Create and run shutdown scripts that execute commands right before a virtual machine (VM) instance is stopped or restarted. This is useful if you rely on automated scripts to start up and shut down instances, allowing instances time to clean up or perform tasks, such as exporting logs, or syncing with other systems.
Shutdown scripts are especially useful for VMs in a managed instance group with an autoscaler. If the autoscaler shuts down a VM in the group, the shutdown script runs before the VM stops and the shutdown script performs any actions that you define. The script runs during the limited shutdown period before the VM stops. For example, your shutdown script might copy processed data to Cloud Storage or back up any logs.
Shutdown scripts function very similarly to startup scripts. Much of the documentation for startup scripts also applies for shutdown scripts.
For both shutdown and reboot tasks, VMs always run shutdown scripts as follows:
- For Linux VMs, by using the root user.
- For Windows VMs, by using the System account.
Prerequisites
To run scripts stored in metadata on a VM instance, the guest environment must be installed and running.
- The guest environment includes the guest agent (for example, google-guest-agent on Linux) that reads the script content or URL from the instance's metadata and initiates execution.
- All public Compute Engine images come with the guest environment preinstalled.
- If you create a custom image, you must manually install the Google Guest Environment to ensure scripts from metadata and other Cloud de Confiance by S3NS features function properly.
Before you begin
- Learn about Startup scripts.
- Understand what the metadata server is.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Cloud de Confiance by S3NS services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
  Select the tab for how you plan to use the samples on this page:
  Console
  When you use the Cloud de Confiance console to access Cloud de Confiance by S3NS services and APIs, you don't need to set up authentication.
  gcloud
  - Install the Google Cloud CLI, and then sign in to the gcloud CLI with your federated identity. After signing in, initialize the Google Cloud CLI by running the following command:
    gcloud init
  - Set a default region and zone.
  Terraform
  To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
  - Install the Google Cloud CLI, and then sign in to the gcloud CLI with your federated identity.
  - Create local authentication credentials for your user account:
    gcloud auth application-default login
  If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
  For more information, see Set up authentication for a local development environment.
  REST
  To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
  - Install the Google Cloud CLI, and then sign in to the gcloud CLI with your federated identity.
  For more information, see Authenticate for using REST in the Cloud de Confiance authentication documentation.
Permissions required for this task
To perform this task, you must have the following permissions:
- All permissions required to create an instance
- compute.instances.setMetadata on the instance
Specifications
The following sections outline the specifications for shutdown scripts.
Limitations
There are some limitations to note when using shutdown scripts:
- Compute Engine executes shutdown scripts only on a best-effort basis. In rare cases, Compute Engine cannot guarantee that the shutdown script will complete.
- On Windows, the Local Group Policy is used to launch the shutdown script.
  - The installation package configures the Local Group Policy Computer Configuration/Windows Setting/Scripts (Startup/Shutdown) setting to launch the script upon system shutdown.
Shutdown script invocation
Shutdown scripts are triggered when the instance shuts down after any of the following events happen:
- You do the following: 
- Compute Engine stops an instance as part of a programmed stop or delete operation. 
- Compute Engine stops a Spot VM or preemptible instance as part of the preemption process. 
A shutdown script can be of any file type. If there is a shutdown script present in the instance, then Compute Engine does the following:
- Copies the script to a local file in the instance.
- Sets permissions on the file to make the script executable.
- Executes the file when the instance shuts down.
You could, for example, provide a Python script instead of a bash script. Keep in mind that Compute Engine runs the script verbatim, regardless of the type of script.
To execute a script that is not bash, add a shebang line at the top of the file to let the operating system know which interpreter to use. For example, for a Python script, you can add a shebang line like:
#!/usr/bin/python
Shutdown script running time
Your shutdown scripts start running when Compute Engine sets the
instance state to STOPPING. Your scripts must complete before the instance
is fully stopped, which is when its state changes to TERMINATED. The time the
instance takes to reach the TERMINATED state varies depending on the
instance type.
If your scripts take longer than the time it takes for the instance to stop,
then Compute Engine forcefully stops the scripts, which can lead to
data loss or incomplete tasks. To prevent this,
stop the instance from within its guest OS.
This approach keeps the instance in the STOPPING state until your shutdown scripts
finish running.
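Because a script that overruns is forcefully stopped, it helps to order cleanup steps by importance and bound each one. The following Python shutdown script is an added example, not part of the original documentation; the budget value, the bucket name, and the log path are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Shutdown script: run cleanup steps in priority order within a time budget."""
import subprocess
import sys
import time

# Assumption: a budget chosen by the operator. The page gives no figure; it only
# says the time to reach TERMINATED varies by instance type.
BUDGET_SECONDS = 25.0

# Most important step first. The bucket and log path are placeholders.
TASKS = [
    ("stop-apache", ["/etc/init.d/apache2", "stop"]),
    ("export-logs", ["gcloud", "storage", "cp", "/var/log/apache2/access.log",
                     "gs://EXAMPLE_BUCKET/shutdown-logs/"]),
]


def run_tasks(tasks, budget, clock=time.monotonic):
    """Run each (name, argv) in order and return a list of (name, status)."""
    deadline = clock() + budget
    results = []
    for name, argv in tasks:
        remaining = deadline - clock()
        if remaining <= 0:
            # Budget spent: record the step instead of starting work that
            # would be cut off part-way.
            status = "skipped"
        else:
            try:
                proc = subprocess.run(argv, timeout=remaining, check=False)
                status = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
            except subprocess.TimeoutExpired:
                status = "timeout"  # subprocess.run kills the child on timeout
            except OSError as exc:
                status = f"error: {exc.strerror}"
        # Printed lines appear wherever the shutdown script output is collected.
        print(f"shutdown-task {name}: {status}", flush=True)
        results.append((name, status))
    return results


if __name__ == "__main__":
    outcome = run_tasks(TASKS, BUDGET_SECONDS)
    sys.exit(0 if all(status == "ok" for _, status in outcome) else 1)
```

A step marked skipped or timeout in the output is the signal to reorder the tasks or reduce the work done at shutdown.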
Use a local shutdown script
A local shutdown script is a script that lives on your local computer. Pass in a local shutdown script either as a file or by giving the contents directly to Compute Engine.
Shutdown scripts can perform as many actions as you need, but if you are passing in the file locally, your script cannot exceed the metadata value length limit of 256 KB. To use a script that exceeds the length limit, store your file on Cloud Storage. See Use shutdown script from Cloud Storage for more information.
Provide a shutdown script file
You can only pass in a local shutdown script file through the gcloud
command-line tool.
gcloud
To pass in a local shutdown script file, supply the --metadata-from-file
flag, followed by a metadata key pair, shutdown-script=PATH/TO/FILE, where
PATH/TO/FILE is a relative path to the shutdown script. For example:
gcloud compute instances create example-instance \
    --metadata-from-file shutdown-script=examples/scripts/install.sh
Terraform
To specify a shutdown script directly, use the google_compute_instance
resource with the path to the shutdown script in the metadata.
Provide shutdown script contents directly
Alternatively, you can pass in the contents of your shutdown script directly.
Console
In the Cloud de Confiance console, specify a shutdown script directly using the
shutdown-script metadata key:
- Go to the Create an instance page. 
- Specify the VM details. 
- Expand the Advanced options section. 
- Expand Management, and do the following:
  - In the Metadata section, click Add item.
  - In the Key field, enter shutdown-script for the metadata key.
  - In the Value field, add the contents of your shutdown script.
- Continue with the VM creation process. 
gcloud
Using the Google Cloud CLI, use the --metadata flag to provide
the contents of your shutdown script, followed by the
shutdown-script=CONTENTS key pair, where CONTENTS is the content of your
shutdown script.
gcloud compute instances create example-instance --metadata shutdown-script="#! /bin/bash
# Shuts down Apache server
/etc/init.d/apache2 stop"
Terraform
To specify a shutdown script directly, use the google_compute_instance
resource with the shutdown script in the metadata.
REST
In the API, provide a shutdown script as part of the metadata property in
your request when you create an instance. Use shutdown-script as the
metadata key:
POST https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/instances
{...
  "metadata": {
    "items": [
      {
       "key": "shutdown-script",
       "value": "#! /bin/bash\n\n# Shuts down Apache server\n/etc/init.d/apache2 stop"
      }
    ]
  }...
}
Provide a shutdown script on Windows instances
Run shutdown scripts on Windows instances using the following Windows-specific metadata keys. Choose from any of the specialized keys listed below. Each key should match the type of script you want to run.
You can specify multiple shutdown scripts by passing in different keys to your instance but each key can only be specified once per virtual machine.
The following keys can be used with a local shutdown script, using the same instructions earlier in this document.
| cmd shutdown scripts | bat shutdown scripts | ps1 shutdown scripts |
|---|---|---|
| windows-shutdown-script-cmd | windows-shutdown-script-bat | windows-shutdown-script-ps1 | 
Use a shutdown script from Cloud Storage
You can store and use a shutdown script from Cloud Storage. Follow
the instructions in the Startup scripts
documentation but replace startup-script-url with shutdown-script-url.
For Windows instances, replace windows-startup-script-url with
windows-shutdown-script-url.
Apply a shutdown script to running instances
To add a shutdown script to a running instance, follow the instructions in the Applying a startup script to running instances documentation but replace the metadata keys with one of the following keys:
- shutdown-script: Supply the shutdown script contents directly with this key. Using the Google Cloud CLI, you can provide the path to a shutdown script file, using the --metadata-from-file flag and the shutdown-script metadata key.
- shutdown-script-url: Supply a Cloud Storage URL to the shutdown script file with this key.
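Shutdown scripts run as root or System and can be set on a running instance by anyone holding compute.instances.setMetadata, so it is worth inventorying them against a reviewed baseline. The following Python audit is an added example, not part of the original documentation; the sample instance, the bucket URL, and the approved set are constructed, and the input is assumed to be instance resources in the JSON shape shown in the REST example above.

```python
import hashlib

# Metadata keys named on this page that cause code to run at shutdown.
INLINE_KEYS = {"shutdown-script", "windows-shutdown-script-cmd",
               "windows-shutdown-script-bat", "windows-shutdown-script-ps1"}
URL_KEYS = {"shutdown-script-url", "windows-shutdown-script-url"}


def audit_instance(instance, approved):
    """Return one finding per shutdown-script metadata item on an instance.

    approved holds SHA-256 hex digests of reviewed inline scripts and the
    URLs of reviewed scripts stored in Cloud Storage.
    """
    findings = []
    items = (instance.get("metadata") or {}).get("items") or []
    for item in items:
        key, value = item.get("key"), item.get("value", "")
        if key in INLINE_KEYS:
            # Hash inline content so a baseline can be kept without storing scripts.
            source, ident = "inline", hashlib.sha256(value.encode("utf-8")).hexdigest()
        elif key in URL_KEYS:
            source, ident = "url", value
        else:
            continue
        findings.append({"instance": instance.get("name"), "key": key,
                         "source": source, "id": ident,
                         "approved": ident in approved})
    return findings


# Constructed sample: the page's Apache script plus an unreviewed script URL.
PAGE_SCRIPT = "#! /bin/bash\n\n# Shuts down Apache server\n/etc/init.d/apache2 stop"
SAMPLE_INSTANCE = {
    "name": "example-instance",
    "metadata": {"items": [
        {"key": "shutdown-script", "value": PAGE_SCRIPT},
        {"key": "shutdown-script-url", "value": "gs://EXAMPLE_BUCKET/cleanup.sh"},
        {"key": "enable-oslogin", "value": "TRUE"},
    ]},
}
APPROVED = {hashlib.sha256(PAGE_SCRIPT.encode("utf-8")).hexdigest()}

if __name__ == "__main__":
    for finding in audit_instance(SAMPLE_INSTANCE, APPROVED):
        print(finding)
```

Findings with approved set to False are the ones to review, since they are scripts that will run with full privileges at the next stop or restart.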
Viewing the output of a shutdown script
Linux
You can view the output from a Linux shutdown script by doing any of the following:
- Connecting to the instance and running the following command:
  sudo journalctl -u google-shutdown-scripts.service
- Viewing the output through serial port 1 in the Cloud de Confiance console and checking for google_metadata_script_runner events.
- Using IAP Desktop from a Windows workstation. For more information, see the GoogleCloudPlatform/iap-desktop repo on GitHub.
Windows
View the output from a Windows Server shutdown script by using any of the
following and checking for GCEMetadataScripts events:
- Serial port 1 in the Cloud de Confiance console. For more information, see Viewing serial port output. 
- Windows Event Viewer's Application Log. 
- IAP Desktop from a Windows workstation. For more information, see the GoogleCloudPlatform/iap-desktop repo on GitHub.