
CloudOps Orchestration Service: Scheduled fix

Last Updated: Dec 28, 2023

Background information

Most enterprises have specific compliance requirements for IT assets, including Alibaba Cloud Elastic Compute Service (ECS) instances. System vulnerabilities on the instances need to be fixed at the earliest opportunity to prevent security attacks, and some software packages need to be kept up to date. The patch management feature covers both cases. You can configure a scheduled fix to scan for or install patches every day or at a specified point in time. For example, you can use this feature to install low-priority patches on a schedule, based on a default patch baseline or a custom patch baseline. This topic shows you how to configure a scheduled fix.

Scheduled fixes support the following modes:

1. Scan patches: Check patches and return the results.

2. Install patches without restarting an ECS instance.

3. Install patches and restart an ECS instance as required by the patches.

Warning

If you select Allow Restart when you install a patch, the system determines whether to restart the instance based on the information about the installed patch.

Permissions

CloudOps Orchestration Service (OOS) must be granted the permissions to call specific operations. The following policy is an example of how to grant the permissions:

{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oos:ListInstancePatchStates"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}

For more information, see Grant RAM permissions to OOS.
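The following added example (not part of the Alibaba Cloud documentation) audits a RAM policy against the action list above: it reports required actions that are not granted, literal actions beyond the list, and wildcard grants that should be narrowed. The names audit_policy and SAMPLE are hypothetical, and the sketch assumes that "*" is the only wildcard and that a Deny statement applies to every resource.

```python
import json
import re

# Actions the page's policy grants to OOS for scheduled fixes.
REQUIRED = {
    "ecs:RebootInstance", "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
    "ecs:DescribeInvocations", "ecs:RunCommand",
    "oos:ListInstancePatchStates",
}

def _actions(stmt):
    value = stmt.get("Action", [])
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    # Assumption: only "*" is a wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def audit_policy(text):
    """Return (missing, extra, wildcards) for a RAM policy given as JSON text."""
    doc = json.loads(text)
    doc = doc.get("Policy", doc)  # accept the page's {"Policy": {...}} wrapper
    allowed, denied = [], []
    for stmt in doc.get("Statement", []):
        (allowed if stmt.get("Effect") == "Allow" else denied).extend(_actions(stmt))

    def granted(action):
        # Assumption: a Deny applies to all resources and overrides any Allow.
        return (any(_matches(p, action) for p in allowed)
                and not any(_matches(p, action) for p in denied))

    missing = sorted(a for a in REQUIRED if not granted(a))
    extra = sorted({p for p in allowed if "*" not in p and p not in REQUIRED})
    wildcards = sorted({p for p in allowed if "*" in p})
    return missing, extra, wildcards

# Constructed sample: broader than the page's policy and missing one action.
SAMPLE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:Describe*", "ecs:RunCommand", "ecs:DeleteInstance"]},
    {"Effect": "Allow", "Resource": "*", "Action": "oos:ListInstancePatchStates"},
]})

if __name__ == "__main__":
    for label, items in zip(("missing", "extra", "wildcards"), audit_policy(SAMPLE)):
        print(label + ":", items)
```
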

Procedure

1. In the OOS console, click Patch Management in the left-side navigation pane. On the page that appears, click Scheduled Fix.

2. Configure the parameters as required.

Set the Fix Operations parameter to Scan or Scan and Install. If you set the Fix Operations parameter to Scan and Install, you also need to set the Allow Restart parameter.

3. Set the Instance Selection Method parameter to Manually Select Instances.

Select the instances for which you want to configure the scheduled fix.

4. Click Execute Now. View the execution status on the Executions page.
