1// Copyright 2020 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.osconfig.v1; 18 19import "google/api/field_behavior.proto"; 20import "google/api/resource.proto"; 21import "google/cloud/osconfig/v1/osconfig_common.proto"; 22import "google/protobuf/duration.proto"; 23import "google/protobuf/timestamp.proto"; 24 25option csharp_namespace = "Google.Cloud.OsConfig.V1"; 26option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb"; 27option java_outer_classname = "PatchJobs"; 28option java_package = "com.google.cloud.osconfig.v1"; 29option php_namespace = "Google\\Cloud\\OsConfig\\V1"; 30option ruby_package = "Google::Cloud::OsConfig::V1"; 31 32// A request message to initiate patching across Compute Engine 33// instances. 34message ExecutePatchJobRequest { 35 // Required. The project in which to run this patch in the form `projects/*` 36 string parent = 1 [ 37 (google.api.field_behavior) = REQUIRED, 38 (google.api.resource_reference) = { 39 type: "cloudresourcemanager.googleapis.com/Project" 40 } 41 ]; 42 43 // Description of the patch job. Length of the description is limited 44 // to 1024 characters. 45 string description = 2; 46 47 // Required. Instances to patch, either explicitly or filtered by some 48 // criteria such as zone or labels. 49 PatchInstanceFilter instance_filter = 7 50 [(google.api.field_behavior) = REQUIRED]; 51 52 // Patch configuration being applied. If omitted, instances are 53 // patched using the default configurations. 54 PatchConfig patch_config = 4; 55 56 // Duration of the patch job. After the duration ends, the patch job 57 // times out. 58 google.protobuf.Duration duration = 5; 59 60 // If this patch is a dry-run only, instances are contacted but 61 // will do nothing. 62 bool dry_run = 6; 63 64 // Display name for this patch job. This does not have to be unique. 65 string display_name = 8; 66 67 // Rollout strategy of the patch job. 68 PatchRollout rollout = 9; 69} 70 71// Request to get an active or completed patch job. 72message GetPatchJobRequest { 73 // Required. Name of the patch in the form `projects/*/patchJobs/*` 74 string name = 1 [ 75 (google.api.field_behavior) = REQUIRED, 76 (google.api.resource_reference) = { 77 type: "osconfig.googleapis.com/PatchJob" 78 } 79 ]; 80} 81 82// Request to list details for all instances that are part of a patch job. 83message ListPatchJobInstanceDetailsRequest { 84 // Required. The parent for the instances are in the form of 85 // `projects/*/patchJobs/*`. 86 string parent = 1 [ 87 (google.api.field_behavior) = REQUIRED, 88 (google.api.resource_reference) = { 89 type: "osconfig.googleapis.com/PatchJob" 90 } 91 ]; 92 93 // The maximum number of instance details records to return. Default is 100. 94 int32 page_size = 2; 95 96 // A pagination token returned from a previous call 97 // that indicates where this listing should continue from. 98 string page_token = 3; 99 100 // A filter expression that filters results listed in the response. This 101 // field supports filtering results by instance zone, name, state, or 102 // `failure_reason`. 103 string filter = 4; 104} 105 106// A response message for listing the instances details for a patch job. 107message ListPatchJobInstanceDetailsResponse { 108 // A list of instance status. 109 repeated PatchJobInstanceDetails patch_job_instance_details = 1; 110 111 // A pagination token that can be used to get the next page of results. 112 string next_page_token = 2; 113} 114 115// Patch details for a VM instance. For more information about reviewing VM 116// instance details, see 117// [Listing all VM instance details for a specific patch 118// job](https://cloud.google.com/compute/docs/os-patch-management/manage-patch-jobs#list-instance-details). 119message PatchJobInstanceDetails { 120 // The instance name in the form `projects/*/zones/*/instances/*` 121 string name = 1 [(google.api.resource_reference) = { 122 type: "compute.googleapis.com/Instance" 123 }]; 124 125 // The unique identifier for the instance. This identifier is 126 // defined by the server. 127 string instance_system_id = 2; 128 129 // Current state of instance patch. 130 Instance.PatchState state = 3; 131 132 // If the patch fails, this field provides the reason. 133 string failure_reason = 4; 134 135 // The number of times the agent that the agent attempts to apply the patch. 