Rescue an inaccessible VM

Linux

If your Linux VM is inaccessible due to any reason, you can try rescue theVM using the following steps.

Required roles

To get the permissions that you need to rescue a VM, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to rescue a VM. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to rescue a VM:

  • compute.instances.create on project
  • compute.disks.create on project
  • compute.instances.get on project
  • compute.disks.createSnapshot on disks
  • compute.instances.attachDisk on new VM
  • compute.disks.use on disk
  • compute.instances.start on new and inaccessible VM
  • compute.instances.stop on new and inaccessible VM

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Rescue a VM

If you can't connect to your VM, or your boot disk is full, you mustcreate a temporary VM to rescue the inaccessible VM.

  1. (Optional) Stop the inaccessible VM.
  2. Create a snapshot from the boot disk of the inaccessible VM. If the root file system is split across multiple disks, you must snapshot each disk.
  3. Create a temporary VM using a public image closest to inaccessible VM's OS. In some cases a trusted image policy might restrict you from creating boot disks from public images. In such cases you must ask an administrator to temporarily lift this restriction before you can create a rescue VM. SeeSet image access constraints for more information.

  4. For each of the snapshots of the inaccessible VM's boot disks you previously created, create a new disk from the snapshot and attach it to the rescue VM by doing the following:

    1. In the Google Cloud console, go to theVM instances page.

      Go to VM instances

    2. Click the name of the temporary VM that you created.

    3. ClickEdit.

    4. UnderAdditional disks, clickAdd new disk, and then dothe following:

      1. Add the disk name, likemy-recovery-disk
      2. ForSource type, select theSnapshot tab.
      3. In theSource snapshot drop-down menu, select the snapshot of thesource VM that you created earlier in these steps.
      4. ClickDone.

    5. ClickSave.

  5. Connect to the temporary VM using SSH.

  6. Identify the name of each of the disks that you previously attached to the VM by running the following command:

    lsblk -d -o NAME,SERIAL

    The output is similar to the following:

     NAME SERIAL sda  rescue-vm sdb  my-recovery-disk

    In this example,rescue-vm is the boot disk of the rescue VM andmy-recovery-disk is the boot disk from the snapshot of the inaccessible VM. Note theNAME of the inaccessible VM for use in the next step.

  7. For each of the disks that you previously attached to the VM, do the following:

    1. Identify the file system of each partition by running the followingcommand:

      fdisk -l /dev/NAME -o Device,Size,Type

      ReplaceNAME with the name of the inaccessibleVM's boot disk from the previous step. In this example, the name wouldbesdb.

      The output is similar to the following:

      Disk /dev/sdb: 10 GiB, 10737418240 bytes, 20971520 sectorsDisk model: PersistentDiskUnits: sectors of 1 * 512 = 512 bytesSector size (logical/physical): 512 bytes / 4096 bytesI/O size (minimum/optimal): 4096 bytes / 4096 bytesDisklabel type: gptDisk identifier: B31430F1-F041-4555-96B9-B2F43DC057ADDevice     Size Type/dev/sdb1    2M BIOS boot/dev/sdb2   20M EFI System/dev/sdb3   10G Linux filesystem

      TheType column lists the file system of each partition. If the filesystem type is missing for any partitions, run the following command:

      file -sL /dev/PARTITION_NAME

      ReplaceNAME with the name of the partition.

      The output differs depending on the file system type:

      • No file system: If the output only displaysdata, the partitiondoesn't contain a file system. Example output:

        /dev/sdb1: data

      • EFI file system: If the output describes a DOS/MBR boot sector,the partition has an EFI file system. Example output:

        dev/sdb2: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, reserved sectors4, root entries 512, sectors 40960 (volumes<=32 MB), Media descriptor 0xf8, sectors/FAT 40, sectors/track 32, heads 64, serial number 0xf2af2664, label: "EFI        ", FAT (16 bit)

      • Linux file system: If the output describes file system data, thepartition is a Linux file system. Example output:

        /dev/sdb3: SGI XFS filesystem data (blksz 4096, inosz 512, v2 dirs)

      Note the partition name of the Linux file system.

    2. Create a mount point at/rescue:

      sudo mkdir /rescue

    3. Mount the Linux file system partition to/rescue:

      sudo mountPARTITION_NAME /rescue

      ReplacePARTITION_NAME with the name of the Linux file systemyou previously noted.

    4. If you want to modify the root directory of the file system using thechroot command, you must additionally mount the virtual file systemand devices by running the following commands:

      sudo mount -t proc /proc /rescue/procsudo mount -t sysfs /sys /rescue/syssudo mount -o bind /dev /rescue/devsudo mount -o bind /dev/pts /rescue/dev/ptssudo mount -o bind /run /rescue/run

    The inaccessible boot disk's file system is now mounted at/rescue.You can navigate the file system, change config files, fix issues orretrieve the data.

Revert the changes and boot the inaccessible VM back

After the issue is fixed or data is retrieved, you need to bring back the actualVM. Use the following steps to restore the original VM:

  1. Unmount the additional disk which is mounted at/rescue in thetemporary VM:

     cd ~ sudo umount /rescue

  2. In the Google Cloud console, go to theVM instances page.

    Go to VM instances

    1. Select the temporary VM that you created.

    2. ClickEdit.

    3. UnderAdditional disks, clickfor the disk created in earlier steps to detach the additionaldisk from the temporary VM.

    4. ClickSave.

  3. Go to theVM instances page in the Google Cloud console.

    Go to VM instances

    1. If the inaccessible VM is still running,stop the VM.

    2. Click the name of the VM you just stopped, and then clickEdit.

    3. UnderBoot disk, clickDetach book disk to detach the exiting boot disk fromthe inaccessible VM.

    4. Next, clickCONFIGURE BOOTDISK to attach the disk you created and fixed previously inRescue a VM on this page.

      1. In theBoot Disk section, click theExisting disks tab.
      2. In the drop-down list, select the disk that you created in the previoussection, for examplemy-recovery-disk.
      3. ClickSelect and then clickSave.

    5. Start the VM.

  4. You should now be able toconnect to the VM using SSH.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.