Patch Manager scans system patches, checks their status, and installs missing patches on Linux and Windows instances.
Linux
Patch Manager supports multiple Linux distributions. Each uses a different package manager to scan and install patches.
|
Operating system |
Package manager |
|
CentOS 7, Alibaba Cloud Linux 2, and Red Hat Enterprise Linux 7 |
YUM |
|
CentOS Stream 9, Alibaba Cloud Linux 3, Red Hat Enterprise Linux 8 and 9, Anolis OS 8, AlmaLinux OS 8 and 9, Rocky Linux 8 and 9, and Fedora 37, 38, and 39 |
DNF |
|
Ubuntu 16.04, 18.04, 20.04, 22.04, and 24.04 |
APT |
|
Debian 11/12 |
APT |
|
SUSE Linux Enterprise Server (SLES) 12 and 15, and openSUSE 15 |
Zypper |
Patch baselines on YUM and DNF
CentOS, Alibaba Cloud Linux, Red Hat Enterprise Linux, and Anolis OS use YUM or DNF to manage packages. Both support update notifications stored in a updateinfo.xml file in the software repository. Each update notification contains a set of packages that fix specific issues. These packages are treated as security packages. If you do not select Include Non-security Updates when creating a patch baseline, only packages listed in update notifications are eligible.
Fields in updateinfo.xml:
|
Parameter |
Description |
|
type |
Update notification type. Valid values: Security Bugfix Enhancement Recommended Newpackage |
|
title |
Update notification title. |
|
severity |
Severity level. Valid values: Critical Important Moderate Low Unspecified |
|
summary |
Brief description. |
|
description |
Detailed description. |
|
references |
References, including CVE and Bugzilla information. |
|
pkglist |
Associated RPM packages. |
Patch Manager filters update notifications in updateinfo.xml based on patch baseline rules. For example, the CentOS public baseline specifies:
'PatchFilterGroup': [
{
'Values': [
'*'
],
'Key': 'Product'
},
{
'Values': [
'Security',
'Bugfix'
],
'Key':'Classification'
},
{
'Values': [
'Critical',
'Important'
],
'Key': 'Severity'
}
]
This rule matches Security or Bugfix updates at Critical or Important severity. Equivalent yum command:
yum check-update --security --bugfix --secseverity=Critical,Important
Equivalent dnf commands:
dnf check-update --security --bugfix --secseverity=Critical
dnf check-update --security --bugfix --secseverity=Important
If a custom baseline rule does not specify patch types or severity levels, the equivalent commands are:
yum check-update --security
dnf check-update --security
After filtering, Patch Manager runs the yum(update api) or dnf update command to install patches, then restarts the instance. If Allow Restart is set to No, the instance is not restarted.
Note: If kernel live patching is enabled on Alibaba Cloud Linux 2 and only kernel live patches are installed, Patch Manager skips the restart. Kernel Live Patching overview.
Patch baselines on APT
On Debian and Ubuntu, patch baselines select patches based on the Priority and Section fields of DEB packages.
Patch Manager scans and installs patches as follows:
1. Runs apt update to refresh the package list.
2. Matches upgradable packages against the patch baseline. If Include Non-security Updates is not selected, only packages in the security repository are eligible. Security repository names by OS:
Debian Server 8: debian-security jessie
Debian Server 9: debian-security stretch
Debian Server 10: debian-security buster
Debian Server 11: debian-security bullseye
Debian Server 12: debian-security bookworm
Ubuntu Server 16.04 LTS: xenial-security
Ubuntu Server 18.04 LTS: bionic-security
Ubuntu Server 20.04 LTS: focal-security
Ubuntu Server 22.04 LTS: jammy-security
The Debian/Ubuntu public baseline matches packages with Required or Important priority:
'PatchFilterGroup': [
{
'Values': [
'*'
],
'Key': 'Product'
},
{
'Values': [
'Required',
'Important'
],
'Key': 'Severity'
}
This rule is equivalent to:
1. Run apt list --upgradable to list all upgradable packages.
2. Run apt list -a package-name to list all versions, sorted latest to earliest.
3. Run apt show package-name=={Version} to check the priority and whether it meets the baseline rule.
4. Verify the matching version is in the security repository.
Patch Manager runs the apt update api command to install matched patches, then restarts the instance. If Allow Restart is set to No, the instance is not restarted.
Patch baselines on Zypper
On SLES and openSUSE, Zypper manages system patches. Run zypper list-patches to list applicable patches. Patch attributes:
|
status |
not needed: Patch is not required. applied: The patch is installed. need: Patch must be installed. |
|
Category Category |
|
|
Severity Severity |
|
|
Created On |
Patch creation date. |
Zypper patch baselines filter by Category and Severity. Example:
"PatchFilterGroup": [
{
"Values": [
"*"
],
"Key": "Product"
},
{
"Values": [
"security",
"recommended"
],
"Key": "Classification"
},
{
"Values": [
"Critical",
"Important",
"Moderate"
],
"Key": "Severity"
}
],
This rule matches security and recommended patches at Critical, Important, or Moderate severity.
Windows
Windows patch update process
During scanning or installation, Patch Manager removes superseded updates and shows only the latest. For example, if KB4550961 is superseded by KB4556846, only KB4556846 appears.
If a patch has dependencies, install them first. The dependent patch becomes detectable only after its dependencies are installed and a rescan runs. For example, KB5005076 depends on KB4566425 — KB5005076 is not detected until KB4566425 is installed.
Note: Patch Manager supports only Windows Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025.