To prevent security attacks, we recommend that you fix system vulnerabilities at the earliest opportunity. If you need to keep software packages up-to-date, or scan or install patches, you can use the patch management feature of CloudOps Orchestration Service (OOS). This feature helps you quickly fix vulnerabilities and ensure system security and stability. This topic describes how to use the patch management feature of OOS to fix system vulnerabilities at the earliest opportunity.
Patch management modes
Alibaba Cloud OOS provides three patch management modes.
If you select RebootIfNeed when you install a patch, the system determines whether to restart an instance based on the information about the patch.
Scan a patch: Check the system vulnerabilities of an Elastic Compute Service (ECS) instance.
Install a patch without restarting an ECS instance: Fix system vulnerabilities without restarting the ECS instance.
Install a patch and restart an ECS instance: Fix system vulnerabilities and restart the ECS instance based on the patch requirement.
Required permissions
To manage a patch, you must have the following permissions:
{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oos:ListInstancePatchStates"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}
You can configure the permissions in the Resource Access Management (RAM) console.
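The policy above allows ecs:RunCommand and ecs:RebootInstance on every resource. The following added example (not part of the original topic or of OOS) parses a policy document of this shape and reports which state-changing actions are granted without a resource scope, so that the grant can be reviewed before it is attached. The function names, the choice of which actions count as state-changing, and the constructed instance ID used in testing are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# The policy from this topic, embedded so the example runs offline.
PAGE_POLICY = json.loads("""
{"Policy": {"Version": "1", "Statement": [
  {"Action": ["ecs:RebootInstance", "ecs:DescribeInvocationResults",
              "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
              "ecs:DescribeInvocations", "ecs:RunCommand"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["oos:ListInstancePatchStates"], "Resource": "*", "Effect": "Allow"}
]}}
""")

# Assumption of this example: the actions treated as state-changing.
STATE_CHANGING = ("ecs:RunCommand", "ecs:RebootInstance")


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def broad_grants(document, sensitive=STATE_CHANGING):
    """Return sorted (action, resource) pairs where an Allow statement grants
    a sensitive action on an unscoped resource ("*" or ending in "/*")."""
    policy = document.get("Policy", document)  # accept wrapped or bare policy
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = [r for r in as_list(stmt.get("Resource", []))
                    if r == "*" or r.endswith("/*")]
        for pattern in as_list(stmt.get("Action", [])):
            # A granted pattern such as "ecs:*" also covers sensitive actions.
            for action in sensitive:
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.update((action, r) for r in unscoped)
    return sorted(findings)


if __name__ == "__main__":
    for action, resource in broad_grants(PAGE_POLICY):
        print(f"{action} is allowed on {resource}")
```

The read-only Describe and List actions are not reported; only the two actions that can change instance state are.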
Procedure
Log on to the CloudOps Orchestration Service console. In the left-side navigation pane, click Quick Setup.
On the Quick Setup page, click Create in the Patch Management section.
Select Execute Now for the TimerTrigger parameter. Select Scan and Install or Scan Only for the Action parameter. If you select Scan and Install, you can specify whether to restart an instance and whether to create a snapshot.
Select the instance on which you want to install a patch.
Click Create. In the dialog box that appears, click OK.
In the left-side navigation pane, choose
to view the fix status.