Zac Nickens

Google Cloud Platform OS Config API

Google Cloud Compute Engine makes creating and using virtual machines easy and efficient, and startup scripts, managed instance groups, and custom images make instance creation easier still. Managing the configuration and patch status of a large fleet of instances is more involved, and far less worry-free, if you do it by hand: it adds a significant amount of toil to the weekly and monthly maintenance schedule. Out-of-date machines also pose serious security risks and challenges. As cybersecurity becomes a larger and more visible part of cloud strategy and cloud computing, minimizing attack surface and attack vectors is critically important. A vulnerable, compromised, or crashed machine can cost the business and your team money, downtime, and grief, and it also costs your organization or team toil. Toil is work that is manual, repetitive, automatable, tactical, devoid of enduring value, and scales linearly as a service grows; it consumes time and resources that could otherwise be applied to meaningful engineering efforts. Managing fleets of Compute Engine instances can introduce plenty of this pesky, time-consuming toil, and pesky additional sources of toil drive Site Reliability Engineers crazy.

Lucky for us, Google has a new API and feature set to make managing compute engine instances just as easy as creating them!

The Cloud OS Config API is an efficient and effective method for managing operating system patches, patch compliance, and configuration management on virtual machine instances on Google Cloud Platform. The OS Config API covers three key use cases: operating system inventory management, patch management, and configuration management.

Operating System Inventory Management:
Cloud OS Inventory Management provides users with critical information about the operating system, the installed packages, and the package updates available. Users use the gcloud CLI to list the instances that have OS inventory enabled and to describe each instance, generating a detailed view of the operating system details, installed packages, available updates and upgrades, and security patches.

OS Patching and Patch Management:
Cloud OS patching and patch management offers the user the ability to update and/or upgrade operating systems and packages via the console or the gcloud CLI, either on a set schedule or at will. Virtual machine instances can be targeted for patching by label or instance name prefix, or a patch job can target every virtual machine instance with OS patching enabled.

Creating immediate-execution and scheduled patch jobs in the Cloud console consists of stepping through 4 key sections: Target VMs, Patch Config, Scheduling, and Advanced Options. Past and current patch jobs are tracked in the console, where current status, execution details, status reporting, and links to logs are easily accessible.

The OS Patch Management tab in the Compute Engine console provides a user-friendly interface with a dashboard, a VM instance detail view, a past and current patch view, and a scheduled patch deployment view. From the dashboard and VM detail views you can instantly identify machines with available security patches and updates.

OS Guest Policies:
Cloud OS Guest policies are JSON or YAML files used to declare a desired state for a virtual machine instance or group of instances. Guest policies consist of an assignment section and the required configuration sections. The assignment section determines which virtual machines are subject to the guest policy; virtual machines can be targeted by instance name or prefix, labels, zones, or operating system information. Guest policies can be created or updated with the gcloud CLI or by calling the Cloud OS Config API. Guest policies can also be listed, described, updated, deleted, viewed, and debugged via the gcloud CLI and the Cloud OS Config API.

This article first appeared as an internal Woolpert Technical Article @ Woolpert.com

Appendix:

Cloud OS Config Note 1: Leveraging these features requires the following prerequisites, set either on each virtual machine instance or on the entire project:

  • Enable the guest attributes metadata key
  • Enable the OS Inventory metadata key

Operating System Inventory Management is supported on Debian 9, Ubuntu 16.04 and 18.04, CentOS 6, 7, and 8, Red Hat Enterprise Linux 6, 7, and 8, and Windows Server 2008R2, 2012R2, 2016, 2019 and semi-annual releases 1803 and 1809.

To enable guest attributes: https://cloud.google.com/compute/docs/instances/view-os-details

OS Information Provided:

  • Hostname
  • LongName - The detailed operating system name. For example, Microsoft Windows Server 2016 Datacenter.
  • ShortName - The short form of the operating system name. For example, Windows.
  • Kernel version
  • OS architecture
  • OS version
  • OS Config agent version
  • Last updated - A timestamp of the last time the agent successfully scanned the system and updated the guest attributes with OS Inventory data.

Cloud OS Config Code Sample 1: OS Guest Policy YAML example:

assignment:
  # Assign to VM instances where `(label.color=red AND label.env=test) OR (label.color=blue AND label.env=test)`
  groupLabels:
  - labels:
      color: red
      env: test
  - labels:
      color: blue
      env: test
packages:
- name: "my-package"
  desiredState: INSTALLED
- name: "bad-package-1"
  desiredState: REMOVED
- name: "bad-package-2"
  desiredState: REMOVED
  manager: APT  # Only apply this to systems with APT.
packageRepositories:
- apt:  # Only apply this to systems with APT.
    uri: "https://packages.cloud.google.com/apt"
    archiveType: DEB
    distribution: cloud-sdk-stretch
    components:
    - main
- yum:  # Only apply this to systems with YUM.
    id: google-cloud-sdk
    displayName: "Google Cloud SDK"
    baseUrl: https://packages.cloud.google.com/yum/repos/cloud-sdk-el7-x86_64
    gpgKeys:
    - https://packages.cloud.google.com/yum/doc/yum-key.gpg
    - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
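To show how the assignment and packages sections of the sample above resolve for a given VM (the targeting rules described under OS Guest Policies), here is an added Python illustration that is not part of the article or of Google's tooling. It embeds the sample policy as a dict; the instanceNamePrefixes, zones and osTypes filter names, the MANAGER_FOR_OS table and the exact-match OS comparison are assumptions of this example, not guarantees of the API.

```python
# Added illustration: how a guest policy assignment selects VMs and which
# package actions result. The policy mirrors the article's YAML sample; the
# extra filters and the OS-to-manager table are assumptions of this example.
POLICY = {
    "assignment": {"groupLabels": [
        {"labels": {"color": "red", "env": "test"}},
        {"labels": {"color": "blue", "env": "test"}},
    ]},
    "packages": [
        {"name": "my-package", "desiredState": "INSTALLED"},
        {"name": "bad-package-1", "desiredState": "REMOVED"},
        {"name": "bad-package-2", "desiredState": "REMOVED", "manager": "APT"},
    ],
}

# Assumed mapping from the OS inventory ShortName to the VM's native package manager.
MANAGER_FOR_OS = {"debian": "APT", "ubuntu": "APT", "centos": "YUM", "rhel": "YUM"}


def matches_assignment(assignment, instance):
    """True when the VM satisfies every filter present in the assignment.
    groupLabels: ALL labels of ANY one group must match, i.e. for the sample
    (color=red AND env=test) OR (color=blue AND env=test). Extra VM labels
    are ignored; a filter that is absent imposes no restriction."""
    labels = instance.get("labels", {})
    groups = assignment.get("groupLabels")
    if groups and not any(all(labels.get(k) == v for k, v in g["labels"].items())
                          for g in groups):
        return False
    prefixes = assignment.get("instanceNamePrefixes")
    if prefixes and not any(instance["name"].startswith(p) for p in prefixes):
        return False
    zones = assignment.get("zones")
    if zones and instance["zone"] not in zones:
        return False
    os_types = assignment.get("osTypes")  # simplified: exact match on each given key
    if os_types and not any(all(instance["os"].get(k) == v for k, v in t.items())
                            for t in os_types):
        return False
    return True


def effective_packages(policy, instance):
    """(name, desiredState) pairs enforced on this VM; a `manager`-scoped entry
    applies only where that manager is the VM's native one."""
    if not matches_assignment(policy["assignment"], instance):
        return []
    native = MANAGER_FOR_OS.get(instance["os"]["osShortName"])
    return [(p["name"], p["desiredState"]) for p in policy["packages"]
            if p.get("manager") in (None, native)]
```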