Dear Community,
We have been facing downtime in our application and have been going through all logs coming from the Google Cloud Ops agent to make sure we understand all of them and whether they may be causing issues due to misconfiguration or other problems.
These logs in particular have been appearing very often since we first installed the Ops agent on our servers.
I would love it if someone could shed light on these error logs and on whether there's a way to disable them if doing so will not impact our systems.
1. Workload Certificate Refresh Issue
Log Message:
Finished GCE Workload Certificate refresh Error getting config status, workload certificates may not be configured: failed to GET "instance/gce-workload-certificates/config-status" from MDS with error: error connecting to metadata server, status code: 404"
Cause:
This error occurs because the instance metadata server (MDS) is unable to find the workload certificate configuration. This feature is primarily used for securing workloads in GCE instances.
If your setup does not use GCE Workload Identity or workload certificates, these logs are harmless.
Solution:
Disable Workload Certificate Monitoring:
If you don't require workload certificates, you can disable it by adding the following in your Ops Agent config file (/etc/google-cloud-ops-agent/config.yaml):
```yaml
metrics:
  receivers: []
  processors: []
```
Ensure Metadata Server Connectivity:
Run the following command to check if the metadata server is reachable:
```
curl "http://metadata.google.internal/computeMetadata/v1/instance/" -H "Metadata-Flavor: Google"
```
If the request fails, verify firewall rules or VPC restrictions blocking metadata access.
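The following script is an added example, not part of the original post or of any Google tooling. It runs the connectivity check above together with a request for the `instance/gce-workload-certificates/config-status` path quoted in the log message, and separates "metadata server reachable, workload certificates not configured" from a real connectivity problem. The function names and verdict labels are hypothetical, and it assumes `curl` is installed on the instance.

```shell
#!/bin/sh
# Added example: triage the workload-certificate 404 against basic
# metadata server (MDS) reachability. Names and labels are illustrative.

MDS_BASE="http://metadata.google.internal/computeMetadata/v1"
WC_PATH="instance/gce-workload-certificates/config-status"  # path from the log line

# Map an HTTP status code to a coarse verdict.
# curl reports 000 when it could not connect or timed out.
classify_mds_status() {
    case "$1" in
        200)     echo "ok" ;;
        404)     echo "not-found" ;;
        000|"")  echo "unreachable" ;;
        *)       echo "unexpected" ;;
    esac
}

# Print only the HTTP status code for a path under the MDS base URL.
mds_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 3 \
        -H "Metadata-Flavor: Google" "$MDS_BASE/$1"
}

# Combine both results: $1 = status for instance/, $2 = status for WC_PATH.
triage() {
    base=$(classify_mds_status "$1")
    cert=$(classify_mds_status "$2")
    if [ "$base" != "ok" ]; then
        echo "connectivity"      # MDS itself is not answering: check firewall/VPC rules
    elif [ "$cert" = "not-found" ]; then
        echo "not-configured"    # MDS is fine; the 404 only means no workload cert config
    elif [ "$cert" = "ok" ]; then
        echo "configured"        # config-status exists, so the log line should not appear
    else
        echo "investigate"       # reachable MDS but an unexpected answer for this path
    fi
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--probe" ]; then
    base_code=$(mds_status "instance/") || true
    cert_code=$(mds_status "$WC_PATH") || true
    echo "instance/=$base_code config-status=$cert_code -> $(triage "$base_code" "$cert_code")"
fi
```

Run it on the instance with `--probe`; a `not-configured` verdict means the metadata server is reachable and the 404 in the log refers only to the missing workload certificate configuration.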