Importing and validating custom images into VPC
You can create your own custom image on premises and then import it to IBM Cloud® Virtual Private Cloud infrastructure from IBM Cloud® Object Storage. Then, you can use your custom image to create a new virtual server instance that runs on the KVM hypervisor. If you plan to use your custom image in a private catalog, you must first import the custom image into IBM Cloud VPC and validate it.
You can also create a custom image of a boot volume that is attached to a server at import time. For more information, see About creating an image from volume.
Prerequisites
To complete this task, you must have an instance of IBM Cloud® Object Storage available. You must also create an authorization so that the Image Service for VPC can access images in IBM Cloud Object Storage. For more information, see Granting access to IBM Cloud Object Storage to import and export images.
All custom images must meet the following requirements:
- Contain a single file or volume.
- Be in qcow2 or vhd format.
- Be cloud-init enabled or bootable by using ESXi kickstart.
- Size doesn't exceed 250 GB.
- The minimum size is 10 GB. For any image that is less than 10 GB, the size is rounded up to 10 GB.
Keep the following considerations in mind when you import a custom image:
- When you import a custom image, it's private to the account where you import it.
- The region where you choose to import the image is the region where you can create virtual servers from that image.
- For custom images with Red Hat Enterprise Linux® or Windows® operating systems, you must select the appropriate version of the operating system. Depending on how you configured the image, select either bring your own license
byol
, or if you plan to license the OS through IBM Cloud, select the version withoutbyol
appended.
For more information about custom images, see Getting started with custom images.
Importing a custom image by using the UI
When you have an image available in IBM Cloud Object Storage, you can import it to IBM Cloud VPC infrastructure by using the IBM Cloud console.
- Make sure that your compatible custom image is available in IBM Cloud Object Storage. To upload an image to IBM Cloud Object Storage, on the Objects page of your bucket, click Upload. You can use the Aspera high-speed transfer plug-in to upload images larger than 200 MB. For more information, see Creating a Linux custom image, Creating a Windows custom image, Bring your own license and Uploading data to IBM Cloud Object Storage.
- In IBM Cloud console, go to Menu icon > VPC Infrastructure > Compute > Images.
- On the Custom images tab, click Create.
- Complete the fields that are described in Table 1 and click Create Custom Image.
Field | Value |
---|---|
Location | Select the specific geographic area and region where you want your custom image to be available for provisioning. |
Name | A name is required for your custom image. |
Resource group | Select a resource group for the custom image. |
Tags | You can assign a label to this resource so that you can easily filter resources in your resource list. |
Source | Select Cloud Object Storage as the source. A list displays from which you select an IBM Cloud Object Storage service instance where the image that you want to import is stored. Do you need to create a custom image from a volume instead? Select the source for the custom image by choosing either Virtual server instance boot volume or Block storage boot volume. For more information, see Creating an image from a volume. |
Location | Select the specific geographic region where your image is stored. |
Bucket | Select the IBM Cloud Object Storage bucket where your image is stored. |
Name | Select the image file in the IBM Cloud Object Storage service instance that you want to import. If you are importing an encrypted image, the image must be encrypted with LUKS encryption by using QEMU and your own passphrase. For more information, see Encrypting the image. |
Operating System |
Select the operating system that is included in your image. For custom images with Red Hat Enterprise Linux or Windows operating systems, you can bring your own license (BYOL) or license through IBM Cloud. For Red Hat Enterprise Linux or Windows BYOL custom images, you must select the OS with If you configured your Red Hat Enterprise Linux or Windows custom image to license through IBM Cloud, you must select the non-BYOL operating system. For example, if you have a Windows 2019 custom image that you plan to license through IBM Cloud, select windows-2019-amd64 as the operating system when you import the custom image. For a custom image that uses a generic OS, select Notes:
|
Encryption | The default selection is Provider-managed. If you have not encrypted your image by using QEMU, use the default value, Provider-managed. If you are importing an image that you have encrypted by using QEMU and your own passphrase, select the key management service where your customer root key (CRK) that protects your passphrase is stored. Select either Key Protect or Hyper Protect Crypto Services. VHD format images are not supported for encryption. |
Encryption service instance | For an encrypted image, select the specific instance of the key management service where your CRK that wraps your encryption passphrase is stored. For more information, see Setting up your key management service and keys. |
Key name | Select the customer root key (CRK) that you used to wrap your encryption passphrase. For more information, see Setting up your key management service and keys. |
Wrapped data encryption key | For an encrypted image, specify the ciphertext that is associated with the wrapped data encryption key (WDEK). The WDEK is produced by wrapping the passphrase that you used to encrypt your image with your customer root key. For more information, see Setting up your key management service and keys. |
Manage image lifecycle (optional) | Select to schedule status changes for the image. You can schedule a single status change or schedule the complete lifecycle of the image. The image statuses are:
You can move back and forth between the three statuses. Only the statuses you can change to are displayed. You can schedule status changes by using calendar date and time or number of days. The obsolescence date must always be after the deprecation date. |
Importing a custom image by using the CLI
Make sure that your compatible custom image is available in IBM Cloud Object Storage. For more information, see Creating a Linux custom image, Creating a Windows custom image, Creating a generic operating system custom image, Bring your own license and Uploading data to IBM Cloud Object Storage.
