The Patch Management Skill allows you to scan and install system patches on ECS instances through natural language conversations in AI platforms such as OpenClaw, Cursor, and Claude.
Overview
The Patch Management Skill leverages CloudOps Orchestration Service (OOS) and Cloud Assistant to provide the following capabilities:
Scan system patches: Check the patch status of one or more ECS instances and identify missing security updates and system fixes.
Install system patches: Install missing system patches on one or more ECS instances, with configurable reboot policies and snapshot backups.
Patch baseline management: Specify a patch baseline name to filter and install patches based on predefined baseline rules.
The Skill executes patch operations through the OOS template ACS-ECS-BulkyApplyPatchBaseline, supports batch processing of up to 1000 instances, and automatically polls execution status until completion.
Prerequisites
Control environment (where the AI agent platform runs):
AI agent platform ready: An AI agent platform that supports the Skill protocol (such as OpenClaw, Cursor, or Claude) is installed and configured.
Alibaba Cloud CLI version: Alibaba Cloud CLI 3.3.1 or later is required. Run aliyun version to check your current version. If the version is outdated, upgrade the CLI.
Alibaba Cloud credentials: Configure identity credentials in Alibaba Cloud CLI. Run aliyun configure list to verify the credential status.
RAM permissions: The Alibaba Cloud account or RAM user must be granted the following permissions to use the Patch Management Skill. For more information, see Manage RAM user permissions.
Target environment (ECS instances where patches will be applied):
Instance status: The Cloud Assistant Agent must be installed on the target ECS instances. If it is not installed, see Install the Cloud Assistant Agent.
Network connectivity: Instances must have Internet access to download patch packages. To enable Internet access, see Enable public bandwidth.
Operating system: Supports Linux (CentOS, Ubuntu, Alibaba Cloud Linux, Debian, etc.) and Windows Server.
Add the Skill
The Patch Management Skill is available on the Alibaba Cloud Skill platform and ClawHub. You can add it in the following ways:
Conversational (Recommended)
Send the following prompt in the Agent mode chat interface of your AI platform to automatically add and configure the Skill:
Install the skill "Alibabacloud Ecs Patch Management" (sdk-team/alibabacloud-ecs-patch-management) from ClawHub.
Skill page: https://clawhub.ai/sdk-team/alibabacloud-ecs-patch-management
After install, inspect the skill metadata and help me finish setup.
CLI (OpenClaw)
In an OpenClaw environment, add the Skill directly via CLI:
openclaw skills install alibabacloud-ecs-patch-management
Manual
In the Skill management page of your AI platform, add the following Skill URL:
https://skills.aliyun.com/skills/alibabacloud-ecs-patch-management
Usage Scenarios
The Skill supports the following scenarios. Describe your requirements in natural language in the chat interface of your AI platform to trigger the corresponding workflow.
Scan System Patches
Scan the patch status of one or more ECS instances and identify missing patches. The scan workflow includes the following steps:
Confirm target instances: The Skill confirms target instances based on the provided instance IDs and region information.
Confirm parameters: The Skill displays a parameter confirmation table listing the region ID, instance IDs, action type (scan), and patch baseline name, and waits for your confirmation before execution.
Execute scan: The Skill creates a scan task through the OOS StartExecution API and automatically polls the execution status (every 20 seconds, up to 20 minutes).
Output scan report: After the scan completes, the Skill outputs a report containing the execution ID, number of missing patches, patch details, and follow-up recommendations.
Example conversations:
"Scan system patches on i-bp1xxxxxxxx"
"Check which patches are missing on my Hangzhou instance"
"Show me what security updates this instance needs"
Install System Patches
Install missing system patches on one or more ECS instances. The installation workflow includes the following steps:
Confirm target instances: The Skill confirms target instances based on the provided instance IDs and region information.
Configure installation parameters: The Skill guides you to confirm optional parameters such as the reboot policy and whether to create a snapshot backup.
Confirm parameters: Before installation, the Skill displays a parameter confirmation table listing the region ID, instance IDs, action type (install), reboot policy, snapshot configuration, and waits for your confirmation before execution.
Execute installation: The Skill creates an installation task through the OOS StartExecution API and automatically polls the execution status (every 20 seconds, up to 20 minutes).
Output installation report: After the installation completes, the Skill outputs a report containing the execution ID, installation results, reboot status, and follow-up recommendations.
Example conversations:
"Install system patches on i-bp1xxxxxxxx"
"Create a snapshot before installing patches, and reboot later"
"Install security patches on 3 instances in Hangzhou, no reboot needed"
Parameters
The Skill supports the following parameters:
Parameter | Required | Description |
RegionId | Yes | The region ID of the target instances, such as |
InstanceIds | Yes | List of target instance IDs. Up to 1000 instances per operation. |
Action | Yes | The operation type. Valid values: |
rebootIfNeed | No | Whether to allow rebooting instances after patch installation. Default: no. Only takes effect when |
whetherCreateSnapshot | No | Whether to create a system disk snapshot before installation. Default: no. Only takes effect when |
retentionDays | No | Snapshot retention period in days. Valid values: 1 to 65536. Default: 7. Only takes effect when |
FAQ
How do I troubleshoot a failed patch scan or installation?
Common causes and solutions for operation failures:
Instance not running: Verify that the target instance is in the Running state.
Network unavailable: Instances must have Internet access to connect to patch sources. Verify that the instance has Internet access and the security group allows outbound traffic.
Cloud Assistant Agent not installed or offline: Verify that the Cloud Assistant Agent is installed and online on the target instance.
Insufficient disk space: Verify that the instance has sufficient disk space to download and install patch packages.
Insufficient permissions: Verify that the current account has the required RAM permissions.
Is a reboot required after installing patches?
It depends on the patch type. Kernel-level patches typically require a reboot to take effect, while application-level patches generally do not. Use the rebootIfNeed parameter to control reboot behavior:
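true: Allows the system to reboot automatically as needed after patch installation.
false (default): Does not reboot automatically. You decide when to reboot manually after patch installation.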
What if the operation times out but the task is still running?
The Skill polls for up to 20 minutes. If the task times out but is still running, manually check the execution status with the following command:
aliyun oos list-executions --biz-region-id "<RegionId>" --execution-id "<ExecutionId>"
You can find the execution ID in the report output by the Skill.
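The following is an added example, not part of the original documentation or the Skill's own code: a Python wrapper that keeps polling the command above after the Skill's 20-minute window has elapsed. The response shape ({"Executions": [{"ExecutionId", "Status"}]}) and the terminal status names are assumptions, and exec-EXAMPLE is a constructed ID.

```python
import json
import subprocess
import time

# Assumed terminal states of an OOS execution; anything else counts as in progress.
TERMINAL = {"Success", "Failed", "Cancelled"}

def parse_status(raw_json, execution_id):
    """Return Status for execution_id from the CLI's JSON output (assumed shape)."""
    for item in json.loads(raw_json).get("Executions", []):
        if item.get("ExecutionId") == execution_id:
            return item.get("Status", "Unknown")
    raise LookupError(f"execution {execution_id} not found in response")

def fetch_status(region_id, execution_id):
    """Run the command from the FAQ once and return the execution's status."""
    out = subprocess.run(
        ["aliyun", "oos", "list-executions",
         "--biz-region-id", region_id, "--execution-id", execution_id],
        check=True, capture_output=True, text=True, timeout=60,
    ).stdout
    return parse_status(out, execution_id)

def wait_for_execution(fetch, interval=20, max_wait=3600, sleep=time.sleep):
    """Poll fetch() until a terminal status or max_wait seconds; return (status, polls)."""
    waited, polls = 0, 0
    while True:
        status = fetch()
        polls += 1
        if status in TERMINAL:
            return status, polls
        if waited + interval > max_wait:
            # Give up without guessing the outcome; report the last status seen.
            return "TimedOut:" + status, polls
        sleep(interval)
        waited += interval

# Constructed sample response, not real CLI output.
SAMPLE = '{"Executions": [{"ExecutionId": "exec-EXAMPLE", "Status": "Running"}]}'

if __name__ == "__main__":
    import sys
    region, exec_id = sys.argv[1], sys.argv[2]
    status, polls = wait_for_execution(lambda: fetch_status(region, exec_id))
    print(f"{exec_id}: {status} after {polls} polls")
    sys.exit(0 if status == "Success" else 1)
```

Run it with the region ID and execution ID as arguments. A non-zero exit code means the patch run did not finish successfully and the instances should be rescanned before they are treated as patched.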
Can I operate on multiple instances simultaneously?
Yes. Provide multiple instance IDs and the Skill uses the batch execution capability of OOS to operate on multiple instances in parallel, with a maximum of 50 instances per operation.
Should I create a snapshot before installing patches?
We recommend enabling snapshot backups in production environments. Set whetherCreateSnapshot to true and specify an appropriate retentionDays value (default: 7 days). If compatibility issues arise after patch installation, you can quickly roll back the system disk using the snapshot.