All Products
Search
Document Center

CloudOps Orchestration Service:How Patch Manager works

Last Updated:Jun 02, 2026

Patch Manager scans system patches, checks their status, and installs missing patches on Linux and Windows instances.

Linux

Patch Manager supports multiple Linux distributions. Each uses a different package manager to scan and install patches.

Operating system

Package manager

CentOS 7, Alibaba Cloud Linux 2, and Red Hat Enterprise Linux 7

YUM

CentOS Stream 9, Alibaba Cloud Linux 3, Red Hat Enterprise Linux 8 and 9, Anolis OS 8, AlmaLinux OS 8 and 9, Rocky Linux 8 and 9, and Fedora 37, 38, and 39

DNF

Ubuntu 16.04, 18.04, 20.04, 22.04, and 24.04

APT

Debian 11/12

APT

SUSE Linux Enterprise Server (SLES) 12 and 15, and openSUSE 15

Zypper

Patch baselines on YUM and DNF

CentOS, Alibaba Cloud Linux, Red Hat Enterprise Linux, and Anolis OS use YUM or DNF to manage packages. Both support update notifications stored in a updateinfo.xml file in the software repository. Each update notification contains a set of packages that fix specific issues. These packages are treated as security packages. If you do not select Include Non-security Updates when creating a patch baseline, only packages listed in update notifications are eligible.

Fields in updateinfo.xml:

Parameter

Description

type

Update notification type. Valid values:

Security

Bugfix

Enhancement

Recommended

Newpackage

title

Update notification title.

severity

Severity level. Valid values:

Critical

Important

Moderate

Low

Unspecified

summary

Brief description.

description

Detailed description.

references

References, including CVE and Bugzilla information.

pkglist

Associated RPM packages.

Patch Manager filters update notifications in updateinfo.xml based on patch baseline rules. For example, the CentOS public baseline specifies:

'PatchFilterGroup': [
    {
        'Values': [
            '*'
        ],
        'Key': 'Product'
    },
    {
        'Values': [
            'Security',
            'Bugfix'
        ],
        'Key':'Classification'
    },
    {
        'Values': [
            'Critical',
            'Important'
        ],
        'Key': 'Severity'
    }
]

This rule matches Security or Bugfix updates at Critical or Important severity. Equivalent yum command:

yum check-update --security --bugfix --secseverity=Critical,Important

Equivalent dnf commands:

dnf  check-update --security --bugfix --secseverity=Critical
dnf  check-update --security --bugfix --secseverity=Important

If a custom baseline rule does not specify patch types or severity levels, the equivalent commands are:

yum check-update --security
dnf check-update --security

After filtering, Patch Manager runs the yum(update api) or dnf update command to install patches, then restarts the instance. If Allow Restart is set to No, the instance is not restarted.

Note: If kernel live patching is enabled on Alibaba Cloud Linux 2 and only kernel live patches are installed, Patch Manager skips the restart. Kernel Live Patching overview.

Patch baselines on APT

On Debian and Ubuntu, patch baselines select patches based on the Priority and Section fields of DEB packages.

Patch Manager scans and installs patches as follows:

1. Runs apt update to refresh the package list.

2. Matches upgradable packages against the patch baseline. If Include Non-security Updates is not selected, only packages in the security repository are eligible. Security repository names by OS:

Debian Server 8: debian-security jessie
Debian Server 9: debian-security stretch
Debian Server 10: debian-security buster
Debian Server 11: debian-security bullseye
Debian Server 12: debian-security bookworm
Ubuntu Server 16.04 LTS: xenial-security
Ubuntu Server 18.04 LTS: bionic-security
Ubuntu Server 20.04 LTS: focal-security
Ubuntu Server 22.04 LTS: jammy-security

The Debian/Ubuntu public baseline matches packages with Required or Important priority:

'PatchFilterGroup': [
    {
        'Values': [
            '*'
        ],
        'Key': 'Product'
    },
    {
        'Values': [
            'Required',
            'Important'
        ],
        'Key': 'Severity'
}

This rule is equivalent to:

1. Run apt list --upgradable to list all upgradable packages.

2. Run apt list -a package-name to list all versions, sorted latest to earliest.

3. Run apt show package-name=={Version} to check the priority and whether it meets the baseline rule.

4. Verify the matching version is in the security repository.

Patch Manager runs the apt update api command to install matched patches, then restarts the instance. If Allow Restart is set to No, the instance is not restarted.

Patch baselines on Zypper

On SLES and openSUSE, Zypper manages system patches. Run zypper list-patches to list applicable patches. Patch attributes:

status

not needed: Patch is not required.

applied: The patch is installed.

need: Patch must be installed.

Category

Category

  • security: Fixes security vulnerabilities and bugs.

  • recommended: Improves performance, functionality, or compatibility.

  • optional: Additional features or non-critical fixes.

  • feature: Adds or improves functionality.

  • document: Documentation updates.

  • yast: YaST system management patches.

Severity

Severity

  • low: low-level issues or risks.

  • moderate: moderate issues or risks.

  • important: important issues or risks.

  • critical: critical issues or risks.

  • unspecified: unspecified issues or risks.

Created On

Patch creation date.

Zypper patch baselines filter by Category and Severity. Example:

"PatchFilterGroup": [
    {
        "Values": [
            "*"
        ],
        "Key": "Product"
    },
    {
        "Values": [
            "security",
            "recommended"
        ],
        "Key": "Classification"
    },
    {
        "Values": [
            "Critical",
            "Important",
            "Moderate"
        ],
        "Key": "Severity"
    }
],

This rule matches security and recommended patches at Critical, Important, or Moderate severity.

Windows

Windows patch update process

During scanning or installation, Patch Manager removes superseded updates and shows only the latest. For example, if KB4550961 is superseded by KB4556846, only KB4556846 appears.

If a patch has dependencies, install them first. The dependent patch becomes detectable only after its dependencies are installed and a rescan runs. For example, KB5005076 depends on KB4566425 — KB5005076 is not detected until KB4566425 is installed.

Note: Patch Manager supports only Windows Server 2012 R2, Server 2016, Server 2019, Server 2022, and Server 2025.