When you have an image available in IBM Cloud Object Storage, you can import it to IBM Cloud VPC infrastructure by using the command-line interface (CLI).
To import a custom image by using the CLI, use the ibmcloud is image-create
command. Specify the name of the custom image to be created by using the IMAGE_NAME
variable. The name can't be used by another
image in the region and names that start with ibm-
are reserved for system-provided images. You must also specify the source; for example, specify the --file
option with the image file location. Specify the --os-name
option with the name of the operating system for the image.
ibmcloud is image-create IMAGE_NAME [--file IMAGE_FILE_LOCATION] [--os-name OPERATING_SYSTEM_NAME]
The following example creates a custom image with the name of my-ubuntu-16-amd64
. The image source location is cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2
. The operating system is ubuntu-16-amd64
.
ibmcloud is image-create my-ubuntu-16-amd64 --file cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2 --os-name ubuntu-16-amd64
For more information, see ibmcloud is image-create in the VPC CLI reference page.
Schedule custom image lifecycle status changes by using the CLI
When you import a custom image by using the command-line interface (CLI), you can also schedule the lifecycle status changes of an IBM Cloud VPC custom image at the same time by using options of the ibmcloud is image-create
command.
Specify the name of the custom image to be created by using the IMAGE_NAME
variable. The name can't be used by another image in the region and names that start with ibm-
are reserved for system-provided images. You
must also specify the source; for example, specify the --file
option with the image file location. Specify the --os-name
option with the name of the operating system for the image.
To schedule the deprecate-at
or obsolete-at
properties, specify a date in the ISO 8601 (YYYY-MM-DDThh:mm:ss+hh:mm
) date and time format.
YYYY
is the four-digit yearMM
is the two-digit monthDD
is the two-digit dayT
separates the date and time informationhh
is the two-digit hoursmm
is the two-digit minutes+hh:mm
or-hh:mm
is the Coordinated Universal Time time zone
Thus, the date of 30 September 2023 at 8:00 PM in the North American Central Standard time zone (CST) would be 2023-09-30T20:00:00-06:00
When you schedule the date and time, you can't use your current date and time or a future date and time. For example, if it is 8 AM on 12 June, then the scheduled date and time must be after 8 AM on 12 June. If you define both the deprecate-at
and obsolete-at
dates and times, the deprecate-at
date must be after the obsolete-at
date and time.
ibmcloud is image-create IMAGE_NAME [--file IMAGE_FILE_LOCATION] [--os-name OPERATING_SYSTEM_NAME] [--deprecate-at YYYY-MM-DDThh:mm:ss+hh:mm] [--obsolete-at YYYY-MM-DDThh:mm:ss+hh:mm]
The following example creates a custom image with the name of my-ubuntu-16-amd64
. The image source location is cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2
. The operating system is ubuntu-16-amd64
.
The image is scheduled to be deprecated on 2023-03-01T06:11:28+05:30
. The image is scheduled to be obsolete on 2023-12-31T06:11:28+05:30
.
ibmcloud is image-create my-ubuntu-16-amd64 --file cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2 --os-name ubuntu-16-amd64 --deprecate-at 2023-03-01T06:11:28+05:30 --obsolete-at 2023-12-31T06:11:28+05:30
For more information, see ibmcloud is image-create in the VPC CLI reference page.
Importing a custom image by using the API
Make sure that your compatible custom image is available in IBM Cloud Object Storage. For more information, see Creating a Linux custom image, Creating a Windows custom image, Creating a generic operating system custom image, Bring your own license, and Uploading data to IBM Cloud Object Storage.
When you have an image available in IBM Cloud Object Storage, you can import it to IBM Cloud VPC infrastructure by using the application programming interface (API).
To import a custom image by using the API, use Create an image.
The name
can't be used by another image in the region and names that start with ibm-
are reserved for system-provided images. Specify the file.href
subproperty with the location of the image. Specify the
operating_system.name
subproperty with the name of the image operating system.
Generic operating system custom images is a beta feature that is available for evaluation and testing purposes. The generic operating systems have family
of Generic
. Be sure to select the one with allow_user_image_creation
value of true
and the user_data_format
needed for your operating system to boot and initialize correctly. For more information, see User data format considerations.
