-
Overview
- When a VM instance is started using Google-provided public images, a guest environment is automatically installed on the VM instance
- The guest environment is a set of scripts, daemons, and binaries that read the content of the metadata server to make a virtual machine (VM) run properly on Compute Engine
- A metadata server is a communication channel for transferring information from a client to the guest operating system
- VM instances created using Google-provided public images include a guest environment that is installed by default
- In some cases the installed guest environment might become outdated
- If the guest environment on the instance is outdated, update the guest environment
- When a custom image or virtual disk is imported into Compute Engine without the automatic guest environment installation option selected, the guest environment is not installed
- A guest environment is not used when migrating VMs to Compute Engine using Migrate for Compute Engine
- A guest environment is not used with images that do not have the guest environment optimizations for local SSD
-
OS Configuration
-
OS configuration
- Use the OS configuration management service to deploy, query, and maintain consistent configurations (desired state and software) for VM instances
- On Compute Engine, use guest policies to maintain consistent software configurations on a VM
-
Guest policies
- A guest policy is a resource that contains settings such as the desired package, package repository, and software configurations
- The guest policy specifies which VMs the settings should apply to
- Use guest policies to install, remove, and auto-update software packages
- Use guest policies to configure software package repositories
- Use guest policies to install software using software recipes
-
Key terms
- Package: A software package such as a dpkg (deb) or rpm package
- Package repository: A repository from which software packages can be installed
- Software recipe: A set of instructions for installing unpackaged software for a guest operating system
- Software recipes specify instructions for installing software on the VMs
- Software recipes are ideal to install software that is not delivered as a conventional software package, or for packages that require additional installation arguments or instructions
-
How guest policies work
- Set up guest policies for a project or for specific VM instances, and install the OS Config agent
- The OS Config agent runs on the VM and uses the specifications in the guest policy to maintain the desired state for the VM
- The OS Config agent applies the configurations during the agent's first run and then corrects any drift every 10–15 minutes
- The OS Config agent uses the standard system package manager to apply the changes where applicable
- On Linux, this means running a system package manager such as apt-get install or yum install for package installation
- Example: set a policy that ensures that the Cloud Monitoring agent is installed on all instances in the project whose names have the prefix test
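The example just described, written out as an added guest policy definition (not taken from the original notes or from Google's documentation); the package name stackdriver-agent and the apt repository details are assumptions made for this example:

```yaml
# Added example: guest policy that keeps the Cloud Monitoring agent installed
# on every VM whose name starts with "test". Field names follow the OS Config
# v1beta GuestPolicy resource; the package name (stackdriver-agent) and the
# repository distribution are assumptions for this example.
#
# Create it with:
#   gcloud beta compute os-config guest-policies create monitoring-agent-policy \
#       --file=monitoring-agent-policy.yaml
description: "Ensure the Cloud Monitoring agent is installed on test-* VMs"
assignment:
  # Target VMs by name prefix. groupLabels, zones, instances or osTypes can be
  # used instead of, or in addition to, a prefix.
  instanceNamePrefixes:
    - "test"
packages:
  - name: stackdriver-agent
    # INSTALLED: install if absent, leave an already installed version alone.
    # UPDATED would also upgrade it on each run; REMOVED would uninstall it.
    desiredState: INSTALLED
    # ANY lets the agent use the system package manager (apt-get on
    # Debian/Ubuntu, yum on RHEL/CentOS). Restrict to APT, YUM, ZYPPER or GOO
    # when the package name only makes sense for one manager.
    manager: ANY
packageRepositories:
  # Assumed repository for the agent on Debian 10 (buster); the agent configures
  # the repo and trusts the listed GPG key before installing the package.
  - apt:
      archiveType: DEB
      uri: https://packages.cloud.google.com/apt
      distribution: google-cloud-monitoring-buster-all
      components:
        - main
      gpgKey: https://packages.cloud.google.com/apt/doc/apt-key.gpg
```

The agent applies this on its first run and re-checks every 10–15 minutes, so a VM on which the package was removed by hand is brought back to the desired state without a new deployment.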
-
OS inventory
- Use OS inventory management to collect operating system and package information that is stored as guest attributes on the Compute Engine metadata server
- Query guest attributes to retrieve information about the operating system that is running on a VM instance
- OS inventory management can be used to identify virtual machines that are running a specific version of an operating system
- OS inventory management can be used to view packages that are installed on a VM instance
- OS inventory management can be used to generate a list of package updates that are available for each VM instance
- OS inventory management can be used to identify missing packages, updates, or patches for a VM instance
- When OS inventory management is enabled, the OS Config agent runs an inventory scan to collect data, and then sends this information to the metadata server and various log streams
- This scan runs every 10 minutes on the VM instance
-
OS Login
- Use OS Login to manage SSH access to instances using IAM without having to create and manage individual SSH keys
- OS Login maintains a consistent Linux user identity across VM instances and is the recommended way to manage many users across multiple instances or projects
- OS Login simplifies SSH access management by linking a Linux user account to a Google identity
- Administrators can easily manage access to instances at either an instance or project level by setting IAM permissions
- OS Login provides automatic Linux account lifecycle management.
- It directly ties a Linux user account to a user's Google identity so that the same Linux account information is used across all instances in the same project or organization
- It provides fine grained authorization using Google Cloud IAM
- Project and instance-level administrators can use IAM to grant SSH access to a user's Google identity without granting a broader set of privileges
- OS Login grants a user permission to log in to the system, but not the ability to run privileged commands such as sudo
- OS Login enables automatic permission updates
- With OS Login, permissions are updated automatically when an administrator changes Cloud IAM permissions
- If IAM permissions are removed from a Google identity, access to VM instances is revoked
- Google checks permissions for every login attempt to prevent unwanted access
- Administrators can import existing Linux accounts, or optionally synchronize Linux account information from Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) directories that are set up on-premises
- This ensures that users have the same user ID (UID) in both cloud and on-premises environments
-
OS Patch
- Use OS patch management to apply operating system patches across a set of Compute Engine VM instances (VMs)
- Long-running VMs require periodic system updates to protect against defects and vulnerabilities
- With the OS patch management service, create patch jobs and patch deployments
- A patch job runs across VM instances and applies patches
- A patch deployment schedules patch jobs and automates the operating system and software patch update process