[Revision] OS Management Service has been released on Oracle Cloud Infrastructure.

2020/02/11 Tokyo region compatible </ font>

I wrote an article of OS Management Service on 2019/12, but the setting was not completed due to lack of description in the manual. It was. After that, the manual was greatly expanded, and the original article included experimental operations, so I decided to write it with new additions and corrections.

1. OS Management Service released!

** OS Management Service ** has been released. This feature was previously introduced in OOW 2019 and the Oracle Linux on Oracle Cloud Infrastructure Blog.

However, at this point (2020/02), there are two points to note.

** 1st point: ** Only the following regions are provided. Supports Tokyo region and Seoul region on 02/11/2020

OS Management Service is currently generally available in the following Oracle Cloud Infrastructure regions: US East (Ashburn), US West (Phoenix), Canada Southeast (Toronto), UK South (London), Germany Central (Frankfurt),, Japan East (Tokyo), South Korea Central (Seoul), Brazil East (Sao Paulo), and Australia East (Sydney).

** Second point: ** The target of the service is Oracle Linux 6/7/8, and Oracle Autonomous Linux is not included. </ font> The following blogs seem to cover Oracle Autonomous Linux as well, but at least not at this time.

This service is included by default with Oracle Autonomous Linux images provided by Oracle Cloud Infrastructure, and you don’t need to install any special software to enable OS Management Service.

Initially, I thought it was intended for Oracle Autonomous Linux, so I wrote it with the following beginning. Hey!

I was interested in Linux lovers ** Oracle Autonomous Linux </ font> **. I think I wrote the earliest and most detailed article in the world.

And finally, the long-awaited OS Management Service has been released.

2. Look at the manual

Let's take a quick look at the manual "Overview of OS Management".

The Oracle Cloud Infrastructure OS Management service provides tools for common operating system management tasks for Compute instances, focusing initially on managing software packages for Oracle Linux instances.

** OS Management Service is an operating system management tool for Compute instances, initially providing package management capabilities for Linux instances. ** </ font>

The following are some of the places you are interested in.

  • OS Management Agent must be installed to manage Compute instances with OS Management Service
  • When OS Management Service is enabled, packages can be referenced / added / updated / deleted for Compute instances.
  • Compute instances registered in OS Management Service can be patch-managed individually or in groups.
  • Compute instance package management can be executed immediately or scheduled (once, at regular intervals) as a job.
  • Target operating system is Oracle Linux 6/7/8
  • For Compute instances registered with OS Management Service, existing Yum repository settings will be invalidated.
  • Compute instances registered with the OS Management Service refer to Yum repository information called "Software Sources" located in the root compartment.
  • When the tenant first uses the OS Management Service, it takes 60 to 90 minutes for the Compute instance to be registered.

One of the important things here is that ** "The target operating system is Oracle Linux 6/7/8" **. Oracle Autonomous Linux is not included.

Thinking calmly, both policies are the exact opposite.

  • ** Oracle Autonomous Linux: ** Automatically patch daily. The administrator is not involved in patch management.
  • ** OS Management Service: ** Administrator manages patching. Efficiently implemented for multiple instances manually or automatically (pre-schedule).

Oracle Autonomous Linux may also be supported in the future, but it is less necessary at this time due to different management policies.

3. OS Management Service Architecture

Before actually setting, the mechanism of OS Management Service and the main components will be explained. The figure below is an architecture diagram inferred from the description in the manual and actual research.

osms-arch00.PNG

OS Management Service
The entity that provides the functions of OS Management. It not only provides managed instance information, but also installs and updates packages for instances. Equivalent to OMS + repository DB in Oracle Enterprise Manager
OS Management Agent
Agent (osms-agent) running on a managed instance. Install after creating an instance
Managed Instance
Compute instance registered with OS Management. osms-agent runs and various operations can be performed through the OS Management Service. Also, the repository information (/etc/yum.repos.d/*repo) of the registered instance will be invalidated
Software Sources
Yum repository information centrally managed on the server side. The default software source is in the root compartment of your tenant, but the entity is Yum repository information (equivalent to a repo file) stored in the management information DB
Oracle Linux Yum Repository
Oracle Linux Yum repositories include "Public Yum repositories" that can be accessed from anywhere and "Yum repositories prepared for each OCI region" that can only be accessed from OCI.