The following example imports a custom image with the name of my-image
, source location of cos://us-south/my-bucket/my-image.qcow2
, and the operating system for the image is debian-9-amd64
.
curl -X POST "$vpc_api_endpoint/v1/images?version=2023-02-21&generation=2" -H "Authorization: Bearer $iam_token" -d '{
"name": "my-image",
"file": {
"href": "cos://us-south/my-bucket/my-image.qcow2"
},
"operating_system": {
"name": "debian-9-amd64"
}
}'
Schedule custom image lifecycle status changes by using the API
When you import a custom image by using the application programming interface (API), you can also schedule the lifecycle status changes of an IBM Cloud VPC custom image at the same time by using the Create an image command.
The name
can't be used by another image in the region and names that start with ibm-
are reserved for system-provided images. Specify the file.href
subproperty with the location of the image. Specify
the operating_system.name
subproperty with the name of the image operating system.
To schedule the deprecation_at
or obsolescence_at
properties, specify a date in the ISO 8601 (YYYY-MM-DDThh:mm:ss+hh:mm
) date and time format.
YYYY
is the four-digit yearMM
is the two-digit monthDD
is the two-digit dayT
separates the date and time informationhh
is the two-digit hoursmm
is the two-digit minutes+hh:mm
or-hh:mm
is the Coordinated Universal Time time zone
Thus, the date of 30 September 2023 at 8:00 PM in the North American Central Standard time zone (CST) would be 2023-09-30T20:00:00-06:00
When you schedule the date and time, you can't use your current date and time. For example, if it is 8 AM on 12 June, then the scheduled date and time must be after 8 AM on 12 June. If you define both the deprecation_at
and obsolescence_at
dates and times, the obsolescence_at
date must be after the deprecation_at
date and time.
The following example imports a custom image with the name of my-image
, source location of cos://us-south/my-bucket/my-image.qcow2
, and the operating system for the image is debian-9-amd64
. The image
is scheduled to be deprecated on 2023-03-01T06:11:28+05:30
. The image is scheduled to be obsolete on 2023-12-31T06:11:28+05:30
.
curl -X POST "$vpc_api_endpoint/v1/images?version=2023-02-21&generation=2" -H "Authorization: Bearer $iam_token" -d '{
"name": "my-image",
"file": {
"href": "cos://us-south/my-bucket/my-image.qcow2"
},
"operating_system": {
"name": "debian-9-amd64"
},
"deprecation_at": "2023-03-01T06:11:28+05:30",
"obsolescence_at": "2023-12-31T06:11:28+05:30"
}'
Schedule custom image lifecycle status changes by using Terraform
When you import a custom image by using Terraform, you can also schedule the lifecycle status changes of an IBM Cloud VPC custom image at the same time by using the Terraform resource command ibm_is_image.
The name
attribute can't be used by another image in the region and names that start with ibm-
are reserved for system-provided images.
To schedule the deprecation_at
or obsolescence_at
attributes, specify a date in the ISO 8601 (YYYY-MM-DDThh:mm:ss+hh:mm
) date and time format.
YYYY
is the four-digit yearMM
is the two-digit monthDD
is the two-digit dayT
separates the date and time informationhh
is the two-digit hoursmm
is the two-digit minutes+hh:mm
or-hh:mm
is the Coordinated Universal Time time zone
Thus, the date of 30 September 2023 at 8:00 PM in the North American Central Standard time zone (CST) would be 2023-09-30T20:00:00-06:00
When you schedule the date and time, you can't use your current date and time. For example, if it is 8:00 AM on 12 June, then the scheduled date and time must be after 8:00 AM on 12 June. If you define both the deprecation_at
and
obsolescence_at
dates and times, the obsolescence_at
date must be after the deprecation_at
date and time.
The following example imports a custom image with the name of example-image
, source location of cos://us-south/buckettesttest/livecd.ubuntu-cpc.azure.vhd
, and the operating system for the image is ubuntu-16-04-amd64
.
The image is scheduled to be deprecated on 2023-11-28T15:10:00.000Z
. The image is scheduled to be obsolete on 2023-11-28T15:10:00.000Z
.
-
Schedule a status change to
deprecated
.resource "ibm_is_image" "example" { name = "example-image" href = "cos://us-south/buckettesttest/livecd.ubuntu-cpc.azure.vhd" operating_system = "ubuntu-16-04-amd64" deprecated_at = "2023-11-28T15:10:00.000Z" }
-
Schedule a status change to
obsolete
.resource "ibm_is_image" "example" { name = "example-image" href = "cos://us-south/buckettesttest/livecd.ubuntu-cpc.azure.vhd" operating_system = "ubuntu-16-04-amd64" obsolescence_at = "2023-11-28T15:10:00.000Z" }
Validating an imported custom image by using the UI
After you import a custom image, you can view the checksum that was generated for the image when it is imported to IBM Cloud VPC.
