OS configuration management (preview)

This page provides an overview of OS configuration management. OS configuration management uses OS policies to automate and centralize the deployment, configuration, maintenance, and reporting of software configurations on your virtual machine (VM) instances.

Use cases

OS configuration management is ideal for the following scenarios:

  • Installing and maintaining agents for tasks such as monitoring and logging
  • Deploying agents such as security agents, and ensuring that these agents are running on all VMs
  • Improving startup script flexibility. With OS configuration management you can modify existing scripts and re-deploy them.
  • Running OS policy compliance checks
  • Adding update repositories for software packages
  • Managing files on the operating system
  • Running condition-based scripts. You can set up scripts that run based on certain conditions to maintain consistent state within the operating system.

Components

OS policy

An OS policy is a file that contains the declarative configuration for OS resources such as packages, repositories, files, or custom resources defined by scripts.

An OS resource can perform a single task such as installing an agent and can be reused without changes in different assignments. You can create a multi-step workflow by combining multiple OS resources into a single OS policy. For example, an OS policy can have one resource that sets up a repository and a second resource that installs specific packages from that repository.

For more information about OS policies, see OS policy and OS policy assignment.

OS policy assignment

OS policy assignments are used by VM Manager to apply your OS policies to VMs. Use OS policy assignments to combine multiple OS policies and target them to a dynamic group of VMs by using filters such as labels, OS families, and zones.

For example, an OS policy assignment that applies three policies to all the Ubuntu VMs in your test environment, while excluding those that are running Google Kubernetes Engine, can be created by specifying the following:

  • Policy A: install monitoring agent
  • Policy B: install logging agent
  • Policy C: install security agent
  • Include label: env:test
  • Exclude label: goog-gke-node
  • OS family: ubuntu

Rollouts

When you create a new OS policy assignment, VM Manager applies the OS policies to each VM according to the rollout configuration. During the rollout, a copy of each OS policy is placed on the VM. When you update an OS policy assignment, VM Manager checks and enforces the configuration changes for the OS policy that is on the target VM.

We recommend that you apply new configuration changes slowly so that you have time to identify any potential disruptions that they might cause, cancel the rollout, and address the issue.

Specifying the rollout option enables you to pace configuration changes and control the speed of configuration deployments. Each operation for an OS policy assignment starts a rollout process. Operations include the creation, update, or deletion of an OS policy assignment.

You can use the rollout option to set the following:

  • Disruption budget: the fixed number or percentage of VMs that can experience a rollout at one time. This means that at any moment of the rollout only a specified number of VMs are targeted.
  • Wait time: the time between when the service applies policies to the VM and when a VM is removed from the disruption threshold. For example, a wait time of 15 minutes means that the rollout process must wait 15 minutes after applying the policies to a VM before it can remove the VM from the disruption threshold and the rollout can proceed. The wait time helps control the speed of a rollout and also lets you catch and resolve potential rollout issues early. Select a time that is long enough for you to monitor the status of your rollouts.
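The following added sketch (not Google's code and not VM Manager's actual scheduler) models the assignment example above and the two rollout options. It shows which VMs the filters leave without the security agent and the minimum time a paced rollout takes. The inventory, function names, key-only exclude matching, and percentage rounding are assumptions.

```python
import math

# Constructed inventory (name, OS family, labels); not real VMs.
VMS = [
    *[(f"web-{i}", "ubuntu", {"env": "test"}) for i in range(1, 6)],
    ("gke-a", "ubuntu", {"env": "test", "goog-gke-node": ""}),
    ("db-1", "debian", {"env": "test"}),
    ("web-9", "ubuntu", {"env": "prod"}),
]

def select_targets(vms, include, exclude_keys, os_family):
    """Return (targeted, skipped); skipped maps VM name -> filter that dropped it."""
    targeted, skipped = [], {}
    for name, family, labels in vms:
        if family != os_family:
            skipped[name] = "os family"
        elif any(key in labels for key in exclude_keys):  # assumption: key presence
            skipped[name] = "exclude label"
        elif any(labels.get(k) != v for k, v in include.items()):
            skipped[name] = "include label"
        else:
            targeted.append(name)
    return targeted, skipped

def budget_size(total, fixed=None, percent=None):
    """VMs that may be in the disruption budget at one time."""
    if fixed is not None:
        return max(1, min(fixed, total))
    # Assumption: percentages round down, with a floor of one VM.
    return max(1, math.floor(total * percent / 100))

def plan_rollout(targets, wait_minutes, fixed=None, percent=None):
    """Split targets into waves; each wave holds its budget slots for wait_minutes."""
    size = budget_size(len(targets), fixed, percent)
    waves = [targets[i:i + size] for i in range(0, len(targets), size)]
    # Lower bound on duration: treats applying the policies as instantaneous.
    return waves, len(waves) * wait_minutes

if __name__ == "__main__":
    targeted, skipped = select_targets(VMS, {"env": "test"}, ["goog-gke-node"], "ubuntu")
    print("targeted:", targeted)
    print("not covered by this assignment:", skipped)
    waves, minutes = plan_rollout(targeted, wait_minutes=15, fixed=2)
    print(f"{len(waves)} waves, at least {minutes} minutes:", waves)
```

The `skipped` map is the part to review for agent coverage: every VM listed there needs another assignment if it must also run the security agent.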

For information about how to create OS policy assignments, see Creating an OS policy assignment.

How OS configuration management works

To set up OS configuration management, you need to enable VM Manager, create or download OS policies, and then create an OS policy assignment that applies these OS policies to the target VMs. For detailed instructions, see Creating an OS policy assignment.

Figure 1. OS configuration management architecture overview

During VM Manager setup, OS Config agents are enabled on the VMs in your project. The OS Config agents that are running on these target VMs use standard system utilities to apply the changes that are specified in the OS policies.

  • Linux VMs run system package managers such as apt or yum for package installation, or bash for scripting.
  • Windows VMs run the googet package manager for package installation, or PowerShell for scripting.

Policy compliance reports

After the OS policy assignments are created, VM Manager periodically checks for and enforces the OS policies. After each check a compliance report is generated.

A VM is compliant when OS policies are successfully rolled out and the specified configurations are up-to-date.

To view compliance reports, see Viewing compliance reports.

Pricing

For information about pricing, see VM Manager pricing.
