Scheduled apply patch baseline

Last Updated: Oct 11, 2021

Background information

Most enterprises have specific compliance requirements for IT assets, including Alibaba Cloud Elastic Compute Service (ECS) instances. System vulnerabilities on the instances need to be fixed at the earliest opportunity to avoid security attacks, or some software packages need to be kept up to date. In such cases, you can use the patch management feature. You can configure a scheduled fix to scan for or install patches every day or at a specified point in time. For example, you may want to install patches with a low priority based on a default patch baseline, or customize a patch baseline. This topic shows you how to configure a scheduled fix. Scheduled fixes support the following modes:

1. Scan patches: Check patches and return the results.

2. Install patches without restarting the ECS instance.

3. Install patches and restart the ECS instance as required by the patches.

Permissions

Operation Orchestration Service (OOS) must be granted the permissions to call specific operations. The following policy is an example of how to grant the permissions:

{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oos:ListInstancePatchStates"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}

For more information, see the following topic:

Grant RAM permission for OOS
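
The following Python check is an added example, not part of the original documentation: it verifies that a RAM policy document allows every action in the policy above and reports which state-changing actions are allowed on Resource "*", so that the role used for scheduled fixes can be reviewed before use. The function names, the STATE_CHANGING grouping, and the sample policy are assumptions of this example.

```python
import json
import re

# Actions listed in the policy on this page.
REQUIRED = {
    "ecs:RebootInstance", "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
    "ecs:DescribeInvocations", "ecs:RunCommand",
    "oos:ListInstancePatchStates",
}
# Assumption of this example: the two actions that change instance state.
STATE_CHANGING = {"ecs:RunCommand", "ecs:RebootInstance"}


def _listify(value):
    """A policy field may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, action):
    """True if a policy action pattern (with optional '*') covers action."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action) is not None


def audit(document):
    """Return (missing, broad): required actions not allowed, and
    state-changing actions allowed on Resource "*". Deny is not evaluated."""
    policy = document.get("Policy", document)  # wrapped as on this page, or bare
    missing, broad = set(REQUIRED), set()
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _listify(stmt.get("Action"))
        covered = {a for a in REQUIRED if any(_matches(p, a) for p in patterns)}
        missing -= covered
        if "*" in _listify(stmt.get("Resource")):
            broad |= covered & STATE_CHANGING
    return sorted(missing), sorted(broad)


# Constructed sample: omits the OOS action; the resource string is a placeholder.
SAMPLE = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:RunCommand"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ecs:RebootInstance", "Resource": "<instance-resource-placeholder>"}
]}
""")

if __name__ == "__main__":
    print(audit(SAMPLE))
```
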

Procedure

1. Click Scheduled Fix.

2. Set the parameters as required. Set the Fix Operations parameter to Scan or Scan and Install. If you set the Fix Operations parameter to Scan and Install, set the Allow Restart parameter.

3. Select instances that require a scheduled fix.

4. View the status after the fix is complete.