which is required for local SSD devices.

Kernel build options for security

Use the recommended security settings in your kernel build options:

  • CONFIG_STRICT_DEVMEM=y
    • Restrict /dev/mem to allow access to only PCI space, BIOS code, and data regions.
  • CONFIG_DEVKMEM=n
    • Disable support for /dev/kmem.
    • Block access to kernel memory.
  • CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
    • Set low virtual memory that is protected from userspace allocation.
  • CONFIG_DEBUG_RODATA=y
    • Mark the kernel read-only data as write-protected in the page tables, to catch accidental (and incorrect) writes to such const data. This option can have a slight performance impact because a portion of the kernel code won't be covered by a 2 MB TLB anymore.
  • CONFIG_DEBUG_SET_MODULE_RONX=y
    • Catches unintended modifications to loadable kernel module's text and read-only data. This option also prevents execution of module data.
  • CONFIG_CC_STACKPROTECTOR=y
    • Enables the -fstack-protector GCC feature. This feature puts a canary value at the beginning of critical functions, on the stack before the return address, and validates the value before actually returning. This also causes stack-based buffer overflows (that need to overwrite this return address) to overwrite the canary, which gets detected and the attack is then neutralized using a kernel panic.
  • CONFIG_COMPAT_VDSO=n
    • Ensures the VDSO isn't at a predictable address to strengthen ASLR. If enabled, this feature maps the VDSO to the predictable old-style address, providing a predictable location for exploit code to jump to. Say N here if you are running a sufficiently recent glibc version (2.3.3 or later), to remove the high-mapped VDSO mapping and to exclusively use the randomized VDSO.
  • CONFIG_COMPAT_BRK=n
    • Don't disable heap randomization.
  • CONFIG_X86_PAE=y
    • Set this option for a 32-bit kernel because PAE is required for NX support. This also enables larger swapspace support for non-overcommit purposes.
  • CONFIG_SYN_COOKIES=y
    • Provides some protection against SYN flooding.
  • CONFIG_SECURITY_YAMA=y
    • This selects Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The default setting is ptrace scope restriction.
  • CONFIG_SECURITY_YAMA_STACKED=y
    • This option forces Yama to stack with the selected primary LSM when Yama is available.
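An added example (not from the Compute Engine docs) that audits a kernel configuration file against the required build options and the security options listed above. It assumes a plain-text config such as /boot/config-$(uname -r) or the source tree's .config (for /proc/config.gz, decompress it to a file first); "=n" is treated as satisfied by a "# X is not set" line or by the option being absent. The variable and function names are mine.

```shell
#!/bin/sh
# Added example, not from the Compute Engine docs: audit a kernel .config
# (for example /boot/config-$(uname -r) or a tree's .config) against the
# options this page requires. $1 is the config path.

# Expected options as NAME=VALUE. "=n" is satisfied by "# NAME is not set"
# or by the option being absent. Options that exist only on some kernel
# versions or architectures (KVM_CLOCK, DEBUG_RODATA, DEBUG_SET_MODULE_RONX,
# CC_STACKPROTECTOR, SECURITY_YAMA_STACKED, the 32-bit-only X86_PAE) are
# left out; add the spelling your kernel uses.
GCE_KCONFIG_WANT='
CONFIG_KVM_GUEST=y
CONFIG_VIRTIO_PCI=y
CONFIG_SCSI_VIRTIO=y
CONFIG_VIRTIO_NET=y
CONFIG_PCI_MSI=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEVKMEM=n
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_COMPAT_VDSO=n
CONFIG_COMPAT_BRK=n
CONFIG_SYN_COOKIES=y
CONFIG_SECURITY_YAMA=y
'

# Print the effective value of option $2 in config $1: the text after "="
# when set, otherwise "n" (covers "# X is not set" and a missing line).
kconfig_value() {
  if grep -q "^$2=" "$1"; then
    sed -n "s/^$2=//p" "$1" | head -n 1
  else
    echo n
  fi
}

# Print one line per option that differs from the expected value and
# return the number of mismatches (0 means the config passes).
kconfig_audit() {
  bad=0
  for entry in $GCE_KCONFIG_WANT; do
    name=${entry%%=*}; want=${entry#*=}
    have=$(kconfig_value "$1" "$name")
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $name: want $want, have $have"
      bad=$((bad + 1))
    fi
  done
  return $bad
}
```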

Kernel security settings

You can also harden the security of the kernel through the kernel settings file. Edit the /etc/sysctl.conf file to include the following recommended security settings:

# Enable syn flood protection
net.ipv4.tcp_syncookies=1
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
# Ignore source-routed packets
net.ipv4.conf.default.accept_source_route=0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects=0
# Ignore ICMP redirects
net.ipv4.conf.default.accept_redirects=0
# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.secure_redirects=1
# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.default.secure_redirects=1
# Don't allow traffic between networks or act as a router
net.ipv4.ip_forward=0
# Don't allow traffic between networks or act as a router
net.ipv4.conf.all.send_redirects=0
# Don't allow traffic between networks or act as a router
net.ipv4.conf.default.send_redirects=0
# Reverse path filtering—IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Reverse path filtering—IP spoofing protection
net.ipv4.conf.default.rp_filter=1
# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1
# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1
# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.default.log_martians=1
# Randomize addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space=2
# Provide protection from ToCToU races
fs.protected_hardlinks=1
# Provide protection from ToCToU races
fs.protected_symlinks=1
# Make locating kernel addresses more difficult
kernel.kptr_restrict=1
# Set ptrace protections
kernel.yama.ptrace_scope=1
# Set perf only available to root
kernel.perf_event_paranoid=2
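An added example (not from the Compute Engine docs) that verifies the settings above are actually in effect rather than merely written to the file: it compares a sysctl.conf-style file of expected values against a saved `sysctl -a` dump, so it runs on the live VM or offline against a captured dump. The file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Compute Engine docs: confirm that the
# recommended sysctl settings are in effect on the running kernel.
# $1 is a sysctl.conf-style file of expected "key=value" lines (comments
# allowed); $2 is a "sysctl -a" dump ("key = value" per line) captured
# beforehand, so the check can also be run offline against a saved dump.

# Print the value of key $2 from dump $1 (empty if the key is absent).
# Dots in the key are escaped so they match literally in the sed pattern.
sysctl_dump_value() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^$key_re = //p" "$1" | head -n 1
}

# Compare every expected setting with the dump; print one line per
# mismatch and return the mismatch count (0 means fully applied).
sysctl_audit() {
  bad=0
  # Drop comments and all whitespace so "key = value" and "key=value"
  # both normalise to one token per setting.
  for entry in $(sed 's/#.*//; s/[[:space:]]//g; /^$/d' "$1"); do
    key=${entry%%=*}; want=${entry#*=}
    have=$(sysctl_dump_value "$2" "$key")
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $key: want $want, have ${have:-<absent>}"
      bad=$((bad + 1))
    fi
  done
  return $bad
}
```

On a VM: `sysctl -a 2>/dev/null > /tmp/sysctl.dump; sysctl_audit /etc/sysctl.conf /tmp/sysctl.dump` reports every recommended key whose running value differs, including keys the kernel does not expose at all.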

Cloud RDMA RPMs

If you plan to use the OS image with compute instances that use Cloud RDMA, the following additional RPMs must be installed:

  • infiniband-diags
  • kmod-idpf-irdma (only for Rocky Linux optimized for Google Cloud OS images)
  • librdmacm-utils
  • libibverbs-utils
  • perftest
  • rdma-core


Last updated 2026-02-18 UTC.