Workload metadata variables
You can change the behavior of a Confidential Space workload VM by passing variables in the --metadata option when you create the VM.

To pass in multiple variables, first change the delimiter by prefixing the --metadata value with ^~^. This sets the delimiter to ~ instead of the default ,, because , is used inside some variable values (for example, in tee-mount and tee-impersonate-service-accounts).

For example:

metadata="^~^tee-restart-policy=Always~tee-image-reference=us-docker.pkg.dev/WORKLOAD_AUTHOR_PROJECT_ID/REPOSITORY_NAME/WORKLOAD_CONTAINER_NAME:latest"
The following table details the metadata variables you can set for your workload VM. Each entry lists the metadata key, its type, its description and valid values, and an example.

Note: Some metadata variables can be affected by launch policies set by workload authors.

tee-image-reference
  Type: String
  Required. Points to the location of the workload container image.
  Example: tee-image-reference=us-docker.pkg.dev/WORKLOAD_AUTHOR_PROJECT_ID/REPOSITORY_NAME/WORKLOAD_CONTAINER_NAME:latest

tee-cmd
  Type: String array
  Overrides the CMD instruction specified in the workload container's Dockerfile.
  Example: tee-cmd=['ls', 'cat ./file.txt']

tee-container-log-redirect
  Type: Defined string
  Outputs STDOUT and STDERR from the workload container to Cloud Logging or to the serial console, under the confidential-space-launcher field.
  The valid values are:
    false: (default) no logging occurs.
    true: outputs to both the serial console and Cloud Logging.
    cloud_logging: outputs to Cloud Logging only.
    serial: outputs to the serial console only.
  A high log volume in the serial console might impact workload performance.
  Example: tee-container-log-redirect=true

tee-dev-shm-size
  Type: Integer
  Sets the size, in kB, of the /dev/shm shared memory mount.
  Example: tee-dev-shm-size=65536

tee-env-ENVIRONMENT_VARIABLE_NAME
  Type: String
  Sets environment variables in the workload container. The workload author must also add the environment variable names to the allow_env_override launch policy, or they won't be set.
  Example: tee-env-example-env-1='value-1'~tee-env-example-env-2='value-2'

tee-impersonate-service-accounts
  Type: String
  A list of service accounts that can be impersonated by the workload operator. The workload operator must be allowed to impersonate the service accounts. Multiple service accounts can be listed, separated by commas.
  Example: tee-impersonate-service-accounts=SERVICE_ACCOUNT_NAME_1@WORKLOAD_OPERATOR_PROJECT_ID.iam.gserviceaccount.com,SERVICE_ACCOUNT_NAME_2@WORKLOAD_OPERATOR_PROJECT_ID.iam.gserviceaccount.com

tee-monitoring-memory-enable
  Type: Boolean
  Defaults to false. When set to true, enables memory usage monitoring. The metrics collected by the Confidential VM are of the guest/memory/bytes_used type, and can be viewed in Cloud Logging or Metrics Explorer.
  Example: tee-monitoring-memory-enable=true

tee-mount
  Type: String
  A list of semicolon-separated mount definitions. A mount definition consists of a comma-separated list of key-value pairs, requiring type, source, and destination. destination must be an absolute path, and type and source must both be tmpfs.
  Example: tee-mount=type=tmpfs,source=tmpfs,destination=/tmp/tmpfs,size=12345;type=tmpfs,source=tmpfs,destination=/run/workload

tee-restart-policy
  Type: Defined string
  The restart policy of the container launcher when the workload stops.
  The valid values are:
    Never (default)
    Always
    OnFailure
  This variable is only supported by the production Confidential Space image.
  Example: tee-restart-policy=OnFailure

tee-signed-image-repos
  Type: String
  A list of comma-separated container repositories that store the signatures generated by Sigstore Cosign.
  Example: tee-signed-image-repos=us-docker.pkg.dev/projectA/repo/example,us-docker.pkg.dev/projectB/repo/example,us-docker.pkg.dev/projectC/repo/example
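The following script is an added example and is not part of the Confidential Space documentation. It assembles a --metadata value from several of the variables above using the ^~^ delimiter override, checks the two things that are easiest to get wrong (a value that contains the ~ delimiter itself, and a tee-mount definition that breaks the type/source/destination rules), and only then calls gcloud. VM_NAME, ZONE, OPERATOR_SA, the placeholder image path, and the gcloud image and confidential-compute flags are assumptions taken from the general Confidential Space VM setup; adjust them to your project.

```shell
#!/bin/sh
# Added example, not from the Confidential Space docs. Placeholders
# (VM_NAME, ZONE, OPERATOR_SA, image paths) and the gcloud image flags
# are assumptions; replace them before running with RUN_GCLOUD=1.
set -eu

# Join key=value arguments with "~" and prefix "^~^" so gcloud uses "~" as
# the delimiter; commas inside values (tee-mount, tee-cmd,
# tee-impersonate-service-accounts) then pass through untouched. A value
# containing "~" cannot be expressed this way, so it is rejected.
build_metadata() (
  out=""
  for kv in "$@"; do
    case "$kv" in
      *=*) ;;
      *) echo "build_metadata: expected key=value, got: $kv" >&2; exit 1 ;;
    esac
    case "$kv" in
      *~*) echo "build_metadata: value contains the '~' delimiter: $kv" >&2; exit 1 ;;
    esac
    if [ -z "$out" ]; then out="$kv"; else out="$out~$kv"; fi
  done
  printf '^~^%s\n' "$out"
)

# Check a tee-mount value against the rules on this page: definitions are
# separated by ";", key=value pairs by ","; type, source and destination are
# required; destination must be absolute; type and source must be tmpfs.
# "size" is accepted because the page's example uses it; rejecting any other
# key is this example's own policy. Runs in a subshell so IFS does not leak.
validate_tee_mount() (
  IFS=';'
  for def in $1; do
    mtype="" msrc="" mdst=""
    IFS=','
    for pair in $def; do
      case "$pair" in
        *=*) ;;
        *) echo "tee-mount: expected key=value, got: $pair" >&2; exit 1 ;;
      esac
      key="${pair%%=*}"
      val="${pair#*=}"
      case "$key" in
        type) mtype="$val" ;;
        source) msrc="$val" ;;
        destination) mdst="$val" ;;
        size) ;;
        *) echo "tee-mount: unsupported key '$key' in: $def" >&2; exit 1 ;;
      esac
    done
    if [ -z "$mtype" ] || [ -z "$msrc" ] || [ -z "$mdst" ]; then
      echo "tee-mount: type, source and destination are required in: $def" >&2; exit 1
    fi
    case "$mdst" in
      /*) ;;
      *) echo "tee-mount: destination must be absolute: $mdst" >&2; exit 1 ;;
    esac
    if [ "$mtype" != tmpfs ] || [ "$msrc" != tmpfs ]; then
      echo "tee-mount: only type=tmpfs,source=tmpfs is allowed: $def" >&2; exit 1
    fi
  done
)

# Create the workload VM. The image and confidential-compute flags are the
# assumed ones from the general Confidential Space setup.
create_workload_vm() {
  gcloud compute instances create "$VM_NAME" \
    --zone="$ZONE" \
    --confidential-compute-type=SEV \
    --shielded-secure-boot \
    --maintenance-policy=TERMINATE \
    --scopes=cloud-platform \
    --image-project=confidential-space-images \
    --image-family=confidential-space \
    --service-account="$OPERATOR_SA" \
    --metadata="$1"
}

: "${VM_NAME:=workload-vm}"
: "${ZONE:=us-west1-b}"
: "${OPERATOR_SA:=workload-sa@WORKLOAD_OPERATOR_PROJECT_ID.iam.gserviceaccount.com}"

# tee-mount is where the "," vs "~" distinction matters: this one value has
# commas of its own and must reach the launcher as a single metadata entry.
MOUNTS='type=tmpfs,source=tmpfs,destination=/run/workload,size=65536'
validate_tee_mount "$MOUNTS"

METADATA=$(build_metadata \
  'tee-image-reference=us-docker.pkg.dev/WORKLOAD_AUTHOR_PROJECT_ID/REPOSITORY_NAME/WORKLOAD_CONTAINER_NAME:latest' \
  'tee-restart-policy=Always' \
  'tee-container-log-redirect=cloud_logging' \
  "tee-mount=$MOUNTS" \
  'tee-env-example-env-1=value-1')

echo "$METADATA"
if [ "${RUN_GCLOUD:-0}" = 1 ]; then
  create_workload_vm "$METADATA"
fi
```

Run it without RUN_GCLOUD to see the assembled metadata string; set RUN_GCLOUD=1 only after replacing the placeholders. Remember that tee-env-example-env-1 is only applied if the workload author listed example-env-1 in the allow_env_override launch policy, and that tee-restart-policy=Always is honored only by the production Confidential Space image.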
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-03 UTC.