All Products
Search
Document Center

CloudOps Orchestration Service:Immediate fix

Last Updated:Dec 28, 2023

Background information

Most enterprises often have specific compliance requirements for IT assets, including Alibaba Cloud Elastic Compute Service (ECS) instances. The system vulnerabilities of the instances need to be fixed at the earliest opportunity to prevent security attacks, or some software packages need to be kept up to date. In such cases, the patch management feature can be used. You can configure an immediate fix to immediately scan or install patches. For example, you can use this feature to immediately install patches with a low priority based on a default patch baseline or a custom patch baseline. This topic shows you how to configure an immediate fix. Immediate fixes support the following modes:

1. Scan patches: Check patches and return the results.

2. Install patches without restarting an ECS instance.

3. Install patches and restart an ECS instance as required by the patches.

Warning

If you select Allow Restart when you install a patch, the system determines whether to restart the instance based on the information about the installed patch.

Permissions

CloudOps Orchestration Service (OOS) must be granted the permissions to call specific operations. The following code block provides an example on how to grant the permissions:

{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                 ],
                 "Resource": "*",
                 "Effect": "Allow"
             },
             {
                 "Action": [
                     "oos:ListInstancePatchStates"
                 ],
                 "Resource": "*",
                 "Effect": "Allow"
              }
      ]
   }
}

For more information, visit the following URL:

Grant RAM permissions to OOS

Procedure

1. In the OOS console, click Patch Management in the left-side navigation pane. On the page that appears, click Immediate Fix.

image

2. Set the Fix Operations parameter to Scan or Scan and Install.

If you set the Fix Operations parameter to Scan and Install, you also need to set the Allow Restart parameter.

image

3. Set the Instance Selection Method parameter to Manually Select Instances.

Select the instances for which you want to configure the immediate fix.

image

4. Click Execute Now. View the execution status on the Executions page.

image