IBM Cloud Docs
Importing and validating custom images into VPC

Importing and validating custom images into VPC

You can create your own custom image on premises and then import it to IBM Cloud® Virtual Private Cloud infrastructure from IBM Cloud® Object Storage. Then, you can use your custom image to create a new virtual server instance that runs on the KVM hypervisor. If you plan to use your custom image in a private catalog, you must first import the custom image into IBM Cloud VPC and validate it.

You can also create a custom image of a boot volume that is attached to a server at import time. For more information, see About creating an image from volume.

Prerequisites

To complete this task, you must have an instance of IBM Cloud® Object Storage available. You must also create an authorization so that the Image Service for VPC can access images in IBM Cloud Object Storage. For more information, see Granting access to IBM Cloud Object Storage to import and export images.

All custom images must meet the following requirements:

  • Contain a single file or volume.
  • Be in qcow2 or vhd format.
  • Be cloud-init enabled or bootable by using ESXi kickstart.
  • Size doesn't exceed 250 GB.
  • The minimum size is 10 GB. For any image that is less than 10 GB, the size is rounded up to 10 GB.

Keep the following considerations in mind when you import a custom image:

  • When you import a custom image, it's private to the account where you import it.
  • The region where you choose to import the image is the region where you can create virtual servers from that image.
  • For custom images with Red Hat Enterprise Linux® or Windows® operating systems, you must select the appropriate version of the operating system. Depending on how you configured the image, select either bring your own license byol, or if you plan to license the OS through IBM Cloud, select the version without byol appended.

For more information about custom images, see Getting started with custom images.

Importing a custom image by using the UI

When you have an image available in IBM Cloud Object Storage, you can import it to IBM Cloud VPC infrastructure by using the IBM Cloud console.

  1. Make sure that your compatible custom image is available in IBM Cloud Object Storage. To upload an image to IBM Cloud Object Storage, on the Objects page of your bucket, click Upload. You can use the Aspera high-speed transfer plug-in to upload images larger than 200 MB. For more information, see Creating a Linux custom image, Creating a Windows custom image, Bring your own license and Uploading data to IBM Cloud Object Storage.
  2. In IBM Cloud console, go to Menu icon Menu icon > VPC Infrastructure > Compute > Images.
  3. On the Custom images tab, click Create.
  4. Complete the fields that are described in Table 1 and click Create Custom Image.
Import custom image user interface fields
Field Value
Location Select the specific geographic area and region where you want your custom image to be available for provisioning.
Name A name is required for your custom image.
Resource group Select a resource group for the custom image.
Tags You can assign a label to this resource so that you can easily filter resources in your resource list.
Source Select Cloud Object Storage as the source. A list displays from which you select an IBM Cloud Object Storage service instance where the image that you want to import is stored.
Do you need to create a custom image from a volume instead? Select the source for the custom image by choosing either Virtual server instance boot volume or Block storage boot volume. For more information, see Creating an image from a volume.
Location Select the specific geographic region where your image is stored.
Bucket Select the IBM Cloud Object Storage bucket where your image is stored.
Name Select the image file in the IBM Cloud Object Storage service instance that you want to import. If you are importing an encrypted image, the image must be encrypted with LUKS encryption by using QEMU and your own passphrase. For more information, see Encrypting the image.
Operating System

Select the operating system that is included in your image.

For custom images with Red Hat Enterprise Linux or Windows operating systems, you can bring your own license (BYOL) or license through IBM Cloud.

For Red Hat Enterprise Linux or Windows BYOL custom images, you must select the OS with -byol appended to the name. For example, if you have a Windows 2019 BYOL custom image, select windows-2019-amd64-byol for the operating system. Failure to select the -byol version of the operating system when you import a BYOL custom image might result in a virtual server that is unable to start.

If you configured your Red Hat Enterprise Linux or Windows custom image to license through IBM Cloud, you must select the non-BYOL operating system. For example, if you have a Windows 2019 custom image that you plan to license through IBM Cloud, select windows-2019-amd64 as the operating system when you import the custom image.