136 int64 attempt_count = 5; 137} 138 139// A request message for listing patch jobs. 140message ListPatchJobsRequest { 141 // Required. In the form of `projects/*` 142 string parent = 1 [ 143 (google.api.field_behavior) = REQUIRED, 144 (google.api.resource_reference) = { 145 type: "cloudresourcemanager.googleapis.com/Project" 146 } 147 ]; 148 149 // The maximum number of instance status to return. 150 int32 page_size = 2; 151 152 // A pagination token returned from a previous call 153 // that indicates where this listing should continue from. 154 string page_token = 3; 155 156 // If provided, this field specifies the criteria that must be met by patch 157 // jobs to be included in the response. 158 // Currently, filtering is only available on the patch_deployment field. 159 string filter = 4; 160} 161 162// A response message for listing patch jobs. 163message ListPatchJobsResponse { 164 // The list of patch jobs. 165 repeated PatchJob patch_jobs = 1; 166 167 // A pagination token that can be used to get the next page of results. 168 string next_page_token = 2; 169} 170 171// A high level representation of a patch job that is either in progress 172// or has completed. 173// 174// Instance details are not included in the job. To paginate through instance 175// details, use ListPatchJobInstanceDetails. 176// 177// For more information about patch jobs, see 178// [Creating patch 179// jobs](https://cloud.google.com/compute/docs/os-patch-management/create-patch-job). 180message PatchJob { 181 option (google.api.resource) = { 182 type: "osconfig.googleapis.com/PatchJob" 183 pattern: "projects/{project}/patchJobs/{patch_job}" 184 }; 185 186 // Enumeration of the various states a patch job passes through as it 187 // executes. 188 enum State { 189 // State must be specified. 190 STATE_UNSPECIFIED = 0; 191 192 // The patch job was successfully initiated. 193 STARTED = 1; 194 195 // The patch job is looking up instances to run the patch on. 196 INSTANCE_LOOKUP = 2; 197 198 // Instances are being patched. 199 PATCHING = 3; 200 201 // Patch job completed successfully. 202 SUCCEEDED = 4; 203 204 // Patch job completed but there were errors. 205 COMPLETED_WITH_ERRORS = 5; 206 207 // The patch job was canceled. 208 CANCELED = 6; 209 210 // The patch job timed out. 211 TIMED_OUT = 7; 212 } 213 214 // A summary of the current patch state across all instances that this patch 215 // job affects. Contains counts of instances in different states. These states 216 // map to `InstancePatchState`. List patch job instance details to see the 217 // specific states of each instance. 218 message InstanceDetailsSummary { 219 // Number of instances pending patch job. 220 int64 pending_instance_count = 1; 221 222 // Number of instances that are inactive. 223 int64 inactive_instance_count = 2; 224 225 // Number of instances notified about patch job. 226 int64 notified_instance_count = 3; 227 228 // Number of instances that have started. 229 int64 started_instance_count = 4; 230 231 // Number of instances that are downloading patches. 232 int64 downloading_patches_instance_count = 5; 233 234 // Number of instances that are applying patches. 235 int64 applying_patches_instance_count = 6; 236 237 // Number of instances rebooting. 238 int64 rebooting_instance_count = 7; 239 240 // Number of instances that have completed successfully. 241 int64 succeeded_instance_count = 8; 242 243 // Number of instances that require reboot. 244 int64 succeeded_reboot_required_instance_count = 9; 245 246 // Number of instances that failed. 247 int64 failed_instance_count = 10; 248 249 // Number of instances that have acked and will start shortly. 250 int64 acked_instance_count = 11; 251 252 // Number of instances that exceeded the time out while applying the patch. 253 int64 timed_out_instance_count = 12; 254 255 // Number of instances that are running the pre-patch step. 256 int64 pre_patch_step_instance_count = 13; 257 258 // Number of instances that are running the post-patch step. 259 int64 post_patch_step_instance_count = 14; 260 261 // Number of instances that do not appear to be running the agent. Check to 262 // ensure that the agent is installed, running, and able to communicate with 263 // the service. 264 int64 no_agent_detected_instance_count = 15; 265 } 266 267 // Unique identifier for this patch job in the form 268 // `projects/*/patchJobs/*` 269 string name = 1; 270 271 // Display name for this patch job. This is not a unique identifier. 