gcloud alpha compute os-config patch-jobs execute

NAME
gcloud alpha compute os-config patch-jobs execute - execute an OS patch on the specified VM instances
SYNOPSIS
gcloud alpha compute os-config patch-jobs execute (--instance-filter=INSTANCE_FILTER     | --instance-filter-all     | --instance-filter-group-labels=[KEY=VALUE,…] --instance-filter-name-prefixes=[INSTANCE_FILTER_NAME_PREFIXES,…] --instance-filter-names=[INSTANCE_FILTER_NAMES,…] --instance-filter-zones=[INSTANCE_FILTER_ZONES,…]) [--async] [--description=DESCRIPTION] [--display-name=DISPLAY_NAME] [--dry-run] [--duration=DURATION] [--reboot-config=REBOOT_CONFIG] [--retry] [--apt-dist --apt-excludes=[APT_EXCLUDES,…]     | --apt-exclusive-packages=[APT_EXCLUSIVE_PACKAGES,…]] [--post-patch-linux-executable=POST_PATCH_LINUX_EXECUTABLE --post-patch-linux-success-codes=[POST_PATCH_LINUX_SUCCESS_CODES,…]] [--post-patch-windows-executable=POST_PATCH_WINDOWS_EXECUTABLE --post-patch-windows-success-codes=[POST_PATCH_WINDOWS_SUCCESS_CODES,…]] [--pre-patch-linux-executable=PRE_PATCH_LINUX_EXECUTABLE --pre-patch-linux-success-codes=[PRE_PATCH_LINUX_SUCCESS_CODES,…]] [--pre-patch-windows-executable=PRE_PATCH_WINDOWS_EXECUTABLE --pre-patch-windows-success-codes=[PRE_PATCH_WINDOWS_SUCCESS_CODES,…]] [--windows-exclusive-patches=[WINDOWS_EXCLUSIVE_PATCHES,…]     | --windows-classifications=[WINDOWS_CLASSIFICATIONS,…] --windows-excludes=[WINDOWS_EXCLUDES,…]] [--yum-exclusive-packages=[YUM_EXCLUSIVE_PACKAGES,…]     | --yum-excludes=[YUM_EXCLUDES,…] --yum-minimal --yum-security] [--zypper-exclusive-patches=[ZYPPER_EXCLUSIVE_PATCHES,…]     | --zypper-categories=[ZYPPER_CATEGORIES,…] --zypper-severities=[ZYPPER_SEVERITIES,…] --zypper-with-optional --zypper-with-update] [GCLOUD_WIDE_FLAG]
REQUIRED FLAGS
Filters for selecting which instances to patch: Exactly one of these must be specified:
--instance-filter=INSTANCE_FILTER
(DEPRECATED) Filter expression for selecting the instances to patch. Patching supports the same filter mechanisms as gcloud compute instances list, allowing one to patch specific instances by name, zone, label, or other criteria.
  --instance-filter is deprecated; use individual filter flags instead. See
  the command help text for more details.
--instance-filter-all
A filter that targets all instances in the project.
Individual filters. The targeted instances must meet all criteria specified.
--instance-filter-group-labels=[KEY=VALUE,…]
A filter that represents a label set. Targeted instances must have all specified labels in this set. For example, "env=prod and app=web".

This flag can be repeated. Targeted instances must have at least one of these label sets. This allows targeting of disparate groups, for example, "(env=prod and app=web) or (env=staging and app=web)".