For a custom image that uses a generic OS, select Generic and then select the appropriate version.

Notes:

  • For a custom image using an operating system not listed in IBM Cloud VPC, you must create a custom image that uses a generic OS. For more information, see Creating a generic operating system custom image.

  • Select the ESXi kickstart version if your image requires that technology to boot and initialize. However, this option is only available for bare metal servers.

Encryption The default selection is Provider-managed. If you have not encrypted your image by using QEMU, use the default value, Provider-managed. If you are importing an image that you have encrypted by using QEMU and your own passphrase, select the key management service where your customer root key (CRK) that protects your passphrase is stored. Select either Key Protect or Hyper Protect Crypto Services. VHD format images are not supported for encryption.
Encryption service instance For an encrypted image, select the specific instance of the key management service where your CRK that wraps your encryption passphrase is stored. For more information, see Setting up your key management service and keys.
Key name Select the customer root key (CRK) that you used to wrap your encryption passphrase. For more information, see Setting up your key management service and keys.
Wrapped data encryption key For an encrypted image, specify the ciphertext that is associated with the wrapped data encryption key (WDEK). The WDEK is produced by wrapping the passphrase that you used to encrypt your image with your customer root key. For more information, see Setting up your key management service and keys.
Manage image lifecycle (optional) Select to schedule status changes for the image. You can schedule a single status change or schedule the complete lifecycle of the image. The image statuses are:

  • available: The image can be used to create an instance.

  • deprecated: The image is still available to use to provision an instance. Using the deprecated status can discourage use of the image before the status changes to obsolete.

  • obsolete: The image is not available to use to provision an instance.

  • Schedule complete lifecycle: You can schedule both the deprecated and obsolete status changes at the same time.

You can move back and forth between the three statuses. Only the statuses you can change to are displayed. You can schedule status changes by using calendar date and time or number of days. The obsolescence date must always be after the deprecation date.

Importing a custom image by using the CLI

Make sure that your compatible custom image is available in IBM Cloud Object Storage. For more information, see Creating a Linux custom image, Creating a Windows custom image, Creating a generic operating system custom image, Bring your own license and Uploading data to IBM Cloud Object Storage.

When you have an image available in IBM Cloud Object Storage, you can import it to IBM Cloud VPC infrastructure by using the command-line interface (CLI).

To import a custom image by using the CLI, use the ibmcloud is image-create command. Specify the name of the custom image to be created by using the IMAGE_NAME variable. The name can't be used by another image in the region and names that start with ibm- are reserved for system-provided images. You must also specify the source; for example, specify the --file option with the image file location. Specify the --os-name option with the name of the operating system for the image.

ibmcloud is image-create IMAGE_NAME [--file IMAGE_FILE_LOCATION] [--os-name OPERATING_SYSTEM_NAME]

The following example creates a custom image with the name of my-ubuntu-16-amd64. The image source location is cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2. The operating system is ubuntu-16-amd64.

ibmcloud is image-create my-ubuntu-16-amd64 --file cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2 --os-name ubuntu-16-amd64

For more information, see ibmcloud is image-create in the VPC CLI reference page.

Schedule custom image lifecycle status changes by using the CLI

When you import a custom image by using the command-line interface (CLI), you can also schedule the lifecycle status changes of an IBM Cloud VPC custom image at the same time by using options of the ibmcloud is image-create command.

Specify the name of the custom image to be created by using the IMAGE_NAME variable. The name can't be used by another image in the region and names that start with ibm- are reserved for system-provided images. You must also specify the source; for example, specify the --file option with the image file location. Specify the --os-name option with the name of the operating system for the image.

To schedule the deprecate-at or obsolete-at properties, specify a date in the ISO 8601 (YYYY-MM-DDThh:mm:ss+hh:mm) date and time format.