Of these, ** software sources ** are particularly difficult to understand. However, at the moment, there is no problem with understanding about "the one that centrally manages and provides Yum repository information on the server side". It's complicated as it is, so you may not know unless you read the manual and actually operate it.

4. Setting up the OS Management Service

Explains how to set up the OS Management Service. The main tasks are "granting permissions" and "installing agents". With this setting, the minimum functions can be used.

complaints mode. The official manual of the initial version was poorly made, and the minimum information required for setting was omitted. It's been revised and fulfilled, but it's still difficult. It's stressful!

4-1. Prerequisites for using OS Management Service

The following conditions must be met in order to use OS Management.

  • Must be the target region of OS Management Service
  • You must have enabled ** "Manage Instances Using Oracle Cloud Agent" ** when creating a Compute instance.
  • Service Gateway or NAT Gateway can be used in the private subnet
  • Internet Gateway available on public subnets
  • Target operating system is Oracle Linux 6/7/8

4-2. Setup procedure

The procedure for setting up OS Management is as follows. In addition to granting policies (privileges) to the OS Management administrator, you need to configure the instance principal so that managed instances can use OS Management.

** 1. Policy settings for OS Management administrator ** --Assign policies to users who operate OS Management via console, CLI, or REST

** 2. Instance Principal Setup ** --Creating a dynamic group --Policy assignment to dynamic groups

** 3. Install OS Management Agent on the managed instance **

This is the end of the minimum work. At the time of initial registration, it will be available 60 to 90 minutes after executing 3.

4-3. Confirmation of initial state

Check the status before setting. Log in to the management console to view the instance details. Click ** [OS Management] ** at the bottom left and the following will be displayed. The ** [OS Management] ** menu is not displayed in non-compliant regions such as the Tokyo region.

osmanage01.PNG

Also, as explained in the prerequisites, ** [Use Oracle Cloud Agent to mange this instance] ** must be enabled when creating the instance. New instances are enabled by default, so it's a good idea to create a new one.

This option is displayed by clicking ** Show Advanced Options ** on the instantiation page.

autonomous11.PNG

4-4. Policy setting for OS Management administrator

Assign policies to users who operate OS Management through the console, CLI, or REST. Since it cannot be assigned directly to the user, specify the group to which the user belongs.

  1. Select ** [Identity]-[Policies] ** from the management console.
  2. Create a policy with the following contents.
item value
NAME OsmsAdmin_policy
DESCRIPTION for OS Management Admin Group
Policy Statements ALLOW group to manage osms-family in compartment
ALLOW group <group name> to manage osms-family in compartment <compartment name>

There is no problem if it is an instance you created, but you need READ permission for the managed instance.

4-5. Instance Principal Setup

The OS Management Service requires not only control from the management console, but also reverse control from the managed instance. Therefore, create dynamic groups and policies to configure instance principals.

4-5-1. Creating a dynamic group

  1. Select ** [Identity]-[Dynamic Groups] ** from the management console.
  2. Create a dynamic group with the following contents.
item value
NAME OsmsManagedInstance_dgrp
DESCRIPTION for OS Management Service
Matching Rules ANY {instance.compartment.id = ''}

Rule example


ANY {instance.compartment.id = 'ocidv1:compartment:oc1:phx:samplecompartmentocid6q6igvfauxmima74jv', instance.compartment.id = 'ocidv1:compartment:oc1:phx:samplecompartmentocidythksk89ekslsoelu2'}

4-5-2. Policy Assignment

  1. Select ** [Identity]-[Policies] ** from the management console.
  2. Create a policy with the following contents.
item value
NAME OsmsInstancePrincipal_policy
DESCRIPTION for OS Management Service
Policy Statements1 Allow dynamic-group <dynamic group name> to use osms-managed-instances in tenancy
Policy Statements2 ALLOW dynamic-group <dynamic group name> to read instance-family in tenancy
Policy Statements3 ALLOW service osms to read instances in tenancy

Policy example


Allow dynamic-group OsmsManagedInstance_dgrp to use osms-managed-instances in tenancy
ALLOW dynamic-group OsmsManagedInstance_dgrp to read instance-family in tenancy 
ALLOW service osms to read instances in tenancy

4-6. Installation of OS Management Agent

Install the OS Management Agent (ʻosms-agent`) on the managed instance.