--instance-filter-name-prefixes=[INSTANCE_FILTER_NAME_PREFIXES,…]
A filter that targets instances whose name starts with one of these prefixes. For example, "prod-".
--instance-filter-names=[INSTANCE_FILTER_NAMES,…]
A filter that targets instances of any of the specified names. Instances are specified by the URI in the form "zones/<ZONE>/instances/<INSTANCE_NAME>", "projects/<PROJECT_ID>/zones/<ZONE>/instances/<INSTANCE_NAME>", or "https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/zones/<ZONE>/instances/<INSTANCE_NAME>".
--instance-filter-zones=[INSTANCE_FILTER_ZONES,…]
A filter that targets instances in any of the specified zones. Leave empty to target instances in any zone.
OPTIONAL FLAGS
--async
Return immediately, without waiting for the operation in progress to complete.
--description=DESCRIPTION
Textual description of the patch job.
--display-name=DISPLAY_NAME
Display name for this patch job. This does not have to be unique.
--dry-run
Whether to execute this patch job as a dry run. If this patch job is a dry run, instances are contacted, but the patch is not run.
--duration=DURATION
Total duration in which the patch job must complete. If the patch does not complete in this time, the process times out. While some instances might still be running the patch, they will not continue to work after completing the current step. See $ gcloud topic datetimes for information on specifying absolute time durations.

If unspecified, the job stays active until all instances complete the patch.

--reboot-config=REBOOT_CONFIG
Post-patch reboot settings. REBOOT_CONFIG must be one of:
always
Always reboot the machine after the update completes.
default
The agent decides if a reboot is necessary by checking signals such as registry keys or '/var/run/reboot-required'.
never
Never reboot the machine after the update completes.
--retry
Specifies whether to attempt to retry, within the duration window, if patching initially fails. If omitted, the agent uses its default retry strategy.
Settings for machines running Apt:
--apt-dist
If specified, machines running Apt use the apt-get dist-upgrade command; otherwise the apt-get upgrade command is used.
At most one of these may be specified:
--apt-excludes=[APT_EXCLUDES,…]
List of packages to exclude from update.
--apt-exclusive-packages=[APT_EXCLUSIVE_PACKAGES,…]
An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored.
Post-patch step settings for Linux machines:
--post-patch-linux-executable=POST_PATCH_LINUX_EXECUTABLE
A set of commands to run on a Linux machine after an OS patch completes. Commands must be supplied in a file. If the file contains a shell script, include the shebang line.

The path to the file must be supplied in one of the following formats:

An absolute path of the file on the local filesystem.

A URI for a Google Cloud Storage object with a generation number.

--post-patch-linux-success-codes=[POST_PATCH_LINUX_SUCCESS_CODES,…]
Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0.
Post-patch step settings for Windows machines:
--post-patch-windows-executable=POST_PATCH_WINDOWS_EXECUTABLE
A set of commands to run on a Windows machine after an OS patch completes. Commands must be supplied in a file. If the file contains a PowerShell script, include the .ps1 file extension. The PowerShell script executes with flags -NonInteractive, -NoProfile, and -ExecutionPolicy Bypass.

The path to the file must be supplied in one of the following formats:

An absolute path of the file on the local filesystem.

A URI for a Google Cloud Storage object with a generation number.

--post-patch-windows-success-codes=[POST_PATCH_WINDOWS_SUCCESS_CODES,…]
Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0.
Pre-patch step settings for Linux machines:
--pre-patch-linux-executable=PRE_PATCH_LINUX_EXECUTABLE
A set of commands to run on a Linux machine before an OS patch begins. Commands must be supplied in a file. If the file contains a shell script, include the shebang line.

The path to the file must be supplied in one of the following formats:

An absolute path of the file on the local filesystem.

A URI for a Google Cloud Storage object with a generation number.

--pre-patch-linux-success-codes=[PRE_PATCH_LINUX_SUCCESS_CODES,…]
Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0.
Pre-patch step settings for Windows machines:
--pre-patch-windows-executable=PRE_PATCH_WINDOWS_EXECUTABLE
A set of commands to run on a Windows machine before an OS patch begins. Commands must be supplied in a file. If the file contains a PowerShell script, include the .ps1 file extension. The PowerShell script executes with flags -NonInteractive, -NoProfile, and -ExecutionPolicy Bypass.

The path to the file must be supplied in one of the following formats:

An absolute path of the file on the local filesystem.

A URI for a Google Cloud Storage object with a generation number.

