An OS policy is a file that contains the declarative configuration for OS resources such as packages, repositories, files, or custom resources defined by scripts.
An OS policy assignment is an API resource that is used by VM Manager to apply OS policies to VMs.
OS policy
An OS policy is a JSON or YAML file that has three sections:
Mode. The policy behavior. The following two modes are available:
- Validation: for this mode, the policy checks to see if the resources are in the desired state but doesn't take any action.
- Enforcement: for this mode, the policy checks to see if the resources are in the desired state and, if not, performs the necessary actions to bring them to that desired state.
For both modes, VM Manager reports compliance for the OS policy and the associated resources.
Resource groups. The operating system name and version that the associated resource specifications apply to. For example, you can define a single policy to install or deploy an agent across different operating system distributions and versions.
Resources. The specifications needed for the VM to attain the desired configuration. The following resource types are supported:
- pkg: used for installing or removing Linux and Windows packages
- repository: used for specifying which repository software packages can be installed from
- exec: used to enable the running of an ad hoc bash or PowerShell script
- file: used to manage files on the system
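The following policy is an added example, not one of the page's own samples or a file from the GoogleCloudPlatform/osconfig repository. It shows all three sections together: a mode, two resource groups selected by OS short name, and one resource of each supported type. The package names, file path, file content, script bodies and the repository URL are constructed placeholders; the structure, field names and the exec exit-code contract (validate exits 100 for compliant and 101 for non-compliant, enforce exits 100 on success) are the OS Config API's.

```yaml
# Added example (not from the page or the osconfig repository): one OS policy
# exercising mode, resource groups and all four resource types.
# Package names, paths, scripts and the repository URL are constructed placeholders.
id: web-baseline
description: Keep a baseline web-server configuration and report drift
# Mode: VALIDATION only reports compliance. Change to ENFORCEMENT to let the
# agent install packages, write the file and run the enforce scripts.
mode: VALIDATION
resourceGroups:
# Resource group 1: Debian-family hosts. The resources below apply only to
# VMs whose inventory matches one of these filters.
- inventoryFilters:
  - osShortName: debian
  - osShortName: ubuntu
  resources:
  # pkg resource: declare the desired package state; apt is the manager here.
  - id: apache-installed
    pkg:
      desiredState: INSTALLED
      apt:
        name: apache2
  # file resource: keep a config file's contents and mode fixed from inline content.
  - id: hardening-conf
    file:
      path: /etc/apache2/conf-available/hardening.conf
      state: CONTENTS_MATCH
      permissions: "644"
      content: |
        ServerTokens Prod
        ServerSignature Off
  # exec resource: a custom check. validate must exit 100 when the VM is
  # compliant and 101 when it is not; enforce must exit 100 on success.
  - id: apache-running
    exec:
      validate:
        interpreter: SHELL
        script: |
          if systemctl is-active --quiet apache2; then exit 100; fi
          exit 101
      enforce:
        interpreter: SHELL
        script: |
          systemctl enable --now apache2 && exit 100
          exit 101
# Resource group 2: RHEL-family hosts, where the same intent maps to yum and
# an internal repository (constructed placeholder) is declared before the package.
- inventoryFilters:
  - osShortName: centos
  - osShortName: rhel
  resources:
  - id: internal-web-repo
    repository:
      yum:
        id: internal-web
        displayName: Internal web packages (placeholder)
        baseUrl: https://repo.example.internal/yum/el7/x86_64
        gpgKeys:
        - https://repo.example.internal/keys/internal-web.gpg
  - id: httpd-installed
    pkg:
      desiredState: INSTALLED
      yum:
        name: httpd
```

Two points worth noting from a review standpoint: the order of resources within a group is the order the agent evaluates them, so a repository resource is placed before the pkg resource that depends on it, and the exec scripts run as root on the VM, so the policy file itself should be treated as privileged configuration and kept under the same review controls as the rest of the fleet's infrastructure code.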
Example OS policies
The following examples show how to create OS policies. You can upload these OS policies to the Google Cloud console when creating an OS policy assignment.
- Example 1: installs a package
- Example 2: runs a script
- Example 3: specifies a download repository and installs packages from that repository
For a full list of sample OS policies that you can apply in your environment, see the GoogleCloudPlatform/osconfig GitHub repository.
Example 1
Create an OS policy that installs a Windows MSI downloaded from a Cloud Storage bucket.
Example 2
Create an OS policy that verifies if the Apache web server is running on your Linux VMs.
Example 3
Create an OS policy that installs Google Cloud's operations suite agents on CentOS VMs.
OS policy assignment
An OS policy assignment has the following sections:
OS Policies. One or more OS policies that you want to apply to your VM. To download or create a policy, see OS policies.
Target VMs. A set of VMs within a single zone that you want to apply the policy to. Within a zone you can limit or restrict VMs by using OS families and include or exclude labels. You can select a combination of the following options:
- OS families: specifies the target operating systems that the OS policy applies to. For a full list of operating systems and versions that support OS configuration management (OS policies), see Operating system details.
- Include set: specifies the VMs that the OS policy applies to based on VM or system labels.
- Exclude set: specifies the VMs that the OS policy should ignore based on VM or system labels.
For both include and exclude label sets, a single string label is accepted if it matches the naming convention used by the system. However, most labels are specified in key:value pairs. For more information about labels, see Labeling resources.
For example, you can select all the Ubuntu VMs in your test environment, and exclude those that are running Google Kubernetes Engine, by specifying the following:
- OS family: ubuntu
- Include: env:test, env:staging
- Exclude: goog-gke-node
A rollout rate. Specifies the pace at which to apply the OS policies to the VMs. The OS policies are rolled out gradually to let you track system health and make modifications if the updates cause regressions in your environment. A rollout plan has the following components:
- Wave size (disruption budget): the fixed number or percentage of VMs that can experience a rollout at one time. This means that at any moment of the rollout only a specified number of VMs are targeted.
- Wait time: the time between when the service applies policies to the VM and when a VM is removed from the disruption threshold. For example, a wait time of 15 minutes means that the rollout process must wait 15 minutes after applying the policies to a VM before it can remove the VM from the disruption threshold and the rollout can proceed. The wait time helps control the speed of a rollout and also lets you catch and resolve potential rollout issues early. Select a time that is long enough for you to monitor the status of your rollouts.
For example, if you set a target of 10 VMs, set the disruption budget at 20%, and set a wait time of 15 minutes, then at any given time, only 2 VMs are scheduled to be updated. After each VM is updated, 15 minutes must pass before the VM is removed from the disruption budget and another VM is added to the rollout.
For more information about rollouts, see Rollouts.
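The following assignment is an added example, not one of the page's own samples. It puts the target-VM selection described above (Ubuntu, include env:test or env:staging, exclude goog-gke-node) and the 20% / 15-minute rollout into the YAML that the Google Cloud CLI and the OS Config API accept. The policy id, description and package name are constructed placeholders; the field names are the API's.

```yaml
# Added example (not from the page): an OS policy assignment for one zone.
# Policy id, description and package name are constructed placeholders.
description: Web baseline for Ubuntu test and staging VMs
# OS policies: one or more full policy documents, inlined here.
osPolicies:
- id: web-baseline
  mode: VALIDATION
  resourceGroups:
  - inventoryFilters:
    - osShortName: ubuntu
    resources:
    - id: apache-installed
      pkg:
        desiredState: INSTALLED
        apt:
          name: apache2
# Target VMs: the zone comes from the --location flag at create time,
# so only the OS family and label sets are expressed in the file.
instanceFilter:
  # OS family: only VMs whose inventory reports Ubuntu.
  inventories:
  - osShortName: ubuntu
  # Include set: a VM is included if it matches ANY of these label sets;
  # within one set, every key:value pair must be present on the VM.
  inclusionLabels:
  - labels:
      env: test
  - labels:
      env: staging
  # Exclude set: GKE nodes carry the single-string system label goog-gke-node,
  # expressed here as a key with an empty value.
  exclusionLabels:
  - labels:
      goog-gke-node: ""
# Rollout rate: wave size as a percentage and the wait time as an API
# duration string (15 minutes = 900s).
rollout:
  disruptionBudget:
    percent: 20
  minWaitDuration: 900s
```

With the file saved as assignment.yaml, the assignment is created in a single zone with `gcloud compute os-config os-policy-assignments create web-baseline-ubuntu --location=ZONE --file=assignment.yaml`, where ZONE is the target zone. Because the exclude set wins over the include set, a VM labelled env:test that also carries goog-gke-node is left alone, which is the behaviour the example in the text describes; checking the assignment's per-VM compliance report after the first wave, before the wait time elapses, is the point at which a misfiring policy is cheapest to stop.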
Example OS policy assignment
The following examples show how to create OS policy assignments. You can use these examples to create OS policy assignments from the Google Cloud CLI or the OS Config API.
- Example 1: installs a package
- Example 2: runs a script
- Example 3: specifies a download repository and installs packages from that repository
For a list of sample OS policy assignments that you can apply in your environment, see the GoogleCloudPlatform/osconfig GitHub repository.
Example 1
Create an OS policy assignment that installs a Windows MSI downloaded from a Cloud Storage bucket.
Example 2
Create an OS policy assignment that verifies if the Apache web server is running on all your Linux VMs.
Example 3
Create an OS policy assignment that installs Google Cloud's operations suite agents on CentOS VMs.
What's next?
- Learn more about OS configuration management.
- Create an OS policy assignment.
- Manage OS policies.