
Documentation-Ubuntu-Com-Gcp-En-Latest - June 30 2025

Ubuntu on Google Cloud Platform (GCP) provides customized Ubuntu images optimized for cloud deployment, featuring faster boot times and GCP-specific drivers. These images support a variety of users, from individual developers to large enterprises, and include security-certified options for regulated industries. The documentation includes how-to guides for launching instances, creating golden images, and utilizing Ubuntu Pro features on GCP.


Ubuntu on GCP

Canonical Ltd.

Jun 30, 2025


CONTENTS

1 In this documentation

2 Project and community
2.1 How-to guides
2.2 Explanation


Ubuntu on Google Cloud Platform (GCP) is a set of customized Ubuntu images that allow easy access to a wide
range of products and services - offered by both Google Cloud and Canonical. These images have an optimized kernel
that boots faster, has a smaller footprint and includes GCP-specific drivers.
These images provide a foundation for deploying cloud-based software solutions, specifically for software built on
Ubuntu and running on Google Cloud. They focus on providing the optimal tools and features needed to run specific
workloads.
The images create a stable and secure cloud platform that is ideal for scaling development work done on Ubuntu-based
systems. Since Ubuntu is one of the most favored operating systems among developers, using an Ubuntu-based
image for the corresponding cloud deployment becomes the simplest option.
Everyone from individual developers to large enterprises uses these images for developing and deploying their
software. For highly regulated industries in the government, medical and finance sectors, various security-certified
images are also available.

CHAPTER

ONE

IN THIS DOCUMENTATION

How-to guides
Step-by-step guides covering key operations and common tasks related to using Ubuntu images on GCE.
Explanation
Discussion and clarification of key topics, such as security features, Google’s ‘guest agents’ on Ubuntu and our image
retention policy.



CHAPTER

TWO

PROJECT AND COMMUNITY

Ubuntu on GCP is a member of the Ubuntu family and the project warmly welcomes community projects, contributions,
suggestions, fixes and constructive feedback.
• Get support
• Join our online chat
• Discuss on Matrix
• Talk to us about Ubuntu on Google cloud
• Contribute to these docs
• Code of conduct

2.1 How-to guides


These guides provide instructions for performing different operations related to our products on Google Cloud.

2.1.1 GCE - Launching and using Ubuntu instances


While using Ubuntu on GCP, you’ll need to perform tasks such as finding the right image to use, launching different
instance types, creating golden images and containers, using Ubuntu Pro and doing upgrades.
• Find images
• Create instances
• Launch a desktop
• Build a Pro golden image
• Create customized docker containers
• Upgrade to Pro
• Enable Pro features
• Upgrade from Focal to Jammy
• Set hostname

2.1.2 GKE and Kubernetes


If you want to use Ubuntu Pro on your Kubernetes cluster, you can deploy it on GCE using these instructions.
• Deploy Kubernetes on GCE


2.1.3 Contributing to the docs


If you come across any problems with this documentation and you want to help with corrections, suggestions or new
content, here’s how you can do that:
• Contribute to these docs

Using GCE
These how-to guides relate to launching and using Ubuntu-based GCE instances. They include instructions for
performing different sets of tasks.
Launching different types of instances:
• Find images
• Create instances
• Launch a desktop
Creating golden images and customized containers:
• Build a Pro golden image
• Create customized docker containers
Performing upgrades:
• Upgrade to Pro
• Enable Pro features
• Upgrade from Focal to Jammy
Administrative operations:
• Set hostname

Find Ubuntu images on GCE

On your Google Cloud console, you can find the latest Ubuntu images by selecting Ubuntu as the Operating System
under Compute Engine > VM instances > CREATE INSTANCE > Boot disk > CHANGE.
For a programmatic method, you can use the gcloud command:

gcloud compute images list --filter ubuntu-os

Daily, untested images are found under the ubuntu-os-cloud-devel project:

gcloud compute images --project ubuntu-os-cloud-devel list --filter ubuntu-os-cloud-devel

Image locator

Canonical also produces an Ubuntu cloud image finder where users can filter based on a variety of criteria, such as
region or release, etc.

Create different instance types on GCP

The procedure for creating different instance types on GCP basically boils down to choosing the correct options on
your Google Cloud console. Some specific examples are given below.


Create an Ubuntu LTS instance

On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE:
• select Ubuntu and Ubuntu 24.04 LTS in Boot disk > CHANGE > Operating system and Version

Create an Ubuntu Pro instance

On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE:
• select Ubuntu Pro and Ubuntu 24.04 LTS Pro Server in Boot disk > CHANGE > Operating system and
Version
Once the instance is up, ssh into it and run

pro status

to check that livepatch, esm-apps and esm-infra are enabled.

Create an Ubuntu Pro FIPS instance

On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE:
• select Ubuntu Pro and Ubuntu 20.04 LTS Pro FIPS Server in Boot disk > CHANGE > Operating system
and Version
Once the instance is up, ssh into it and run

uname -r

The kernel version will include fips in the name. To check the FIPS packages, run:

dpkg-query -l | grep fips

It should show you a long list of packages with fips in the name or version.

Create an ARM-based instance

On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE:
• choose the ARM CPU platform T2A in Machine configuration > Series
• choose an ARM compatible OS and version, say Ubuntu and Ubuntu 24.04 LTS Minimal in Boot disk >
CHANGE > Operating system and Version

Create an AMD SEV based confidential computing VM

On your Google Cloud console, while creating a new instance from Compute Engine > VM instances > CREATE INSTANCE:
• select Confidential VM service > ENABLE
It’ll show you the available machine type - n2d-standard-2 and boot disk image - Ubuntu 20.04 LTS. Select ENABLE
again and the changes will be reflected under the Machine configuration and Boot disk sections. However, we
need to change the disk image to one with Pro FIPS:


• Go to Boot disk > CHANGE > Confidential Images and filter using ‘ubuntu’ to select Ubuntu 20.04 LTS Pro
FIPS Server. Select that and create the instance.
To check that confidential computing has been enabled correctly, once the instance is up, ssh into it and run

dmesg | grep SEV

A statement containing: AMD Secure Encryption Virtualization (SEV) active should be displayed.
Back on the Google Cloud console, open the instance details and go to Logs > Logging. In the list of logs, look for one
that mentions sevLaunchAttestationReportEvent and expand it. In the resulting JSON, check that the field
integrityEvaluationPassed is set to true, under sevLaunchAttestationReportEvent, something like:

insertId: "0",
jsonPayload: {
@type: "type.googleapis.com/cloud_integrity.IntegrityEvent",
bootCounter: "0",
sevLaunchAttestationReportEvent: {
integrityEvaluationPassed: true
sevPolicy: {0}
[...]
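
The same check can be scripted so that a missing attestation event counts as a failure rather than a pass. The following is an added example, not part of the Ubuntu on GCP documentation; it assumes the log entries have been saved as JSON (or copied from the console view) and are piped in on stdin, and the function names and sample entries are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: fail-closed check of SEV launch attestation log entries.
# Assumption: entries arrive on stdin as JSON or as the console's key: value
# rendering. Only the two field names shown in the excerpt above are used.

# count_matches REGEX: number of matches of REGEX in stdin.
count_matches() {
  grep -oE "$1" | wc -l | tr -d ' '
}

# sev_attestation_ok: reads log entries on stdin and returns
#   0  at least one launch attestation event, every evaluation is true
#   1  some integrityEvaluationPassed value is anything other than true
#   2  no launch attestation result found (treated as a failure)
sev_attestation_ok() {
  local json key events total passed
  json=$(cat)
  # Quotes around the key are optional so both renderings are accepted.
  key='"?integrityEvaluationPassed"?[[:space:]]*:'
  events=$(printf '%s\n' "$json" | count_matches 'sevLaunchAttestationReportEvent')
  total=$(printf '%s\n' "$json" | count_matches "$key")
  passed=$(printf '%s\n' "$json" |
    count_matches "$key"'[[:space:]]*true([^[:alnum:]_]|$)')

  if [ "$events" -eq 0 ] || [ "$total" -eq 0 ]; then
    echo "FAIL: no SEV launch attestation result in input" >&2
    return 2
  fi
  if [ "$passed" -ne "$total" ]; then
    echo "FAIL: $((total - passed)) of $total evaluations did not pass" >&2
    return 1
  fi
  echo "OK: $passed of $total evaluations passed"
}

# Constructed sample entries shaped like the excerpt above (not real logs).
SAMPLE_PASS='{"insertId": "0", "jsonPayload": {"bootCounter": "0",
  "sevLaunchAttestationReportEvent": {"integrityEvaluationPassed": true}}}'
SAMPLE_FAIL='{"insertId": "1", "jsonPayload": {"bootCounter": "3",
  "sevLaunchAttestationReportEvent": {"integrityEvaluationPassed": false}}}'

printf '%s\n' "$SAMPLE_PASS" | sev_attestation_ok
```

The function compares the number of passed evaluations with the total number of evaluations, so a single failed boot in a longer log export is enough to return a non-zero status.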

Create an Intel® TDX based confidential computing VM

In GCE, Intel® TDX is supported in the C3 machine series since they use the 4th Gen Intel® Xeon CPUs. To create the
VM, in the Google Cloud CLI, use the instances create command with confidential-compute-type=TDX:

gcloud alpha compute instances create INSTANCE_NAME \
    --machine-type MACHINE_TYPE --zone us-central1-a \
    --confidential-compute-type=TDX \
    --on-host-maintenance=TERMINATE \
    --image-family=IMAGE_FAMILY_NAME \
    --image-project=IMAGE_PROJECT \
    --project PROJECT_NAME

where:
• MACHINE_TYPE: is the C3 machine type to use and
• IMAGE_FAMILY_NAME: is the name of the confidential VM supported image family to use, such as Ubuntu
22.04 LTS, Ubuntu 24.04 LTS or Ubuntu 24.04 LTS Pro Server

Launch an Ubuntu desktop on a VM

If you want an Ubuntu desktop environment on your VM, you can set it up and use the Chrome Remote Desktop service
to access it from your local Chrome web browser.

Note

If you don’t have an Ubuntu VM already, you can create one based on Create an Ubuntu LTS instance.


Install Chrome Remote Desktop

SSH into your VM and update the package manager:

sudo apt update

Download and install the Chrome Remote Desktop installation package:

wget https://dl.google.com/linux/direct/chrome-remote-desktop_current_amd64.deb
sudo apt-get install --assume-yes ./chrome-remote-desktop_current_amd64.deb

Install Ubuntu desktop

Install a lightweight graphical display manager like SLiM (Simple Login Manager) on your VM:

sudo apt install slim

Install the Ubuntu desktop environment:

sudo apt install ubuntu-desktop

During the installation,


• you might be asked to choose the default display manager, with slim highlighted. Select it by hitting the enter
key.
• you might be asked to select the services that need a restart. Some of the services are selected by default, accept
that selection by hitting the enter key.
Once the installation is done, reboot the machine:

sudo reboot

SSH back into the VM when the connection is restored, and start SLiM:

sudo service slim start

Configure the remote desktop service

To start the remote desktop connection, you’ll need an authorization key. This can be created using Chrome on your
local machine. Browse to the Chrome Remote Desktop setup page, where you’ll see the option to Set up another
computer on the Set up via SSH tab.
• Select Begin
• Select Next, since you have already installed Chrome Remote Desktop on the remote computer
• Select Authorize
• Copy the command shown for Debian Linux.
Back on your VM’s SSH window:
• Paste the command and run it
• Enter a 6-digit pin when prompted. This pin will be needed during remote login to the VM.


Connect to your Ubuntu desktop

On your local machine, go to the Chrome Remote Desktop access page, and you’ll see your VM under Remote devices
on the Remote Access tab. Select the VM and you will be prompted to input the 6-digit pin that you created in the
previous step.
You might see a window with messages similar to “This session logs you into Ubuntu”. Select OK to close the window.
If you see a page that says “Authentication is required to create a color managed device”, select Cancel to ignore it.
You might also see a setup screen that you can follow through by selecting Start Setup > Next > Next > Start Using
Ubuntu.
Your VM with an Ubuntu desktop is now fully functional and accessible within your Chrome browser. Select Activities
to access search and other desktop shortcuts.

Build Ubuntu Pro golden image

A golden image is a base image that is used as a template for your virtual machines. You can create it from your Google
Cloud console’s Cloud Shell (as explained below) or using other tools like Packer.
We’ll be using Ubuntu Pro 22.04 LTS as the base image, although the steps should work fine for all Pro images available
in your console.

Create a golden image

In your Google Cloud console, search for the ‘Cloud Shell’ product and open it by selecting Go to console. Once in,
look for the available Ubuntu Pro images:

gcloud compute images list --project=ubuntu-os-pro-cloud | grep ubuntu-pro

NAME: ubuntu-pro-1604-xenial-v20230710
FAMILY: ubuntu-pro-1604-lts
NAME: ubuntu-pro-1804-bionic-arm64-v20230921
FAMILY: ubuntu-pro-1804-lts-arm64
NAME: ubuntu-pro-1804-bionic-v20230921
FAMILY: ubuntu-pro-1804-lts
NAME: ubuntu-pro-2004-focal-arm64-v20230920
FAMILY: ubuntu-pro-2004-lts-arm64
NAME: ubuntu-pro-2004-focal-v20230920
FAMILY: ubuntu-pro-2004-lts
NAME: ubuntu-pro-2204-jammy-arm64-v20230921
FAMILY: ubuntu-pro-2204-lts-arm64
NAME: ubuntu-pro-2204-jammy-v20230921
FAMILY: ubuntu-pro-2204-lts
NAME: ubuntu-pro-fips-1804-bionic-v20230530
FAMILY: ubuntu-pro-fips-1804-lts
NAME: ubuntu-pro-fips-2004-focal-v20230920
FAMILY: ubuntu-pro-fips-2004-lts

From the options seen, choose Ubuntu Pro 22.04 LTS and use its family name in the golden image creation command
below:

gcloud compute images create golden-image \
    --source-image-family=ubuntu-pro-2204-lts \
    --source-image-project=ubuntu-os-pro-cloud

In a bit you’ll see output similar to the following and the created golden image will be available in your image gallery.


Created [https://www.googleapis.com/compute/v1/projects/[YOUR_PROJECT]/global/images/golden-image].

NAME: golden-image
PROJECT: [YOUR_PROJECT]
FAMILY:
DEPRECATED:
STATUS: READY

Verify that the image contains the Ubuntu Pro license:

gcloud compute images describe golden-image

architecture: X86_64
archiveSizeBytes: '1094443008'
creationTimestamp: '2023-09-29T03:56:22.275-07:00'
diskSizeGb: '10'
guestOsFeatures:
- type: VIRTIO_SCSI_MULTIQUEUE
- type: SEV_CAPABLE
- type: SEV_SNP_CAPABLE
- type: SEV_LIVE_MIGRATABLE
- type: UEFI_COMPATIBLE
- type: GVNIC
id: '8518177910815396794'
kind: compute#image
labelFingerprint: 42WmSpB8rSM=
licenseCodes:
- '2592866803419978320'
licenses:
- https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2204-lts
name: golden-image
selfLink: https://www.googleapis.com/compute/v1/projects/ubuntu-dimple/global/images/golden-image

shieldedInstanceInitialState:
[...]

The line starting with “licenses:” shows the expected Pro license.

Create an instance using the golden image

To create an instance based on this golden image, run:

gcloud compute instances create instance-from-golden-image --image=golden-image

Created [https://www.googleapis.com/compute/v1/projects/ubuntu-dimple/zones/asia-southeast1-a/instances/instance-from-golden-image].

NAME: instance-from-golden-image
ZONE: asia-southeast1-a
MACHINE_TYPE: n1-standard-1
PREEMPTIBLE:
INTERNAL_IP: 10.148.0.2


EXTERNAL_IP: 34.143.153.215
STATUS: RUNNING

Now SSH into this new instance:

gcloud compute ssh instance-from-golden-image

The SSH command might need you to create an SSH key for gcloud if you don’t have one already. Once you complete
the steps and reach the prompt of the new instance, check its license by running:

pro status

The output should be similar to the following and indicates that Pro features such as ESM and livepatch are enabled.

SERVICE      ENTITLED  STATUS    DESCRIPTION
anbox-cloud  yes       disabled  Scalable Android in the cloud
esm-apps     yes       enabled   Expanded Security Maintenance for Applications
esm-infra    yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch    yes       enabled   Canonical Livepatch service
usg          yes       disabled  Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>

Account: ubuntu-dimple
Subscription: ubuntu-dimple
Valid until: Fri Dec 31 00:00:00 9999 UTC
Technical support level: essential

Share the golden image

To share this golden image with other users, you’ll need to add them as principals and assign the Compute Image User
role to them. This will give them permission to list, read, and use the image but not to modify it.
Go to your image gallery, select the image that you just created. In the INFO PANEL on the right, select PERMISSIONS
> ADD PRINCIPAL:
• In the Add principals field insert the email addresses of all the users that you want to share your image with.
• In the Assign roles field, select Compute Engine > Compute Image User
On saving these settings, the specified users will have access to the image.
You can also grant users the Viewer IAM role for the project that you used to create the image in. This will ensure that
the shared image appears in their image selection list.

Create customized docker containers on Ubuntu Pro

Docker containers are extremely useful for running applications reliably on different computing environments. This is
because they package the application along with all its dependencies into a single image that can be easily deployed.
Docker is the underlying technology used to run these containers / images. Docker also allows you to modify the
container and create new customized versions easily. As an example, on your Ubuntu Pro VM, we’ll run a container
based on the latest Ubuntu image and then customize it by including Python.


Note

If you don’t have an Ubuntu Pro VM already, you can create one based on Create an Ubuntu Pro instance.

Install Docker

On your Ubuntu Pro VM, the easiest way to install Docker is to use snap. Update your package manager data and then
install docker using:

sudo apt update


sudo snap install docker

Download a Docker image

Search for available Ubuntu images:

sudo docker search ubuntu

You’ll find many ubuntu related images, some of which have an [OK] under the ‘OFFICIAL’ column indicating that
they are images built and supported by a company.

NAME                DESCRIPTION                                       STARS   OFFICIAL   AUTOMATED
ubuntu              Ubuntu is a Debian-based Linux operating sys...   16442   [OK]
websphere-liberty   WebSphere Liberty multi-architecture images ...   297     [OK]
ubuntu-upstart      DEPRECATED, as is Upstart (find other proces...   115     [OK]
neurodebian         NeuroDebian provides neuroscience research s...   104     [OK]
ubuntu/nginx        Nginx, a high-performance reverse proxy & we...   100
ubuntu/squid        Squid is a caching proxy for the Web. Long-t...   67
[...]

Pull the latest official Ubuntu image:

sudo docker pull ubuntu

It’ll give an output similar to:

Using default tag: latest


latest: Pulling from library/ubuntu
445a6a12be2b: Pull complete
Digest: sha256:aabed3296a3d45cede1dc866a24476c4d7e093aa806263c27ddaadbdce3c1054
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest

You can check the downloaded images using:

sudo docker images

The image that you just pulled will show up in the output:


REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
ubuntu       latest   c6b84b685f35   6 weeks ago   77.8MB

Run the container

Run a container based on this downloaded image and it’ll take you to the new container’s command prompt:

sudo docker run -it ubuntu


root@0587b9a5915d:/#

In this container, you can check if it is the latest version of Ubuntu:

cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"

Customize the image

To customize the image, you can for instance install Python within the container:

apt update
apt install python3

Check the installed version:

/usr/bin/python3 -V

Python 3.10.12

Now that you have modified the original Ubuntu image, you can save the changes to create a new image. Use Ctrl +
P and Ctrl + Q to exit the container interface and get back into the VM.
To save the changes you’ll need the container ID (of the container where you made the changes). You can get this by
checking the containers running on your VM:

sudo docker ps

CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
0587b9a5915d   ubuntu   "/bin/bash"   3 minutes ago   Up 3 minutes           quirky_lamarr

Now commit the changes to create a new Docker image:

sudo docker commit -m "installed python3" -a "myname" 0587b9a5915d

where the parameter -m (message) is used to indicate the changes made and -a (author) is used to indicate the author
of the changes.
If you look at the list of images on your VM, you’ll see the newly added one:


sudo docker images

REPOSITORY   TAG      IMAGE ID       CREATED          SIZE
<none>       <none>   4fad28bffebd   53 seconds ago   152MB
ubuntu       latest   c6b84b685f35   6 weeks ago      77.8MB

Upgrade in-place from LTS to Pro

If your production environment is based on Ubuntu LTS and you need the premium security, support or compliance
features of Ubuntu Pro, then you don’t have to migrate your applications to new Ubuntu Pro VMs. You can just perform
an in-place upgrade of your existing machines in three simple steps:
1. Stop your machine:

gcloud compute instances stop $INSTANCE_NAME

2. Append an Ubuntu Pro license to the disk:

gcloud beta compute disks update $INSTANCE_NAME --zone=$ZONE --update-user-licenses="LICENSE_URI"

where,
• INSTANCE_NAME: is the name of the instance (boot disk) to append the license to
• ZONE: is the zone containing the instance
• LICENSE_URI: is the license URI for the Pro version that you are upgrading to. If your VM runs Ubuntu 16.04
LTS, you need to upgrade to Ubuntu Pro 16.04 LTS. Choose the appropriate URI from:

Version                License URI
Ubuntu Pro 16.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1604-lts
Ubuntu Pro 18.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-1804-lts
Ubuntu Pro 20.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2004-lts
Ubuntu Pro 22.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2204-lts
Ubuntu Pro 24.04 LTS   https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses/ubuntu-pro-2404-lts

3. Start the machine

gcloud compute instances start $INSTANCE_NAME

SSH into your machine and verify the upgrade by running:

pro status

The output should show the different services available and their current status. Something like:

SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-apps      yes       enabled   Expanded Security Maintenance for Applications
esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools

For comprehensive instructions, please refer to the official Google Cloud documentation for upgrading to Pro.
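
The three upgrade steps and the pro status verification, here and in the golden image section, can be scripted as follows. This is an added example, not part of the Ubuntu on GCP documentation: the function names, the instance name my-vm and the sample status text are constructed, and like the command above it assumes the boot disk carries the same name as the instance.

```shell
#!/usr/bin/env bash
# Added example: print the in-place upgrade commands for review and check
# `pro status` output afterwards. Helper names are hypothetical; the gcloud
# commands and license URIs are the ones shown in the steps above.

LICENSE_BASE="https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/licenses"

# pro_license_uri VERSION_ID: license URI of the matching Pro release.
# Only the releases listed in the table above are accepted.
pro_license_uri() {
  case "$1" in
    16.04|18.04|20.04|22.04|24.04)
      printf '%s/ubuntu-pro-%s-lts\n' "$LICENSE_BASE" "$(printf '%s' "$1" | tr -d .)" ;;
    *)
      echo "no Pro license listed for Ubuntu $1" >&2
      return 1 ;;
  esac
}

# safe_name VALUE: accept only lowercase letters, digits and hyphens, so the
# printed plan can be passed to a shell without quoting surprises.
safe_name() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;
  esac
}

# upgrade_plan INSTANCE ZONE VERSION_ID: print stop, license and start commands.
upgrade_plan() {
  local uri
  if ! safe_name "$1" || ! safe_name "$2"; then
    echo "unsafe instance or zone name" >&2
    return 1
  fi
  uri=$(pro_license_uri "$3") || return 1
  printf 'gcloud compute instances stop %s --zone=%s\n' "$1" "$2"
  printf 'gcloud beta compute disks update %s --zone=%s --update-user-licenses="%s"\n' \
    "$1" "$2" "$uri"
  printf 'gcloud compute instances start %s --zone=%s\n' "$1" "$2"
}

# pro_services_enabled SERVICE...: read `pro status` output on stdin and
# succeed only if every named service is listed as entitled and enabled.
pro_services_enabled() {
  local out rc svc line
  out=$(cat)
  rc=0
  for svc in "$@"; do
    line=$(printf '%s\n' "$out" | awk -v s="$svc" '$1 == s { print $2, $3; exit }')
    if [ "$line" != "yes enabled" ]; then
      echo "$svc: ${line:-not listed}" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample, copied from the output shown above.
SAMPLE_STATUS='SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-apps      yes       enabled   Expanded Security Maintenance for Applications
esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
fips          yes       disabled  NIST-certified core packages
livepatch     yes       enabled   Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools'

upgrade_plan my-vm us-central1-a 22.04
printf '%s\n' "$SAMPLE_STATUS" | pro_services_enabled esm-apps esm-infra livepatch &&
  echo "required Pro services are enabled"
```

On the upgraded machine, pipe the real output in with `pro status | pro_services_enabled esm-apps esm-infra livepatch`.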

Enable Ubuntu Pro features

Not all Pro features are automatically enabled when you create your Ubuntu Pro VM. They can be enabled individually
as per your requirements.

Note

If you don’t have an Ubuntu Pro VM already, you can either create a new instance (refer: Create an Ubuntu Pro
instance) or do an in-place upgrade of your LTS VM to Pro (refer: Upgrade in-place from LTS to Pro).

To check the current status of different Pro services on your VM, SSH into it and run:

pro status

Use the appropriate section below to enable the service that you need.

ESM

Extended Security Maintenance (ESM) guarantees a security coverage of 10 years for your Pro VM. So e.g. Ubuntu
22.04 LTS will get security updates till 2032. This feature is automatically enabled with Pro and on running pro
status, you should see something like:

SERVICE    ENTITLED  STATUS   DESCRIPTION
esm-apps   yes       enabled  Expanded Security Maintenance for Applications
esm-infra  yes       enabled  Expanded Security Maintenance for Infrastructure
[...]

esm-infra guarantees 10-year security coverage for packages in the “main” repository, which includes Canonical-
supported free and open-source software.
esm-apps further extends this coverage to the “universe” repository, which includes community-maintained free and
open-source software.

CIS hardening

CIS Benchmarks are best practices for the secure configuration of a system. Ubuntu Pro includes CIS tooling packages
and your Pro VM can be made CIS compliant by enabling the CIS service and then hardening the instance. Enable CIS
using:

sudo ua enable cis

With the tooling packages now installed, you can for instance, harden your Ubuntu Pro 20.04 LTS system with CIS
level 1 server profile, by running:


sudo /usr/share/ubuntu-scap-security-guides/cis-hardening/Canonical_Ubuntu_20.04_CIS-harden.sh lvl1_server

In a few minutes, the hardening process will complete to give you a CIS level 1 compliant environment. To audit the
system, run:

sudo cis-audit level1_server

The output should be similar to:

Title Ensure mounting of cramfs filesystems is disabled


Rule xccdf_com.ubuntu.focal.cis_rule_CIS-1.1.1.1
Result pass
[...]

CIS audit scan completed. The scan results are available in /usr/share/ubuntu-scap-security-guides/cis-20.04-report.html report.

The HTML report mentioned above will show you your CIS score. For comprehensive CIS hardening instructions,
refer to the Ubuntu CIS Compliance documentation.

FIPS compliance

Federal Information Processing Standards (FIPS) are standards and guidelines for federal computer systems developed
by National Institute of Standards and Technology (NIST). To enable FIPS on your Pro VM, run:

sudo ua enable fips

The output will be similar to:

One moment, checking your subscription first


This will install the FIPS core packages.
Are you sure? (y/N) y
Updating package lists
Installing FIPS packages
FIPS enabled
A reboot is required to complete install.

Reboot the instance by running sudo reboot or through the Google Cloud console. Once the machine restarts, you
can SSH into it again and run pro status to verify that the fips service is enabled.

Livepatch

With livepatch enabled, high and critical CVEs are patched in place on a running kernel, without the need for a
reboot. This means that fixes for those kernel vulnerabilities do not have to wait for a restart: you can avoid unexpected
downtime and delay your reboot until the next scheduled maintenance window.
To enable livepatch, run:

sudo ua enable livepatch

Run pro status to verify that the livepatch service is enabled.


Upgrade from Focal to Jammy on GCE

General Advice

Once you have decided to upgrade your system, the next question is how. There are two options, depending on whether
your system is set up and deployed with automation or requires manual configuration.
For fully automated system deployments it is recommended to redeploy with new Jammy instances instead of upgrading
from Focal.
For systems that cannot be easily created or destroyed and require manual configuration, running do-release-upgrade
is a good option. However this option requires some manual intervention as explained below.

Manual intervention steps

While upgrading from Focal to Jammy, manual decision making will be needed for the following options that are
presented.

Additional SSH daemon

When upgrading in a session over SSH there is an inherent risk of losing access if something goes wrong with the SSH
daemon. To mitigate this risk an additional SSH daemon is started on a different port as a backup.
The prompt notifies you that an additional SSH daemon will be started and you can either continue or cancel the
upgrade.

Optional firewall rules for additional SSH daemon

If you are using a firewall, there is a chance that the port used by the backup SSHD is not open. Opening this port is
not done automatically since it could be a security risk. An optional command to open the port is provided and you are
prompted to press enter to continue.


Start upgrade

A final prompt is provided before starting the upgrade. It gives information about the number of changes and the
estimated time to complete because once started, the upgrade process cannot be canceled. At this stage you can continue,
cancel or see additional details.

Restart services automatically

During the upgrade of certain libraries, some services have to be restarted. You have the option of allowing the services
to be restarted automatically during the upgrade. If you select ‘no’ here, you’ll be asked about the services that you
want to restart after each library upgrade.


SSHD configuration modified

Canonical makes changes to /etc/ssh/sshd_config for GCP images. As a result, during upgrade you’ll see a prompt
notifying you about the availability of a newer version of the sshd_config file. You’ll be asked if you want to keep the
existing modified version, use the default one from the new upgrade or take some other action.

Chrony configuration modified

Due to a possible bug in ucf, even if there are no changes in /etc/chrony/chrony.conf you’ll be shown a prompt
asking whether you want to keep the current version, use the default one from the new upgrade, or take some other
action.

Remove obsolete packages

An obsolete package is a package which is no longer available in any of the sources for apt. Usually it is safe and
recommended to remove obsolete packages. But before doing so you’ll be asked if you wish to remove them and you’ll
have the option to select from yes, no and more details.


Restart to finish upgrade

Finally, a restart will be necessary for some parts of the upgrade to be applied. If you select no, you can use
/var/run/reboot-required.pkgs to check for the packages that need a reboot.

Set hostname of GCE instances

The hostname of GCE instances can be set using multiple methods. Google’s preferred method is to use its DHCP
service, which requires you to choose a fully qualified DNS name (FQDN), e.g. something like test123.test.com. If
you don’t want an FQDN or if you want to use a consistent method for assigning hostnames across clouds, you can use
a set-up tool like cloud-init to set your hostname.
Both these methods are described here. Also, due to a recent hostname-related update on GCP, you might have to make
some additional changes for GCE images that use Ubuntu 24.04 LTS and later. These are explained at the end.

Using DHCP (Google’s preferred method)

By default, Google’s DHCP service sets the hostname to an automatically generated internal DNS name.
To set your own custom name, follow the instructions given in Create a VM instance with a custom hostname. In this
case, the DHCP service will additionally provide the custom name and will prioritize it to be the default hostname.
However, as mentioned earlier, the custom name needs to be an FQDN.

Using cloud-init

cloud-init uses the hostname command to programmatically set the hostname. You need to configure its metadata with
the required hostname and use the gcloud compute instances add-metadata command:

gcloud compute instances add-metadata INSTANCE_NAME --metadata-from-file=KEY=VALUE

Here INSTANCE_NAME is your VM name and the metadata is specified using a KEY=VALUE pair. For instance,
the metadata could be specified as ‘user-data=FILENAME’, where FILENAME is the local path to a file that contains
the desired cloud-init configurations. Include the desired hostname in that user-data file:

#cloud-config

hostname: test123

For more details about this, see Set Hostname in the cloud-init documentation.

Changes based on new defaults (Ubuntu 24.04+)

In GCE images that use Ubuntu 24.04 LTS or later, the /etc/hostname file is no longer present by default, and the
cloud-init key create_hostname_file is set to false.


Implications for using cloud-init

Due to the way the underlying hostname command works, whenever a user or tool (such as cloud-init) tries to set
the hostname on a system without /etc/hostname, it will only be set transiently and will be overwritten by Google’s
DHCP service. To avoid this, you’ll need to set create_hostname_file to true in the user-data file:

#cloud-config

hostname: test123
create_hostname_file: true

By setting create_hostname_file to true, you ensure two things:


1. cloud-init will create the /etc/hostname file on boot (if it does not already exist)
2. hostname will be statically set to the one specified in the user-data file

Creating consistent multi-VM environments across releases

Another scenario where this new default can create inconsistencies is in the case of a server farm with images spanning
the Ubuntu 24.04 LTS boundary (i.e. both 24.04+ and 23.10-). In this case, if you want a consistent file system
layout and hostname style across all images, then you’ll have to either remove the /etc/hostname file from the earlier
versions or add it to the later versions.

Remove /etc/hostname from Ubuntu 23.10 and earlier

Set the cloud-init key create_hostname_file to false and ensure that /etc/hostname is deleted during or after
first boot. So the user-data file will need:

#cloud-config

create_hostname_file: false

Add /etc/hostname to Ubuntu 24.04 LTS and later

Set the cloud-init key create_hostname_file to true in the user-data file:

#cloud-config

hostname: test123
create_hostname_file: true
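
The following added example (not part of the Ubuntu on GCP docs) lints a user-data file against the defaults described above and reports whether the requested hostname will persist on a given release. The function names are hypothetical, only top-level key: value lines are read, and it assumes that /etc/hostname has been removed on older releases whenever create_hostname_file is false.

```shell
#!/bin/sh
# Added example (not from the Ubuntu on GCP docs). Function names are
# hypothetical. Parsing handles only top-level "key: value" lines, which is
# all the user-data snippets above use; it is not a full YAML parser.

# Print the value of a top-level key in a user-data file (empty if absent).
ud_get() {   # $1 = file, $2 = key
    awk -v k="$2" '
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            sub(/[ \t]+#.*$/, "", v)     # drop a trailing comment
            sub(/^[ \t"]+/, "", v)       # trim leading blanks and quotes
            sub(/[ \t"\r]+$/, "", v)     # trim trailing blanks and quotes
            val = v
        }
        END { print val }' "$1"
}

# Succeed if the release uses the new GCE default (Ubuntu 24.04 and later).
uses_new_default() {   # $1 = VERSION_ID from /etc/os-release, e.g. 24.04
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor#0}
    [ "$major" -gt 24 ] || { [ "$major" -eq 24 ] && [ "${minor:-0}" -ge 4 ]; }
}

# Classify what happens to the hostname requested in a user-data file:
#   dhcp      - no hostname key, Google's DHCP service names the VM
#   static    - cloud-init creates /etc/hostname, so the name persists
#   transient - name is set without /etc/hostname and DHCP overwrites it
# Assumption: on releases before 24.04 an explicit "false" is paired with
# deleting /etc/hostname, as the page instructs.
hostname_outcome() {   # $1 = user-data file, $2 = VERSION_ID
    host=$(ud_get "$1" hostname)
    create=$(ud_get "$1" create_hostname_file)
    if [ -z "$create" ]; then
        # Key omitted: false on 24.04+ GCE images, cloud-init default (true) before.
        if uses_new_default "$2"; then create=false; else create=true; fi
    fi
    if [ -z "$host" ]; then
        echo dhcp
    elif [ "$create" = true ]; then
        echo static
    else
        echo transient
    fi
}

# Constructed sample: the first user-data snippet from this page, checked
# against releases on both sides of the 24.04 boundary.
sample=$(mktemp)
printf '#cloud-config\n\nhostname: test123\n' > "$sample"
for release in 22.04 23.10 24.04 25.04; do
    printf '%s: %s\n' "$release" "$(hostname_outcome "$sample" "$release")"
done
rm -f "$sample"
```

Run against every user-data file in a mixed fleet, a "transient" result marks the instances that need create_hostname_file: true.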

Using Kubernetes
This how-to guide gives you instructions for using Ubuntu Pro on your Kubernetes cluster.

Deploy Kubernetes with Ubuntu Pro on GCE

Limitations - Why not use Pro on GKE?

Google does not have Ubuntu Pro image offerings for GKE (Google Kubernetes Engine) nodes as yet, i.e. you cannot
choose Ubuntu Pro images for GKE nodes. GKE does not support custom images for the nodes and neither does it
allow post-deployment customization of node VMs.
“Modifications on the boot disk of a node VM do not persist across node re-creations. Nodes are re-created
during manual upgrade, auto-upgrade, auto-repair, and auto-scaling. In addition, nodes are re-created
when you enable a feature that requires node re-creation, such as GKE Sandbox, intranode visibility, and
shielded nodes.”
—GKE docs
Since there’s no mechanism to enable Ubuntu Pro or pre-bake the UA token in a specific cluster, a managed Pro
Kubernetes cluster in GKE is not currently possible.
So one option to get an Ubuntu Pro based Kubernetes cluster is to manually deploy and manage Kubernetes on Ubuntu
Pro VMs in GCE.

Create Ubuntu Pro VMs

Create a few Ubuntu Pro VMs for your Kubernetes cluster - say k8s-worker-1 and k8s-worker-2 to act as worker
nodes and k8s-main for the control plane.
If you want to create them from the Google console, refer to Create an Ubuntu Pro instance. Alternatively, use the
gcloud CLI tool to create the VMs:

gcloud compute instances create <instance-name> <options..>

To access the VMs via SSH use:

gcloud compute ssh --zone <instance-zone> <instance-name> --project <project-name>

Install Kubernetes

You can use MicroK8s to meet your Kubernetes needs. SSH into each node and install the snap:

# repeat for each node
sudo snap install microk8s --classic

Create a cluster

Use the microk8s add-node command to create a cluster out of two or more MicroK8s instances. The instance on
which this command is run will be the cluster’s manager and will host the Kubernetes control plane. For further details,
refer to the MicroK8s clustering doc.
1. On k8s-main run:

sudo microk8s add-node

On completion, it’ll give instructions for adding another node to the cluster:

From the node you wish to join to this cluster, run the following:
microk8s join 10.128.0.24:25000/bde599439dc4182f54fc39f1c444edf3/9713e9c1c063

Use the '--worker' flag to join a node as a worker not running the control plane, eg:
microk8s join 10.128.0.24:25000/bde599439dc4182f54fc39f1c444edf3/9713e9c1c063 --worker

[...]

2. On k8s-worker-1 (based on the instructions received) run:

sudo microk8s join 10.128.0.24:25000/bde599439dc4182f54fc39f1c444edf3/9713e9c1c063 --worker


This will add k8s-worker-1 to the cluster as a worker node. Now, repeat these two steps for each worker node, i.e.
run microk8s add-node on k8s-main and use the new token that is generated to add k8s-worker-2 to the cluster.
Use the kubectl get nodes command in the control plane VM (k8s-main) to check that the nodes have joined the
cluster:

sudo microk8s kubectl get nodes --output=wide

NAME           STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION   CONTAINER-RUNTIME
k8s-worker-1   Ready    <none>   13m   v1.27.5   10.128.0.25   <none>        Ubuntu 22.04.3 LTS   6.2.0-1014-gcp   containerd://1.6.15
k8s-worker-2   Ready    <none>   28m   v1.27.5   10.128.0.26   <none>        Ubuntu 22.04.3 LTS   6.2.0-1014-gcp   containerd://1.6.15
k8s-main       Ready    <none>   49m   v1.27.5   10.128.0.24   <none>        Ubuntu 22.04.3 LTS   6.2.0-1014-gcp   containerd://1.6.15

You can also check the cluster-info using the kubectl cluster-info command on k8s-main:

microk8s kubectl cluster-info

Kubernetes control plane is running at https://127.0.0.1:16443
CoreDNS is running at https://127.0.0.1:16443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Access the Pro Kubernetes cluster

You can access your Pro Kubernetes cluster from any working environment with a Kubernetes client. For this you’ll
need to allow external access to the control plane VM and also get the relevant kubeconfig file.

Allow external access to control plane VM

HTTPS traffic access - On your Google console, select the k8s-main instance and in the details page, go to Edit >
Networking > Firewalls and enable Allow HTTPS traffic.
Kubernetes port access - Allow access to the Kubernetes port (16443 - found in response to the kubectl
cluster-info command above), by creating a firewall rule in the VPC firewall rules. For instructions on how to
do that, refer to the Google Cloud VPC docs.

Get the kubeconfig file

To access the cluster from your local workstation, you’ll need to copy the appropriate kubeconfig file from your control
plane VM. But before doing that, since you’ll be connecting to the VM using its external IP address, you’ll also have
to ensure that the file’s certificate is valid for the external IP address.
Update certificate - In your control plane VM, edit the /var/snap/microk8s/current/certs/csr.conf.template
file to add the VM’s external IP address in the “alt_names” section. The external IP address can be obtained
from the GCE VM Instances page.

...
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
IP.1 = 127.0.0.1
IP.2 = 10.152.183.1
#MOREIPS
IP.100 = <External-IP>
...

To refresh the certificates with the latest version of csr.conf.template, run:

sudo snap set microk8s test="$(date)"

Get config file - In your control plane VM, run:

sudo microk8s config

The output will be the required kubeconfig file, something like:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <certificate>
    server: https://10.128.0.24:16443
  name: microk8s-cluster
contexts:
- context:
    cluster: microk8s-cluster
    user: <username>
  name: microk8s
current-context: microk8s
kind: Config
preferences: {}
users:
- name: <username>
  user:
    token: <token>

Copy this to your local workstation as ${HOME}/.kube/config. Replace the server’s private IP address with the
external IP address and save it.
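
The certificate and kubeconfig edits described above, scripted as an added example that is not part of the Ubuntu on GCP docs. The function names are hypothetical and 203.0.113.10 is a constructed stand-in for the VM's external IP address; the sample files are constructed to mirror the snippets on this page.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu on GCP docs. Function names are
# hypothetical; 203.0.113.10 is a constructed stand-in for <External-IP>.

# Accept only a dotted-quad IPv4 address, so the value is safe to splice
# into the sed and awk programs below.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eqx "$o(\.$o){3}"
}

# Add "IP.N = <ip>" after the #MOREIPS marker of a csr.conf.template, using
# the first free N >= 100 (the page uses IP.100). Does nothing if the address
# is already listed, so it is safe to re-run.
add_alt_name_ip() {   # $1 = template path, $2 = external IP
    is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 2; }
    grep -q '^#MOREIPS' "$1" || { echo "no #MOREIPS marker in $1" >&2; return 3; }
    tmp=$(mktemp) || return 1
    awk -v ip="$2" '
        { lines[NR] = $0 }
        /^IP\.[0-9]+[ \t]*=/ {
            split($0, kv, /[ \t]*=[ \t]*/)
            sub(/[ \t\r]+$/, "", kv[2])
            used[substr(kv[1], 4) + 0] = 1
            if (kv[2] == ip) listed = 1
        }
        END {
            n = 100
            while (n in used) n++
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!listed && lines[i] ~ /^#MOREIPS/) { print "IP." n " = " ip; listed = 1 }
            }
        }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print kubeconfig $1 with the API server host replaced by external IP $2.
# Scheme and port (16443 above) are left untouched.
kubeconfig_for_external_ip() {
    is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 2; }
    sed "s#^\([[:space:]]*server:[[:space:]]*https://\)[^:/]*#\1$2#" "$1"
}

# Write the result with owner-only permissions: the file carries the
# cluster token shown in the "microk8s config" output.
install_kubeconfig() {   # $1 = source, $2 = external IP, $3 = destination
    ( umask 077; kubeconfig_for_external_ip "$1" "$2" > "$3.new" ) \
        || { rm -f "$3.new"; return 1; }
    chmod 600 "$3.new" && mv "$3.new" "$3"
}

# Constructed sample inputs mirroring the snippets on this page.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[ alt_names ]' 'DNS.1 = kubernetes' 'IP.1 = 127.0.0.1' \
        'IP.2 = 10.152.183.1' '#MOREIPS' > "$d/csr.conf.template"
    printf '%s\n' 'clusters:' '- cluster:' \
        '    server: https://10.128.0.24:16443' > "$d/kubeconfig"
    add_alt_name_ip "$d/csr.conf.template" 203.0.113.10
    install_kubeconfig "$d/kubeconfig" 203.0.113.10 "$d/config"
    cat "$d/csr.conf.template" "$d/config"
    rm -rf "$d"
}
demo
```

On the control plane VM the template is the csr.conf.template file named above, and the certificates still have to be refreshed with the snap set command before the new address is accepted.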

Access the cluster

You now have an Ubuntu Pro Kubernetes cluster running in GCE. You should be able to access it from your local
workstation, using a Kubernetes client. To check the access, run:

kubectl get nodes --output=wide

This will show you details about your cluster nodes. You can verify the Pro subscription on each of the provisioned
nodes by running pro status on them.


Contribute to these docs


These docs are located on the GitHub repository named ubuntu-cloud-docs, and you’ll need a GitHub account to make
contributions. It is a good idea to fork this repository into your account before you start; otherwise, GitHub will prompt
you to do so when you attempt your first change.
This documentation set is:
• structured using the Diátaxis approach
• written in reStructuredText as per the Canonical style guide
• built with Sphinx
• hosted on Read the Docs
We are always looking for ways to improve our docs, so we appreciate your contributions!

Minor changes

If you find a problem that you can fix and it’s a small change, you can use the Edit this page on GitHub link at the
bottom of the relevant page to edit it directly on GitHub. When you are done with your edits, select Commit changes...
on the top right. This will help you create a new branch and start a pull request (PR). Use Propose changes to submit
the PR. We will review it and merge the changes.

Suggestions and questions

Use the Give feedback button at the top of any page to create a GitHub issue for any suggestions or questions that you
might have.

New content

When adding new content, it’s easier to work with the documentation on your local machine. For this, you’ll need make
and python3 installed on your system. Once you’ve made your changes, ensure all checks have passed and everything
looks satisfactory before submitting a pull request (PR).

Download and install the docs

If you are working with these docs for the first time, you’ll need to create a fork of the ubuntu-cloud-docs repository
on your GitHub account and then clone that fork to your local machine. Once cloned, go into the ubuntu-cloud-docs
directory and run:

make install

This creates a virtual environment and installs all the required dependencies. You only have to do this step once and
can skip it the next time you want to contribute.

Build and serve the docs

Use the make run command to build and serve the docs at http://127.0.0.1:8000 or equivalently at
http://localhost:8000. This gives you a live preview of the changes that you make (and save), without the need for a
rebuild:

PROJECT=google make run

Setting the PROJECT parameter to google ensures that the documentation set for Ubuntu on GCP gets built. This
parameter is needed to distinguish between the different documentation sets present in the repository.


Create content

Choose the appropriate folder for your content. The folders within each project are mapped to the Diátaxis categories
of tutorial, how-to guides, explanation and reference. If required, the categories can have subcategories as well, as
shown in the tree structure below. Also, each folder includes an index.rst file, which acts as a landing page for the
folder.

project/
    tutorial
    how-to-guides/
        subcategory-one/
            index.rst
            page-one.rst
            page-two.rst
            page-three.rst
        subcategory-two/
            index.rst
            page-one.rst
            page-two.rst
            page-three.rst
        index.rst
    explanation
    reference
    index.rst

If your required category or subcategory is absent, create them using the instructions given below. Then add your
content by creating a new page.

Create new categories (optional)

You can create new categories by following these steps:


1. Create a new folder in your documentation directory.
2. Create a new index.rst file within your new folder.
3. Add the title of your new category to the first line of the index.rst file. Underline it using equal signs (=) that
match the length of your title. For more information on titles and headings, read the reStructuredText style guide.
4. In the index.rst file, add content introducing the category, its purpose, and other relevant links.
5. In your index.rst file, add a toctree that specifies the file names of pages and the index files of the subcategories
within your newly created category. The toctree should resemble the following structure:

.. toctree::
   :maxdepth: 2

   subcategory-one/index
   Subcategory two <subcategory-two/index>
   page-one-file-name

For more information, read the Sphinx documentation on toctree.


6. Update the project’s main index.rst file by adding your new category to its toctree.


Create new subcategories (optional)

You can create new subcategories by following these steps:


1. Go to the parent category and create a new folder for your subcategory within it.
2. Create an index.rst file within the subcategory folder.
3. Enter the title of your new subcategory on the first line of the index.rst file. Underline it using equal signs (=)
that match the length of your title. For more information on titles and headings, read the reStructuredText style
guide.
4. In the index.rst file, add content introducing the subcategory, its purpose, and other relevant links.
5. In your index.rst file, add a toctree that includes the file names or titles of pages within your new subcategory.
The toctree should resemble the following structure:

.. toctree::
   :maxdepth: 1

   page-one-file-name
   Page Two Title <page-two-file-name>

6. Update the index.rst file of the parent category by adding a reference to the newly created subcategory in its
toctree.

Create new pages

You can create new pages by following these steps:


1. Create a new file within a category or subcategory.
2. Add a title to the first line of the file. Underline it using equal signs (=) that match the length of your title. For
more information on titles and headings, read the reStructuredText style guide.
3. Add content to the new file using reStructuredText and following the Canonical style guide.
4. Update the category or subcategory’s index.rst file by adding the file name or your preferred title to the toctree.
For more information, read the Sphinx documentation on toctree.

Perform checks and submit a PR

Before opening a PR, run the following checks and also ensure that the documentation builds without any warnings
(warnings are treated as errors in the publishing process):

PROJECT=google make spelling
PROJECT=google make linkcheck
PROJECT=google make woke

If you need to add new words to the allowed list of words, include them in .custom_wordlist.txt.
Once all the edits are done, commit the changes and push them to your fork. From the GitHub GUI of your fork, select the
commit and open a PR for it.

2.2 Explanation
If you have questions about our offerings on Google Cloud, about Google’s ‘guest agents’ on Ubuntu, about the security
features available, or if you are wondering about the lifetime of any image, then this is the place to look.


2.2.1 Canonical’s offerings on GCP


Canonical works closely with Google to ensure Ubuntu images support the latest GCP features. An optimized Ubuntu
GCP kernel, built in collaboration with Google, delivers the very best performance for scale-out, optimized
workloads on the Google Cloud hypervisor. This makes Ubuntu a popular choice for both virtual machines and container
workloads.
The optimized linux-gcp kernel enables accelerated networking with the Compute Engine Virtual Ethernet device
and support for the latest Google ARM Tau VM. These advantages contribute to Ubuntu being the default host image
for Anthos Multi-cloud.
The Ubuntu images support secure boot, with signed NVIDIA drivers available for workloads requiring access to vGPU
compute acceleration. For instances that require confidential compute, Ubuntu images have been SEV-capable since
18.04 with SEV-SNP and Intel TDX support currently in private preview.
Ubuntu images are updated regularly with fixes that address the latest CVEs to ensure applications remain free from
vulnerabilities.
Another useful feature is the native integration of Ubuntu images with the Administrator console, enabling patch
management and in-place upgrade of Ubuntu LTS images to Ubuntu Pro without the need for workload redeployment.

GCE Images
For each active Ubuntu release, at least two image variants are created for GCE:
• Base images that contain a full Ubuntu development environment
• Minimal images that have a smaller footprint than base images, and are designed for production instances that
will never be accessed by a human
For the LTS releases from 22.04 onwards, we also have:
• Accelerator images that contain the packages needed to run accelerator workloads on advanced GPUs
For the Ubuntu Pro offering, we have:
• Ubuntu Pro images created for 16.04, 18.04, 20.04, 22.04, and 24.04
• Ubuntu Pro FIPS images created for 18.04 and 20.04

GKE images
GKE is Google Cloud’s Kubernetes offering. Canonical produces node images for GKE that act as a base for running
end user pods. These node images include a kernel that is optimized for use in the GKE environment (linux-gke),
as well as custom NVIDIA drivers for workloads that wish to leverage GPU acceleration. Further details of the node
images available for GKE can be found in Google’s documentation about GKE node images.

Anthos - Google’s multi-cloud GKE strategy


Google provides a multi-cloud GKE strategy through a variety of Anthos product offerings, with an Ubuntu foundation
providing the cross-platform support:
• GKE Anthos on AWS
• GKE Anthos on Azure
• GKE Anthos on VMware


2.2.2 Google agents installed on Ubuntu


There are four different “guest agents” installed on Ubuntu images in GCP, each developed by Google and packaged
for Ubuntu by Canonical:
• google-guest-agent [package, source code]
• gce-compute-image-packages [package, source code]
• google-compute-engine-oslogin [package, source code]
• google-osconfig-agent [package, source code]

google-guest-agent
This package is installed on Ubuntu images to facilitate the different platform features available in GCP. It’s written in
Go and can be described as having two main components:
1. The google-metadata-script-runner binary, which enables users to run bespoke scripts on VM startup and
VM shutdown
2. The daemon, which handles the following on the VM:
• SSH and account management
• OS Login (if used)
• Clock skew
• Networking and NICs
• Instance optimizations
• Telemetry
• Mutual TLS Metadata Service (mTLS MDS)

gce-compute-image-packages
This package (written in BASH) is a collection of different configuration scripts that are dropped into the .d directories
of the following:
• apt
• dhcp
• modprobe
• NetworkManager/dispatcher
• rsyslog
• sysctl
• systemd

google-compute-engine-oslogin
Written in a mixture of C and C++, this package is responsible for providing GCP’s OS Login to Ubuntu VMs. At a
high level it can be described as providing the following:
• Authorized Keys Command: provides SSH keys (from an OS Login profile) to sshd for authentication
• NSS Modules: support for making OS Login user/group information available to the VM using NSS (Name
Service Switch)


• PAM Modules: provides authorization (and authentication if 2FA is enabled) to allow the VM to grant ssh
access/sudo privileges based on the user’s allotted IAM permissions

google-osconfig-agent
This package is written in Go and is installed to facilitate GCP’s OS Config (also known as “VM manager”). At a high
level, OS Config supports the following:
• OS inventory management
• Patch
• OS policies

2.2.3 Security features with Ubuntu on GCP


Ubuntu images on Google Cloud include the security features provided by both Ubuntu and GCP. Some of these features
might need to be specifically enabled. This explanation provides pointers to these features and to the specific how-to
guides that help you enable them.

Ubuntu security features


Ubuntu on GCP provides all the security features available on Ubuntu Server. A detailed description of these features
can be found on the Ubuntu security page and in our explanation about Security in the Ubuntu cloud images. For
further guidance on usage refer to Ubuntu server’s Introductory page on security.

GCP security features


GCP offers comprehensive security and data protection in the cloud. Security in Google Cloud explains how users can
benefit from GCP security features.

Confidential computing on GCP

To create and launch confidential compute enabled instances on GCE, refer to:
• Create an Intel® TDX based confidential computing VM
• Create an AMD SEV based confidential computing VM

Enhanced security using Ubuntu Pro


Apart from the Ubuntu Server images, GCP also has images for Ubuntu Pro, which come with enhanced security
features:
• Expanded Security Maintenance (ESM): Provides 10 years of security patching for packages in the Ubuntu (main
and universe) repositories.
• Live kernel updates: These reduce downtime and unplanned reboots in case of kernel vulnerabilities.
• FIPS compliance: Includes FIPS-certified modules to enable the use of Ubuntu in highly regulated environments.
To find Ubuntu Pro images on GCE, refer to Create an Ubuntu Pro instance and Create an Ubuntu Pro FIPS instance
and to enable the different Pro features refer to Enable Ubuntu Pro features.

2.2.4 GCE image retention policies


All Ubuntu images on GCE go through a life-cycle of: release > deprecation > deletion.
Whenever a new image is built and released to GCE, the previous serial of the corresponding image is deprecated.
A deprecated image is not visible on the Google console, but it can still be listed, launched in GCP, etc. Our image
retention policy determines when an image will be deleted. Once deleted, the images are no longer accessible for use.


At any given time, there will be only one active image per Ubuntu variant, with all the other images of that variant being
either deprecated or deleted.

Image retention policy


Our image retention policy depends on the type of Ubuntu image. We publish two types:
• release images - fully tested, production grade images that benefit from Canonical’s in-life support
• daily images - untested builds that contain all the latest updates from the Ubuntu archive
For more details about these image types, check out our documentation of image release types, and to get a list of these
images on GCP, refer to: Find Ubuntu images on GCE.
The retention policy can be summarized as follows:

Ubuntu suite      Status   Daily Images                        Release Images
Interim Release   Active   Delete all but the last 5 serials   No images are deleted
Interim Release   EOL*     Delete all but the latest serial    Delete all but the latest serial
LTS Release       Active   Delete all but the last 5 serials   No images are deleted
LTS Release       EOSS**   Delete all but the latest serial    No images are deleted

where:
• EOL refers to when an interim Ubuntu release (for example, Lunar Lobster 23.04) has reached end-of-life,
and will no longer enjoy support
• EOSS refers to when an LTS Ubuntu release (for example, Jammy Jellyfish 22.04 LTS) has reached “End
of Standard Support” but will remain supported under Ubuntu Pro
