Google-managed VMs and User-managed VMs
When you deploy your app to a Managed VM hosting environment, root access to the underlying VMs is disabled by default. The VMs are Google-managed , or locked . This ensures that the fleet of compute is homogenous and manageable. Root access can be enabled per-VM by members of the project. When root access is enabled, a VM is User-managed , or unlocked .
When a VM is unlocked, these Google-managed services are disabled:
- Instance health checking and healing
- Automatic rollout of OS updates and security patches
An unlocked VM will still be part of the load balancer pool, and will receive external requests.
You can lock and unlock a VM from the Cloud Console.
You can use the SDK's
debug
command to unlock all the VMs for a particular module and version.
Whenever you switch VM management, a "VM instance locked/unlocked" event appears in the admin console and the event will be logged in the VM's /var/log/syslog.log file.
Changing management with the Cloud Console
Use the Cloud Console to switch management of a single instance of a module:
- Go to the Cloud Console, select your project
- Go to the App Engine section and select the Instances page
- Select a module and one of its instances
- Choose User-managed or Google-managed from the pulldown menu
When you switch to User-managed, a new tab will open in your browser, running a terminal shell that is ssh-ed into the VM.
When you switch to Google-managed, the VM will be stopped and a new instance of your app will be started, running on a clean, new VM.
Changing management with the debug command
The
debug
command can only be used to unlock VMs. To switch back to
Google-managed VMs you must use the Cloud Console or redeploy the module using
the
update
command. This command unlocks
all
the VMs that are running a
particular version of a module.
The debug command has three optional flags:
-A <application-name>
The application name
-M <module-name>
The module name
-V <version-name>
The version name
Note that the
--oauth2
flag cannot be used with the debug command and managed VMs.
Python
To unlock all instances of the default module, specify the project's root directory:<python_sdk_path>/appcfg.py -s preview.appengine.google.com debug <project-directory>
Alternatively, you could use the -A and -V flags to unlock all instances of a specific version of the default module:
<python_sdk_path>/appcfg.py -s preview.appengine.google.com -A <app> -V <version> debug
To unlock instances of any module/version, use the -A, -M, and -V flags to name it explicitly:
<python_sdk_path>/appcfg.py -s preview.appengine.google.com -A <app> -M <module-name> -V <version> debug