272 string display_name = 14; 273 274 // Description of the patch job. Length of the description is limited 275 // to 1024 characters. 276 string description = 2; 277 278 // Time this patch job was created. 279 google.protobuf.Timestamp create_time = 3; 280 281 // Last time this patch job was updated. 282 google.protobuf.Timestamp update_time = 4; 283 284 // The current state of the PatchJob. 285 State state = 5; 286 287 // Instances to patch. 288 PatchInstanceFilter instance_filter = 13; 289 290 // Patch configuration being applied. 291 PatchConfig patch_config = 7; 292 293 // Duration of the patch job. After the duration ends, the 294 // patch job times out. 295 google.protobuf.Duration duration = 8; 296 297 // Summary of instance details. 298 InstanceDetailsSummary instance_details_summary = 9; 299 300 // If this patch job is a dry run, the agent reports that it has 301 // finished without running any updates on the VM instance. 302 bool dry_run = 10; 303 304 // If this patch job failed, this message provides information about the 305 // failure. 306 string error_message = 11; 307 308 // Reflects the overall progress of the patch job in the range of 309 // 0.0 being no progress to 100.0 being complete. 310 double percent_complete = 12; 311 312 // Output only. Name of the patch deployment that created this patch job. 313 string patch_deployment = 15 [ 314 (google.api.field_behavior) = OUTPUT_ONLY, 315 (google.api.resource_reference) = { 316 type: "osconfig.googleapis.com/PatchDeployment" 317 } 318 ]; 319 320 // Rollout strategy being applied. 321 PatchRollout rollout = 16; 322} 323 324// Patch configuration specifications. Contains details on how to apply the 325// patch(es) to a VM instance. 326message PatchConfig { 327 // Post-patch reboot settings. 328 enum RebootConfig { 329 // The default behavior is DEFAULT. 330 REBOOT_CONFIG_UNSPECIFIED = 0; 331 332 // The agent decides if a reboot is necessary by checking signals such as 333 // registry keys on Windows or `/var/run/reboot-required` on APT based 334 // systems. On RPM based systems, a set of core system package install times 335 // are compared with system boot time. 336 DEFAULT = 1; 337 338 // Always reboot the machine after the update completes. 339 ALWAYS = 2; 340 341 // Never reboot the machine after the update completes. 342 NEVER = 3; 343 } 344 345 // Post-patch reboot settings. 346 RebootConfig reboot_config = 1; 347 348 // Apt update settings. Use this setting to override the default `apt` patch 349 // rules. 350 AptSettings apt = 3; 351 352 // Yum update settings. Use this setting to override the default `yum` patch 353 // rules. 354 YumSettings yum = 4; 355 356 // Goo update settings. Use this setting to override the default `goo` patch 357 // rules. 358 GooSettings goo = 5; 359 360 // Zypper update settings. Use this setting to override the default `zypper` 361 // patch rules. 362 ZypperSettings zypper = 6; 363 364 // Windows update settings. Use this override the default windows patch rules. 365 WindowsUpdateSettings windows_update = 7; 366 367 // The `ExecStep` to run before the patch update. 368 ExecStep pre_step = 8; 369 370 // The `ExecStep` to run after the patch update. 371 ExecStep post_step = 9; 372 373 // Allows the patch job to run on Managed instance groups (MIGs). 374 bool mig_instances_allowed = 10; 375} 376 377// Namespace for instance state enums. 378message Instance { 379 // Patch state of an instance. 380 enum PatchState { 381 // Unspecified. 382 PATCH_STATE_UNSPECIFIED = 0; 383 384 // The instance is not yet notified. 385 PENDING = 1; 386 387 // Instance is inactive and cannot be patched. 388 INACTIVE = 2; 389 390 // The instance is notified that it should be patched. 391 NOTIFIED = 3; 392 393 // The instance has started the patching process. 394 STARTED = 4; 395 396 // The instance is downloading patches. 397 DOWNLOADING_PATCHES = 5; 398 399 // The instance is applying patches. 400 APPLYING_PATCHES = 6; 401 402 // The instance is rebooting. 403 REBOOTING = 7; 404 405 // The instance has completed applying patches. 406 SUCCEEDED = 8; 407 408 // The instance has completed applying patches but a reboot is required. 409 SUCCEEDED_REBOOT_REQUIRED = 9; 410 411 // The instance has failed to apply the patch. 412 FAILED = 10; 413 414 // The instance acked the notification and will start shortly. 