About OS policies


This page provides an overview of OS policies. Use OS policies to automate and centralize the deployment, configuration, maintenance, and reporting of software configurations on your virtual machine (VM) instances.

Use cases

OS policies are ideal for the following scenarios:

  • Installing and maintaining agents for tasks such as monitoring and logging
  • Deploying agents such as security agents, and ensuring that these agents are running on all VMs
  • Improving startup script flexibility. With OS policies you can modify existing scripts and re-deploy them
  • Running compliance checks
  • Adding update repositories for software packages
  • Managing files on the operating system
  • Running condition-based scripts. You can set up scripts that run based on certain conditions to maintain consistent state within the operating system.

Components

OS policy

An OS policy is a file that contains the declarative configuration for OS resources such as packages, repositories, files, or custom resources defined by scripts.

An OS resource can perform a single task such as installing an agent and can be reused without changes in different assignments. You can create a multi-step workflow by combining multiple OS resources into a single OS policy. For example, an OS policy can have one resource that sets up a repository and a second resource that installs specific packages from that repository.

For more information about OS policies, see OS policy and OS policy assignment.

OS policy assignment

OS policy assignments are used by VM Manager to apply your OS policies to VMs. Use OS policy assignments to combine multiple OS policies and target them to a dynamic group of VMs by using filters such as labels, OS families, and zones.

For example, an OS policy assignment that applies three policies to all the Ubuntu VMs in your test environment, while excluding those that are running Google Kubernetes Engine, can be created by specifying the following:

  • Policy A: install monitoring agent
  • Policy B: install logging agent
  • Policy C: install security agent
  • Include label: env:test
  • Exclude label: goog-gke-node
  • OS family: ubuntu

Rollouts

When you create a new OS policy assignment, VM Manager applies the OS policies to each VM according to the rollout configuration. During the rollout, a copy of each OS policy is placed on the VM. When you update an OS policy assignment, VM Manager checks and enforces the configuration changes for the OS policy that is on the target VM.

We recommend that you apply new configuration changes slowly so that you have time to identify any potential disruptions that the changes might cause, cancel the rollout, and address the issue.

Specifying the rollout option enables you to pace configuration changes and control the speed of configuration deployments. Each operation for an OS policy assignment starts a rollout process. Operations include the creation, update, or deletion of an OS policy assignment.

You can use the rollout option to set the following:

  • Wave size (disruption budget): the fixed number or percentage of VMs that can experience a rollout at one time. This means that at any moment of the rollout only a specified number of VMs are targeted.
  • Wait time: the time between when the service applies policies to the VM and when a VM is removed from the disruption threshold. For example, a wait time of 15 minutes means that the rollout process must wait 15 minutes after applying the policies to a VM before it can remove the VM from the disruption threshold and the rollout can proceed. The wait time helps control the speed of a rollout and also lets you catch and resolve potential rollout issues early. Select a time that is long enough for you to monitor the status of your rollouts.
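The Ubuntu test-environment assignment and the rollout options described above can be expressed together in one assignment file. The following is an added example, not part of the original page: the repository URL, GPG key URL, and package name are constructed placeholders, and only Policy C (the security agent) is written out. Policies A and B would be further entries in the `osPolicies` list.

```yaml
# Added example. Assumed to be passed to:
#   gcloud compute os-config os-policy-assignments create NAME \
#     --location=ZONE --file=THIS_FILE
osPolicies:
  # Policy C: install security agent (two resources forming one workflow)
  - id: install-security-agent
    mode: ENFORCEMENT
    resourceGroups:
      - resources:
          # Resource 1: register the repository the agent is shipped from.
          - id: add-agent-repo
            repository:
              apt:
                archiveType: DEB
                uri: https://packages.example.com/apt           # placeholder
                distribution: stable
                components:
                  - main
                gpgKey: https://packages.example.com/apt/key.gpg # placeholder
          # Resource 2: install the package from that repository.
          - id: install-agent
            pkg:
              desiredState: INSTALLED
              apt:
                name: example-security-agent                     # placeholder
# Target: Ubuntu VMs labeled env=test, skipping GKE nodes.
instanceFilter:
  inclusionLabels:
    - labels:
        env: test
  exclusionLabels:
    - labels:
        goog-gke-node: ""
  inventories:
    - osShortName: ubuntu
# Pace the change: at most 10% of matching VMs per wave, and each VM
# stays in the disruption budget for 15 minutes after the policy is applied.
rollout:
  disruptionBudget:
    percent: 10
  minWaitDuration: 900s
```

Replace `percent: 10` with `fixed: N` to set the wave size as a fixed number of VMs instead of a percentage.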

For information about how to create OS policy assignments, see Creating an OS policy assignment.

OS Config agent

During VM Manager setup, OS Config agents are enabled on the VMs in your project. The OS Config agents that are running on these target VMs use standard system utilities to apply the changes that are specified in the OS policies.

  • Linux VMs run system package managers such as apt or yum for package installation, or /bin/sh for scripting.
  • Windows VMs run the googet package manager and PowerShell for scripting.

For information about how to set up VM Manager, see Setting up VM Manager.

How OS policies work

To use OS policies for maintaining your operating systems, do the following:

  1. Create or download OS policies
  2. Create OS policy assignments that apply these OS policies to the target VMs

Figure 1. OS policies architecture overview

After the OS policy assignments are created, VM Manager periodically checks and enforces these OS policies. The time interval between each enforcement check is 60 minutes.

During the check and enforcement, VM Manager completes the following steps:

  1. Identifies the OS policy assignments for a VM
  2. Identifies the OS policies associated with the OS policy assignments
  3. Sends the information for each OS policy to the OS Config agent that is running on the VM
  4. The OS Config agent then validates each policy and makes updates as follows:
    • If resources within an OS policy are already in their desired state, the OS Config agent does not perform any actions
    • If resources within an OS policy are not in their desired state, the OS Config agent takes appropriate actions to bring the resources to the desired state
  5. Collects the compliance status of each OS policy that is applied to the VM. To view compliance reports, see Viewing compliance reports.
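For a custom resource defined by scripts, the desired-state check in step 4 is a validate script and the corrective action is an enforce script. The following `osPolicies` entry is an added example, not part of the original page, that keeps a security agent running; the service name `example-security-agent` is a constructed placeholder. The exit codes follow the exec resource contract: 100 from validate means the resource is in its desired state, 101 means it is not, and 100 from enforce means the change succeeded.

```yaml
# Added example: one entry for the osPolicies list of an assignment file.
- id: keep-security-agent-running
  # ENFORCEMENT runs the enforce script when validate reports drift.
  # Use VALIDATION to report compliance only, without changing the VM.
  mode: ENFORCEMENT
  resourceGroups:
    - resources:
        - id: agent-service-active
          exec:
            validate:
              interpreter: SHELL
              script: |
                # Desired state: service enabled at boot and currently active.
                svc=example-security-agent   # placeholder service name
                if systemctl is-enabled --quiet "$svc" &&
                   systemctl is-active --quiet "$svc"; then
                  exit 100   # in desired state: agent takes no action
                fi
                exit 101     # not in desired state: enforce runs
            enforce:
              interpreter: SHELL
              script: |
                svc=example-security-agent   # placeholder service name
                # Enable and start the service. Any exit code other than 100
                # is reported as a failure in the policy's compliance status.
                if systemctl enable --now "$svc"; then
                  exit 100
                fi
                exit 1
```

Because validate changes nothing on the VM, the 60-minute enforcement check is a no-op on compliant VMs and only touches VMs where the agent has been stopped or disabled.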

Pricing

For information about pricing, see VM Manager pricing.