If you generate a checksum locally for your image before you import it, you can compare the two checksums to make sure that they are identical. Matching checksums indicate that the image is unaltered.
-
In IBM Cloud console, go to Menu icon > VPC Infrastructure > Compute > Images.
-
On the Custom images tab, from your list of custom images, click the name of the custom image that you want to validate.
-
In the image details side panel, locate the Checksum (SHA256) field. You see content similar to, 6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7.
For z/OS Wazi aaS custom image only: You cannot validate the checksum of the imported custom images that are deployed from Wazi Image Builder.
-
Compare the Checksum (SHA256) value to the output that is generated when you calculate a checksum for the image locally.
- Example Linux command:
sha256sum ubuntu_image.qcow2
- Example Mac command:
shasum -a 256 ubuntu_image.qcow2
- You receive output similar to:
6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7
- Example Linux command:
-
Create a virtual server instance or a bare metal server by using this image. For more information, see Create a virtual server instance or Creating Bare Metal Servers on VPC.
Validating an imported custom image by using the CLI
After you import a custom image, you can view the checksum that was generated for the image when it is imported to IBM Cloud VPC.
If you generate a checksum locally for your image before you import it, you can compare the two checksums to make sure that they are identical. Matching checksums indicate that the image is unaltered.
To validate an imported custom image by using the CLI, use the ibmcloud is image
command.
First, view the details of the imported custom image you want to validate. Specify the name or ID of the custom image to be created by using the IMAGE
variable.
ibmcloud is image IMAGE
For more information, see ibmcloud is imagein the VPC CLI reference page.
The following example views the details of a custom image with the ID of r134-1d1e92e9-6550-4d06-8483-d674310045fd
.
ibmcloud is image r134-1d1e92e9-6550-4d06-8483-d674310045fd
Getting image r134-1d1e92e9-6550-4d06-8483-d674310045fd under account Rios IMSLess as user gbgrout@ibm.com...
ID r134-589548bd-9241-4ad7-a610-1df6ba020793
Name my-image-from-volume-cli-1
CRN crn:v1:staging:public:is:us-south:a/efe5afc483594adaa8325e2b4d1290df::image:r134-589548bd-9241-4ad7-a610-1df6ba020793
Status available
Operating system Name Architecture Vendor Version Dedicated host only
centos-7-amd64 amd64 CentOS 7.x - Minimal Install false
Source volume ID Name
r134-6438d80f-4433-4445-be2f-0cca05afff3e transpose-clubhouse-putt-repent
Created 2023-03-16T01:11:03+05:30
Deprecation Date 2023-03-01T06:11:28+05:30
Obsolescence Date 2023-12-31T06:11:28+05:30
Visibility private
Owner type user
Minimum provisioned size(GB) 250
SHA256 Checksum 774d44ac0d55f2bfe869b995565715e5d9970ec23ce7127b2e2776b2618a9f7c
File size(GB) 2
Encryption none
Resource group 11caaa983d9c4beb82690daab08717e9
Resource type image
Catalog Offering Managed false
Compare the returned Checksum (SHA256) value to the output that is generated when you calculate a checksum for the image locally.
- Example Linux command:
sha256sum ubuntu_image.qcow2
- Example Mac command:
shasum -a 256 ubuntu_image.qcow2
- You receive output similar to:
6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7
After you validate the Checksum (SHA256), use the image to create a virtual server. See Creating a virtual server instance by using the CLI.
Validating an imported custom image by using the API
After you import a custom image, you can view the checksum that was generated for the image when it is imported to IBM Cloud VPC.
If you generate a checksum locally for your image before you import it, you can compare the two checksums to make sure that they are identical. Matching checksums indicate that the image is unaltered.
To validate as custom image by using the API, use List all images.
For the $image_id
, specify the ID of the custom image you want to validate.
curl -X GET "$vpc_api_endpoint/v1/images/$image_id/?version=2023-02-21&generation=2" -H "Authorization: Bearer $iam_token"
Compare the returned Checksum (SHA256) value to the output that is generated when you calculate a checksum for the image locally.
- Example Linux command:
sha256sum ubuntu_image.qcow2
- Example Mac command:
shasum -a 256 ubuntu_image.qcow2
- You receive output similar to:
6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7
After you validate the Checksum (SHA256), use the image to create a virtual server. See Creating a virtual server instance by using the API.
Next steps
After you validate the custom images, you can deploy and manage your custom images. For more information, see Managing custom images.
If you plan to manage your custom images with a private catalog, see Onboarding a virtual server image for VPC. If you plan to publish your images through the Global Catalog and bill users by using a software plan, see Onboarding a virtual server for VPC with a plan.