2020/02/11: Tokyo region now supported
I wrote an article on OS Management Service in 2019/12, but the setup could not be completed because the manual lacked the necessary description. Since then the manual has been greatly expanded, and the original article included experimental operations, so I decided to rewrite it with additions and corrections.
**OS Management Service** has been released. This feature was previously introduced at OOW 2019 and on the Oracle Linux on Oracle Cloud Infrastructure Blog.
However, at this point (2020/02), there are two points to note.
**First point:** The service is provided only in the following regions. The Tokyo and Seoul regions have been supported since 2020/02/11.
OS Management Service is currently generally available in the following Oracle Cloud Infrastructure regions: US East (Ashburn), US West (Phoenix), Canada Southeast (Toronto), UK South (London), Germany Central (Frankfurt), Japan East (Tokyo), South Korea Central (Seoul), Brazil East (Sao Paulo), and Australia East (Sydney).
**Second point:** The service targets Oracle Linux 6/7/8, and Oracle Autonomous Linux is not included. The following blog text reads as if Oracle Autonomous Linux were covered as well, but that is not the case, at least at this time.
This service is included by default with Oracle Autonomous Linux images provided by Oracle Cloud Infrastructure, and you don’t need to install any special software to enable OS Management Service.
Initially, I thought it was intended for Oracle Autonomous Linux, so I wrote the article with the following opening. Hey!
As a Linux lover, I was interested in **Oracle Autonomous Linux**. I think I wrote the earliest and most detailed article in the world.
And finally, the long-awaited OS Management Service has been released.
Let's take a quick look at the manual "Overview of OS Management".
The Oracle Cloud Infrastructure OS Management service provides tools for common operating system management tasks for Compute instances, focusing initially on managing software packages for Oracle Linux instances.
**OS Management Service is an operating system management tool for Compute instances, initially providing package management capabilities for Linux instances.**
The following are some of the points of interest.
One of the important things here is that **"The target operating system is Oracle Linux 6/7/8"**. Oracle Autonomous Linux is not included.
Thinking about it calmly, the policies of the two are exact opposites.
Oracle Autonomous Linux may also be supported in the future, but there is less need for it at this time because the management policies differ.
Before the actual setup, I will explain the mechanism of OS Management Service and its main components. The figure below is an architecture diagram inferred from the description in the manual and from actual investigation.
Of these, **software sources** are particularly difficult to understand. For now, however, it is enough to think of them as "the thing that centrally manages and provides Yum repository information on the server side". They are complicated, so you may not understand them until you read the manual and actually operate the service.
This section explains how to set up the OS Management Service. The main tasks are "granting permissions" and "installing agents". With these settings, the minimum functions can be used.
Complaint mode: the official manual of the initial version was poorly made, and the minimum information required for setup was omitted. It has since been revised and filled out, but it is still difficult. It's stressful!
The following conditions must be met in order to use OS Management.
The procedure for setting up OS Management is as follows. In addition to granting policies (privileges) to the OS Management administrator, you need to configure the instance principal so that managed instances can use OS Management.
**1. Policy settings for OS Management administrator**
- Assign policies to users who operate OS Management via console, CLI, or REST

**2. Instance Principal Setup**
- Create a dynamic group
- Assign policies to the dynamic group

**3. Install OS Management Agent on the managed instance**

That completes the minimum work. On initial registration, the service becomes available 60 to 90 minutes after executing step 3.
Check the status before setup. Log in to the management console and view the instance details. Click **[OS Management]** at the bottom left and the following is displayed. The **[OS Management]** menu is not displayed in unsupported regions such as the Tokyo region.
Also, as explained in the prerequisites, **[Use Oracle Cloud Agent to manage this instance]** must be enabled when creating the instance. It is enabled by default for new instances, so it is a good idea to create a new one.
This option is displayed by clicking **Show Advanced Options** on the instance creation page.
Assign policies to users who operate OS Management through the console, CLI, or REST. Since it cannot be assigned directly to the user, specify the group to which the user belongs.
item | value |
---|---|
NAME | OsmsAdmin_policy |
DESCRIPTION | for OS Management Admin Group |
Policy Statements | ALLOW group <group name> to manage osms-family in compartment <compartment name> |
This is not an issue for instances you created yourself, but you also need READ permission on the managed instances.
The OS Management Service requires not only control from the management console, but also access in the reverse direction, from the managed instance. Therefore, create a dynamic group and policies to configure the instance principal.
item | value |
---|---|
NAME | OsmsManagedInstance_dgrp |
DESCRIPTION | for OS Management Service |
Matching Rules | ANY {instance.compartment.id = ' |
Rule example

```
ANY {instance.compartment.id = 'ocidv1:compartment:oc1:phx:samplecompartmentocid6q6igvfauxmima74jv', instance.compartment.id = 'ocidv1:compartment:oc1:phx:samplecompartmentocidythksk89ekslsoelu2'}
```
item | value |
---|---|
NAME | OsmsInstancePrincipal_policy |
DESCRIPTION | for OS Management Service |
Policy Statements1 | Allow dynamic-group <dynamic group name> to use osms-managed-instances in tenancy |
Policy Statements2 | ALLOW dynamic-group <dynamic group name> to read instance-family in tenancy |
Policy Statements3 | ALLOW service osms to read instances in tenancy |
Policy example

```
Allow dynamic-group OsmsManagedInstance_dgrp to use osms-managed-instances in tenancy
ALLOW dynamic-group OsmsManagedInstance_dgrp to read instance-family in tenancy
ALLOW service osms to read instances in tenancy
```
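The policy example above grants the dynamic group its permissions `in tenancy`, while the matching rule selects instances by compartment. The following added example (not from the original article or from Oracle's tooling; the function names and the compartment name `osms-managed` are hypothetical) reports the scope of each statement so the tenancy-wide grants can be compared with a compartment-scoped variant.

```shell
#!/bin/sh
# Added example, not from the article: report the scope of each OCI policy
# statement read from stdin. Output: FLAG<TAB>SUBJECT<TAB>SCOPE<TAB>statement
policy_scope_report() {
    awk '
    tolower($1) == "allow" {
        subject = tolower($2)                 # group | dynamic-group | service
        scope = "unknown"
        for (i = 3; i < NF; i++)              # find the "in <location>" clause
            if (tolower($i) == "in") {
                loc = tolower($(i + 1))
                if (loc == "tenancy" || loc == "compartment") scope = loc
            }
        flag = (subject == "dynamic-group" && scope == "tenancy") ? "WIDE" : "ok"
        printf "%s\t%s\t%s\t%s\n", flag, subject, scope, $0
    }'
}

# Number of tenancy-wide dynamic-group grants in the statements on stdin.
wide_grant_count() {
    policy_scope_report | awk -F'\t' '$1 == "WIDE" {n++} END {print n + 0}'
}

# The three statements from the policy example in the article.
page_policy() {
    cat <<'EOF'
Allow dynamic-group OsmsManagedInstance_dgrp to use osms-managed-instances in tenancy
ALLOW dynamic-group OsmsManagedInstance_dgrp to read instance-family in tenancy
ALLOW service osms to read instances in tenancy
EOF
}

# Constructed variant: the same grants limited to one compartment.
# "osms-managed" is a hypothetical compartment name.
scoped_policy() {
    cat <<'EOF'
Allow dynamic-group OsmsManagedInstance_dgrp to use osms-managed-instances in compartment osms-managed
Allow dynamic-group OsmsManagedInstance_dgrp to read instance-family in compartment osms-managed
Allow service osms to read instances in tenancy
EOF
}

page_policy | policy_scope_report
echo "tenancy-wide dynamic-group grants: $(page_policy | wide_grant_count) -> $(scoped_policy | wide_grant_count)"
```

With the tenancy-wide form, every instance matched by the dynamic group can read instance information across all compartments, so the compartment-scoped form is the tighter choice when the managed instances live in known compartments.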
Install the OS Management Agent (`osms-agent`) on the managed instance.
Log in to the instance with ssh.
Make sure the repository containing osms-agent is enabled. It is fine if ol7_oci_included or ol7_ociyum_config is enabled. For more information on the repository, see this entry.
```
# yum repolist enabled
Loaded plugins: langpacks, ulninfo
repo id repo name status
ol7_UEKR5/x86_64 Latest Unbreakable Enterprise Kernel Release 5 for Ora 193
ol7_addons/x86_64 Oracle Linux 7Server Add ons (x86_64) 387
★ Omitted
ol7_oci_included/x86_64 Oracle Software for OCI users on Oracle Linux 7Server 117 ★ This
ol7_optional_latest/x86_64 Oracle Linux 7Server Optional Latest (x86_64) 11778
ol7_software_collections/x86_64 Software Collection Library release 3.0 packages for O 14300
repolist: 77122
```

```
# yum install osms-agent -y
★ Omitted
Running transaction
Installing : osms-agent-0.0.1-444.el7.x86_64 1/1
Verifying : osms-agent-0.0.1-444.el7.x86_64 1/1
Installed:
osms-agent.x86_64 0:0.0.1-444.el7
Complete!
```

```
# systemctl is-active osms-agent
active
```
Once the initial setup is complete, registration of the second and subsequent instances completes immediately.

**Troubleshooting** If the screen doesn't change after 2 hours or more and the following files continue to show errors every few minutes, try starting Postfix. Then leave it for 2 hours.

```
/var/log/messages
/var/log/osms-agent/agent.log
```

Start Postfix

```
# systemctl start postfix
```

I did a lot of things at the same time, so I haven't figured out the root cause... Please let me know if you know it.

**Tips** The osms-agent log can be easily extracted with the following command.

```
# journalctl -u osms-agent
```
Once configured, let's take a look inside the management console and managed instances.
View the details of your Compute instance.
Click **"..."** on the right to display a pop-up. There are three menus: View OS Management Details, Install Security Updates, and Install All Updates.
Click **"View OS Management Details"** to display the next page.
Next, select **[Compute]-[OS Management]** from the management console menu. **[Software Sources]** is displayed here. Only part of the list is shown; it spans multiple pages.
The next screen shows an instance group that has been created with two instances as members. By grouping, you can instruct multiple instances to update at the same time.
**Caution** All members of an instance group must run the same type and version of operating system.
Log in to the instance with ssh and check around the repo file.
After installing osms-agent and completing the OS Management Service configuration, all repo files will be renamed as follows:
```
$ ls /etc/yum.repos.d/
ksplice-ol7.repo.osms-backup oracle-linux-ol7.repo.osms-backup
ksplice-uptrack.repo.osms-backup oracle-softwarecollection-ol7.repo.osms-backup
oci-included-ol7.repo.osms-backup uek-ol7.repo.osms-backup
oracle-epel-ol7.repo.osms-backup virt-ol7.repo.osms-backup
oraclelinux-developer-ol7.repo.osms-backup
```
The yum command reads the /etc/yum.repos.d/*.repo files, so I was worried whether yum could still be used in this state. However, if you check the repositories, you can see that they are available (it takes time to synchronize the metadata the first time).
```
# yum repolist enabled
Loaded plugins: langpacks, osmsplugin, ulninfo
This system is receiving updates from OSMS.★ The point is that it is OSMS ★
repo id repo name status
ol7_addons-x86_64 Oracle Linux 7Server Add ons (x86_64) 245
ol7_developer-x86_64 Oracle Linux 7Server Development Packages 650
ol7_developer_epel-x86_64 Oracle Linux 7Server Development Packages 20,231
ol7_ksplice-x86_64 Ksplice for Oracle Linux 7 (x86_64) 6,749
ol7_latest-x86_64 Oracle Linux 7Server Latest (x86_64) 12,370
ol7_oci_included-x86_64 Oracle Software for OCI users on Oracle L 117
ol7_optional_latest-x86_64 Oracle Linux 7Server Optional Latest (x86 9,710
ol7_software_collections-x86_64 Software Collection Library release 3.0 p 9,983
ol7_uekr5-x86_64 Latest Unbreakable Enterprise Kernel Rele 195
repolist: 60,250
```
When I wondered why, I found a suspicious file in osms-agent.
```
# rpm -qf /usr/share/yum-plugins/osmsplugin.py
osms-agent-0.0.1-444.el7.x86_64
```
The first line is a Red Hat copyright notice. Looking at the code after it, the plugin hooks the yum command and references remote repositories (OSMS channels). A remote repository here is an OS Management **"software source"**.
/usr/share/yum-plugins/osmsplugin.py

```python
# Copyright (c) 1999-2016 Red Hat, Inc. Distributed under GPLv2.
# ★ Omitted
def init_hook(conduit):
    """
    Plugin initialization hook. We setup the Spacewlk channels here.
    We get a list of OSMS channels from the server, then make a repo obj
    each one. This list of repos is then added to yum's list of repos vi
    conduit.
    """
    global rhn_enabled, external_proxy_dict
    conduit_conf = conduit.getConf()
    timeout = conduit.confFloat('main', 'timeout', conduit_conf.timeout)
```
The reason for the Red Hat copyright is that the plugin uses code from **Red Hat Satellite** / **Spacewalk**.
Next, checking with netstat shows that osms-agent has sessions open. 169.254.169.254 is OCI's internal network, and 129.146.12.149 is the Oracle Service Network in the Phoenix region; it is one of the global IP addresses that network uses.
```
# netstat -anp | grep osms
tcp 0 0 127.0.0.1:9003 0.0.0.0:* LISTEN 2173/osms-agent
tcp 1 0 10.0.2.23:54778 169.254.169.254:80 CLOSE_WAIT 2173/osms-agent
tcp 32 0 10.0.2.23:39368 129.146.12.149:443 CLOSE_WAIT 2173/osms-agent
tcp 1 0 10.0.2.23:54776 169.254.169.254:80 CLOSE_WAIT 2173/osms-agent
unix 2 [ ACC ] STREAM LISTENING 26635 2173/osms-agent ///var/lib/osms-agent/osms-agent.sock
unix 3 [ ] STREAM CONNECTED 25321 2166/osms-agent
```
The manual description regarding deregistration seems to be evolving day by day. Please refer to the manual for the latest information.
```
# systemctl stop osms-agent
# systemctl disable osms-agent
# osms unregister
# yum clean all
# ls /etc/yum.repos.d/
ksplice-ol7.repo oracle-epel-ol7.repo oracle-softwarecollection-ol7.repo
ksplice-uptrack.repo oraclelinux-developer-ol7.repo uek-ol7.repo
oci-included-ol7.repo oracle-linux-ol7.repo virt-ol7.repo
```
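A check for the two repo-file states shown in this article (files renamed to `.osms-backup` after registration, restored after `osms unregister`), together with the OSMS banner in the `yum repolist` output. This is an added example, not part of the original article or of osms-agent; the function names and the sample file `custom.repo` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article: classify a yum repo directory by the
# file naming the listings in the article show.
#   osms  - every repo file is parked as *.repo.osms-backup (registered)
#   local - only *.repo files (never registered, or unregistered and restored)
#   mixed - both kinds: some *.repo file is still read by yum directly
#   empty - no repo files at all
repo_dir_state() {
    dir=$1
    active=0 parked=0
    for f in "$dir"/*.repo "$dir"/*.repo.osms-backup; do
        [ -e "$f" ] || continue               # an unmatched glob stays literal
        case $f in
            *.repo.osms-backup) parked=$((parked + 1)) ;;
            *.repo)             active=$((active + 1)) ;;
        esac
    done
    if   [ "$active" -gt 0 ] && [ "$parked" -gt 0 ]; then echo mixed
    elif [ "$parked" -gt 0 ]; then echo osms
    elif [ "$active" -gt 0 ]; then echo local
    else echo empty
    fi
}

# Succeeds when `yum repolist` output on stdin shows both the osmsplugin
# in the plugin list and the "receiving updates from OSMS" banner.
repolist_uses_osms() {
    awk '/^Loaded plugins:/ && /osmsplugin/ {p = 1}
         /^This system is receiving updates from OSMS/ {b = 1}
         END {exit !(p && b)}'
}

# Demo on constructed input; custom.repo is a hypothetical leftover file.
demo() {
    d=$(mktemp -d)
    touch "$d/uek-ol7.repo.osms-backup" "$d/custom.repo"
    echo "repo dir: $(repo_dir_state "$d")"
    printf '%s\n' 'Loaded plugins: langpacks, osmsplugin, ulninfo' \
        'This system is receiving updates from OSMS.' | repolist_uses_osms \
        && echo "yum: OSMS plugin active"
    rm -rf "$d"
}
demo
```

On a managed host the same functions can be run as `repo_dir_state /etc/yum.repos.d` and `yum repolist enabled | repolist_uses_osms`.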
I don't use all the features, but I'll write this with some guesswork.
As you can see by actually operating it, setting up and operating the OS Management Service is not easy because the manual is hard to follow. It's a managed service, so it's not as tedious as deploying Red Hat Satellite or Spacewalk on-premises, but you may not see the benefit unless you have at least a dozen nodes.
And if it's a feature for the enterprise, I'd like the "repository snapshot feature" found in Red Hat Satellite.
The manual says **focusing initially**, so I'm sure it will be expanded in the future.