You can change the Confidential Space workload VM behavior by passing variables
into the --metadata option when you create the VM.
To pass in multiple variables, first set the delimiter by prefixing the
--metadata value with ^~^. This sets the delimiter to ~, because the comma (,)
is used in variable values.
Sets environment variables in the workload container. The workload author
must also add the environment variable names to the allow_env_override
launch policy, or they won't be set.
Defaults to false. When set to true, enables memory usage monitoring. The
metrics collected by the Confidential VM are of the guest/memory/bytes_used
type, and can be viewed in Cloud Logging or Metrics Explorer.
A list of semicolon-separated mount definitions. A mount definition consists
of a comma-separated list of key-value pairs, requiring type, source, and
destination. destination must be an absolute path and type/source must be
tmpfs.
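The delimiter prefix and mount-definition format described above, as an added example that is not part of the original documentation: a pre-flight check that builds the --metadata value and rejects malformed mount definitions before the VM is created. The key names tee-env-LOG_LEVEL, tee-monitoring-memory-enable and tee-mount are the Confidential Space metadata keys for the three variables described above; the image reference is a placeholder and all sample values are constructed.

```python
import posixpath

DELIM = "~"  # delimiter selected by the ^~^ prefix


def parse_mounts(spec):
    """Validate a semicolon-separated list of mount definitions."""
    mounts = []
    for definition in spec.split(";"):
        pairs = {}
        for item in definition.split(","):
            key, sep, value = item.partition("=")
            if not sep or not key:
                raise ValueError(f"not a key=value pair: {item!r}")
            pairs[key] = value
        missing = {"type", "source", "destination"} - pairs.keys()
        if missing:
            raise ValueError(f"missing {sorted(missing)}: {definition!r}")
        if pairs["type"] != "tmpfs" or pairs["source"] != "tmpfs":
            raise ValueError(f"type and source must be tmpfs: {definition!r}")
        if not posixpath.isabs(pairs["destination"]):
            raise ValueError(f"destination not absolute: {definition!r}")
        mounts.append(pairs)
    return mounts


def build_metadata(variables):
    """Return one --metadata value: ^~^ prefix, then key=value joined by ~."""
    parts = []
    for key, value in variables.items():
        if DELIM in key or DELIM in value:
            raise ValueError(f"{key}: value contains the delimiter {DELIM!r}")
        if key == "tee-mount":
            parse_mounts(value)  # raises ValueError on a malformed definition
        parts.append(f"{key}={value}")
    return f"^{DELIM}^" + DELIM.join(parts)


# Constructed sample input; the image reference is a placeholder.
SAMPLE = {
    "tee-image-reference": "REGION-docker.pkg.dev/PROJECT/REPO/IMAGE:latest",
    "tee-env-LOG_LEVEL": "info",
    "tee-monitoring-memory-enable": "true",
    "tee-mount": "type=tmpfs,source=tmpfs,destination=/scratch;"
                 "type=tmpfs,source=tmpfs,destination=/cache",
}

if __name__ == "__main__":
    print("--metadata=" + build_metadata(SAMPLE))
```

Quote the resulting value on the gcloud command line, because the shell treats ; as a command separator.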
Last updated 2025-08-09 UTC.
You can modify the behavior of a Confidential Space workload VM by using the --metadata option and passing in specific variables during VM creation.
The tee-image-reference metadata key is required and it specifies the location of the workload container image.
The tee-cmd metadata key allows overriding the CMD instructions defined in the workload container's Dockerfile, while other variables allow environment variables, service accounts impersonation, memory monitoring and mount definitions to be modified.
The tee-container-log-redirect key controls the destination of the workload container's STDOUT and STDERR output, allowing it to be directed to the serial console, Cloud Logging, or both.
You can define the restart policy for the workload container using tee-restart-policy, with options such as Never, Always, or OnFailure, which dictates the container's behavior when it stops.