GCP – Compute Engine explained: How to orchestrate your patch deployment
In April, we announced the general availability of Google Cloud’s OS patch management service to protect your running VMs against defects and vulnerabilities. This service works on Compute Engine and across Windows and Linux OS environments. In this blog, we share how to orchestrate your patch deployment using pre-patch and post-patch scripts.
What are pre-patch and post-patch scripts?
When running a patch job, you can specify the scripts that you want to run as part of the patching process. These scripts are useful for performing tasks such as safely shutting down an application and performing health checks:
-
Pre-patch scripts run before patching starts. If a system reboot is required before patching starts, the pre-patch script runs before the reboot.
-
Post-patch scripts run after patching completes. If a system reboot is required as part of the patching, the post-patch script runs after the reboot.
Note: A patch deployment is not executed if the pre-patch script fails, which can be an important safeguard feature for customers before deploying patches on their machines. If the post-patch script fails in any VM, the patch job is marked as failed.
Why pre-patch and post-patch scripts?
By reducing the risk of downtime, patch management can be one of the most important determiners in the security of your entire IT system, as well as for end-user productivity.
To successfully automate the complete end-to-end patching process, you as the patch administrator may need to customize these scripts for your environment and workload. For example, as part of your patch deployment process, you might want to run health checks before or after patching to make sure your services and applications are running as expected.
There are lots of other scenarios where a pre-patch or post-patch script might be useful.
Scenarios that can be automated using a pre-patch script
-
Taking a VM out of load balance before patching
-
Draining users from an application server instance before they perform maintenance on the server or take it offline
-
Ensuring the VM is in a state that is safe to patch
Scenarios that can be automated using a post-patch script
-
Checking if all your services and applications are running after a patch job
-
Performing health checks
-
Putting a VM back into the load balancer after patching
How to enable pre-patch and post-patch scripts on Compute Engine
Setting up pre-patch and post-patch scripts for your Compute Engine environment is a straightforward process.
1. During a new patch deployment, select Advanced options to add your pre-patch and / or post-patch script. These script files can either be stored on the VM or in a versioned Cloud Storage bucket:
- If your Cloud Storage object is not publicly readable, ensure that the default Compute Engine service account for the project has the necessary IAM permissions to read Cloud Storage objects. To ensure that you have the correct permissions, check the permission settings on the Cloud Storage object.
- If you want to use a Cloud Storage bucket to store your scripts, create a Cloud Storage bucket and upload your scripts to the bucket.
Note that you can select one pre-patch and post-patch script that runs on all targeted Linux VMs and one pre-patch and post-patch script that runs on all targeted Windows VMs.
Patch your Compute Engine VMs today
With this done, orchestrating your patch deployment using pre / post steps on Compute Engine should now be easy to execute. To learn more about the OS patch management service, including automating your patch deployment, visit the documentation.
Read More for the details.