Skip to main content
A recipe is a catalog resource that defines how to build a custom image. Each recipe pairs one or more base images with a provisioning script that installs tools, languages, and dependencies. A single recipe can target multiple cloud substrates — reference an AWS base image, a GCE base image, or both. When you bake a recipe, Murmur runs the provisioning script on a scratch VM built from the base image, then snapshots the result as a new image.

Fields

NameTypeRequiredDescription
namestringyesUnique identifier. DNS label format: [a-z][a-z0-9-]{0,62}.
base_image_aws_refstringconditionalBase image name for AWS bakes. Must reference a catalog image with an AWS source. At least one of base_image_aws_ref or base_image_gce_ref is required.
base_image_gce_refstringconditionalBase image name for GCE bakes. Must reference a catalog image with a GCE source. At least one of base_image_aws_ref or base_image_gce_ref is required.
provisioning_scriptstringyesScript content that runs on the scratch VM during bake. Max 256 KiB.
provisioning_timeoutstringyesMaximum execution time for the provisioning script. Go duration format (e.g. 10m, 30m). Max 1h.
secret_allowliststring[]noNames of catalog secrets the provisioning script may access during bake. Only these secrets are available on the scratch VM. Each name must match [A-Z][A-Z0-9_]* and must not start with MURMUR_.
descriptionstringnoHuman-readable description shown in the dashboard. Max 1024 bytes.
When both base_image_aws_ref and base_image_gce_ref are set, the referenced images must have the same architecture. You cannot bake from an amd64 GCE base and an arm64 AWS base.

Examples

GCE-only recipe with a provisioning script

name: python-toolchain
base_image_gce_ref: murmur-gce-base
provisioning_script: |
  #!/bin/bash
  set -euo pipefail
  apt-get update -y
  apt-get install -y python3.12 python3.12-venv python3-pip
  pip3 install poetry==1.8.3 ruff==0.4.8
  python3.12 --version
  poetry --version
provisioning_timeout: "15m"
description: "Python 3.12 with Poetry and Ruff"

cat <<'EOF' | murmur set recipe python-toolchain
name: python-toolchain
base_image_gce_ref: murmur-gce-base
provisioning_script: |
  #!/bin/bash
  set -euo pipefail
  apt-get update -y
  apt-get install -y python3.12 python3.12-venv python3-pip
  pip3 install poetry==1.8.3 ruff==0.4.8
  python3.12 --version
  poetry --version
provisioning_timeout: "15m"
description: "Python 3.12 with Poetry and Ruff"
EOF

Multi-substrate recipe

name: go-service
base_image_aws_ref: murmur-aws-base
base_image_gce_ref: murmur-gce-base
provisioning_script: |
  #!/bin/bash
  set -euo pipefail
  curl -fsSL https://go.dev/dl/go1.22.4.linux-amd64.tar.gz | tar -C /usr/local -xz
  export PATH=$PATH:/usr/local/go/bin
  go install golang.org/x/tools/gopls@latest
  go version
provisioning_timeout: "20m"
secret_allowlist:
  - GITHUB_TOKEN
  - NPM_TOKEN
description: "Go 1.22 with gopls, cross-substrate"

Recipe with secret access

name: private-deps
base_image_gce_ref: murmur-gce-base
provisioning_script: |
  #!/bin/bash
  set -euo pipefail
  echo "//npm.pkg.github.com/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
  npm install -g @acme/internal-cli@latest
provisioning_timeout: "10m"
secret_allowlist:
  - NPM_TOKEN
description: "Installs private npm packages"

Listing recipes

murmur get recipe

NAME               DESCRIPTION
python-toolchain   Python 3.12 with Poetry and Ruff
go-service         Go 1.22 with gopls, cross-substrate
private-deps       Installs private npm packages

Reading a single recipe

murmur get recipe python-toolchain

Baking a recipe

After creating a recipe, bake it to produce a runnable image: 
murmur bake python-toolchain prod us-central1
See the custom images guide for a full walkthrough.

Errors

CodeMeaningWhat to do
INVALID_ARGUMENTname is requiredProvide a name field.
INVALID_ARGUMENTname must match [a-z][a-z0-9-]{0,62}Use a lowercase DNS label — starts with a letter, only lowercase letters, digits, and hyphens, max 63 characters.
INVALID_ARGUMENTat least one of base_image_aws_ref or base_image_gce_ref is requiredSet base_image_aws_ref, base_image_gce_ref, or both.
INVALID_ARGUMENTprovisioning_script is requiredProvide the script content in provisioning_script.
INVALID_ARGUMENTprovisioning_script exceeds 256 KiB limitReduce the script size. Move large assets to a remote location and fetch them during provisioning.
INVALID_ARGUMENTprovisioning_timeout is requiredSet provisioning_timeout to a Go duration string (e.g. 10m).
INVALID_ARGUMENTprovisioning_timeout: invalid durationUse Go duration format: 10m, 30m, 1h.
INVALID_ARGUMENTprovisioning_timeout: duration must be positiveThe duration must be greater than zero.
INVALID_ARGUMENTprovisioning_timeout exceeds 1h maximumReduce the timeout to 1 hour or less.
INVALID_ARGUMENTsecret_allowlist[N]: secret name must match [A-Z][A-Z0-9_]*Secret names use uppercase letters, digits, and underscores, starting with a letter.
INVALID_ARGUMENTsecret_allowlist[N]: secret name is reserved (MURMUR_*)Names starting with MURMUR_ are reserved. Choose a different name.
INVALID_ARGUMENTdescription exceeds 1024 byte limitShorten the description to 1024 bytes or fewer.
INVALID_ARGUMENTbase_image_aws_ref "X" does not existThe named image does not exist in the catalog. Create it first or fix the name.
INVALID_ARGUMENTbase_image_aws_ref "X" is not an AWS imageThe referenced image exists but has a GCE or Docker source, not AWS. Use an image with an AWS source.
INVALID_ARGUMENTbase_image_gce_ref "X" does not existThe named image does not exist in the catalog. Create it first or fix the name.
INVALID_ARGUMENTbase_image_gce_ref "X" is not a GCE imageThe referenced image exists but has an AWS or Docker source, not GCE. Use an image with a GCE source.
INVALID_ARGUMENTarchitecture mismatch: base_image_aws_ref is X but base_image_gce_ref is YBoth base images must have the same architecture. Replace one so they match.
FAILED_PRECONDITIONcannot delete recipe "X": referenced by image: YBaked images reference this recipe. Delete the referencing images first.