Package-level declarations

Apt patching is completed by executing apt-get update && apt-get upgrade. Additional options can be set to control how this is executed.

Common configurations for an ExecStep.

A step that runs an executable for a PatchJob.

Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value.

Cloud Storage object representation.

Googet patching is performed by running googet update.

Represents a monthly schedule. An example of a valid monthly schedule is "on the third Tuesday of the month" or "on the 15th of the month".

Sets the time for a one time patch deployment. Timestamp is in RFC3339 text format.

VM inventory details.

Filters to select target VMs for an assignment. If more than one filter criteria is specified below, a VM will be selected if and only if it satisfies all of them.

Message representing label set. * A label is a key value pair set for a VM. * A LabelSet is a set of labels. * Labels within a LabelSet are ANDed. In other words, a LabelSet is applicable for a VM only if it matches all the labels in the LabelSet. * Example: A LabelSet with 2 labels: env=prod and type=webserver will only be applicable for those VMs with both labels present.

Message to configure the rollout at the zonal level for the OS policy assignment.

Filtering criteria to select VMs based on inventory details.

A file or script to execute.

A resource that allows executing scripts on the VM. The ExecResource has 2 stages: validate and enforce and both stages accept a script as an argument to execute. When the ExecResource is applied by the agent, it first executes the script in the validate stage. The validate stage can signal that the ExecResource is already in the desired state by returning an exit code of 100. If the ExecResource is not in the desired state, it should return an exit code of 101. Any other exit code returned by this stage is considered an error. If the ExecResource is not in the desired state based on the exit code from the validate stage, the agent proceeds to execute the script from the enforce stage. If the ExecResource is already in the desired state, the enforce stage will not be run. Similar to validate stage, the enforce stage should return an exit code of 100 to indicate that the resource in now in its desired state. Any other exit code is considered an error. NOTE: An exit code of 100 was chosen over 0 (and 101 vs 1) to have an explicit indicator of in desired state, not in desired state and errors. Because, for example, Powershell will always return an exit code of 0 unless an exit statement is provided in the script. So, for reasons of consistency and being explicit, exit codes 100 and 101 were chosen.

Specifies a file available as a Cloud Storage Object.

Specifies a file available via some URI.

A resource that manages the state of a file.

A remote or local file.

Resource groups provide a mechanism to group OS policy resources. Resource groups enable OS policy authors to create a single OS policy to be applied to VMs running different operating Systems. When the OS policy is applied to a target VM, the appropriate resource group within the OS policy is selected based on the OSFilter specified within the resource group.

A package managed by APT. - install: apt-get update && apt-get -y install [name] - remove: apt-get -y remove [name]

A deb package file. dpkg packages only support INSTALLED state.

A package managed by GooGet. - install: googet -noconfirm install package - remove: googet -noconfirm remove package

An MSI package. MSI packages only support INSTALLED state.

A resource that manages a system package.

An RPM package file. RPM packages only support INSTALLED state.

A package managed by YUM. - install: yum -y install package - remove: yum -y remove package

A package managed by Zypper. - install: zypper -y install package - remove: zypper -y rm package

Represents a single apt package repository. These will be added to a repo file that will be managed at /etc/apt/sources.list.d/google_osconfig.list.

Represents a Goo package repository. These are added to a repo file that is managed at C:/ProgramData/GooGet/repos/google_osconfig.repo.

A resource that manages a package repository.

Represents a single yum package repository. These are added to a repo file that is managed at /etc/yum.repos.d/google_osconfig.repo.

Represents a single zypper package repository. These are added to a repo file that is managed at /etc/zypp/repos.d/google_osconfig.repo.

An OS policy resource is used to define the desired state configuration and provides a specific functionality like installing/removing packages, executing a script etc. The system ensures that resources are always in their desired state by taking necessary actions if they have drifted from their desired state.

An OS policy defines the desired state configuration for a VM.

Patch configuration specifications. Contains details on how to apply the patch(es) to a VM instance.

Targets a group of VM instances by using their assigned labels. Labels are key-value pairs. A GroupLabel is a combination of labels that is used to target VMs for a patch job. For example, a patch job can target VMs that have the following GroupLabel: {"env":"test", "app":"web"}. This means that the patch job is applied to VMs that have both the labels env=test and app=web.

A filter to target VM instances for patching. The targeted VMs must meet all criteria specified. So if both labels and zones are specified, the patch job targets only VMs with those labels and in those zones.

Patch rollout configuration specifications. Contains details on the concurrency control when applying patch(es) to all targeted VMs.

Sets the time for recurring patch deployments.

Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and google.protobuf.Timestamp.

Represents a time zone from the IANA Time Zone Database.

Represents one week day in a month. An example is "the 4th Sunday".

Represents a weekly schedule.

Windows patching is performed using the Windows Update Agent.

Yum patching is performed by executing yum update. Additional options can be set to control how this is executed. Note that not all settings are supported on all platforms.

Zypper patching is performed by running zypper patch. See also https://en.opensuse.org/SDB:Zypper_manual.