
Immediate apply patch baseline

Last Updated: Oct 11, 2021

Background information

Enterprises often have specific compliance requirements for IT assets, including Alibaba Cloud Elastic Compute Service (ECS) instances. System vulnerabilities on the instances must be fixed at the earliest opportunity to avoid security attacks, or certain software packages must be kept up to date. In such cases, you can use the patch management feature. You can configure an immediate fix to scan for or install patches right away, for example, to install low-priority patches based on a default patch baseline or to use a customized patch baseline. This topic shows you how to configure an immediate fix. Immediate fixes support the following modes:

1. Scan patches: Check patches and return the results.

2. Install patches without restarting the ECS instance.

3. Install patches and restart the ECS instance as required by the patches.

Permissions

Operation Orchestration Service (OOS) must be granted the permissions to call specific operations. The following code block provides an example of how to grant the permissions:

{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oos:ListInstancePatchStates"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}

For more information, see Grant RAM permission for OOS.
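As an added example (not Alibaba Cloud's code), the following Python script compares a RAM policy document against the action list shown above and reports actions that are missing or that are granted beyond that list, such as wildcards. The name audit_policy and the CANDIDATE policy are constructed for illustration; Deny statements, Resource and Condition are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions copied from the policy shown on this page.
REQUIRED = {
    "ecs:RebootInstance", "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
    "ecs:DescribeInvocations", "ecs:RunCommand",
    "oos:ListInstancePatchStates",
}

def _as_list(value):
    # "Action" may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(document):
    """Return (missing, excess) for a policy given as a dict or JSON string.

    missing: page-listed actions that no Allow statement covers.
    excess:  Allow entries that are not on the page's list (wildcards included).
    Assumption: only Allow statements are read; Deny, Resource and
    Condition are ignored.
    """
    doc = json.loads(document) if isinstance(document, str) else document
    policy = doc.get("Policy", doc)  # accept the wrapped form used on this page
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    missing = {a for a in REQUIRED
               if not any(fnmatchcase(a, g) for g in granted)}
    excess = {g for g in granted if g not in REQUIRED}
    return sorted(missing), sorted(excess)

# Constructed sample: over-broad on ECS, unrelated OSS access, no OOS action.
CANDIDATE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    missing, excess = audit_policy(CANDIDATE)
    print("missing:", missing)
    print("beyond the documented list:", excess)
```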

Procedure

1. Click Immediate Fix.

2. Set the Fix Operations parameter to Scan or Scan and Install. If you set the Fix Operations parameter to Scan and Install, set the Allow Restart parameter.

3. Select instances that require an immediate fix.

4. View the status after the fix is complete.