  • YYYY is the four-digit year
  • MM is the two-digit month
  • DD is the two-digit day
  • T separates the date and time information
  • hh is the two-digit hours
  • mm is the two-digit minutes
  • +hh:mm or -hh:mm is the Coordinated Universal Time time zone

Thus, the date of 30 September 2023 at 8:00 PM in the North American Central Standard time zone (CST) would be 2023-09-30T20:00:00-06:00

When you schedule the date and time, you can't use your current date and time or a future date and time. For example, if it is 8 AM on 12 June, then the scheduled date and time must be after 8 AM on 12 June. If you define both the deprecate-at and obsolete-at dates and times, the deprecate-at date must be after the obsolete-at date and time.

ibmcloud is image-create IMAGE_NAME [--file IMAGE_FILE_LOCATION] [--os-name OPERATING_SYSTEM_NAME] [--deprecate-at YYYY-MM-DDThh:mm:ss+hh:mm] [--obsolete-at YYYY-MM-DDThh:mm:ss+hh:mm]

The following example creates a custom image with the name of my-ubuntu-16-amd64. The image source location is cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2. The operating system is ubuntu-16-amd64. The image is scheduled to be deprecated on 2023-03-01T06:11:28+05:30. The image is scheduled to be obsolete on 2023-12-31T06:11:28+05:30.

ibmcloud is image-create my-ubuntu-16-amd64 --file cos://us-south/custom-image-vpc-bucket/customImage-0.qcow2 --os-name ubuntu-16-amd64 --deprecate-at 2023-03-01T06:11:28+05:30 --obsolete-at 2023-12-31T06:11:28+05:30

For more information, see ibmcloud is image-create in the VPC CLI reference page.

Importing a custom image by using the API

Make sure that your compatible custom image is available in IBM Cloud Object Storage. For more information, see Creating a Linux custom image, Creating a Windows custom image, Creating a generic operating system custom image, Bring your own license, and Uploading data to IBM Cloud Object Storage.

When you have an image available in IBM Cloud Object Storage, you can import it to IBM Cloud VPC infrastructure by using the application programming interface (API).

To import a custom image by using the API, use Create an image.

The name can't be used by another image in the region and names that start with ibm- are reserved for system-provided images. Specify the file.href subproperty with the location of the image. Specify the operating_system.name subproperty with the name of the image operating system.

Generic operating system custom images is a beta feature that is available for evaluation and testing purposes. The generic operating systems have family of Generic. Be sure to select the one with allow_user_image_creation value of true and the user_data_format needed for your operating system to boot and initialize correctly. For more information, see User data format considerations.

The following example imports a custom image with the name of my-image, source location of cos://us-south/my-bucket/my-image.qcow2, and the operating system for the image is debian-9-amd64.

curl -X POST "$vpc_api_endpoint/v1/images?version=2023-02-21&generation=2" -H "Authorization: Bearer $iam_token" -d '{
      "name": "my-image",
      "file": {
        "href": "cos://us-south/my-bucket/my-image.qcow2"
      },
      "operating_system": {
        "name": "debian-9-amd64"
      }
    }'

Schedule custom image lifecycle status changes by using the API

When you import a custom image by using the application programming interface (API), you can also schedule the lifecycle status changes of an IBM Cloud VPC custom image at the same time by using the Create an image command.

The name can't be used by another image in the region and names that start with ibm- are reserved for system-provided images. Specify the file.href subproperty with the location of the image. Specify the operating_system.name subproperty with the name of the image operating system.

To schedule the deprecation_at or obsolescence_at properties, specify a date in the ISO 8601 (YYYY-MM-DDThh:mm:ss+hh:mm) date and time format.

  • YYYY is the four-digit year
  • MM is the two-digit month
  • DD is the two-digit day
  • T separates the date and time information
  • hh is the two-digit hours
  • mm is the two-digit minutes
  • +hh:mm or -hh:mm is the Coordinated Universal Time time zone

Thus, the date of 30 September 2023 at 8:00 PM in the North American Central Standard time zone (CST) would be 2023-09-30T20:00:00-06:00

When you schedule the date and time, you can't use your current date and time. For example, if it is 8 AM on 12 June, then the scheduled date and time must be after 8 AM on 12 June. If you define both the deprecation_at and obsolescence_at dates and times, the obsolescence_at date must be after the deprecation_at date and time.

