CloudOps Orchestration Service: Immediate fix

Last Updated: Dec 26, 2024

To prevent security attacks, we recommend that you fix system vulnerabilities at the earliest opportunity. If you need to keep software packages up to date, or scan for or install patches, you can use the patch management feature of CloudOps Orchestration Service (OOS). This feature helps you quickly fix vulnerabilities and ensure system security and stability. This topic describes how to use the patch management feature of OOS to fix system vulnerabilities at the earliest opportunity.

Patch management modes

Alibaba Cloud OOS provides three patch management modes.

Warning

If you select RebootIfNeed when you install a patch, the system determines whether to restart an instance based on the information about the patch.

  1. Scan a patch: Check the system vulnerabilities of an Elastic Compute Service (ECS) instance.

  2. Install a patch without restarting an ECS instance: Fix system vulnerabilities without restarting the ECS instance.

  3. Install a patch and restart an ECS instance: Fix system vulnerabilities and restart the ECS instance based on the patch requirement.

Required permissions

To manage a patch, you must have the following permissions:

{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oos:ListInstancePatchStates"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}

You can configure the permissions in the Resource Access Management (RAM) console.
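A least-privilege check for the policy above, added here as an example and not Alibaba Cloud code: it compares a RAM policy document with the seven actions listed on this page and reports required actions that are not granted and granted patterns that go beyond them. The function name, the constructed SAMPLE policy and the simplifications (case-sensitive action names, `*` wildcards only, Resource, Condition and NotAction ignored) are assumptions.

```python
import fnmatch
import json

# Actions required for patch management, copied from the policy on this page.
REQUIRED = {
    "ecs:RebootInstance", "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
    "ecs:DescribeInvocations", "ecs:RunCommand",
    "oos:ListInstancePatchStates",
}

# Constructed sample policy (not from the page): too broad and incomplete.
SAMPLE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:Describe*", "ecs:RunCommand", "ecs:RebootInstance",
                "ecs:DeleteInstance"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ecs:RebootInstance"},
]})

def _as_list(value):
    # RAM accepts a single string or a list for Action and Statement.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (missing, extra): required actions that are not effectively
    allowed, and allowed patterns that are not one of the required actions."""
    doc = json.loads(policy_json)
    doc = doc.get("Policy", doc)  # accept the wrapped form shown on this page
    allow, deny = [], []
    for stmt in _as_list(doc.get("Statement", [])):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action", [])))

    def granted(action):
        hit = lambda pats: any(fnmatch.fnmatchcase(action, p) for p in pats)
        return hit(allow) and not hit(deny)  # an explicit Deny wins

    missing = sorted(a for a in REQUIRED if not granted(a))
    extra = sorted(set(allow) - REQUIRED)
    return missing, extra

if __name__ == "__main__":
    missing, extra = audit_policy(SAMPLE)
    print("missing:", missing)
    print("beyond the page's list:", extra)
```

Because the page's policy uses "Resource": "*", a clean result here only confirms the action list; which instances the role can run commands on or reboot is a separate review.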

Procedure

  1. Log on to the CloudOps Orchestration Service console. In the left-side navigation pane, click Quick Setup.

  2. On the Quick Setup page, click Create in the Patch Management section.

  3. Select Execute Now for the TimerTrigger parameter. Select Scan and Install or Scan Only for the Action parameter. If you select Scan and Install, you can specify whether to restart an instance and whether to create a snapshot.

  4. Select the instance on which you want to install a patch.

  5. Click Create. In the dialog box that appears, click OK.

  6. In the left-side navigation pane, choose Server Management > Patch Management to view the fix status.