To prevent security attacks, we recommend that you fix system vulnerabilities at the earliest opportunity. If you want to keep software packages up to date, scan or install patches, install low-priority patches based on the default patch baseline, or configure a custom patch baseline, you can use the patch management feature of CloudOps Orchestration Service (OOS). This feature helps you quickly fix vulnerabilities and ensures system security and stability. This topic describes how to use the patch management feature of OOS to fix system vulnerabilities at the earliest opportunity.
Patch management modes
Alibaba Cloud OOS provides three patch management modes:
Scan a patch: Check the system vulnerabilities of an Elastic Compute Service (ECS) instance.
Install a patch without restarting an ECS instance: Fix system vulnerabilities without restarting the ECS instance.
Install a patch and restart an ECS instance: Fix system vulnerabilities and restart the ECS instance based on the patch requirement.
If you select RebootIfNeed when you install a patch, the system determines whether to restart an instance based on the information about the patch.
Required permissions
To manage a patch, you must have the following permissions:
{
    "Policy": {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RebootInstance",
                    "ecs:DescribeInvocationResults",
                    "ecs:DescribeCloudAssistantStatus",
                    "ecs:DescribeInstances",
                    "ecs:DescribeInvocations",
                    "ecs:RunCommand"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "oos:ListInstancePatchStates"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}
You can configure the permissions in the Resource Access Management (RAM) console.
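Before attaching a policy to the RAM user or role that runs patch management, it is worth checking that the document grants every action listed above and nothing broader than needed. The following script is an added example, not code from the Alibaba Cloud documentation: it takes the required action names from the policy on this page, reads a candidate policy in the same Version/Statement/Action/Resource/Effect layout (including the outer "Policy" wrapper the page shows), and reports missing actions and wildcard grants. The sample policies are constructed for the example.

```python
"""Check a RAM policy document against the actions OOS patch management needs.

Added example; the required action list comes from the policy shown on the
page, the two sample policies below are constructed for illustration.
"""
import json
from fnmatch import fnmatch

# Actions the page lists as required for patch management.
REQUIRED_ACTIONS = [
    "ecs:RebootInstance",
    "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus",
    "ecs:DescribeInstances",
    "ecs:DescribeInvocations",
    "ecs:RunCommand",
    "oos:ListInstancePatchStates",
]

# The policy exactly as the page shows it.
PAGE_POLICY = json.loads("""
{"Policy": {"Version": "1", "Statement": [
  {"Action": ["ecs:RebootInstance", "ecs:DescribeInvocationResults",
              "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
              "ecs:DescribeInvocations", "ecs:RunCommand"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["oos:ListInstancePatchStates"], "Resource": "*", "Effect": "Allow"}
]}}
""")

# Constructed: a read-only policy that cannot run commands or list patch states.
NARROW_POLICY = {"Version": "1", "Statement": [
    {"Action": ["ecs:RebootInstance", "ecs:DescribeInvocationResults",
                "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
                "ecs:DescribeInvocations"],
     "Resource": "*", "Effect": "Allow"}]}

# Constructed: a policy that over-grants with an ECS wildcard.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Action": "ecs:*", "Resource": "*", "Effect": "Allow"},
    {"Action": ["oos:ListInstancePatchStates"], "Resource": "*", "Effect": "Allow"}]}


def _as_list(value):
    """RAM allows Action to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_patterns(policy):
    """Return (allow_patterns, deny_patterns) from the policy's statements."""
    doc = policy.get("Policy", policy)  # page wraps the document under "Policy"
    allows, denies = set(), set()
    for stmt in _as_list(doc.get("Statement", [])):
        target = allows if stmt.get("Effect") == "Allow" else denies
        for act in _as_list(stmt.get("Action", [])):
            target.add(act.lower())  # RAM action names are case-insensitive
    return allows, denies


def is_granted(action, allows, denies):
    """An explicit Deny wins over any Allow; otherwise match Allow patterns."""
    name = action.lower()
    if any(fnmatch(name, d) for d in denies):
        return False
    return any(fnmatch(name, a) for a in allows)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant, in the page's order."""
    allows, denies = action_patterns(policy)
    return [a for a in required if not is_granted(a, allows, denies)]


def wildcard_grants(policy):
    """Allow patterns containing '*': broader than the page's explicit list."""
    allows, _ = action_patterns(policy)
    return sorted(p for p in allows if "*" in p)


if __name__ == "__main__":
    for label, pol in (("page", PAGE_POLICY), ("narrow", NARROW_POLICY),
                       ("broad", BROAD_POLICY)):
        print(label, "missing:", missing_actions(pol),
              "wildcards:", wildcard_grants(pol))
```

The page's own policy passes with no missing actions and no wildcards; the narrow policy fails on ecs:RunCommand and oos:ListInstancePatchStates, and the broad one passes the completeness check but is flagged for ecs:*, which is the case to tighten before attaching.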
Procedure
Log on to the CloudOps Orchestration Service console. In the left-side navigation pane, click Quick Setup.
On the Quick Setup page, click Create in the Patch Management section.
On the Patch Management page, select Executed Once at the Specified Time or Executed Periodically for the TimerTrigger parameter.
Executed Once at the Specified Time: A scheduled fix is executed at the specified point in time.
Executed Periodically: A scheduled fix is executed on a regular basis.
Select Scan and Install or Scan Only for the Action parameter. If you select Scan and Install, you can specify whether to restart an instance and whether to create a snapshot.
Select the instance on which you want to install a patch.
Click Create. In the dialog box that appears, click OK.
In the left-side navigation pane, choose
to view the fix status.