PatchConfig

Patch configuration specifications. Contains details on how to apply the patch(es) to a VM instance.

JSON representation
{
  "rebootConfig": enum (RebootConfig),
  "apt": {
    object (AptSettings)
  },
  "yum": {
    object (YumSettings)
  },
  "goo": {
    object (GooSettings)
  },
  "zypper": {
    object (ZypperSettings)
  },
  "windowsUpdate": {
    object (WindowsUpdateSettings)
  },
  "preStep": {
    object (ExecStep)
  },
  "postStep": {
    object (ExecStep)
  }
}
Fields
rebootConfig

enum (RebootConfig)

Post-patch reboot settings.

apt

object (AptSettings)

Apt update settings. Use this setting to override the default apt patch rules.

yum

object (YumSettings)

Yum update settings. Use this setting to override the default yum patch rules.

goo

object (GooSettings)

Goo update settings. Use this setting to override the default goo patch rules.

zypper

object (ZypperSettings)

Zypper update settings. Use this setting to override the default zypper patch rules.

windowsUpdate

object (WindowsUpdateSettings)

Windows update settings. Use this setting to override the default Windows patch rules.

preStep

object (ExecStep)

The ExecStep to run before the patch update.

postStep

object (ExecStep)

The ExecStep to run after the patch update.

RebootConfig

Post-patch reboot settings.

Enums
REBOOT_CONFIG_UNSPECIFIED The default behavior is DEFAULT.
DEFAULT The agent decides if a reboot is necessary by checking signals such as registry keys on Windows or /var/run/reboot-required on APT based systems. On RPM based systems, a set of core system package install times are compared with system boot time.
ALWAYS Always reboot the machine after the update completes.
NEVER Never reboot the machine after the update completes.

AptSettings

Apt patching is completed by executing apt-get update && apt-get upgrade. Additional options can be set to control how this is executed.

JSON representation
{
  "type": enum (Type),
  "excludes": [
    string
  ],
  "exclusivePackages": [
    string
  ]
}
Fields
type

enum (Type)

By changing the type to DIST, the patching is performed using apt-get dist-upgrade instead.

excludes[]

string

List of packages to exclude from update. These packages will be excluded

exclusivePackages[]

string

An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored. This field cannot be specified with any other patch configuration fields.

Type

Apt patch type.

Enums
TYPE_UNSPECIFIED By default, upgrade will be performed.
DIST Runs apt-get dist-upgrade.
UPGRADE Runs apt-get upgrade.

YumSettings

Yum patching is performed by executing yum update. Additional options can be set to control how this is executed.

Note that not all settings are supported on all platforms.

JSON representation
{
  "security": boolean,
  "minimal": boolean,
  "excludes": [
    string
  ],
  "exclusivePackages": [
    string
  ]
}
Fields
security

boolean

Adds the --security flag to yum update. Not supported on all platforms.

minimal

boolean

Will cause patch to run yum update-minimal instead.

excludes[]

string

List of packages to exclude from update. These packages are excluded by using the yum --exclude flag.

exclusivePackages[]

string

An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored. This field must not be specified with any other patch configuration fields.

GooSettings

Googet patching is performed by running googet update.

ZypperSettings

Zypper patching is performed by running zypper patch. See also https://en.opensuse.org/SDB:Zypper_manual.

JSON representation
{
  "withOptional": boolean,
  "withUpdate": boolean,
  "categories": [
    string
  ],
  "severities": [
    string
  ],
  "excludes": [
    string
  ],
  "exclusivePatches": [
    string
  ]
}
Fields
withOptional

boolean

Adds the --with-optional flag to zypper patch.

withUpdate

boolean

Adds the --with-update flag to zypper patch.

categories[]

string

Install only patches with these categories. Common categories include security, recommended, and feature.

severities[]

string

Install only patches with these severities. Common severities include critical, important, moderate, and low.

excludes[]

string

List of patches to exclude from update.

exclusivePatches[]

string

An exclusive list of patches to be updated. These are the only patches that will be installed using 'zypper patch patch:' command. This field must not be used with any other patch configuration fields.

WindowsUpdateSettings

Windows patching is performed using the Windows Update Agent.

JSON representation
{
  "classifications": [
    enum (Classification)
  ],
  "excludes": [
    string
  ],
  "exclusivePatches": [
    string
  ]
}
Fields
classifications[]

enum (Classification)

Only apply updates of these Windows Update classifications. If empty, all updates are applied.

excludes[]

string

List of KBs to exclude from update.

exclusivePatches[]

string

An exclusive list of KBs to be updated. These are the only patches that will be updated. This field must not be used with other patch configurations.

Classification

Microsoft Windows update classifications as defined in [1] https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro

Enums
CLASSIFICATION_UNSPECIFIED Invalid. If classifications are included, they must be specified.
CRITICAL "A widely released fix for a specific problem that addresses a critical, non-security-related bug." [1]
SECURITY "A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low." [1]
DEFINITION "A widely released and frequent software update that contains additions to a product's definition database. Definition databases are often used to detect objects that have specific attributes, such as malicious code, phishing websites, or junk mail." [1]
DRIVER "Software that controls the input and output of a device." [1]
FEATURE_PACK "New product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release." [1]
SERVICE_PACK "A tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features." [1]
TOOL "A utility or feature that helps complete a task or set of tasks." [1]
UPDATE_ROLLUP "A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS)." [1]
UPDATE "A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug." [1]

ExecStep

A step that runs an executable for a PatchJob.

JSON representation
{
  "linuxExecStepConfig": {
    object (ExecStepConfig)
  },
  "windowsExecStepConfig": {
    object (ExecStepConfig)
  }
}
Fields
linuxExecStepConfig

object (ExecStepConfig)

The ExecStepConfig for all Linux VMs targeted by the PatchJob.

windowsExecStepConfig

object (ExecStepConfig)

The ExecStepConfig for all Windows VMs targeted by the PatchJob.

ExecStepConfig

Common configurations for an ExecStep.

JSON representation
{
  "allowedSuccessCodes": [
    integer
  ],
  "interpreter": enum (Interpreter),

  // Union field executable can be only one of the following:
  "localPath": string,
  "gcsObject": {
    object (GcsObject)
  }
  // End of list of possible types for union field executable.
}
Fields
allowedSuccessCodes[]

integer

Defaults to [0]. A list of possible return values that the execution can return to indicate a success.

interpreter

enum (Interpreter)

The script interpreter to use to run the script. If no interpreter is specified the script will be executed directly, which will likely only succeed for scripts with shebang lines.

Union field executable. Location of the executable. executable can be only one of the following:
localPath

string

An absolute path to the executable on the VM.

gcsObject

object (GcsObject)

A Cloud Storage object containing the executable.

GcsObject

Cloud Storage object representation.

JSON representation
{
  "bucket": string,
  "object": string,
  "generationNumber": string
}
Fields
bucket

string

Required. Bucket of the Cloud Storage object.

object

string

Required. Name of the Cloud Storage object.

generationNumber

string (int64 format)

Required. Generation number of the Cloud Storage object. This is used to ensure that the ExecStep specified by this PatchJob does not change.

Interpreter

The interpreter used to execute a file.

Enums
INTERPRETER_UNSPECIFIED Invalid for a Windows ExecStepConfig. For a Linux ExecStepConfig, the interpreter will be parsed from the shebang line of the script if unspecified.
SHELL Indicates that the script is run with /bin/sh on Linux and cmd on Windows.
POWERSHELL Indicates that the file is run with PowerShell flags -NonInteractive, -NoProfile, and -ExecutionPolicy Bypass.
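
The constraints stated in the field descriptions above can be checked before a PatchConfig is submitted. The following lint is an added example, not part of the API or its client libraries; it assumes that an exclusive list may not be combined with the other fields of the same settings object, and the function names and sample values are constructed for illustration.

```python
# Added example: lint a PatchConfig (as a dict) against rules stated on this page.
# Assumption: an "exclusive" list may not be combined with the other fields
# of the same settings object.
EXCLUSIVE = {"apt": "exclusivePackages", "yum": "exclusivePackages",
             "zypper": "exclusivePatches", "windowsUpdate": "exclusivePatches"}

def lint_exec_step_config(cfg, os_name, where):
    """Check one ExecStepConfig; os_name is 'linux' or 'windows'."""
    findings = []
    # Union field executable: exactly one of localPath / gcsObject.
    if ("localPath" in cfg) == ("gcsObject" in cfg):
        findings.append(f"{where}: set exactly one of localPath or gcsObject")
    # All three GcsObject fields are Required; generationNumber pins the script.
    for key in ("bucket", "object", "generationNumber"):
        if "gcsObject" in cfg and not cfg["gcsObject"].get(key):
            findings.append(f"{where}.gcsObject: {key} is required")
    interp = cfg.get("interpreter", "INTERPRETER_UNSPECIFIED")
    if os_name == "windows" and interp == "INTERPRETER_UNSPECIFIED":
        findings.append(f"{where}: interpreter must be set for Windows")
    return findings

def lint_patch_config(pc):
    """Return a list of findings; an empty list means no rule was tripped."""
    findings = []
    for section, field in EXCLUSIVE.items():
        settings = pc.get(section, {})
        others = sorted(k for k, v in settings.items() if k != field and v)
        if settings.get(field) and others:
            findings.append(f"{section}: {field} combined with {others}")
    classes = pc.get("windowsUpdate", {}).get("classifications", [])
    if "CLASSIFICATION_UNSPECIFIED" in classes:
        findings.append("windowsUpdate: CLASSIFICATION_UNSPECIFIED is invalid")
    for step in ("preStep", "postStep"):
        for key, os_name in (("linuxExecStepConfig", "linux"),
                             ("windowsExecStepConfig", "windows")):
            cfg = pc.get(step, {}).get(key)
            if cfg is not None:
                findings += lint_exec_step_config(cfg, os_name, f"{step}.{key}")
    return findings

SAMPLE = {  # constructed sample input, not taken from the page
    "yum": {"security": True, "exclusivePackages": ["openssl"]},
    "windowsUpdate": {"classifications": ["SECURITY", "CLASSIFICATION_UNSPECIFIED"]},
    "preStep": {"linuxExecStepConfig": {"interpreter": "SHELL",
                    "gcsObject": {"bucket": "example-bucket", "object": "pre.sh"}},
                "windowsExecStepConfig": {"localPath": "C:\\scripts\\pre.ps1"}},
}

if __name__ == "__main__":
    print("\n".join(lint_patch_config(SAMPLE)))
```

On the constructed sample the lint reports four findings, including the Cloud Storage script with no generationNumber, which is the field that keeps the executable from changing after the job is defined.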