gcloud compute instances update-container - updates Compute Engine virtual machine instances running container images

gcloud compute instances update-containerINSTANCE_NAME[--container-image=CONTAINER_IMAGE][--container-mount-disk=[mode=MODE],[mount-path=MOUNT-PATH],[name=NAME],[partition=PARTITION]][--container-privileged][--container-restart-policy=POLICY][--container-stdin][--container-tty][--[no-]shielded-integrity-monitoring][--shielded-learn-integrity-policy][--[no-]shielded-secure-boot][--[no-]shielded-vtpm][--zone=ZONE][--clear-container-args    |--container-arg=CONTAINER_ARG][--clear-container-command    |--container-command=CONTAINER_COMMAND][--container-env=[KEY=VALUE, …,…]--container-env-file=CONTAINER_ENV_FILE--remove-container-env=[KEY,…]][--container-mount-host-path=[host-path=HOSTPATH,mount-path=MOUNTPATH[,mode=MODE],…]--container-mount-tmpfs=[mount-path=MOUNTPATH,…]--remove-container-mounts=[MOUNTPATH[,MOUNTPATH,…],…]][GCLOUD_WIDE_FLAG …]

gcloud compute instances update-container updates Compute Enginevirtual machines that runs a Docker image. For example:

gcloudcomputeinstancesupdate-containerinstance-1--zoneus-central1-a--container-image=gcr.io/google-containers/busybox

updates an instance called instance-1, in the us-central1-a zone, to run the'busybox' image.

For more examples, refer to theEXAMPLES section below.

gcloudcomputeinstancesupdate-containerinstance-1--container-image=gcr.io/google-containers/busybox--container-command='echo "Hello world"'

To run the gcr.io/google-containers/busybox image in privileged mode, run:

gcloudcomputeinstancesupdate-containerinstance-1--container-image=gcr.io/google-containers/busybox--container-privileged

INSTANCE_NAME

Name of the instance to update. For details on valid instance names, refer tothe criteria documented under the field 'name' at:https://cloud.google.com/compute/docs/reference/rest/v1/instances

--container-image=CONTAINER_IMAGE

Sets container image in the declaration to the specified value.

Empty string is not allowed.

--container-mount-disk=[mode=MODE],[mount-path=MOUNT-PATH],[name=NAME],[partition=PARTITION]

Mounts a disk to the container by using mount-path or updates how the volume ismounted if the same mount path has already been declared. The disk must alreadybe attached to the instance with a device-name that matches the disk name.Multiple flags are allowed.

name

Name of the disk. Can be omitted if exactly one additional disk is attached tothe instance. The name of the single additional disk will be used by default.

mount-path

Path on container to mount to. Mount paths with spaces and commas (and otherspecial characters) are not supported by this command.

partition

Optional. The partition of the disk to mount. Multiple partitions of a disk canbe mounted.

mode

Volume mount mode:rw (read/write) orro (read-only).Defaults torw. Fails if the disk mode isro andvolume mount mode isrw.

--container-privileged

Sets permission to run container to the specified value.

--container-restart-policy=POLICY

Sets container restart policy to the specified value.POLICY must be one of:never,on-failure,always.

--container-stdin

Sets configuration whether to keep containerSTDIN always open tothe specified value.

--container-tty

Sets configuration whether to allocate a pseudo-TTY for the container to thespecified value.

--[no-]shielded-integrity-monitoring

Enables monitoring and attestation of the boot integrity of the instance. Theattestation is performed against the integrity policy baseline. This baseline isinitially derived from the implicitly trusted boot image when the instance iscreated. This baseline can be updated by usinggcloud compute instancesupdate-container --shielded-learn-integrity-policy. On Shielded VMinstances, integrity monitoring is enabled by default. For information about howto modify Shielded VM options, seehttps://cloud.google.com/compute/docs/instances/modifying-shielded-vm.For information about monitoring integrity on Shielded VM instances, seehttps://cloud.google.com/compute/docs/instances/integrity-monitoring." Changesto this setting with the update command only take effect after stopping andstarting the instance. Use--shielded-integrity-monitoring toenable and--no-shielded-integrity-monitoring to disable.

--shielded-learn-integrity-policy

Causes the instance to re-learn the integrity policy baseline using the currentinstance configuration. Use this flag after any planned boot-specific changes inthe instance configuration, like kernel updates or kernel driver installation.

