You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: examples/secure-boot/README.md
+29Lines changed: 29 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -38,6 +38,35 @@ SC by ensuring that the underlying infrastructure is secure and
38
38
trusted. This helps to strengthen the overall security posture of
39
39
Google Cloud Platform environments and protect sensitive data.
40
40
41
+
## Development Workflow for Customization Scripts
42
+
43
+
When developing a new customization script (like `install_gpu_driver.sh` or others in this directory) to be used with the custom image build process, the following workflow is recommended:
44
+
45
+
1.**Manual Execution on a Live Cluster Node:**
46
+
* Create a standard Dataproc cluster matching the target OS version (e.g., 2.2-debian12).
47
+
* SSH into a node (e.g., the master node).
48
+
* Copy your script to the node (e.g., using `gcloud compute scp your-script.sh node-name:/tmp/`).
49
+
* Get a clean root shell: `exec sudo -i bash`
50
+
* Run the script with tracing and timing: `time bash -x /tmp/your-script.sh`.
51
+
* Debug and refine the script in this environment. This allows for rapid iteration, and the `time` command helps identify performance bottlenecks. Add idempotency checks to your script to allow for faster re-runs during debugging.
52
+
53
+
2.**Test as an Init Action on Cluster Creation:**
54
+
* Once the script runs cleanly when executed manually as root, test it as an initialization action during cluster creation.
55
+
* Upload the script to a GCS bucket.
56
+
* Create a new cluster using `gcloud dataproc clusters create --initialization-actions gs://your-bucket/your-script.sh ...`.
57
+
* This verifies the script works correctly within the Dataproc cluster startup sequence and with the permissions of the init action environment.
58
+
59
+
3.**Test as a Custom Image Customization Script:**
60
+
* Use the `temp/create-custom-image-test-host-X.X.sh` scripts (e.g., `create-custom-image-test-host-2.2.sh`) to create a single builder VM mimicking the custom image creation environment for the target OS.
61
+
* This will run your script via the `startup_script/run.sh` wrapper, just like the real image build process.
62
+
* SSH to the debug instance (e.g., `debug-deb12-build`) to check logs and behavior. The relevant logs will be in `/tmp` on the instance.
63
+
64
+
4.**Full Custom Image Build:**
65
+
* Once the script works in the single debug instance, run the full build process using `examples/secure-boot/build-and-run-podman.sh` (ensure it's set to run `examples/secure-boot/build-current-images.sh`).
66
+
* This will build all image variants and purposes defined in `pre-init.sh` and its screenrc.
67
+
68
+
This staged approach helps isolate issues, starting from manual execution and progressively moving closer to the automated custom image build process.
69
+
41
70
## Examples
42
71
43
72
To create a custom image with a self-signed, trusted certificate
0 commit comments