Managing guest policies

After you create a guest policy, you can use the following procedures to review and manage your policies:

• Update guest policies: Modify your guest policy configurations.
• Describe guest policies: Get details about a specific guest policy.
• List guest policies: View a list of guest policies in a project.
• Delete a guest: Delete a specific guest policy.
• View configurations for a VM instance: View configurations that are applied to a VM instance.
• Debug a guest policy: Troubleshoot a guest policy.

Since the OS Config agent runs every 10-15 minutes, when you set up a update or deletion of a policy it will take roughly 10-15 minutes to take effect.

You can manage your guest policies using either the gcloud command-line tool or the Cloud OS Config API.

In the gcloud command-line tool and the Cloud OS Config API, the name of the guest policy name is referred to as the policy-id.

Before you begin

• If you want to use the command-line examples in this guide:
  1. Install or update to the latest version of the gcloud command-line tool.
  2. Set a default region and zone.
• If you want to use the API examples in this guide, set up API access.

Updating guest policies

To update a guest policy, complete the following steps:

1. Update the YAML or JSON file.
2. Run an update or patch command. The update process is similar to the create process with the addition of support for etags that allow for concurrency and consistency control.

gcloud beta compute os-config guest-policies update policy-id \
     --file=file

PATCH https://osconfig.googleapis.com/v1beta/projects/project-id/guestPolicies/policy-id

{
  For more information, see Guest policy JSON
}

Describing a guest policy

gcloud beta compute os-config guest-policies describe policy-id

GET https://osconfig.googleapis.com/v1beta/projects/project-id/guestPolicies/policy-id

Listing guest policies

gcloud beta compute os-config guest-policies list

GET https://osconfig.googleapis.com/v1beta/projects/project-id/guestPolicies

Deleting guest policies

When the OS Config agent detects that a deletion of a guest policy is triggered, the current state of the system is maintained, but no further maintenance of the configuration is done. For example, say you have a guest policy package-update- zone2b set up that installs a package my-package on all VMs in zone us- west2-b and keeps the package UPDATED.

If you delete the package-update-zone2b policy, the following changes take place:

• All VMs in us-west2-b that have my-package installed, keeps my-package installed. There is no reversion of the current system state.

• On all future runs of the OS Config agent, after the policy deletion, the following takes place:

  • If a new VM is added to us-west2-b,my-package is not installed on this new VM.
  • For instances with my-package installed, the package is not updated.

gcloud beta compute os-config guest-policies delete policy-id

DELETE https://osconfig.googleapis.com/v1beta/projects/project-id/guestPolicies/policy-id

Viewing configurations for a VM instance

gcloud beta compute os-config guest-policies lookup instance-name \
    --zone=zone

POST https://osconfig.googleapis.com/v1beta/projects/project-id/zones/zone/instances/instance-name:lookupEffectiveGuestPolicy

Debugging a guest policy

You can enable debug logging by setting the metadata osconfig-log-level=debug on the VM instance or project. You can then review either the Cloud Logging or serial port (console) logs for the instance. The OS Config agent writes its log entries to both locations.

Inspect Cloud Logging

After you enable Cloud Logging, the OS Config agent publishes messages in the logs. These logs entries track the following information for the OS Config agent:

• The version of the OS Config Agent that is installed in the VM.
• Polling of the OS Config API for any guest policies applicable to this VM.
• Reception of all guest policies applicable to this VM instance.
• Execution of guest policies steps.
• Any errors encountered during the process.

You can use the Cloud Console or gcloud command-line tool to inspect Cloud Logging logs corresponding to a specific VM instance.

gcloud logging read "resource.type=gce_instance AND logName=projects/${DEVSHELL_PROJECT_ID}/logs/OSConfigAgent AND severity=ERROR"

For more details, see Viewing Cloud Logging logs

Inspecting guest policies

You can use the Cloud Console or gcloud command-line tool to inspect the guest policies associated with your project.

Inspecting guest policies for a particular VM instance

You can also run the lookup command for a given instance to see which configurations apply to that VM instance.

In cases where a VM instance does not seem to be appying the requirements of the expected guest policy, it is useful to inspect the list of guest policies whose assignments include that specific VM instance. This helps to determine if the Assignment field in the guest policy matches this particular VM.

Use the os-config guest-policies lookup command to list the guest policies that might be targeting a particular VM. Replace VM_NAME with the name of the VM to inspect.

gcloud beta compute os-config guest-policies lookup VM_NAME

For more information, see Viewing configurations for a VM instance.

The output from the command might reveal that the VM is not actually targeted in the VM assignment properties of the guest policy. For example, it might not be listed in the list of Labels or the list of VM name prefixes.

Recovering from failure

A failed software recipe installation is not retried. This is because the system doesn't know the state in which the failed software recipe left things. When debugging failed software recipes, we recommend deleting and recreating the VM instance.

What's next?

• Learn more about the OS configuration management service.
• Set up a guest policy.