One-Stop Resource O&M
Scenario
An O&M engineer at an e-commerce company found that compliance issues with cloud resources, especially OS compliance risks, were prominent in daily work, and that customers were concerned about the security and compliance of the OSs running on the cloud. Host OS patch compliance had to be checked periodically to avoid vulnerabilities caused by missing patches, which could lead to business losses. There was no unified, closed-loop OS compliance management tool on the cloud, which made it difficult to fix compliance issues or to seek help from Huawei. The goal was to automate OS patch scanning and promptly fix missing patches so that host OS patches stay compliant.
Solution
Governance: Provide automated and scheduled OS compliance inspections, with an out-of-the-box experience while retaining customer customization capabilities. This allows for the timely detection of OS compliance issues and the output of compliance reports.
O&M: Trigger patch repairs based on compliance reports, and ensure full coverage of OS compliance through incremental iterations, closing the loop on OS compliance issues within the SLA.
Patch management: COC offers OS patch management capabilities, supporting scanning and fixing patches for Linux OSs such as Huawei Cloud EulerOS, CentOS, and EulerOS, in ECS node and CCE cluster scenarios. COC scans host OS patches based on the rules in a patch baseline and produces a compliance report. It provides three default patch baselines and lets you create custom baselines with your own patch installation rules, patch compliance levels, and exceptional patches.
Patch management allows you to:
- Create patch baselines based on the OS and its corresponding patch scan baselines.
- Scan patches for resources based on scan baselines.
- Check the summary for scan compliance once the scan is completed.
- Fix patches for noncompliant resources.
Scheduled O&M: COC offers automatic O&M capabilities, including script management, job management, and scheduled O&M.
- Script management: COC provides public scripts and allows you to create custom scripts. Three types of scripts are supported: shell, python, and bat.
- Job management: You can orchestrate cloud service APIs, public jobs, custom jobs, and job controls into custom jobs.
- Scheduled O&M: Scheduled O&M can execute specific scripts or jobs on certain instances as scheduled or periodically.
Core Advantages
- Dynamic identification: OS compliance risks are dynamically identified.
- Automatic resource discovery and management
- Safe production: During O&M operations, automatic batching and blast radius assessment are conducted.
- Automatic warning: SMS, email, and WeChat are utilized to automatically send notifications.
Prerequisites
UniAgent has been installed on the server for automatic O&M. For details, see "Installing the UniAgent".
Step 1: Create a Patch Baseline
Create a patch baseline on COC.
- Log in to COC.
- In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
- Click Creating Patch Baseline.
Figure 1 Clicking Creating Patch Baseline
- Fill in patch baseline information.
Figure 2 Setting patch baseline parameters
Table 1 OS installation rule Type
- Product (All | Huawei Cloud EulerOS 1.1 | Huawei Cloud EulerOS 2.0): Product for which you want to scan patches. Only the patches of the selected product are scanned and fixed.
- Category (All | Security | Bugfix | Enhancement | Recommended | Newpackage): Category of patches. Only the patches of the selected category are scanned and fixed.
- Severity (All | Critical | Important | Moderate | Low | None): Severity level of patches. Only the patches of the selected severity are scanned and fixed.
- Compliance Reporting (Unspecified | Critical | High | Medium | Low | Suggestion): Level at which patches that meet the patch baseline are displayed in the compliance report.
- Install Non-Security Patches (not selected by default): If you select this option, patches that are not security patches (patches not associated with a vulnerability) are also upgraded during patch fixing.
- Exceptional Patches (none by default): Approved patches and rejected patches can be given in either of the following formats:
  1. Complete software package name, for example example-1.0.0-1.r1.hce2.x86_64
  2. Software package name containing a single wildcard, for example example-1.0.0*.x86_64
Table 2 Custom installation rule Type
- Product (All | Huawei Cloud EulerOS 1.1 | Huawei Cloud EulerOS 2.0): Product for which you want to scan patches. Only the patches of the selected product are scanned and fixed.
- Compliance Reporting (Unspecified | Critical | High | Medium | Low | Suggestion): Level at which patches that meet the patch baseline are displayed in the compliance report.
- Baseline Patch (none by default): You can specify the version and release number of baseline patches; only the patches that match a custom baseline patch are scanned and installed. Constraints:
  1. A single baseline can contain a maximum of 1,000 baseline patches.
  2. A patch name can contain a maximum of 200 characters. Only letters, digits, underscores (_), hyphens (-), periods (.), asterisks (*), and plus signs (+) are allowed.
  3. The second column holds the version number (letters, digits, underscores, periods, and colons) and the release number (letters, digits, underscores, and periods), each up to 50 characters, separated by a hyphen (-).
- Click Submit.
Figure 3 Creating a custom patch baseline
Step 2: Scan Patches
Patch scan checks the patches on the target ECS or CCE instances for compliance. It scans the selected instances against the selected default baseline, following the chosen batch execution policy, and generates a compliance report.
If an instance cannot be selected, check whether its UniAgent status is normal and whether its OS is supported by COC patch management.
- Log in to COC.
- In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
- Click Create Patch Scanning Task.
Figure 4 Clicking Create Patch Scanning Task
- Click Add Instances.
Figure 5 Selecting instances
- Select the ECSs or CCE instances to scan.
Figure 6 Selecting the ECSs
Figure 7 Selecting the CCE instances
- Set Batch Policy.
Batch policy:
- Automatic: The selected instances are divided into multiple batches based on the default rule.
- Manual: You can manually divide instances into multiple batches as needed.
- No batch: All target instances are in the same batch.
Figure 8 Selecting a batch policy
- Set Suspension Policy.
Suspension threshold: Sets how many failures the task tolerates, expressed as an execution success rate. Once the number of failed servers reaches the number calculated from the threshold, the service ticket status becomes abnormal and the patch scan stops.
Figure 9 Suspension policy
- Click Submit.
Figure 10 Execution confirmation page
- Confirm the execution information. If the information is correct, click OK.
- Once the service ticket is executed, click Compliance Reporting. On the displayed page, check the ECS compliance status in the Compliance Reporting List area.
Figure 11 Service ticket details
Figure 12 Compliance report list
Step 3: View the Patch Compliance Report
After patch compliance scanning or remediation, you can click the compliance report summary details to view patch details on the instance.
The patch compliance report retains only the most recent scan or repair record for each instance.
- Log in to COC.
- In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
Figure 13 Clicking Summary in the Operation column
- Locate the row containing the patch compliance report for which you want to check details and click Summary in the Operation column.
Status description:
Compliant (Installed): The patch matches the patch baseline, is installed on the ECS instance, and no newer update is available.
Compliant (Installed-other): The patch does not match the patch baseline but is installed on the ECS instance.
Noncompliant (Installed-to be restarted): The patch has been repaired and takes effect only after the ECS instance is restarted.
Noncompliant (InstalledRejected): The patch is listed as a rejected patch in the exceptional patches of the patch baseline. It is not repaired even if it otherwise matches the patch baseline.
Noncompliant (Missing): The patch matches the patch baseline but is not installed.
Noncompliant (Failed): The patch could not be repaired.
Figure 14 Patch compliance report summary
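The following is an added example, not COC code, that ties together the baseline rules of Tables 1 and 2 and the scan-time statuses listed above: it validates custom baseline patch rows and exceptional-patch patterns against the stated format rules, then classifies a constructed package inventory against a baseline. The Baseline and Patch data shapes, the helper names, the rule that a rejected pattern overrides everything else, the meaning of approved patches (always in scope), and the sample packages are all assumptions; repair-time statuses (Installed-to be restarted, Failed) are not modelled because they only arise after a fix.

```python
"""Added example (not COC's implementation): validate patch baseline entries
against the Table 1/2 format rules and classify patches with the Step 3
scan-time statuses. Data shapes, helper names and sample data are assumed."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Character rules from Table 2: name <= 200 chars, version and release <= 50 chars each.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.*+-]{1,200}$")
_VERSION_RE = re.compile(r"^[A-Za-z0-9_.:]{1,50}$")
_RELEASE_RE = re.compile(r"^[A-Za-z0-9_.]{1,50}$")


def validate_baseline_patch(name: str, version_release: str) -> bool:
    """True if a custom baseline patch row satisfies the Table 2 constraints.
    Neither the version nor the release may contain '-', so the hyphen that
    separates them must be the only one in the second column."""
    parts = version_release.split("-")
    if len(parts) != 2 or not _NAME_RE.match(name):
        return False
    version, release = parts
    return bool(_VERSION_RE.match(version) and _RELEASE_RE.match(release))


def exception_pattern_ok(pattern: str) -> bool:
    """Exceptional patch (Table 1): full package name, or a name with one '*'."""
    return bool(_NAME_RE.match(pattern)) and pattern.count("*") <= 1


def matches_any(package: str, patterns) -> bool:
    # The allowed name characters exclude '?' and '[', so fnmatch only sees '*'.
    return any(fnmatchcase(package, p) for p in patterns if exception_pattern_ok(p))


@dataclass
class Baseline:
    categories: set  # Table 1 Category values, or {"All"}
    severities: set  # Table 1 Severity values, or {"All"}
    approved: list = field(default_factory=list)  # assumed: always in scope
    rejected: list = field(default_factory=list)  # never repaired


@dataclass
class Patch:
    package: str     # full package name, e.g. example-1.0.0-1.r1.hce2.x86_64
    category: str
    severity: str
    installed: bool  # True when this version is installed (no update pending)


def in_baseline(patch: Patch, bl: Baseline) -> bool:
    if matches_any(patch.package, bl.approved):
        return True
    cat_ok = "All" in bl.categories or patch.category in bl.categories
    sev_ok = "All" in bl.severities or patch.severity in bl.severities
    return cat_ok and sev_ok


def classify(patch: Patch, bl: Baseline):
    """Scan-time status per Step 3; None when the patch is neither in the
    baseline nor installed (it does not appear in the report)."""
    if matches_any(patch.package, bl.rejected):
        return "Noncompliant (InstalledRejected)"  # assumed: rejected wins
    if in_baseline(patch, bl):
        return "Compliant (Installed)" if patch.installed else "Noncompliant (Missing)"
    return "Compliant (Installed-other)" if patch.installed else None


def scan_report(patches, bl: Baseline) -> dict:
    """Per-package status plus the summary counts a compliance report shows."""
    statuses, summary = {}, {}
    for p in patches:
        status = classify(p, bl)
        if status is None:
            continue
        statuses[p.package] = status
        summary[status] = summary.get(status, 0) + 1
    return {"statuses": statuses, "summary": summary}


# Constructed sample baseline and inventory (not real advisories).
SAMPLE_BASELINE = Baseline(
    categories={"Security"},
    severities={"Critical", "Important"},
    approved=["sudo-1.9*"],
    rejected=["glibc-2.34*.x86_64"],
)
SAMPLE_PATCHES = [
    Patch("kernel-5.10.0-60.18.0.50.h1.hce2.x86_64", "Security", "Critical", False),
    Patch("openssl-1.1.1m-2.hce2.x86_64", "Security", "Important", True),
    Patch("bash-5.1.8-4.hce2.x86_64", "Bugfix", "Low", True),
    Patch("glibc-2.34-11.hce2.x86_64", "Security", "Critical", False),
    Patch("sudo-1.9.5p2-3.hce2.x86_64", "Bugfix", "Moderate", False),
    Patch("vim-9.0.0-1.hce2.x86_64", "Enhancement", "None", False),
]

if __name__ == "__main__":
    report = scan_report(SAMPLE_PATCHES, SAMPLE_BASELINE)
    for pkg, status in report["statuses"].items():
        print(f"{status:36} {pkg}")
    print(report["summary"])
```

Run it as a script to print the per-package statuses and the summary counts. Note that a pattern such as example-1.0.0*.x86_64 is matched against the complete package name, so the wildcard covers the release and distribution tag but still pins the architecture.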
Step 4: Install the Patch
The patch repair feature repairs ECS or CCE instances that a patch scan found noncompliant, by upgrading or installing the noncompliant patches on those instances.
- Log in to COC.
- In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
- Select the instance whose patch needs to be repaired and click Repair.
Figure 15 Selecting the target instances
- Set Batch Policy.
Batch policy:
- Automatic: The selected instances are divided into multiple batches based on the default rule.
- Manual: You can manually divide instances into multiple batches as needed.
- No batch: All target instances are in the same batch.
Figure 16 Selecting a batch policy
- Set Suspension Policy.
Suspension threshold: Sets how many failures the task tolerates, expressed as an execution success rate. Once the number of failed servers reaches the number calculated from the threshold, the service ticket status becomes abnormal and the patch repair stops.
Figure 17 Suspension policy
- Set whether to allow restart.
Some patches require a restart to take effect. If you choose not to restart, you must schedule a restart later; until then, those patches are reported as Noncompliant (Installed-to be restarted).
- Confirm the execution information. If the information is correct, click Confirm Execution.
Figure 18 Execution information page
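The batch policy and suspension threshold used in Step 2 and Step 4 are what bound the blast radius of a scan or repair. The following is an added example, not COC code, that executes a task batch by batch and suspends the ticket once the failure count reaches the threshold; the shape of the automatic batches (a one-instance canary batch, then batches of at most five), the rounding of the threshold to a failure count, the sample instance names and the failing instances are all assumptions, since the page does not state COC's default batching rule.

```python
"""Added example (not COC's implementation): run a patch task batch by batch
and suspend it when the suspension threshold is reached. The automatic batch
shape, the threshold rounding and the sample instances are assumptions."""
import math
from dataclasses import dataclass


@dataclass
class BatchResult:
    batch: list
    failed: list
    executed: bool  # False when skipped because the ticket was already suspended


def split_batches(instances, policy, manual_batches=None):
    """Batch policy options from the section:
    'none'      - all target instances in one batch;
    'manual'    - the caller supplies the batches;
    'automatic' - assumed rule: one-instance canary batch, then batches of <= 5."""
    items = list(instances)
    if policy == "none":
        return [items]
    if policy == "manual":
        return [list(b) for b in manual_batches if b]
    if policy == "automatic":
        rest = items[1:]
        batches = [items[:1]] + [rest[i:i + 5] for i in range(0, len(rest), 5)]
        return [b for b in batches if b]
    raise ValueError(f"unknown batch policy: {policy}")


def suspension_limit(total, threshold_pct):
    """Failed-instance count at which the service ticket becomes abnormal.
    Assumed: ceil(threshold% of total), never below 1."""
    return max(1, math.ceil(total * threshold_pct / 100))


def run_task(instances, policy, threshold_pct, execute, manual_batches=None):
    """execute(instance) -> True on success. Returns (ticket_status, results).
    Once suspended, the remaining batches are not executed at all."""
    batches = split_batches(instances, policy, manual_batches)
    limit = suspension_limit(sum(len(b) for b in batches), threshold_pct)
    failed_total, suspended, results = 0, False, []
    for batch in batches:
        if suspended:
            results.append(BatchResult(batch, [], False))
            continue
        failed = [inst for inst in batch if not execute(inst)]
        failed_total += len(failed)
        results.append(BatchResult(batch, failed, True))
        if failed_total >= limit:
            suspended = True
    return ("abnormal" if suspended else "completed", results)


# Constructed sample: 12 ECSs, two of which fail the scan/repair step.
INSTANCES = [f"ecs-{i:02d}" for i in range(1, 13)]
FAILING = {"ecs-03", "ecs-07"}


def sample_execute(instance):
    return instance not in FAILING


if __name__ == "__main__":
    for pct in (10, 30):
        status, results = run_task(INSTANCES, "automatic", pct, sample_execute)
        untouched = sum(len(r.batch) for r in results if not r.executed)
        print(f"threshold {pct}%: ticket {status}, {untouched} instance(s) not touched")
```

With the sample data, a 10% threshold on 12 instances tolerates one failure: the second failure in the third batch marks the ticket abnormal and the last batch is never executed, whereas a 30% threshold lets the task complete. The same reasoning applies to a repair task, where an untouched batch also means no unplanned restarts on those instances.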
Step 5: Create a Scheduled O&M Task
Scheduled O&M allows you to execute specific scripts or jobs on certain instances as scheduled or periodically.
- Log in to COC.
- In the navigation pane on the left, choose Automated O&M > Scheduled O&M.
Figure 19 Listing scheduled O&M tasks
- Click Create Task.
Figure 20 Modifying a scheduled task
- Enter basic information about the scheduled task. Set the time zone. If you select Single execution, select the task execution time. If you select Periodic execution, the Simple Cycle and Cron options are displayed, allowing you to customize the execution period. The scheduled task is executed periodically based on the customized execution period, until the rule expires.
Figure 21 Scheduled Settings
- Select the task type. If you select Scripts, search for the desired script by keyword in the script drop-down list and select it.
Figure 22 Task Type
Click View Selected Scripts. The script details are displayed on the right.
Figure 23 Script Details
Default script parameters are displayed in Script Input Parameters. You can select Sensitive to determine whether to display the parameters in plaintext. You can click the text box to edit the parameter values.
Enter the execution user and the timeout interval.
Click Add instances. In the Select Instance dialog box, set View Type to CloudCMDB resources or CloudCMDB application groups and search for the target instances by resource type and region. Select the check boxes of the target instances and click OK.
Figure 24 Selecting instances
Select a batch policy and suspension policy.
- Select the task type. If you select Jobs, click the text box and search for the desired custom job or common job by name, then select it.
Figure 25 Selecting Jobs
Click View Selected Jobs. The Job Details slide-out is displayed. Click the option in the Global Parameters area. The global parameter details are displayed in the level-2 dialog box on the right. Click an option in the Job Execution Procedure area. The job step details are displayed in the level-2 dialog box on the right.
Figure 26 Querying job steps
Select the target instance mode. If you select Unique for each step, you can set the target instance and batch policy for each job step.
Figure 27 Selecting instances
Click a job step in the job procedure. The job step details are displayed on the right. Enter the success rate threshold and the temporary continuation strategy, select an exception handling policy, and click Save to complete the modification.
Figure 28 Editing a job step
Click Add instances. In the Select Instance dialog box, set View Type to CloudCMDB resources or CloudCMDB application groups and search for the target instances by resource type and region. Select the check boxes of the target instances and click OK.
Figure 29 Adding instances
Select a batch policy and suspension policy.
- You can determine whether to select Manual Review based on the service requirements.
Figure 30 Enabling manual review
- Determine whether to enable Send Notification based on service requirements. If enabled, set Notification Policy, Recipient, and Notification Mode.
Figure 31 Setting notification parameters
- Click Submit.
- Locate a target task in the list, and click Enable or Disable in the Operation column to enable or disable it.
Figure 32 Checking the task list