  1. Log in to the instance with ssh.

  2. Make sure the repository containing osms-agent is enabled. It's okay if oci_yum_included or ol7_ociyum_configm is enabled. For more information on the repository, see this entry.

# yum repolist enabled
Loaded plugins: langpacks, ulninfo
repo id                         repo name                                              status
ol7_UEKR5/x86_64                Latest Unbreakable Enterprise Kernel Release 5 for Ora   193
ol7_addons/x86_64               Oracle Linux 7Server Add ons (x86_64)                    387
★ Omitted
ol7_oci_included/x86_64 Oracle Software for OCI users on Oracle Linux 7Server 117 ★ This
ol7_optional_latest/x86_64      Oracle Linux 7Server Optional Latest (x86_64)          11778
ol7_software_collections/x86_64 Software Collection Library release 3.0 packages for O 14300
repolist: 77122
  1. Install osms-agent. Oracle Linux images after 2020/1/28 have osms-agent pre-installed.
# yum install osms-agent -y
★ Omitted
Running transaction
  Installing : osms-agent-0.0.1-444.el7.x86_64                                  1/1
  Verifying  : osms-agent-0.0.1-444.el7.x86_64                                  1/1

Installed:
  osms-agent.x86_64 0:0.0.1-444.el7

Complete!
  1. You can see that the osms-agent service is running.
# systemctl is-active osms-agent
active
  1. The initial setup takes time, so leave it for at least 2 hours just in case. When the setting is completed, the display of the management console changes as follows.

osms-con04.PNG

Registration will be completed immediately for the second and subsequent units after the initial setup is completed.

** Troubleshooting ** </ font> If the screen doesn't change after 2 hours or more and the following files continue to show errors every few minutes, try starting Postfix. Then leave it for 2 hours.

/var/log/messages /var/log/osms-agent/agent.log

Start Postfix


# systemctl start postfix

I did a lot of things at the same time, so I haven't figured out the root cause. .. .. .. Please teach me.

** Tips ** </ font> The syslog of osms-agent can be easily extracted with the following command. </ font>

# journalctl -u osms-agent

5. Check the status after setting

Once configured, let's take a look inside the management console and managed instances.

5-1. Checking the management console

  1. View the details of your Compute instance. osms-con04.PNG

  2. Click ** "..." ** on the right to display a pop-up. There are three menus: View OS Management Details, Install Security Updates, and Install All Upadates. osms-con05.PNG

  3. Click ** "View OS Management Details" ** to display the next page. osms-con06.PNG

  4. Next, select ** [Compute]-[OS Management] ** from the management console menu. Here, ** [Software Sources] ** is displayed. Only a part is displayed here, which spans multiple pages. osms-con03.PNG

  5. The next screen is when you create an instance group and have two instances as members. By grouping, you can instruct multiple instances to update at the same time. osms-con08.PNG

** Caution ** Members of the same instance group can only be members of the same version and type of operating system.

5-2. Confirmation of managed instance

Log in to the instance with ssh and check around the repo file.

After installing osms-agent and completing the OS Management Service configuration, all repo files will be renamed as follows:

$ ls /etc/yum.repos.d/
ksplice-ol7.repo.osms-backup                oracle-linux-ol7.repo.osms-backup
ksplice-uptrack.repo.osms-backup            oracle-softwarecollection-ol7.repo.osms-backup
oci-included-ol7.repo.osms-backup           uek-ol7.repo.osms-backup
oracle-epel-ol7.repo.osms-backup            virt-ol7.repo.osms-backup
oraclelinux-developer-ol7.repo.osms-backup

The yum command reads the /etc/yum.repos.d/*.repo file, so I'm worried if yum can be used with this. However, if you check the repository, you can see that it is available (it takes time to synchronize the metadata the first time).