--[no-]shielded-secure-boot

The instance boots with secure boot enabled. On Shielded VM instances, SecureBoot is not enabled by default. For information about how to modify Shielded VMoptions, seehttps://cloud.google.com/compute/docs/instances/modifying-shielded-vm.Changes to this setting with the update command only take effect after stoppingand starting the instance. Use--shielded-secure-boot to enable and--no-shielded-secure-boot to disable.

--[no-]shielded-vtpm

The instance boots with the TPM (Trusted Platform Module) enabled. A TPM is ahardware module that can be used for different security operations such asremote attestation, encryption, and sealing of keys. On Shielded VM instances,vTPM is enabled by default. For information about how to modify Shielded VMoptions, seehttps://cloud.google.com/compute/docs/instances/modifying-shielded-vm.Changes to this setting with the update command only take effect after stoppingand starting the instance. Use--shielded-vtpm to enable and--no-shielded-vtpm to disable.

--zone=ZONE

Zone of the instance to update. If not specified, you might be prompted toselect a zone (interactive mode only).gcloud attempts to identify theappropriate zone by searching for resources in your currently active project. Ifthe zone cannot be determined,gcloud prompts you for a selection withall available Google Cloud Platform zones.

To avoid prompting when this flag is omitted, the user can set thecompute/zone property:

gcloudconfigsetcompute/zoneZONE

A list of zones can be fetched by running:

gcloudcomputezoneslist

To unset the property, run:

gcloudconfigunsetcompute/zone

Alternatively, the zone can be stored in the environment variableCLOUDSDK_COMPUTE_ZONE.

At most one of these can be specified:

--clear-container-args

Removes the list of arguments from container declaration.

Cannot be used in the same command with--container-arg.

--container-arg=CONTAINER_ARG

Completely replaces the list of arguments with the new list. Each argument musthave a separate --container-arg flag. Arguments are appended the new list in theorder of flags.

Cannot be used in the same command with--clear-container-arg.

At most one of these can be specified:

--clear-container-command

Removes command from container declaration.

Cannot be used in the same command with--container-command.

--container-command=CONTAINER_COMMAND

Sets command in the declaration to the specified value. Empty string is notallowed.

Cannot be used in the same command with--clear-container-command.

--container-env=[KEY=VALUE, …,…]

Update environment variablesKEY with valueVALUEpassed to container.

• SetsKEY to the specified value.
• AddsKEY =VALUE, ifKEY is not yetdeclared.
• Only the last value ofKEY is taken whenKEY isrepeated more than once.

Values, declared with--container-env flag override those with thesameKEY from file, provided in--container-env-file.

--container-env-file=CONTAINER_ENV_FILE

Update environment variables from a file. Same update rules as for--container-env apply. Values, declared with--container-env flag override those with the sameKEYfrom file.

File with environment variables declarations in format used by docker (almost).This means:

• Lines are in format KEY=VALUE
• Values must contain equality signs.
• Variables without values are not supported (this is different from dockerformat).
• If # is first non-whitespace character in a line the line is ignored as acomment.

--remove-container-env=[KEY,…]

Removes environment variablesKEY from container declaration Doesnothing, if a variable is not present.

--container-mount-host-path=[host-path=HOSTPATH,mount-path=MOUNTPATH[,mode=MODE],…]

Mounts a volume by using host-path.

• Adds a volume, ifmount-path is not yet declared.
• Replaces a volume, ifmount-path is declared. All parameters(host-path,mount-path,mode) arecompletely replaced.

host-path

Path on host to mount from.

mount-path

Path on container to mount to. Mount paths with spaces and commas (and otherspecial characters) are not supported by this command.

mode

Volume mount mode: rw (read/write) or ro (read-only).

Default: rw.

--container-mount-tmpfs=[mount-path=MOUNTPATH,…]

Mounts empty tmpfs into container at MOUNTPATH.

mount-path

Path on container to mount to. Mount paths with spaces and commas (and otherspecial characters) are not supported by this command.

--remove-container-mounts=[MOUNTPATH[,MOUNTPATH,…],…]

Removes volume mounts (host-path,tmpfs,disk) withmountPath: MOUNTPATH from containerdeclaration.

Does nothing, if a volume mount is not declared.

Run$gcloud help for details.