Introduction to OCI OS Management


OCI OS Management basics

Use: Allows you to manage updates and patches for the OS environment on your OCI instances.
Advantage: You do not need to log in to the instance, because you can check and install updates and patches from the OCI console. Once you have grouped your instances, you can install updates and patches on many instances (similar OS and version) at the same time.
Supported Images: Oracle Linux 6, 7, 8; Windows 2012 R2, 2016, 2019. (Oracle Autonomous Linux is not supported.)

Network-related Prerequisites
Internet Gateway is required if the instance is in a Public Subnet.
NAT Gateway or Service Gateway is required if the instance is in a Private Subnet.
For Windows OS, the security list must allow access to the Windows Update Server.

Using Linux 7.9 as an example, I will go through how to set up OS Management.

Enable OS Management
When you create a Compute instance, the OS Management Agent is automatically installed.
"Create Compute Instance" -> "Show Advanced Options" -> "Oracle Cloud Agent" tab

After creating the instance, you can confirm that it is enabled from the "Oracle Cloud Agent" tab.
You can also Enable/Disable it.

If the following is displayed on the OS management details screen, you need to create a Dynamic Group and related Policies so that the instance can use the OS Management service.

Creating a Dynamic Group
Dynamic Group name: OsmsManagedInstance
Rule:
ANY {instance.id = 'ocid1.instance.oc1.iad..exampleuniqueid1', instance.compartment.id = 'ocid1.compartment.oc1..exampleuniqueid2'}

In this example, because the rule uses ANY, the Dynamic Group (DG) applies to the instance with the listed OCID and to all instances under the specified Compartment.
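To see how far the rule above reaches before attaching policies to the group, the following added example (not from the original post) evaluates the page's matching rule against a constructed inventory and compares it with an ALL variant. It assumes only the two variables used on this page; the instance names, the extra OCIDs and the function names are hypothetical.

```python
import re

# Handles only the rule shape shown on this page: ANY|ALL { var = 'value', ... }
RULE_RE = re.compile(r"^\s*(ANY|ALL)\s*\{(.*)\}\s*$", re.I | re.S)
COND_RE = re.compile(r"^\s*(instance\.(?:compartment\.)?id)\s*=\s*'([^']*)'\s*$")

PAGE_RULE = ("ANY {instance.id = 'ocid1.instance.oc1.iad..exampleuniqueid1', "
             "instance.compartment.id = 'ocid1.compartment.oc1..exampleuniqueid2'}")
# Same two conditions, but both must hold (constructed variant for comparison).
ALL_RULE = PAGE_RULE.replace("ANY", "ALL", 1)

# Constructed inventory; names and the extra OCIDs are placeholders.
INVENTORY = [
    {"name": "app01", "id": "ocid1.instance.oc1.iad..exampleuniqueid1",
     "compartment_id": "ocid1.compartment.oc1..exampleuniqueid2"},
    {"name": "db01", "id": "ocid1.instance.oc1.iad..constructed3",
     "compartment_id": "ocid1.compartment.oc1..exampleuniqueid2"},
    {"name": "build01", "id": "ocid1.instance.oc1.iad..constructed4",
     "compartment_id": "ocid1.compartment.oc1..constructed5"},
]

def parse_rule(rule):
    """Return (quantifier, [(variable, value), ...]) or raise ValueError."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule form")
    conds = []
    for part in m.group(2).split(","):
        c = COND_RE.match(part)
        if not c:
            raise ValueError(f"unsupported condition: {part.strip()!r}")
        conds.append((c.group(1), c.group(2)))
    return m.group(1).upper(), conds

def members(rule, inventory):
    """Names of the instances the rule admits into the dynamic group."""
    quant, conds = parse_rule(rule)
    combine = any if quant == "ANY" else all
    return sorted(
        i["name"] for i in inventory
        if combine({"instance.id": i["id"],
                    "instance.compartment.id": i["compartment_id"]}[var] == val
                   for var, val in conds))

def unexpected(rule, inventory, intended):
    """Instances that join the group but were not meant to receive its policies."""
    return [n for n in members(rule, inventory) if n not in intended]

if __name__ == "__main__":
    print("ANY:", members(PAGE_RULE, INVENTORY))
    print("ALL:", members(ALL_RULE, INVENTORY))
    print("not intended:", unexpected(PAGE_RULE, INVENTORY, {"app01"}))
```

Every instance the rule admits receives whatever policies are later granted to the dynamic group, so the member list is worth reviewing whenever the rule or the compartment contents change.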

Creating a policy
Create a policy that grants the instances access to the OS Management service.
Policy-1: Policy_OS_Mgmt_1
Statement: ALLOW dynamic-group <dynamic_group_name> to use osms-managed-instances in compartment <compartment_name>

Create a policy granting instances of that dynamic group permission to retrieve their details for authorization purposes.
Policy-2: Policy_OS_Mgmt_2
Statement: ALLOW dynamic-group <dynamic_group_name> to read instance-family in compartment <compartment_name>

Create a policy to allow the OS Management service to emit metrics.
Policy-3: Policy_OS_Mgmt_3
Statement: ALLOW service osms to read instances in compartment <compartment_name>

Agent restart
Log in to the instance and restart the agent with the following command.
Linux 7, Linux 8:

sudo systemctl restart oracle-cloud-agent.service

Linux 6:
sudo initctl restart oracle-cloud-agent

Windows: (Run from PowerShell with administrator privileges)
PS C:\Users\opc> Restart-Service OCA

Checking the Updates
If you recheck the OS management screen, the information will be displayed as below.

You can check the details of the Available Updates.

Install Package Updates
Specify the update you want to install and start the installation.

You can also specify the UTC time for the installation. (The default is "Install Now".)

You can check the progress after the installation starts.

Check the status after completion.

If you want to install all at once, click "Install All Updates".

Here is the state after batch update:

Creating an Instance Group
OCI Menu -> Compute -> OS Management -> Managed Instance Groups -> Create Instance Group

Enter the Group Name.

Add instances to the created group.

Updates for Instance Group
Specify the Instance Group and click "Install All Updates". (You can also install the updates individually.)

You can choose to update now or at a specified time.

Select the "Update Type" and start the installation.

You can check the progress from the "Work Request" screen.

In summary, OCI OS Management makes it easy to manage OS updates and patches. You don't need to log in to the OS, which is very convenient.
It is especially suitable for managing many instances at the same time.