The following example imports a custom image with the name of my-image, source location of cos://us-south/my-bucket/my-image.qcow2, and the operating system for the image is debian-9-amd64. The image is scheduled to be deprecated on 2023-03-01T06:11:28+05:30. The image is scheduled to be obsolete on 2023-12-31T06:11:28+05:30.

curl -X POST "$vpc_api_endpoint/v1/images?version=2023-02-21&generation=2" -H "Authorization: Bearer $iam_token" -d '{
      "name": "my-image",
      "file": {
        "href": "cos://us-south/my-bucket/my-image.qcow2"
      },
      "operating_system": {
        "name": "debian-9-amd64"
      },
      "deprecation_at": "2023-03-01T06:11:28+05:30",
      "obsolescence_at": "2023-12-31T06:11:28+05:30"
    }'

Schedule custom image lifecycle status changes by using Terraform

When you import a custom image by using Terraform, you can also schedule the lifecycle status changes of an IBM Cloud VPC custom image at the same time by using the Terraform resource command ibm_is_image.

The name attribute can't be used by another image in the region and names that start with ibm- are reserved for system-provided images.

To schedule the deprecation_at or obsolescence_at attributes, specify a date in the ISO 8601 (YYYY-MM-DDThh:mm:ss+hh:mm) date and time format.

  • YYYY is the four-digit year
  • MM is the two-digit month
  • DD is the two-digit day
  • T separates the date and time information
  • hh is the two-digit hours
  • mm is the two-digit minutes
  • +hh:mm or -hh:mm is the Coordinated Universal Time time zone

Thus, the date of 30 September 2023 at 8:00 PM in the North American Central Standard time zone (CST) would be 2023-09-30T20:00:00-06:00

When you schedule the date and time, you can't use your current date and time. For example, if it is 8:00 AM on 12 June, then the scheduled date and time must be after 8:00 AM on 12 June. If you define both the deprecation_at and obsolescence_at dates and times, the obsolescence_at date must be after the deprecation_at date and time.

The following example imports a custom image with the name of example-image, source location of cos://us-south/buckettesttest/livecd.ubuntu-cpc.azure.vhd, and the operating system for the image is ubuntu-16-04-amd64. The image is scheduled to be deprecated on 2023-11-28T15:10:00.000Z. The image is scheduled to be obsolete on 2023-11-28T15:10:00.000Z.

  • Schedule a status change to deprecated.

    resource "ibm_is_image" "example" {
      name               = "example-image"
      href               = "cos://us-south/buckettesttest/livecd.ubuntu-cpc.azure.vhd"
      operating_system   = "ubuntu-16-04-amd64"
      deprecated_at      = "2023-11-28T15:10:00.000Z"
    }
    
  • Schedule a status change to obsolete.

    resource "ibm_is_image" "example" {
      name               = "example-image"
      href               = "cos://us-south/buckettesttest/livecd.ubuntu-cpc.azure.vhd"
      operating_system   = "ubuntu-16-04-amd64"
      obsolescence_at    = "2023-11-28T15:10:00.000Z"
    }
    

Validating an imported custom image by using the UI

After you import a custom image, you can view the checksum that was generated for the image when it is imported to IBM Cloud VPC.

If you generate a checksum locally for your image before you import it, you can compare the two checksums to make sure that they are identical. Matching checksums indicate that the image is unaltered.

  1. In IBM Cloud console, go to Menu icon Menu icon > VPC Infrastructure > Compute > Images.

  2. On the Custom images tab, from your list of custom images, click the name of the custom image that you want to validate.

  3. In the image details side panel, locate the Checksum (SHA256) field. You see content similar to, 6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7.

    For z/OS Wazi aaS custom image only: You cannot validate the checksum of the imported custom images that are deployed from Wazi Image Builder.

  4. Compare the Checksum (SHA256) value to the output that is generated when you calculate a checksum for the image locally.

