About creating an image from a volume
You can create a custom image from a boot volume of a virtual server instance in the console, from the CLI, or with the API. The image is a full copy of the source volume. The image includes the operating system and any user data. The image has the same capacity and contains identical data. The OS information for the custom image comes from the originating boot volume. Optionally, you can specify resource groups and tags for your image. You can use the custom image to create new virtual server instances.
The custom image that you create is regional, based on the location of the original boot volume. All custom images are private to the account in which they are created and labeled as custom.
The image also inherits the encryption type. If the original volume used provider-managed encryption, you can keep that or you can specify customer-managed encryption and provide your own root keys. If the original volume used customer-managed encryption, the image inherits the root key. However, you can change that root key if you want to use another key. You can't switch from customer-managed encryption to provider-managed encryption.
Custom images that are created from a volume are independent from the original volume. You can update the image and delete it as needed. You can delete the original volume and the custom image persists.
IAM permissions for creating an image from volume
With Cloud Identity and Access Management (IAM), you can securely authenticate users for platform services and control access to resources consistently across IBM Cloud®. The following table shows the roles that are required to create an image from a volume.
| Operation | Action | IAM access roles | API method |
|---|---|---|---|
| Create an instance | is.instance.instance.create | Administrator, Editor | POST /instances |
| List all instances | is.instance.instance.list | Administrator, Editor, Operator, Viewer | GET /instances |
| Create an image from a boot volume | is.image.image.create | Administrator, Editor | POST /images |
| List all images | is.image.image.list | Administrator, Editor, Operator, Viewer | GET /images |
| Delete image | is.image.image.delete | Administrator, Editor | DELETE /images |
| Schedule deprecation | is.image.image.deprecate | Administrator, Editor | POST /images with deprecation_at value specified |
| Schedule obsolescence | is.image.image.obsolete | Administrator, Editor | POST /images with obsolescence_at value specified |
Volume requirements
To create an image from a volume, the volume must meet the following requirements:
- The volume must be in the region where you want to create the custom image.
- The volume must be a primary boot volume with 100 GB capacity. Data volumes are not supported.
- The volume must be attached to an instance. Unattached boot volumes are not supported.
- The instance must be in an available state.
- The available, the running instance must be stopped before you create the custom image. Creating an image from a running instance is not allowed.
Options for creating an image from a volume
You can create a custom image from a boot volume in several ways.
-
From the console, you can create a custom image from any of the following pages.
- The Custom images for VPC page
- The list of instances on the Virtual server instances for VPC page
- The Instance details page
- The list of volumes on the Block Storage volumes for VPC page
- The Volume details page
-
In the API, you can create a custom image at the same time as you create an instance, or you can create an image from an existing instance. With the regional API, you create an image by making a
POST /imagesrequest with the boot volume ID. -
From the CLI, you can create a custom image at the same time as you create an instance, or you can create an image from an existing instance. Issue the
ibmcloud is image-createcommand and specify the boot volume's ID.
Custom image encryption
When you create an image from a volume, you have the following encryption choices.
-
If the volume uses the default IBM-managed encryption, then the image from that boot volume inherits the IBM-managed encryption. You can keep this encryption, or you can specify your own root key when you create the image.
-
If the volume uses a customer-managed encryption, then the image inherits the customer root key (CRK) from the volume. You can keep this encryption, or you can specify another CRK.
Custom image lifecycle
You can use the UI, CLI, API, and Terraform to manage the lifecycle of your custom images with three statuses. You can move the image back and forth through all the statuses and set dates to automatically change an image status. All status changes are tracked as an IBM Cloud Activity Tracker Event Routing event. You can filter your list of images based on status to aid in clean-up or tracking of your images. For more information about making status changes, see Managing custom images.
| Image status | Description |
|---|---|
available |
You can use the available status to indicate an operating system image is available and provisionable in all zones.
You might see an image in |
deprecated |
You can use the deprected status to indicate the image can be used, but it is not recommended. For example, with a stock image, when a new version of an operating system is made available, the older version image
of that guest operating system changes to deprecated. You can still create virtual server instances or bare metal servers with these images. |
obsolete |
You can use the obsolete status to indicate images must not be used, such as an operating system image that has reached EOS. You can't create virtual server instances or bare metal servers with these images. If you try to
use an obsolete image to create an instance, you receive a message that states that you can't use the image to create an instance. This status allows a reversible disabling of an image before you delete the image. |
Any image that is in deprecated or obsolete status is still billed. If you don't want to be billed for the image, you must delete it.