415 ACKED = 11; 416 417 // The instance exceeded the time out while applying the patch. 418 TIMED_OUT = 12; 419 420 // The instance is running the pre-patch step. 421 RUNNING_PRE_PATCH_STEP = 13; 422 423 // The instance is running the post-patch step. 424 RUNNING_POST_PATCH_STEP = 14; 425 426 // The service could not detect the presence of the agent. Check to ensure 427 // that the agent is installed, running, and able to communicate with the 428 // service. 429 NO_AGENT_DETECTED = 15; 430 } 431} 432 433// Message for canceling a patch job. 434message CancelPatchJobRequest { 435 // Required. Name of the patch in the form `projects/*/patchJobs/*` 436 string name = 1 [ 437 (google.api.field_behavior) = REQUIRED, 438 (google.api.resource_reference) = { 439 type: "osconfig.googleapis.com/PatchJob" 440 } 441 ]; 442} 443 444// Apt patching is completed by executing `apt-get update && apt-get 445// upgrade`. Additional options can be set to control how this is executed. 446message AptSettings { 447 // Apt patch type. 448 enum Type { 449 // By default, upgrade will be performed. 450 TYPE_UNSPECIFIED = 0; 451 452 // Runs `apt-get dist-upgrade`. 453 DIST = 1; 454 455 // Runs `apt-get upgrade`. 456 UPGRADE = 2; 457 } 458 459 // By changing the type to DIST, the patching is performed 460 // using `apt-get dist-upgrade` instead. 461 Type type = 1; 462 463 // List of packages to exclude from update. These packages will be excluded 464 repeated string excludes = 2; 465 466 // An exclusive list of packages to be updated. These are the only packages 467 // that will be updated. If these packages are not installed, they will be 468 // ignored. This field cannot be specified with any other patch configuration 469 // fields. 470 repeated string exclusive_packages = 3; 471} 472 473// Yum patching is performed by executing `yum update`. Additional options 474// can be set to control how this is executed. 475// 476// Note that not all settings are supported on all platforms. 477message YumSettings { 478 // Adds the `--security` flag to `yum update`. Not supported on 479 // all platforms. 480 bool security = 1; 481 482 // Will cause patch to run `yum update-minimal` instead. 483 bool minimal = 2; 484 485 // List of packages to exclude from update. These packages are excluded by 486 // using the yum `--exclude` flag. 487 repeated string excludes = 3; 488 489 // An exclusive list of packages to be updated. These are the only packages 490 // that will be updated. If these packages are not installed, they will be 491 // ignored. This field must not be specified with any other patch 492 // configuration fields. 493 repeated string exclusive_packages = 4; 494} 495 496// Googet patching is performed by running `googet update`. 497message GooSettings {} 498 499// Zypper patching is performed by running `zypper patch`. 500// See also https://en.opensuse.org/SDB:Zypper_manual. 501message ZypperSettings { 502 // Adds the `--with-optional` flag to `zypper patch`. 503 bool with_optional = 1; 504 505 // Adds the `--with-update` flag, to `zypper patch`. 506 bool with_update = 2; 507 508 // Install only patches with these categories. 509 // Common categories include security, recommended, and feature. 510 repeated string categories = 3; 511 512 // Install only patches with these severities. 513 // Common severities include critical, important, moderate, and low. 514 repeated string severities = 4; 515 516 // List of patches to exclude from update. 517 repeated string excludes = 5; 518 519 // An exclusive list of patches to be updated. These are the only patches 520 // that will be installed using 'zypper patch patch:<patch_name>' command. 521 // This field must not be used with any other patch configuration fields. 522 repeated string exclusive_patches = 6; 523} 524 525// Windows patching is performed using the Windows Update Agent. 526message WindowsUpdateSettings { 527 // Microsoft Windows update classifications as defined in 528 // [1] 529 // https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro 530 enum Classification { 531 // Invalid. If classifications are included, they must be specified. 