# yum repolist enabled
Loaded plugins: langpacks, osmsplugin, ulninfo
This system is receiving updates from OSMS.★ The point is that it is OSMS ★
repo id                         repo name                                 status
ol7_addons-x86_64               Oracle Linux 7Server Add ons (x86_64)        245
ol7_developer-x86_64            Oracle Linux 7Server Development Packages    650
ol7_developer_epel-x86_64       Oracle Linux 7Server Development Packages 20,231
ol7_ksplice-x86_64              Ksplice for Oracle Linux 7 (x86_64)        6,749
ol7_latest-x86_64               Oracle Linux 7Server Latest (x86_64)      12,370
ol7_oci_included-x86_64         Oracle Software for OCI users on Oracle L    117
ol7_optional_latest-x86_64      Oracle Linux 7Server Optional Latest (x86  9,710
ol7_software_collections-x86_64 Software Collection Library release 3.0 p  9,983
ol7_uekr5-x86_64                Latest Unbreakable Enterprise Kernel Rele    195
repolist: 60,250

When I wondered why, I found a suspicious file in osms-agent.

# rpm -qf /usr/share/yum-plugins/osmsplugin.py
osms-agent-0.0.1-444.el7.x86_64

The first line is the Copyright of Red Hat. Looking at the code after that, it hooks the Yum command and references a remote repository (OSMS channels). A remote repository is an OS Management ** "software source" **.

/usr/share/yum-plugins/osmsplugin.py


# Copyright (c) 1999-2016 Red Hat, Inc.  Distributed under GPLv2.
★ Omitted
 def init_hook(conduit):
     """
     Plugin initialization hook. We setup the Spacewlk channels here.

     We get a list of OSMS channels from the server, then make a repo obj
     each one. This list of repos is then added to yum's list of repos vi
     conduit.
     """

     global rhn_enabled, external_proxy_dict

     conduit_conf = conduit.getConf()
     timeout = conduit.confFloat('main', 'timeout', conduit_conf.timeout)

The reason why it is the copyright of Red Hat is ** Red Hat Satellite ** / ** Spacewalk Because I am using the code of .github.io /) **.

Next, when I check it with netstat, osms-agent has a session. 169.254.169.254 is OCI's internal network and 129.146.12.149 is the Oracle Service Network in the Phoenix region. This is the global IP used by # osn-ranges).

# netstat -anp | grep osms
tcp        0      0 127.0.0.1:9003          0.0.0.0:*               LISTEN      2173/osms-agent
tcp        1      0 10.0.2.23:54778         169.254.169.254:80      CLOSE_WAIT  2173/osms-agent
tcp       32      0 10.0.2.23:39368         129.146.12.149:443      CLOSE_WAIT  2173/osms-agent
tcp        1      0 10.0.2.23:54776         169.254.169.254:80      CLOSE_WAIT  2173/osms-agent
unix  2      [ ACC ]     STREAM     LISTENING     26635    2173/osms-agent      ///var/lib/osms-agent/osms-agent.sock
unix  3      [ ]         STREAM     CONNECTED     25321    2166/osms-agent

5-3. How to cancel registration

The manual description regarding deregistration seems to be evolving day by day. Please refer to the manual for the latest information.

  1. Stop and disable osms-agent.
# systemctl stop osms-agent
# systemctl disable osms-agent
  1. Exclude from instances / groups if possible.
  2. Execute the following command to restore the definition of the repo file.
# osms unregister
# yum clean all
  1. Make sure that the extension of the repo file is restored.
# ls /etc/yum.repos.d/
ksplice-ol7.repo       oracle-epel-ol7.repo            oracle-softwarecollection-ol7.repo
ksplice-uptrack.repo   oraclelinux-developer-ol7.repo  uek-ol7.repo
oci-included-ol7.repo  oracle-linux-ol7.repo           virt-ol7.repo

6. Summary

I don't use all the features, but I'll write it with some guesswork.

  • ** OS Management Service is a service for Oracle Linux 6/7/8. Not applicable to Oracle Autonomous Linux </ font> **
  • ** Package management for multiple servers is possible </ font> **
  • ** OS Management Service is Red Hat Satellite and its clone [Spacewalk]( Managed service version of package management tools like https://spacewalkproject.github.io/) </ font> **

As you can see by actually operating it, setting / operating the OS Management Service is not easy due to the difficulty of the manual. It's a managed service, so it's not as tedious as deploying Red Hat Satellite or Spacewalk on-premises, but you may not realize the effect unless you have at least a dozen nodes or more.

And if it's a feature for the enterprise, I'd like the "repository snapshot feature" on Red Hat Satellite.

The manual says ** focusing initially **, so I'm sure it will be expanded in the future.