This document describes how to troubleshoot issues with VM Manager. VM Manager includes the following features:
- OS patch management
- OS inventory management
- OS configuration management
For more information about VM Manager, see VM Manager.
Before you begin
- If you want to use the command-line examples in this guide:
- If you want to use the API examples in this guide, set up API access.
To troubleshoot issues with VM Manager, you can review logs. When you review logs, you can identify issues with your VM or in your VM Manager workflow, such as errors in commands or scripts, that you can isolate and resolve.
You can collect the following information from logs:
- Any error message or warning logged by the VM. This is ideal for identifying VM-level errors, or errors from other services running on your VM. To review these logs, see Inspect Cloud Logging.
- Verbose debug information logged by the OS Config agent. This is useful for identifying issues with any of the operations run by VM Manager. To inspect debug logs for the OS Config agent, see Inspect debug logs.
After identifying the issues or errors, you can also review the common errors section to see potential fixes.
Inspect Cloud Logging
You can use the Cloud Console quick links for each feature to view logs for a specific VM.
- In the Google Cloud Console, go to the Patch Jobs tab on the OS patch management page.
- Click the name of the patch job that you want to debug.
- Scroll-down to Updated VM instances.
- For a specific VM, under Logs, click View.
This procedure is supported for OS configuration management (preview). For OS configuration management (beta), use the debug logs option, in the following section.
- In the Google Cloud Console, go to the VM instances tab on the OS configuration management page.
- Click the name of the VM that you want to debug.
- Scroll-down to Policies.
- Under Logs, click View.
Inspect debug logs
You can identify issues with any VM Manager feature by enabling debugging for the OS Config agent and viewing debug log.
Enable debug logging for the OS Config agent
You can enable debug logging by setting the
on the VM instance or project.
To enable debug logging on your VM, complete the following steps:
In the Google Cloud Console, go to the VM instances page.
Click the name of the VM for which you want to set the metadata value.
On the Instance details page, click Edit to edit the settings.
Under Custom metadata, add the following metadata entries:
Click Save to apply your changes to the VM.
instances add-metadata command
gcloud compute instances add-metadata VM_NAME \ --metadata=osconfig-log-level=debug
VM_NAME with the name of your VM.
For instructions on setting instance metadata, follow the API instructions for setting instance metadata.
The following key-value pair is required as part of the metadata property:
View debug logs
When debug logging is enabled, the OS Config agent writes log entries to Cloud Logging and the serial port console.
After you enable debug logging on your VM, it takes the OS Config agent approximately ten minutes to start writing debug messages in Cloud Logging. You can reduce this wait time by restarting the agent or rebooting your VM. For more information about Cloud Logging, see Viewing Cloud Logging logs.
To view debug logs you can use the following options:
- Cloud Logging: use the Cloud Console or
Serial port console
Go to the Logging > Logs Explorer (Logs Viewer) page in the Cloud Console:
If needed, select an existing Google Cloud project at the top of the page, or create a new project.
In the Resource drop-down list, select VM Instance. A list of available VMs (
Click on the VM that you want to view.
In the Log name drop-down list, select OSConfigAgent.
Your query should be similar to the following:
resource.type="gce_instance" resource.labels.instance_id="136126869923081757" logName="projects/my-vm-manager-project/logs/OSConfigAgent"
Click Run query.
gcloud logging read command.
gcloud logging read "resource.type=gce_instance AND logName=projects/PROJECT_ID/logs/OSConfigAgent"
PROJECT_ID with your project ID.
To view debug log information from the serial port console, see Viewing serial port output.
For VM Manager to work, you must have the following:
- An attached service account. You do not need to grant any IAM roles to this service account. VM Manager uses this service account to sign requests to the API service.
- A VM Manager service agent. VM Manager creates this service agent and gives it the Cloud OS Config Service Agent role.
If you use VM Manager and you don't have an attached service account, or a VM Manager service agent, you might see the following errors while working with patch jobs, OS policies, or guest policies:
Service account permissions are missing. Verify that the service account has the correct permissions and try again.
message: "Error running OPERATION_NAME: error calling OPERATION_NAME: code: "PermissionDenied", message: "The caller does not have permission", details: "
Authentication issues might also prevent VM instances from showing up on the OS patch management dashboard.
To resolve these issues, try one or all of the following:
- Verify that all VMs have an attached service account.
Ensure that the Cloud OS Config Service Agent role (
roles/osconfig.serviceAgent) is set on the VM Manager service agent.
gcloud projects add-iam-policy-binding PROJECT_ID \ --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-osconfig.iam.gserviceaccount.com' \ --role='roles/osconfig.serviceAgent'
Replace the following:
PROJECT_ID: your project ID
PROJECT_NUMBER: your project number