
Creating a Debian Linux VM with Startup Script and Custom Metadata on Google Cloud

Introduction

This tutorial will guide you through creating a Debian Linux virtual machine (VM) instance on Google Compute Engine (GCE). We’ll cover setting up a startup script to automate initial configuration, passing that script to the instance as metadata (the same key/value mechanism carries any custom configuration data you want the VM to read at boot), and assigning a custom service account so the VM reaches other Google Cloud services with only the permissions it needs.

Prerequisites:

  • A Google Cloud account with billing enabled.
  • The Google Cloud SDK (gcloud CLI) installed and configured.
  • Basic familiarity with Linux command line.
  • (Optional) Terraform installed and configured, if you prefer to automate the resource creation with Infrastructure as Code (IaC).

Task 1: Setting up the Environment

Before creating the VM, ensure you have the necessary tools installed and are authenticated with your Google Cloud account.

  1. Install and initialize the gcloud CLI: If you haven’t already, install the Google Cloud SDK from the official documentation. After installation, initialize it with:

    NODE_TYPE // bash
    gcloud init

    This command will guide you through authenticating with your Google account and selecting a Google Cloud project.

    Ensure you select the correct Google Cloud project where you want to create the VM instance.
  2. Set the default project: To avoid specifying the project ID in every command, set it as the default:

    NODE_TYPE // bash
    gcloud config set project YOUR_PROJECT_ID

    Replace YOUR_PROJECT_ID with your actual Google Cloud project ID.

Task 2: Creating a Custom Service Account

For enhanced security, we’ll create a custom service account and grant it specific permissions required by the VM.

  1. Create the service account:

    NODE_TYPE // bash
    gcloud iam service-accounts create debian-vm-sa \
        --display-name="Debian VM Service Account"

    This command creates a service account named debian-vm-sa.

    NODE_TYPE // output
    Created service account [debian-vm-sa].
  2. Grant necessary permissions: Determine which permissions the VM requires. For example, if your startup script needs to read data from Cloud Storage, grant the roles/storage.objectViewer role:

    NODE_TYPE // bash
    gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
        --member="serviceAccount:debian-vm-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
        --role="roles/storage.objectViewer"

    Replace roles/storage.objectViewer with the appropriate role for your use case. Other commonly used roles are roles/logging.logWriter to allow the instance to write logs to Cloud Logging and roles/compute.networkViewer to list network resources.

    Grant only the minimum necessary permissions to the service account. This follows the principle of least privilege: a project-level roles/storage.objectViewer binding lets the VM read every bucket in the project, so where the script only needs one bucket, bind the role on that bucket instead. Avoid the basic roles (roles/owner, roles/editor, roles/viewer) entirely; they are exactly what the default Compute Engine service account often carries, and the reason for creating a dedicated one.

Task 3: Preparing the Startup Script

A startup script allows you to automate tasks when the VM instance boots up. The Compute Engine guest agent runs it as root on every boot, not only the first one, so write it to be safe to re-run.

  1. Create the startup script: Create a file named startup.sh with the following content (customize it as needed):

    NODE_TYPE // bash
    #!/bin/bash
    # Runs as root on every boot; abort on the first failing command.
    set -eu
    
    # Update package lists
    apt-get update
    
    # Install necessary packages (e.g., Apache web server). No terminal is
    # attached, so keep apt from prompting.
    DEBIAN_FRONTEND=noninteractive apt-get install -y apache2
    
    # Customize the web server (optional)
    echo "<h1>Hello from Debian VM!</h1>" > /var/www/html/index.html
    
    # Write a message to the system log (it reaches Cloud Logging only if
    # the Ops Agent is installed on the VM)
    logger "Startup script completed successfully."

    This example startup script installs the Apache web server. Modify it to install and configure the software you need.
  2. (Optional) Make the script executable: gcloud uploads the file’s contents as the value of the startup-script metadata key and the guest agent runs it on the instance, so the local executable bit is not required. Set it only if you want to run the script locally for testing:

    NODE_TYPE // bash
    chmod +x startup.sh
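The script above only uses the built-in startup-script key. The following is an added example, not code from the original tutorial, of a startup script that also reads a custom metadata key and validates it before use. It assumes the instance is created with an extra --metadata=app-env=production flag; the key name app-env and the allowed values are hypothetical choices for this example. Anyone with compute.instances.setMetadata on the instance can change metadata values and the script runs as root, so the values are treated as untrusted input and allow-listed rather than interpolated into commands as-is.

```shell
#!/bin/bash
# Added example (not from the original tutorial): startup script that reads a
# custom metadata key ("app-env", a hypothetical name) and validates it.
set -eu

MD_URL="http://metadata.google.internal/computeMetadata/v1"

# Fetch a path below computeMetadata/v1, e.g. instance/attributes/app-env.
# Prints the default when the key is unset (HTTP 404) or the metadata server
# is unreachable, so the functions can also be exercised off-GCE.
metadata_get() {
  local path="$1" default="${2:-}" value
  if value=$(curl -sf --connect-timeout 2 --max-time 5 \
               -H "Metadata-Flavor: Google" "$MD_URL/$path" 2>/dev/null); then
    printf '%s\n' "$value"
  else
    printf '%s\n' "$default"
  fi
}

# True only on a Compute Engine instance (the metadata server answers).
on_gce() {
  curl -sf --connect-timeout 2 --max-time 5 -H "Metadata-Flavor: Google" \
    "$MD_URL/instance/id" >/dev/null 2>&1
}

# Metadata is writable by anyone with compute.instances.setMetadata and this
# script runs as root, so allow-list the value instead of trusting it.
validate_env() {
  case "$1" in
    dev|staging|production) return 0 ;;
    *) return 1 ;;
  esac
}

configure() {
  local app_env
  app_env=$(metadata_get instance/attributes/app-env dev)
  if ! validate_env "$app_env"; then
    echo "startup-script: rejecting app-env value '$app_env'" >&2
    exit 1
  fi
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y apache2
  printf '<h1>Hello from Debian VM (%s)</h1>\n' "$app_env" > /var/www/html/index.html
  logger "Startup script completed successfully (app-env=$app_env)."
}

# Run the configuration only on a real instance; elsewhere the file just
# defines the functions.
if on_gce; then
  configure
fi
```

Metadata is readable by anyone with compute.instances.get on the instance, so it is a place for configuration, not secrets; fetch secrets at boot from Secret Manager using the attached service account instead.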

Task 4: Creating the Debian Linux VM Instance

Now, we’ll create the VM instance with the specified configuration.

  1. Create the VM instance using the gcloud CLI:

    NODE_TYPE // bash
    gcloud compute instances create debian-vm \
        --image-family=debian-11 \
        --image-project=debian-cloud \
        --machine-type=e2-medium \
        --zone=us-central1-a \
        --subnet=default \
        --scopes=https://www.googleapis.com/auth/cloud-platform \
        --metadata-from-file startup-script=startup.sh \
        --service-account=debian-vm-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com

    Let’s break down the command:

    • gcloud compute instances create debian-vm: Creates a VM instance named debian-vm.
    • --image-family=debian-11 --image-project=debian-cloud: Specifies the latest Debian 11 (bullseye) image from Google’s debian-cloud project; use debian-12 for current Debian stable.
    • --machine-type=e2-medium: Selects the machine type. Only e2-micro (in the eligible US regions, which include us-central1) is covered by the Free Tier; e2-medium is billed at normal rates.
    • --zone=us-central1-a: Specifies the zone where the instance will be created.
    • --subnet=default: Attaches the instance to the default subnet.
    • --scopes=https://www.googleapis.com/auth/cloud-platform: Access scopes are a legacy, coarse-grained limit on the OAuth tokens the VM can obtain from the metadata server. They are checked in addition to IAM, not instead of it: the token can never do more than the attached service account’s roles allow. Google’s current guidance is to use the cloud-platform scope and control access through least-privilege IAM roles on the service account (as in Task 2), because narrow scopes are easy to get wrong and grant nothing the service account lacks. If --service-account is omitted, the VM runs as the project’s default Compute Engine service account, which often carries the broad Editor role.
    • --metadata-from-file startup-script=startup.sh: Provides the startup script from the startup.sh file.
    • --service-account=debian-vm-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com: Assigns the custom service account we created.
    Always choose a zone that offers the machine type you require and is close to your users. Be mindful of Free Tier eligibility when selecting a machine type.
  2. Verify the instance creation:

    NODE_TYPE // bash
    gcloud compute instances list

    This command will list all VM instances in your project, including the newly created debian-vm.

    NODE_TYPE // output
    NAME        ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
    debian-vm   us-central1-a  e2-medium      False        10.128.0.2   34.123.45.67  RUNNING
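The instance list confirms the VM is running, but not that the identity and exposure configured in Task 2 and Task 4 are what you intended. The following audit script is an added example, not part of the original tutorial: it uses the real gcloud describe, get-iam-policy and get-serial-port-output commands to fetch the attached service account, its project-level roles, the external IP and the serial console, and flags the default Compute Engine service account, basic roles, and an external IP. It assumes an authenticated gcloud CLI; the instance name, zone and project are passed as arguments.

```shell
#!/bin/bash
# Added example (not from the original tutorial): audit the identity and
# network exposure of the VM from your workstation. Assumes gcloud is
# authenticated. Usage: ./audit.sh debian-vm us-central1-a YOUR_PROJECT_ID
set -eu

# The project-default Compute Engine service account is named
# PROJECT_NUMBER-compute@developer.gserviceaccount.com; a VM still using it
# means --service-account did not take effect.
is_default_compute_sa() {
  case "$1" in
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Basic roles grant broad, project-wide access and defeat least privilege.
is_basic_role() {
  case "$1" in
    roles/owner|roles/editor|roles/viewer) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: whitespace-separated list of roles bound to the service account.
# Prints a warning per basic role and returns 1 if any was found.
check_roles() {
  local role found=0
  for role in $1; do
    if is_basic_role "$role"; then
      echo "WARN: basic role $role bound to the service account"
      found=1
    fi
  done
  return $found
}

audit_instance() {
  local name="$1" zone="$2" project="$3" sa ext_ip roles status=0

  sa=$(gcloud compute instances describe "$name" --zone "$zone" \
         --project "$project" --format='value(serviceAccounts[0].email)')
  echo "service account: $sa"
  if is_default_compute_sa "$sa"; then
    echo "WARN: VM runs as the default Compute Engine service account"
    status=1
  fi

  ext_ip=$(gcloud compute instances describe "$name" --zone "$zone" \
             --project "$project" \
             --format='value(networkInterfaces[0].accessConfigs[0].natIP)')
  if [ -n "$ext_ip" ]; then
    echo "NOTE: VM has external IP $ext_ip; recreate with --no-address if unneeded"
  fi

  # Project-level roles bound to the service account.
  roles=$(gcloud projects get-iam-policy "$project" \
            --flatten='bindings[].members' \
            --filter="bindings.members:serviceAccount:$sa" \
            --format='value(bindings.role)')
  echo "roles bound to $sa:"
  printf '%s\n' "$roles"
  check_roles "$roles" || status=1

  # The serial console receives the script runner's output without any
  # logging agent, so it is a reliable place to confirm the script ran.
  if gcloud compute instances get-serial-port-output "$name" --zone "$zone" \
       --project "$project" 2>/dev/null | grep -q 'startup-script'; then
    echo "startup-script output present in serial console"
  fi
  return $status
}

# Only contact Google Cloud when invoked with the three arguments.
if [ $# -eq 3 ]; then
  audit_instance "$1" "$2" "$3"
fi
```

A non-zero exit means the VM is either running as the default service account or the custom account holds a basic role; fix the binding with gcloud projects remove-iam-policy-binding and re-run. Port 80 on the external IP is not reachable anyway unless a firewall rule allows it, but a VM that only needs outbound access is better created with --no-address and Cloud NAT.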

Task 5: Accessing the VM and Verifying the Startup Script

  1. SSH into the VM:

    NODE_TYPE // bash
    gcloud compute ssh debian-vm --zone=us-central1-a

    This command opens an SSH connection to the VM instance.

  2. Verify the startup script execution: The guest agent runs the script shortly after boot, so if you connect immediately the first check may fail or return Apache’s default page while apt-get is still running; wait a minute and retry. Check the web server:

    NODE_TYPE // bash
    curl http://localhost

    Expected output:

    NODE_TYPE // output
    <h1>Hello from Debian VM!</h1>

    Alternatively, check the logs. The logger call writes to the instance’s local syslog/journal, which reaches Cloud Logging only if the Ops Agent (or the legacy logging agent) is installed on the VM. Without an agent, read the script’s output on the VM with sudo journalctl -u google-startup-scripts.service, or from your workstation via the serial console output (gcloud compute instances get-serial-port-output). With the Ops Agent installed:

    1. Go to the Cloud Logging console.
    2. Filter the logs by resource type GCE VM Instance and instance name debian-vm.
    3. Look for the log message “Startup script completed successfully.”

Congratulations

You’ve successfully created a Debian Linux VM instance on Google Cloud, passed a startup script to it as instance metadata, and assigned a custom service account with least-privilege roles. You can now leverage this knowledge to deploy and manage more complex applications on Google Cloud. You learned:

  • How to create a GCE VM with the gcloud CLI.
  • How to set up a service account and attach it to the VM.
  • How to automate startup tasks with scripts.
