OS inventory management


This page provides an overview of OS inventory management. For information on setting up and using OS inventory management, see Viewing operating system details.

Use OS inventory management to collect and view operating system details for your virtual machine (VM) instances. These operating system details include information such as hostname, operating system, and kernel version. You can also get information about installed OS packages, available OS package updates, Windows applications and OS vulnerabilities.

OS inventory management versions

Two versions of OS inventory management are available:

The following table compares the two options:

OS inventory management (earlier version) OS inventory management
VM Manager must be set up
OS Config agent version Any Version dated 20201110 or later1
Guest attribute must be enabled on VM or project
Resource type2 Global Zonal
Vulnerability reports
Cloud Asset Inventory integration
Security Command Center integration (preview)
Launch stage GA GA

1To view agent version, see View OS Config agent version.

2For information about resource types, see Global, regional, and zonal resources.

When to use OS inventory management

OS inventory management can be used to complete the following tasks:

  • Identify VMs that are running a specific version of an operating system
  • View operating system packages that are installed on a VM
  • Generate a list of operating system package updates that are available for each VM
  • Identify missing operating system packages, updates, or patches for a VM
  • View vulnerability reports for a VM

How OS inventory management works

When OS inventory management is enabled, the OS Config agent runs an inventory scan to collect data, and then sends this information to the metadata server, OS Config API, and various log streams. This scan runs every 10 minutes on the VM.

To enable OS inventory management, VM Manager must be set up on the VM. See Setting up VM Manager.

After you set up VM Manager, you can then query either the guest attributes or the OS Config API to retrieve information about the operating system that is running on a VM. See Viewing operating system details.

How the operating system data is collected

For Linux VMs, the OS Config agent runs on the VM and parses the /etc/os-release, or the equivalent file for the Linux distribution to gather operating system details. The OS Config agent also uses package managers such as apt, yum, or GooGet to collect information about the installed packages and available updates for the instance.

For Windows VMs, the OS Config agent uses the Windows system APIs to collect the OS information details. The Windows Update agent is also used to find the installed and available updates.

Where the operating system data is stored

Inventory data is stored as either guest attributes under the guestInventory namespace or in the OS Config API. The contents for the installed packages and package updates are compressed using gzip and then base64 encoded to save space.

Logging

During the collection and storage of data, the OS Config agent writes activity logs to the various log streams on Compute Engine. These include:

  • The serial port
  • System logs - Windows event log and Linux syslog
  • Standard streams - stdout
  • Cloud Logging logs - These logs are only available if Cloud Logging is enabled on the VM instance.

Information provided by OS inventory management

OS inventory management can provide the following information about the operating system that is running on your VM instance:

  • Hostname
  • LongName - The detailed operating system name. For example, Microsoft Windows Server 2016 Datacenter.
  • ShortName - The short form of the operating system name. For example, Windows.
  • Kernel version
  • OS architecture
  • OS version
  • OS Config agent version
  • Last updated - A timestamp of the last time the agent successfully scanned the system and updated the guest attributes with OS Inventory data.

Installed operating system package and application information

The following table summarizes the information that OS inventory management provides for installed operating system packages on Linux and Windows VMs. It also outlines the information that is available for applications that are running on Windows.

Operating system Package manager Available fields
Linux and Windows Server Installed package information is available from the following package managers:
  • RPM for Red Hat Enterprise Linux (RHEL)
  • DEB for Debian and Ubuntu
  • GooGet for Windows Server
For each installed package the following information is provided:
  • Name of the package
  • Architecture
  • Version
Windows Server Windows update agent The following fields are listed for the Windows updates:
  • Title
  • Description
  • Categories
  • CategoryIDs1
  • KBArticleIDs
  • SupportURL
  • UpdateID1
  • RevisionNumber1
  • LastDeploymentChangeTime
Windows Server Windows Quick Fix Engineering updates The following fields are listed for the QuickFixEngineering updates
  • Caption
  • Description
  • HotFixID
  • InstalledOn
Windows Server Windows Installer 2 The following fields are listed for the Windows Installer:
  • DisplayName
  • DisplayVersion
  • Publisher
  • InstallDate
  • HelpLink

1This field is hidden in the default gcloud compute instances os-inventory describe command-line output. To view this field you must view the output in the JSON format. To view the output in JSON format, append the --format=JSON to the gcloud command. For more information about output formatting, review gcloud topic formats.

2To view installer properties for your Windows applications, you need OS Config agent version 20210811 or later. To view agent version, see View OS Config agent version.

Available operating system package update information

The following table summarises the update information that OS inventory management provides for installed operating system packages.

Operating system Package manager Available fields
Linux and Windows Server Package update information is available from the following package managers:
  • Yum for Red Hat Enterprise Linux (RHEL)
  • Apt for Debian and Ubuntu
  • GooGet for Windows Server
For each package update that is available the following information is provided:
  • Name of the package
  • Architecture
  • Version
Windows Server Windows update agent The following fields are listed for the Windows updates:
  • Title
  • Description
  • Categories
  • CategoryIDs1
  • KBArticleIDs
  • SupportURL
  • UpdateID1
  • RevisionNumber1
  • LastDeploymentChangeTime

1This field is hidden in the default gcloud compute instances os-inventory describe command-line output. To view this field you must view the output in the JSON format. To view the output in JSON format, append the --format=JSON to the gcloud command. For more information about output formatting, review gcloud topic formats.

Vulnerability reports

Software vulnerabilities are weaknesses that can either cause an accidental system failure or result in malicious activity. For VMs, a vulnerability can be an issue in the code or the logic of operation for either operating system packages or software applications.

Vulnerabilities associated with the installed operating system packages are normally stored in a vulnerability source repository. For more information about these vulnerability sources, see Vulnerability sources. You can use OS inventory management to view vulnerability reports for issues with installed OS packages.

To get vulnerability data for a VM, VM Manager must be set up, and OS Config agent version dated 20201110 or later must be running on the VM. See Setting up VM Manager.

After the OS Config agent is set up and reporting inventory, the OS Config API service continuously scans and checks the vulnerability source of the operating system against the available inventory data. When a vulnerability is detected in the operating system packages, the service generates a vulnerability report. These reports are generated as follows:

  • For most vulnerabilities in the installed operating system package, the OS Config API generates a vulnerability report within a few minutes of the change.
  • For Common Vulnerabilities and Exposures (CVEs), the OS Config API generates the vulnerability report within three to four hours after the CVE is published to the operating system.

To view these vulnerability reports, see View vulnerability reports.

Data retention

OS inventory and vulnerability report data is stored until the VM is deleted. However, if for any reason the OS Config agent stops reporting to the OS Config API service for a few days, then VM Manager deletes the available OS inventory and vulnerability report data collected until that point. No data will be available for that VM until the OS Config agent starts running again.

Pricing

For information about pricing, see VM Manager pricing.

What's next