Please note that the contents of this offline web site may be out of date. To access the most recent documentation visit the online version .
Note that links that point to online resources are green in color and will open in a new window.
We would love it if you could give us feedback about this material by filling this form (You have to be online to fill it)



Accessing VMs

Google-managed VMs and User-managed VMs

When you deploy your app to a Managed VM hosting environment, root access to the underlying VMs is disabled by default. The VMs are Google-managed , or locked . This ensures that the fleet of compute is homogenous and manageable. Root access can be enabled per-VM by members of the project. When root access is enabled, a VM is User-managed , or unlocked .

When a VM is unlocked, these Google-managed services are disabled:

  • Instance health checking and healing
  • Automatic rollout of OS updates and security patches

An unlocked VM will still be part of the load balancer pool, and will receive external requests.

You can lock and unlock a VM from the Cloud Console.

You can use the SDK's debug command to unlock all the VMs for a particular module and version.

Whenever you switch VM management, a "VM instance locked/unlocked" event appears in the admin console and the event will be logged in the VM's /var/log/syslog.log file.

Changing management with the Cloud Console

Use the Cloud Console to switch management of a single instance of a module:

  • Go to the Cloud Console, select your project
  • Go to the App Engine section and select the Instances page
  • Select a module and one of its instances
  • Choose User-managed or Google-managed from the pulldown menu

When you switch to User-managed, a new tab will open in your browser, running a terminal shell that is ssh-ed into the VM.

When you switch to Google-managed, the VM will be stopped and a new instance of your app will be started, running on a clean, new VM.

Changing management with the debug command

The debug command can only be used to unlock VMs. To switch back to Google-managed VMs you must use the Cloud Console or redeploy the module using the update command. This command unlocks all the VMs that are running a particular version of a module.

The debug command has three optional flags:

-A <application-name> The application name
-M <module-name> The module name
-V <version-name> The version name


Note that the --oauth2 flag cannot be used with the debug command and managed VMs.

Python

To unlock all instances of the default module, specify the project's root directory: 

<python_sdk_path>/appcfg.py -s preview.appengine.google.com debug <project-directory>

Alternatively, you could use the -A and -V flags to unlock all instances of a specific version of the default module: 

<python_sdk_path>/appcfg.py -s preview.appengine.google.com  -A <app> -V <version> debug

To unlock instances of any module/version, use the -A, -M, and -V flags to name it explicitly: 

<python_sdk_path>/appcfg.py -s preview.appengine.google.com  -A <app> -M <module-name> -V <version> debug

Go

To unlock all instances of the default module, specify the project's root directory: 
<go_sdk_path>/appcfg.py -s preview.appengine.google.com debug <project-directory>

Alternatively, you could use the -A and -V flags to unlock all instances of a specific version of the default module: 

<go_sdk_path>/appcfg.py -s preview.appengine.google.com  -A <app> -V <version> debug

To unlock instances of any module/version, use the -A, -M, and -V flags to name it explicitly: 

<go_sdk_path>/appcfg.py -s preview.appengine.google.com  -A <app> -M <module-name> -V <version> debug

Java

To unlock all instances of a Java module, specify the war directory that defines the module: 
<java_sdk_path>/appcfg.sh -s preview.appengine.google.com debug <war-dir>

You can also use the -A, -M, and -V flags along with the war directory. In this case, each flag value overrides the corresponding parameter in the file: 

<java_sdk_path>/appcfg.sh -s preview.appengine.google.com  -A <app> -V <version> debug <war-dir>

Working with User-managed VMs

Once a VM is unlocked, you can connect to it via SSH . You can also use the gcloud compute ssh tool or another third party SSH client.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License , and code samples are licensed under the Apache 2.0 License . For details, see our Site Policies .

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.