    • Example Linux command: sha256sum ubuntu_image.qcow2
    • Example Mac command: shasum -a 256 ubuntu_image.qcow2
    • You receive output similar to: 6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7
  5. Create a virtual server instance or a bare metal server by using this image. For more information, see Create a virtual server instance or Creating Bare Metal Servers on VPC.

Validating an imported custom image by using the CLI

After you import a custom image, you can view the checksum that was generated for the image when it is imported to IBM Cloud VPC.

If you generate a checksum locally for your image before you import it, you can compare the two checksums to make sure that they are identical. Matching checksums indicate that the image is unaltered.

To validate an imported custom image by using the CLI, use the ibmcloud is image command.

First, view the details of the imported custom image you want to validate. Specify the name or ID of the custom image to be created by using the IMAGE variable.

ibmcloud is image IMAGE

For more information, see ibmcloud is imagein the VPC CLI reference page.

The following example views the details of a custom image with the ID of r134-1d1e92e9-6550-4d06-8483-d674310045fd.

ibmcloud is image r134-1d1e92e9-6550-4d06-8483-d674310045fd
Getting image r134-1d1e92e9-6550-4d06-8483-d674310045fd under account Rios IMSLess as user gbgrout@ibm.com...

ID                             r134-589548bd-9241-4ad7-a610-1df6ba020793
Name                           my-image-from-volume-cli-1
CRN                            crn:v1:staging:public:is:us-south:a/efe5afc483594adaa8325e2b4d1290df::image:r134-589548bd-9241-4ad7-a610-1df6ba020793
Status                         available
Operating system               Name             Architecture   Vendor   Version                 Dedicated host only
                               centos-7-amd64   amd64          CentOS   7.x - Minimal Install   false

Source volume                  ID                                          Name
                               r134-6438d80f-4433-4445-be2f-0cca05afff3e   transpose-clubhouse-putt-repent

Created                        2023-03-16T01:11:03+05:30
Deprecation Date               2023-03-01T06:11:28+05:30
Obsolescence Date              2023-12-31T06:11:28+05:30
Visibility                     private
Owner type                     user
Minimum provisioned size(GB)   250
SHA256 Checksum                774d44ac0d55f2bfe869b995565715e5d9970ec23ce7127b2e2776b2618a9f7c
File size(GB)                  2
Encryption                     none
Resource group                 11caaa983d9c4beb82690daab08717e9
Resource type                  image
Catalog Offering Managed       false

Compare the returned Checksum (SHA256) value to the output that is generated when you calculate a checksum for the image locally.

  • Example Linux command: sha256sum ubuntu_image.qcow2
  • Example Mac command: shasum -a 256 ubuntu_image.qcow2
  • You receive output similar to: 6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7

After you validate the Checksum (SHA256), use the image to create a virtual server. See Creating a virtual server instance by using the CLI.

Validating an imported custom image by using the API

After you import a custom image, you can view the checksum that was generated for the image when it is imported to IBM Cloud VPC.

If you generate a checksum locally for your image before you import it, you can compare the two checksums to make sure that they are identical. Matching checksums indicate that the image is unaltered.

To validate as custom image by using the API, use List all images.

For the $image_id, specify the ID of the custom image you want to validate.

curl -X GET "$vpc_api_endpoint/v1/images/$image_id/?version=2023-02-21&generation=2" -H "Authorization: Bearer $iam_token"

Compare the returned Checksum (SHA256) value to the output that is generated when you calculate a checksum for the image locally.

  • Example Linux command: sha256sum ubuntu_image.qcow2
  • Example Mac command: shasum -a 256 ubuntu_image.qcow2
  • You receive output similar to: 6809606da67eb83670e6249e54e94043eb43c0471669fb96ea4050c4c07e2df7

After you validate the Checksum (SHA256), use the image to create a virtual server. See Creating a virtual server instance by using the API.

Next steps

After you validate the custom images, you can deploy and manage your custom images. For more information, see Managing custom images.

If you plan to manage your custom images with a private catalog, see Onboarding a virtual server image for VPC. If you plan to publish your images through the Global Catalog and bill users by using a software plan, see Onboarding a virtual server for VPC with a plan.