
One-Stop Resource O&M

Updated on 2024-04-19 GMT+08:00


An O&M engineer at an e-commerce company found that compliance issues with cloud resources, particularly OS compliance risks, were prominent in daily work, and customers were concerned about the security and compliance of their OSs on the cloud. Host OS patches had to be checked for compliance periodically to avoid vulnerabilities caused by missing patches, which could lead to business losses. There was no unified OS compliance management or closed-loop tool on the cloud, making it difficult to fix compliance issues or seek help from Huawei. The goal was to automate OS patch scanning and promptly fix patch vulnerabilities to keep host OS patches compliant.


Governance: Provide automated and scheduled OS compliance inspections, with an out-of-the-box experience while retaining customer customization capabilities. This allows for the timely detection of OS compliance issues and the output of compliance reports.

O&M: Trigger patch repairs based on compliance reports, and ensure full coverage of OS compliance through incremental iterations, closing the loop on OS compliance issues within the SLA.

Patch management: COC offers OS patch management capabilities, supporting scanning and fixing patches for Linux OSs like Huawei Cloud EulerOS, CentOS, and EulerOS, in ECS node and CCE cluster scenarios. COC scans host OS patches based on the rules in patch baselines and provides compliance reports. It has three common patch baselines and allows you to customize patch baselines to meet your specific needs. You can customize patch installation rules, patch compliance levels, and exceptional patches.

Patch management allows you to:

  1. Create patch baselines based on the OS and its corresponding patch scan baselines.
  2. Scan patches for resources based on scan baselines.
  3. Check the summary for scan compliance once the scan is completed.
  4. Fix patches for uncompliant resources.

Scheduled O&M: COC offers automatic O&M capabilities, including script management, job management, and scheduled O&M.

  • Script management: COC provides public scripts and allows you to create custom scripts. Three types of scripts are supported: shell, python, and bat.
  • Job management: You can orchestrate cloud service APIs, public jobs, custom jobs, and job controls into custom jobs.
  • Scheduled O&M: Scheduled O&M can execute specific scripts or jobs on certain instances as scheduled or periodically.

Core Advantages

  • Dynamic identification: OS compliance risks are dynamically identified.
  • Automatic resource discovery and management
  • Safe production: During O&M operations, automatic batching and blast radius assessment are conducted.
  • Automatic warning: SMS, email, and WeChat are utilized to automatically send notifications.


UniAgent has been installed on the server for automatic O&M. For details, see "Installing the UniAgent".

Step 1: Create a Patch Baseline

Create a patch baseline on COC.

  1. Log in to COC.
  2. In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
  3. Click Creating Patch Baseline.
    Figure 1 Clicking Creating Patch Baseline
  4. Fill in patch baseline information.
    Figure 2 Setting patch baseline parameters

    Table 1 describes the OS installation rule.

    Table 2 describes the custom installation rule.

    Table 1 OS installation rule

    • Huawei Cloud EulerOS 1.1, Huawei Cloud EulerOS 2.0: Product for which you want to scan patches. Only the patches of the selected product are scanned and fixed.
    • Category of patches. Only the patches of the selected category are scanned and fixed.
    • Severity level of patches. Only the patches of the selected severity are scanned and fixed.
    • Compliance Reporting: Level at which patches that meet the patch baseline are displayed in the compliance report.
    • Install Non-Security Patches: If you select this option, patches with vulnerabilities will not be upgraded during patch fix.
    • Exceptional Patches: Approved patches and rejected patches can be in the following formats:
      1. Complete software package name: example-1.0.0-1.r1.hce2.x86_64
      2. Software package names that contain a single wildcard: example-1.0.0*.x86_64

    Table 2 Custom installation rule

    • Huawei Cloud EulerOS 1.1, Huawei Cloud EulerOS 2.0: Product for which you want to scan patches. Only the patches of the selected product are scanned and fixed.
    • Compliance Reporting: Level at which patches that meet the patch baseline are displayed in the compliance report.
    • Baseline Patch: You can customize the version and release number of baseline patches, and only the patches that match the custom baseline patch can be scanned and installed.
      1. You can upload a maximum of 1,000 base patches for a single baseline.
      2. The patch name can contain a maximum of 200 characters. Only letters, digits, underscores (_), hyphens (-), periods (.), asterisks (*), and plus signs (+) are allowed.
      3. The second column data consists of a version number (consisting of letters, digits, underscores, periods, and colons) and a release number (consisting of letters, digits, underscores, and periods), each supporting a maximum of 50 characters and separated by a hyphen (-).

  5. Click Submit.
    Figure 3 Creating a custom patch baseline
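
A pre-upload check for the Baseline Patch rules in Table 2, added here as an example; it is not part of the Huawei Cloud documentation or of COC. It assumes the baseline patches are kept as a two-column CSV (patch name, version-release); the function names and the sample rows are made up for illustration.

```python
import csv
import io
import re

# Limits and character sets quoted from the Baseline Patch rules in Table 2.
MAX_PATCHES, MAX_NAME_LEN, MAX_PART_LEN = 1000, 200, 50
NAME_RE = re.compile(r"[A-Za-z0-9_.*+-]+")
VERSION_RE = re.compile(r"[A-Za-z0-9_.:]+")
RELEASE_RE = re.compile(r"[A-Za-z0-9_.]+")


def check_row(name, ver_rel):
    """Return the rule violations for one (patch name, version-release) row."""
    errors = []
    if not name or len(name) > MAX_NAME_LEN:
        errors.append("name must be 1-200 characters")
    elif not NAME_RE.fullmatch(name):
        errors.append("name contains a disallowed character")
    version, sep, release = ver_rel.partition("-")
    if not sep:
        return errors + ["second column must be <version>-<release>"]
    for label, value, pattern in (("version", version, VERSION_RE),
                                  ("release", release, RELEASE_RE)):
        if not value or len(value) > MAX_PART_LEN:
            errors.append(f"{label} must be 1-50 characters")
        elif not pattern.fullmatch(value):
            errors.append(f"{label} contains a disallowed character")
    return errors


def validate_baseline(text):
    """Check a two-column CSV; return {row_number: [errors]}, 0 = whole file."""
    problems = {}
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if len(rows) > MAX_PATCHES:
        problems[0] = [f"{len(rows)} patches exceed the limit of {MAX_PATCHES}"]
    for rowno, row in enumerate(rows, start=1):
        errors = (check_row(row[0].strip(), row[1].strip())
                  if len(row) == 2 else ["expected exactly two columns"])
        if errors:
            problems[rowno] = errors
    return problems


# Constructed sample input; the package names are made up.
SAMPLE = """\
example-libs,2:1.4_beta-3.hce2
bad name!,1.0-1
example-tools,1.0.0
example-core,1.0-1-2
"""

if __name__ == "__main__":
    print(validate_baseline(SAMPLE))
```

Because neither the version nor the release may contain a hyphen, a second hyphen in the second column is reported as a disallowed character in the release.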

Step 2: Scan Patches

Patch scan allows you to scan patches on the target ECS or CCE instance for compliance. It scans against the compliance report based on the selected default baseline, instance, and batch execution policy.

If an instance cannot be selected, check whether its UniAgent status is normal and whether the OS is supported by COC's patch management.

  1. Log in to COC.
  2. In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
  3. Click Create Patch Scanning Task.
    Figure 4 Clicking Create Patch Scanning Task
  4. Click Add Instances.
    Figure 5 Selecting instances
  5. Select the ECSs or CCE instances to scan.
    Figure 6 Selecting the ECSs
    Figure 7 Selecting the CCE instances
  6. Set Batch Policy.
    Batch policy:
    • Automatic: The selected instances are divided into multiple batches based on the default rule.
    • Manual: You can manually divide instances into multiple batches as needed.
    • No batch: All target instances are in the same batch.
    Figure 8 Selecting a batch policy
  7. Set Suspension Policy.
    Suspension threshold: You can set a suspension threshold to determine the execution success rate. Once the number of failed servers reaches the number calculated based on the threshold, the service ticket status will become abnormal and the patch scan will cease.
    Figure 9 Suspension policy
  8. Click Submit.
    Figure 10 Execution confirmation page
  9. Confirm the execution information. If the information is correct, click OK.
  10. Once the service ticket is executed, click Compliance Reporting. On the displayed page, check the ECS compliance status in the Compliance Reporting List area.
    Figure 11 Service ticket details
    Figure 12 Compliance report list

Step 3: View the Patch Compliance Report

After patch compliance scanning or remediation, you can click the compliance report summary details to view patch details on the instance.

The patch compliance report will only retain the most recent scan or remediation record.

  1. Log in to COC.
  2. In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
  3. Locate the row containing the patch compliance report for which you want to check details and click Summary in the Operation column.
    Figure 13 Clicking Summary in the Operation column

    Status description:

    Compliant (Installed): The patch complies with the patch baseline, has been installed on an ECS instance, and no update is available.

    Compliant (Installed-other): The patch is not compliant with the patch baseline but has been installed on an ECS instance.

    Noncompliant (Installed-to be restarted): The patch has been repaired, and can take effect only after the ECS instance is restarted.

    Noncompliant (InstalledRejected): The rejected patches defined in the exceptional patches of a patch baseline. This patch will not be repaired even if it is compliant with the patch baseline.

    Noncompliant (Missing): The patch meets the baseline but has not been installed.

    Noncompliant (Failed): The patch failed to be repaired.

    Figure 14 Patch compliance report summary

Step 4: Install the Patch

The patch repair feature allows you to repair ECS or CCE instances that a patch scan found non-compliant. It upgrades or installs the non-compliant patches on those instances.

  1. Log in to COC.
  2. In the navigation pane on the left, choose Resource O&M > Resource O&M > Patch Management.
  3. Select the instance whose patch needs to be repaired and click Repair.
    Figure 15 Selecting the target instances
  4. Set Batch Policy.
    Batch policy:
    • Automatic: The selected instances are divided into multiple batches based on the default rule.
    • Manual: You can manually divide instances into multiple batches as needed.
    • No batch: All target instances are in the same batch.
    Figure 16 Selecting a batch policy
  5. Set Suspension Policy.
    Suspension threshold: You can set a suspension threshold to determine the execution success rate. Once the number of failed servers reaches the number calculated based on the threshold, the service ticket status will become abnormal and the patch scan will cease.
    Figure 17 Suspension policy
  6. Set whether to allow restart.

    Some patches require a restart to take effect. If you choose not to restart, you will need to schedule a restart at a later time.

  7. Confirm the execution information. If the information is correct, click Confirm Execution.
    Figure 18 Execution information page

Step 5: Create a Scheduled O&M Task

Scheduled O&M allows you to execute specific scripts or jobs on certain instances as scheduled or periodically.

  1. Log in to COC.
  2. In the navigation pane on the left, choose Automated O&M > Scheduled O&M.
    Figure 19 Listing scheduled O&M tasks
  3. Click Create Task.
    Figure 20 Modifying a scheduled task
  4. Enter basic information about the scheduled task. Set the time zone. If you select Single execution, select the task execution time. If you select Periodic execution, the Simple Cycle and Cron options are displayed, allowing you to customize the execution period. The scheduled task is executed periodically based on the customized execution period, until the rule expires.
    Figure 21 Scheduled Settings
  5. Enter the task type. If you select Scripts, search for a desired script by keyword from the drop-down script lists. Select the desired script.
    Figure 22 Task Type

    Click View Selected Scripts. The script details are displayed on the right.

    Figure 23 Script Details

    Default script parameters are displayed in Script Input Parameters. You can select Sensitive to determine whether to display the parameters in plaintext. You can click the text box to edit the parameter values.

    Enter the execution user and the timeout interval.

    Select an instance and click Add instances. The Select Instance dialog box is displayed. You can select CloudCMDB resources or CloudCMDB application groups for View Type and search for the target instances based on the resource type and region. Select the check box next to the instance list and click OK.

    Figure 24 Selecting instances

    Select a batch policy and suspension policy.

  6. Enter the task type. If you select Jobs, click the text box, and select custom jobs or common jobs by searching for the desired job name. Select the desired job.
    Figure 25 Selecting Jobs

    Click View Selected Jobs. The Job Details slide-out is displayed. Click the option in the Global Parameters area. The global parameter details are displayed in the level-2 dialog box on the right. Click an option in the Job Execution Procedure area. The job step details are displayed in the level-2 dialog box on the right.

    Figure 26 Querying job steps

    Select the target instance mode. If you select Unique for each step, you can set the target instance and batch policy for each job step.

    Figure 27 Selecting instances

    Click the job procedure. The job step details are displayed on the right. Enter the success rate threshold and the temporary continuation strategy, select an exception handling policy, and click Save to complete the modification.

    Figure 28 Editing a job step

    Select an instance and click Add instances. The Select Instance dialog box is displayed. You can select CloudCMDB resources or CloudCMDB application groups for View Type and search for the target instances based on the resource type and region. Select the check box next to the instance list and click OK.

    Figure 29 Adding instances

    Select a batch policy and suspension policy.

  7. You can determine whether to select Manual Review based on the service requirements.
    Figure 30 Enabling manual review
  8. Determine whether to enable Send Notification based on service requirements. If enabled, set Notification Policy, Recipient, and Notification Mode.
    Figure 31 Setting notification parameters
  9. Click Submit.
  10. Locate a target task in the list, and click Enable or Disable in the Operation column to enable or disable it.
    Figure 32 Checking the task list