532 CLASSIFICATION_UNSPECIFIED = 0; 533 534 // "A widely released fix for a specific problem that addresses a critical, 535 // non-security-related bug." [1] 536 CRITICAL = 1; 537 538 // "A widely released fix for a product-specific, security-related 539 // vulnerability. Security vulnerabilities are rated by their severity. The 540 // severity rating is indicated in the Microsoft security bulletin as 541 // critical, important, moderate, or low." [1] 542 SECURITY = 2; 543 544 // "A widely released and frequent software update that contains additions 545 // to a product's definition database. Definition databases are often used 546 // to detect objects that have specific attributes, such as malicious code, 547 // phishing websites, or junk mail." [1] 548 DEFINITION = 3; 549 550 // "Software that controls the input and output of a device." [1] 551 DRIVER = 4; 552 553 // "New product functionality that is first distributed outside the context 554 // of a product release and that is typically included in the next full 555 // product release." [1] 556 FEATURE_PACK = 5; 557 558 // "A tested, cumulative set of all hotfixes, security updates, critical 559 // updates, and updates. Additionally, service packs may contain additional 560 // fixes for problems that are found internally since the release of the 561 // product. Service packs my also contain a limited number of 562 // customer-requested design changes or features." [1] 563 SERVICE_PACK = 6; 564 565 // "A utility or feature that helps complete a task or set of tasks." [1] 566 TOOL = 7; 567 568 // "A tested, cumulative set of hotfixes, security updates, critical 569 // updates, and updates that are packaged together for easy deployment. A 570 // rollup generally targets a specific area, such as security, or a 571 // component of a product, such as Internet Information Services (IIS)." [1] 572 UPDATE_ROLLUP = 8; 573 574 // "A widely released fix for a specific problem. An update addresses a 575 // noncritical, non-security-related bug." [1] 576 UPDATE = 9; 577 } 578 579 // Only apply updates of these windows update classifications. If empty, all 580 // updates are applied. 581 repeated Classification classifications = 1; 582 583 // List of KBs to exclude from update. 584 repeated string excludes = 2; 585 586 // An exclusive list of kbs to be updated. These are the only patches 587 // that will be updated. This field must not be used with other 588 // patch configurations. 589 repeated string exclusive_patches = 3; 590} 591 592// A step that runs an executable for a PatchJob. 593message ExecStep { 594 // The ExecStepConfig for all Linux VMs targeted by the PatchJob. 595 ExecStepConfig linux_exec_step_config = 1; 596 597 // The ExecStepConfig for all Windows VMs targeted by the PatchJob. 598 ExecStepConfig windows_exec_step_config = 2; 599} 600 601// Common configurations for an ExecStep. 602message ExecStepConfig { 603 // The interpreter used to execute the a file. 604 enum Interpreter { 605 // Invalid for a Windows ExecStepConfig. For a Linux ExecStepConfig, the 606 // interpreter will be parsed from the shebang line of the script if 607 // unspecified. 608 INTERPRETER_UNSPECIFIED = 0; 609 610 // Indicates that the script is run with `/bin/sh` on Linux and `cmd` 611 // on Windows. 612 SHELL = 1; 613 614 // Indicates that the file is run with PowerShell flags 615 // `-NonInteractive`, `-NoProfile`, and `-ExecutionPolicy Bypass`. 616 POWERSHELL = 2; 617 } 618 619 // Location of the executable. 620 oneof executable { 621 // An absolute path to the executable on the VM. 622 string local_path = 1; 623 624 // A Cloud Storage object containing the executable. 625 GcsObject gcs_object = 2; 626 } 627 628 // Defaults to [0]. A list of possible return values that the 629 // execution can return to indicate a success. 630 repeated int32 allowed_success_codes = 3; 631 632 // The script interpreter to use to run the script. If no interpreter is 633 // specified the script will be executed directly, which will likely 634 // only succeed for scripts with [shebang lines] 635 // (https://en.wikipedia.org/wiki/Shebang_\(Unix\)). 636 Interpreter interpreter = 4; 637} 638 639// Cloud Storage object representation. 640message GcsObject { 641 // Required. Bucket of the Cloud Storage object. 642 string bucket = 1 [(google.api.field_behavior) = REQUIRED]; 643 644 // Required. Name of the Cloud Storage object. 645 string object = 2 [(google.api.field_behavior) = REQUIRED]; 646 647 // Required. Generation number of the Cloud Storage object. This is used to 648 // ensure that the ExecStep specified by this PatchJob does not change. 