Tags: php, google-cloud-platform, google-compute-engine

Is there a way to recover the connection to my GCP VM?


  1. I have a GCP VM on which Docker with Drupal is installed.
  2. e2-medium with a 10 GB SSD
  3. After increasing the disk size to 20 GB, I can no longer access the VM over SSH.

The steps I tried:

  • Reverting to the original configuration
  • Configuring IAP with dedicated address ranges to reach the VM subnet
  • Connecting to the machine's serial port

This last point works, but I don't know what to check or what to look for to restart the VM.

In the console logs, I have this:

    [{
      "insertId": "2",
      "jsonPayload": {
        "lateBootReportEvent": {
          "actualMeasurements": [
            {
              "hashAlgo": "SHA1",
              "pcrNum": "PCR_14",
              "value": "xxwkxkw,xw"
            }
          ],
          "policyMeasurements": [
            {
              "value": "hhhh+jjjjj=",
              "hashAlgo": "SHA1",
              "pcrNum": "PCR_9"
            }
          ],
          "policyEvaluationPassed": false
        },
        "@type": "type.googleapis.com/cloud_integrity.IntegrityEvent",
        "bootCounter": "31"
      },
      "resource": {
        "type": "gce_instance",
        "labels": {
          "instance_id": "00000000",
          "zone": "europe-000000",
          "project_id": "HHHHHHHHH"
        }
      },
      "timestamp": "2022-04-28T21:35:52.092570946Z",
      "severity": "ERROR",
      "logName": "/logs/compute.googleapis.com%2Fshielded_vm_integrity",
      "receiveTimestamp": "2022-04-28T21:35:54.103571412Z"
    }]

Does this shielded_vm_integrity error type mean anything to you?

Thank you


Solution

  • Your VM is failing to boot because of a boot integrity check. You resized the disk, which changed the boot configuration.

    The solution is to disable the shielded VM options:

    • Go to VM instances
    • Click on the VM instance name to open the VM instance details page
    • Stop the VM, wait for the VM to stop
    • Click Edit
    • Turn off Secure Boot
    • Turn off vTPM
    • Turn off Integrity Monitoring

    CLI command:

    gcloud compute instances update VM_NAME \
        --no-shielded-secure-boot \
        --no-shielded-vtpm \
        --no-shielded-integrity-monitoring
    

    Once your VM is running successfully, you can enable these features.

    See also:

    • Determining the cause of boot integrity validation failure
    • What is Shielded VM

    There is a free book download on TPM which contains details on the Platform Configuration Registers mentioned in your logs (PCR-9 and PCR-14):

    A Practical Guide to TPM 2.0
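As an added example (not part of the question or the answer above), the following Python script reads a cloud_integrity.IntegrityEvent entry of the kind pasted in the question and reports, per PCR, whether the measured value agrees with the policy baseline, so you can see what actually diverged before deciding whether to relax the shielded VM settings. The two entries are constructed here from the redacted log above with placeholder values; the function names `integrity_report`, `divergent_pcrs` and `format_report` are chosen for this example and are not Google APIs.

```python
import json

# Constructed sample modelled on the redacted shielded_vm_integrity entry shown
# in the question; all identifiers and digest values are placeholders.
FAILING_ENTRY = json.loads("""
{
  "insertId": "2",
  "jsonPayload": {
    "lateBootReportEvent": {
      "actualMeasurements": [
        {"hashAlgo": "SHA1", "pcrNum": "PCR_14", "value": "xxwkxkw,xw"}
      ],
      "policyMeasurements": [
        {"hashAlgo": "SHA1", "pcrNum": "PCR_9", "value": "hhhh+jjjjj="}
      ],
      "policyEvaluationPassed": false
    },
    "@type": "type.googleapis.com/cloud_integrity.IntegrityEvent",
    "bootCounter": "31"
  },
  "resource": {
    "type": "gce_instance",
    "labels": {"instance_id": "00000000", "zone": "europe-000000", "project_id": "HHHHHHHHH"}
  },
  "timestamp": "2022-04-28T21:35:52.092570946Z",
  "severity": "ERROR",
  "logName": "/logs/compute.googleapis.com%2Fshielded_vm_integrity"
}
""")

# Constructed healthy counterpart: baseline and measurement agree, evaluation passes.
PASSING_ENTRY = {
    "jsonPayload": {
        "lateBootReportEvent": {
            "actualMeasurements": [{"hashAlgo": "SHA1", "pcrNum": "PCR_9", "value": "hhhh+jjjjj="}],
            "policyMeasurements": [{"hashAlgo": "SHA1", "pcrNum": "PCR_9", "value": "hhhh+jjjjj="}],
            "policyEvaluationPassed": True,
        },
        "@type": "type.googleapis.com/cloud_integrity.IntegrityEvent",
        "bootCounter": "32",
    }
}

# An IntegrityEvent carries one report kind for the early boot stage and one for the late stage.
REPORT_KINDS = ("earlyBootReportEvent", "lateBootReportEvent")


def _by_pcr(measurements):
    """Index a measurement list by PCR name -> (hashAlgo, value)."""
    return {m["pcrNum"]: (m.get("hashAlgo"), m.get("value")) for m in measurements}


def _pcr_index(name):
    """Sort key so PCR_9 sorts before PCR_14 (numeric suffix, unknown names last)."""
    suffix = name.rsplit("_", 1)[-1]
    return int(suffix) if suffix.isdigit() else 9999


def integrity_report(entry):
    """Summarise one IntegrityEvent log entry.

    Returns the report kind found in the payload, the policyEvaluationPassed flag,
    the boot counter and, for every PCR named anywhere in the event, the baseline
    (policy) value, the measured (actual) value and a status string.
    """
    payload = entry.get("jsonPayload", {})
    kind = next((k for k in REPORT_KINDS if k in payload), None)
    if kind is None:
        return {"event": None, "passed": None, "boot_counter": None, "pcrs": {}}
    report = payload[kind]
    policy = _by_pcr(report.get("policyMeasurements", []))
    actual = _by_pcr(report.get("actualMeasurements", []))
    pcrs = {}
    for pcr in sorted(set(policy) | set(actual), key=_pcr_index):
        baseline, measured = policy.get(pcr), actual.get(pcr)
        if baseline is None:
            status = "measured but absent from baseline"
        elif measured is None:
            status = "in baseline but not measured"
        elif baseline == measured:
            status = "match"
        else:
            status = "mismatch"
        pcrs[pcr] = {"policy": baseline, "actual": measured, "status": status}
    return {"event": kind, "passed": report.get("policyEvaluationPassed"),
            "boot_counter": payload.get("bootCounter"), "pcrs": pcrs}


def divergent_pcrs(entry):
    """PCR names whose baseline and measurement do not agree, in PCR order."""
    return [pcr for pcr, info in integrity_report(entry)["pcrs"].items()
            if info["status"] != "match"]


def format_report(entry):
    """One line per PCR, readable in a serial-console or terminal session."""
    r = integrity_report(entry)
    lines = [f"{r['event']} boot #{r['boot_counter']}: {'PASSED' if r['passed'] else 'FAILED'}"]
    for pcr, info in r["pcrs"].items():
        lines.append(f"  {pcr}: policy={info['policy']} actual={info['actual']} -> {info['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(FAILING_ENTRY))
    print(format_report(PASSING_ENTRY))
```

Feed it an entry exported as JSON from Cloud Logging under the log name shown in the question. If the only divergence is in PCRs your own disk resize plausibly touched, the documented way to re-establish a baseline without giving up Secure Boot, the vTPM and integrity monitoring is to have the VM learn a new integrity policy (`gcloud compute instances update VM_NAME --shielded-learn-integrity-policy`); turning the three features off works as the answer says, but it also removes the boot-time detection that produced this log entry in the first place.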