--pre-patch-windows-success-codes=[PRE_PATCH_WINDOWS_SUCCESS_CODES,…]
Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0.
Settings for machines running Windows: At most one of these may be specified:
--windows-exclusive-patches=[WINDOWS_EXCLUSIVE_PATCHES,…]
An exclusive list of KBs to be updated. These are the only patches that will be updated.
Windows patch options
--windows-classifications=[WINDOWS_CLASSIFICATIONS,…]
List of classifications to use to restrict the Windows update. Only patches of the given classifications are applied. If omitted, a default Windows update is performed. For more information on classifications, see: https://support.microsoft.com/en-us/help/824684. WINDOWS_CLASSIFICATIONS must be one of: critical, security, definition, driver, feature-pack, service-pack, tool, update-rollup, update.
--windows-excludes=[WINDOWS_EXCLUDES,…]
Optional list of KBs to exclude from the update operation.
Settings for machines running Yum: At most one of these may be specified:
--yum-exclusive-packages=[YUM_EXCLUSIVE_PACKAGES,…]
An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored.
Yum patch options
--yum-excludes=[YUM_EXCLUDES,…]
Optional list of packages to exclude from updating. If this argument is specified, machines running Yum exclude the given list of packages using the Yum --exclude flag.
--yum-minimal
If specified, machines running Yum use the command yum update-minimal; otherwise the patch uses yum-update.
--yum-security
If specified, machines running Yum append the --security flag to the patch command.
Settings for machines running Zypper: At most one of these may be specified:
--zypper-exclusive-patches=[ZYPPER_EXCLUSIVE_PATCHES,…]
An exclusive list of patches to be updated. These are the only patches that will be installed using the 'zypper patch patch:<patch_name>' command.
Zypper patch options
--zypper-categories=[ZYPPER_CATEGORIES,…]
If specified, machines running Zypper install only patches with the specified categories. Categories include security, recommended, and feature.
--zypper-severities=[ZYPPER_SEVERITIES,…]
If specified, machines running Zypper install only patch with the specified severities. Severities include critical, important, moderate, and low.
--zypper-with-optional
If specified, machines running Zypper add the --with-optional flag to zypper patch.
--zypper-with-update
If specified, machines running Zypper add the --with-update flag to zypper patch.
GCLOUD WIDE FLAGS
These flags are available to all commands: --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

EXAMPLES
To start a patch job named my patch job that patches all instances in the current project, run:
  $ gcloud alpha compute os-config patch-jobs execute \
  --display-name="my patch job" --instance-filter-all

To patch an instance named my-instance-1 in the us-east1-b zone, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-names=\
  "zones/us-east1-b/instances/my-instance-1"

To patch all instances in the us-central1-b and europe-west1-d zones, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-zones="us-central1-b,europe-west1-d"

To patch all instances where the env label is test and app label is web, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-group-labels="env=test,app=web"

To patch all instances where the env label is test and app label is web or where the env label is staging and app label is web, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-group-labels="env=test,app=web" \
  --instance-filter-group-labels="env=staging,app=web"

To apply security and critical patches to Windows instances with the prefix windows- in the instance name, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-name-prefixes="windows-" \
  --windows-classifications=SECURITY,CRITICAL

To update only KB4339284 on Windows instances with the prefix windows- in the instance name, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-name-prefixes="windows-" \
  --windows-exclusive-patches=KB4339284

To patch all instances in the current project and specify scripts to run pre-patch and post-patch, run:

  $ gcloud alpha compute os-config patch-jobs execute \
  --instance-filter-all \
  --pre-patch-linux-executable="/bin/my-script" \
  --pre-patch-linux-success-codes=0,200 \
  --pre-patch-windows-executable="C:\\Users\\user\\test-script.ps1" \
  --post-patch-linux-executable="gs://my-bucket/my-linux-script#12345" \
  --post-patch-windows-executable="gs://my-bucket/my-windows-script#67890"
NOTES
This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you may be trying to access an API with an invitation-only early access whitelist. This variant is also available:
  $ gcloud beta compute os-config patch-jobs execute