649 int64 generation_number = 3 [(google.api.field_behavior) = REQUIRED]; 650} 651 652// A filter to target VM instances for patching. The targeted 653// VMs must meet all criteria specified. So if both labels and zones are 654// specified, the patch job targets only VMs with those labels and in those 655// zones. 656message PatchInstanceFilter { 657 // Targets a group of VM instances by using their [assigned 658 // labels](https://cloud.google.com/compute/docs/labeling-resources). Labels 659 // are key-value pairs. A `GroupLabel` is a combination of labels 660 // that is used to target VMs for a patch job. 661 // 662 // For example, a patch job can target VMs that have the following 663 // `GroupLabel`: `{"env":"test", "app":"web"}`. This means that the patch job 664 // is applied to VMs that have both the labels `env=test` and `app=web`. 665 message GroupLabel { 666 // Compute Engine instance labels that must be present for a VM 667 // instance to be targeted by this filter. 668 map<string, string> labels = 1; 669 } 670 671 // Target all VM instances in the project. If true, no other criteria is 672 // permitted. 673 bool all = 1; 674 675 // Targets VM instances matching ANY of these GroupLabels. This allows 676 // targeting of disparate groups of VM instances. 677 repeated GroupLabel group_labels = 2; 678 679 // Targets VM instances in ANY of these zones. Leave empty to target VM 680 // instances in any zone. 681 repeated string zones = 3; 682 683 // Targets any of the VM instances specified. Instances are specified by their 684 // URI in the form `zones/[ZONE]/instances/[INSTANCE_NAME]`, 685 // `projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]`, or 686 // `https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]` 687 repeated string instances = 4; 688 689 // Targets VMs whose name starts with one of these prefixes. Similar to 690 // labels, this is another way to group VMs when targeting configs, for 691 // example prefix="prod-". 692 repeated string instance_name_prefixes = 5; 693} 694 695// Patch rollout configuration specifications. Contains details on the 696// concurrency control when applying patch(es) to all targeted VMs. 697message PatchRollout { 698 // Type of the rollout. 699 enum Mode { 700 // Mode must be specified. 701 MODE_UNSPECIFIED = 0; 702 703 // Patches are applied one zone at a time. The patch job begins in the 704 // region with the lowest number of targeted VMs. Within the region, 705 // patching begins in the zone with the lowest number of targeted VMs. If 706 // multiple regions (or zones within a region) have the same number of 707 // targeted VMs, a tie-breaker is achieved by sorting the regions or zones 708 // in alphabetical order. 709 ZONE_BY_ZONE = 1; 710 711 // Patches are applied to VMs in all zones at the same time. 712 CONCURRENT_ZONES = 2; 713 } 714 715 // Mode of the patch rollout. 716 Mode mode = 1; 717 718 // The maximum number (or percentage) of VMs per zone to disrupt at any given 719 // moment. The number of VMs calculated from multiplying the percentage by the 720 // total number of VMs in a zone is rounded up. 721 // 722 // During patching, a VM is considered disrupted from the time the agent is 723 // notified to begin until patching has completed. This disruption time 724 // includes the time to complete reboot and any post-patch steps. 725 // 726 // A VM contributes to the disruption budget if its patching operation fails 727 // either when applying the patches, running pre or post patch steps, or if it 728 // fails to respond with a success notification before timing out. VMs that 729 // are not running or do not have an active agent do not count toward this 730 // disruption budget. 731 // 732 // For zone-by-zone rollouts, if the disruption budget in a zone is exceeded, 733 // the patch job stops, because continuing to the next zone requires 734 // completion of the patch process in the previous zone. 735 // 736 // For example, if the disruption budget has a fixed value of `10`, and 8 VMs 737 // fail to patch in the current zone, the patch job continues to patch 2 VMs 738 // at a time until the zone is completed. When that zone is completed 739 // successfully, patching begins with 10 VMs at a time in the next zone. If 10 740 // VMs in the next zone fail to patch, the patch job stops. 741 FixedOrPercent disruption_budget = 2; 742} 743