Solved: Re: GCP VM patch management(VM manager)

gcloudLearning · 07-21-2023 09:33 AM

IN OS patch management , We have defined patch deployment schedule.

I want to check if we dont define any additional patch configuration -> patch attribute . and use the default setting after selecting the machines,

Will all kind of patches (security etc) be applied on machines or untill we define the configuration , updates will not start. ? Do we need to specify the patch attribute in each schedule that we create

also please let me know how the updates cycle in Google cloud . example Microsoft relarese patches every 3rd week of the month. how it's in google cloud .

Willbin

Hello @gcloudLearning,

Welcome to Google Cloud Community!

For Patch configuration, this document might be useful for you.

When running a patch job, you can specify parameters to control the patches that are applied on the VM. The patch configuration parameters are platform dependent and are often passed through to the underlying system update tools. The actual patches are sourced from the package repositories (Linux) or the Windows Update server (Windows) that is configured on the VM.

You can specify the following patch configurations for your VMs:

For Windows, you specify the classification of patches to apply (eg. Security and Critical) or target specific KBs to exclude. For more information about patch classification, see the Microsoft support documentation.

For RHEL, Rocky Linux, and CentOS, the underlying system is yum. For patches that target these VMs, you can specify security and minimal packages. You can also exclude specific packages. For more information, see the yum man pages.

For Debian & Ubuntu, the underlying system is apt. For patches that target these VMs, you can specify dist-upgrade or a standard upgrade. You can also exclude specific packages. For more information, see either the Debian man pages or Ubuntu man pages.

For SuSE, the underlying system is zypper, specifically using zypper patches. For patches that target these VMs, you can specify options such as:

with update: update all packages not covered by patches

with optional: optional patches are treated as needed

The categories or severities of patches to apply

You can also exclude specific patches.

Optionally, for all the supported operating systems, you can select to install approved patches only by specifying these updates. This allows you to enter a list of approved packages or patches. When you select these approved patches, only the approved packages or patches are installed. All other patch configuration parameters are skipped during the update.

It will always depend on the OS providers, they usually publish updates every month.

Here's additional info that might be useful for you.
OS patch management
Schedule patch jobs
Monitor patch jobs

View solution in original post

Willbin

Hello @gcloudLearning,

Welcome to Google Cloud Community!

For Patch configuration, this document might be useful for you.

When running a patch job, you can specify parameters to control the patches that are applied on the VM. The patch configuration parameters are platform dependent and are often passed through to the underlying system update tools. The actual patches are sourced from the package repositories (Linux) or the Windows Update server (Windows) that is configured on the VM.

You can specify the following patch configurations for your VMs:

For Windows, you specify the classification of patches to apply (eg. Security and Critical) or target specific KBs to exclude. For more information about patch classification, see the Microsoft support documentation.

For RHEL, Rocky Linux, and CentOS, the underlying system is yum. For patches that target these VMs, you can specify security and minimal packages. You can also exclude specific packages. For more information, see the yum man pages.

For Debian & Ubuntu, the underlying system is apt. For patches that target these VMs, you can specify dist-upgrade or a standard upgrade. You can also exclude specific packages. For more information, see either the Debian man pages or Ubuntu man pages.

For SuSE, the underlying system is zypper, specifically using zypper patches. For patches that target these VMs, you can specify options such as:

with update: update all packages not covered by patches

with optional: optional patches are treated as needed

The categories or severities of patches to apply

You can also exclude specific patches.

Optionally, for all the supported operating systems, you can select to install approved patches only by specifying these updates. This allows you to enter a list of approved packages or patches. When you select these approved patches, only the approved packages or patches are installed. All other patch configuration parameters are skipped during the update.

It will always depend on the OS providers, they usually publish updates every month.

Here's additional info that might be useful for you.
OS patch management
Schedule patch jobs
Monitor patch jobs

gcloudLearning

If i take by default configuration , where If i dont define any specific critical or security parameter , will it patch the security and critical patch?

Willbin

Hello @gcloudLearning,

In creating a patch deployment, you really need to choose the patches you want to apply as shown below. As tested, no updates will be applied if you don't choose any patches from the list.

Thanks!

gcloudLearning

@Willbin Thanks for the information . because as per the note 'Path attribute" they clearly mentioned that standard patches will be applied ,that means security and critical will also be applied . looks like statement is not correct,