March 21, 2021
Earlier this year, we introduced VM Manager, a suite of tools that can be used to manage virtual machines running on Google Cloud at scale.
One of the services available with VM Manager is OS patch management, which applies patches to virtual machines on demand or on a schedule. Both Linux and Windows operating systems are supported, and the service uses the operating system's own update infrastructure (e.g. apt, ZYpp, yum and the Windows Update Agent) to both identify and apply missing patches.
A request that comes up often when talking to customers who plan on using this service, or are already using it, is how to create a backup of the state of a virtual machine before patches are applied, in order to be able to roll back in case something goes wrong with patching or with the patches themselves. Unfortunately, this feature is not supported by VM Manager out of the box.
One capability the service does support, however, is running pre-patch and post-patch scripts on each VM that is targeted for patching. These scripts run on the instance itself, in the context of the service account associated with it (either the Compute Engine default service account or the one specified when the instance was created).
In this blog, I will explain how pre-patch scripts can be leveraged to create a crash-consistent disk clone of the persistent disks attached to a VM before patches are applied.
This blog describes a solution to a common customer problem. The ideal solution would be a direct integration in the service that does not rely on executing the snapshot creation on the VM in the context of the associated service account: assigning the required permissions to the service account ultimately grants those permissions to any user who can log in to the VM.
By making the patching of a VM dependent on taking a disk clone (this is how the sample script in this article is put together), a failure to create the clone results in the VM not being patched.
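A pre-patch script of the kind described above, as an added example (not the post's own sample script): it reads the instance identity from the metadata server, clones every attached persistent disk with gcloud, and exits non-zero when any clone fails so that VM Manager does not patch the instance. The `PREPATCH_CLONE_ENABLED` guard and the clone-name scheme are my assumptions, not part of VM Manager.

```shell
#!/bin/sh
# Pre-patch script: clone every persistent disk attached to this VM before OS
# patch management applies updates. Any failure exits non-zero (fail closed).
set -eu
MD='http://metadata.google.internal/computeMetadata/v1'

# Read one value from the instance metadata server (assumes curl is installed).
md() {
  curl -sf -m 5 -H 'Metadata-Flavor: Google' "$MD/$1"
}

# Strip a disk self-link URL down to the resource name (last path element).
disk_name_from_url() {
  printf '%s\n' "${1##*/}"
}

# Clone name: <source>-prepatch-<UTC timestamp>, trimmed so the result stays
# within the 63-character limit for Compute Engine resource names.
clone_name() {
  suffix="-prepatch-$2"
  printf '%s%s\n' "$(printf '%s' "$1" | cut -c1-$((63 - ${#suffix})))" "$suffix"
}

# gcloud command that clones one disk. Arguments: project zone source clone.
# Needs compute.disks.create (project) and compute.disks.createSnapshot
# (source disk) on the VM's service account, plus an API scope that allows it.
clone_cmd() {
  printf 'gcloud compute disks create %s --project=%s --zone=%s --source-disk=%s --source-disk-zone=%s --quiet\n' \
    "$4" "$1" "$2" "$3" "$2"
}

main() {
  project=$(md project/project-id)
  instance=$(md instance/name)
  zone=$(md instance/zone); zone=${zone##*/}   # projects/N/zones/ZONE -> ZONE
  ts=$(date -u +%Y%m%d%H%M%S)
  # disks[].source is a ';'-joined list of self-links in gcloud's value format.
  gcloud compute instances describe "$instance" --project="$project" --zone="$zone" \
    --format='value(disks[].source)' | tr ';' '\n' | while read -r url; do
    [ -n "$url" ] || continue
    src=$(disk_name_from_url "$url")
    dst=$(clone_name "$src" "$ts")
    echo "cloning $src -> $dst"
    eval "$(clone_cmd "$project" "$zone" "$src" "$dst")" \
      || { echo "clone of $src failed; refusing to patch" >&2; exit 1; }
  done
}

# Guard (my addition): API calls run only when PREPATCH_CLONE_ENABLED=1, so the
# helpers can be loaded and checked anywhere without touching a real project.
if [ "${PREPATCH_CLONE_ENABLED:-0}" = "1" ]; then
  main
fi
```

Deploy it with `export PREPATCH_CLONE_ENABLED=1` prepended (or remove the guard) so that the clone actually runs when VM Manager invokes the pre-patch step.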
Setting up VM Manager and OS patch management is out of scope for this article. Follow the instructions in Setting up VM Manager to enable VM Manager for your project.
Permissions
Creating disk clones requires at least the following permissions to be assigned to the service account associated with the VM:
compute.disks.create # on the project
compute.disks.createSnapshot # on the source disk
Scopes
The script that creates the clone ultimately runs on the VM that is being patched. This means that, besides granting the correct permissions to the service account associated with the VM, the API access scope of the instance needs to be set as well.
Set the scope to either Allow full access to all Cloud APIs