xref: /aosp_15_r20/external/googleapis/google/cloud/osconfig/agentendpoint/v1/patch_jobs.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9)
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// proto3 syntax: scalar fields declared without `optional` have implicit
// presence, so a zero, empty or false value cannot be told apart from a field
// that was never set.
syntax = "proto3";

// Package that every message in this file belongs to.
package google.cloud.osconfig.agentendpoint.v1;

// Code-generation options (Go import path and package name, Java outer class
// name and Java package). They do not change the wire format.
option go_package = "cloud.google.com/go/osconfig/agentendpoint/apiv1/agentendpointpb;agentendpointpb";
option java_outer_classname = "PatchJobs";
option java_package = "com.google.cloud.osconfig.agentendpoint.v1";
// Patch configuration specifications. Contains details on how to
// apply patches to a VM instance.
//
// Besides the package-manager settings, this message carries `pre_step` and
// `post_step`, which name executables to run on the VM. A PatchConfig is
// therefore a description of code to execute as well as of settings, and the
// ability to author one deserves the same access control as the ability to
// run commands on the targeted VMs. The account the agent runs those steps
// under is not defined in this file.
message PatchConfig {
  // Post-patch reboot settings.
  //
  // The value names carry no type prefix and live in the PatchConfig scope.
  // Names and numbers are part of the published contract and are kept as-is.
  enum RebootConfig {
    // Zero value, i.e. what a reader sees when the field was not set.
    // The default behavior is DEFAULT.
    REBOOT_CONFIG_UNSPECIFIED = 0;

    // The agent decides if a reboot is necessary by checking
    // signals such as registry keys on Windows or `/var/run/reboot-required` on
    // APT based systems. On RPM based systems, a set of core system package
    // install times are compared with system boot time.
    DEFAULT = 1;

    // Always reboot the machine after the update completes.
    ALWAYS = 2;

    // Never reboot the machine after the update completes.
    // NOTE(review): updates that only take effect after a restart presumably
    // stay inactive until the machine is rebooted by other means; confirm
    // against the agent's behaviour before relying on NEVER for
    // security-relevant patch runs.
    NEVER = 3;
  }

  // Post-patch reboot settings.
  RebootConfig reboot_config = 1;

  // Retry strategy can be defined to have the agent retry patching
  // during the window if patching fails. If omitted, the agent will use its
  // default retry strategy.
  RetryStrategy retry_strategy = 2;

  // Apt update settings. Use this to override the default apt patch rules.
  AptSettings apt = 3;

  // Yum update settings. Use this to override the default yum patch rules.
  YumSettings yum = 4;

  // Goo update settings. Use this to override the default goo patch rules.
  GooSettings goo = 5;

  // Zypper update settings. Use this to override the default zypper patch
  // rules.
  ZypperSettings zypper = 6;

  // Windows update settings. Use this to override the default windows patch
  // rules.
  WindowsUpdateSettings windows_update = 7;

  // The ExecStep to run before the patch update.
  // The step names an executable that runs on the VM (see ExecStep and
  // ExecStepConfig), so its source should be reviewed like any other code
  // deployed to the machine.
  ExecStep pre_step = 8;

  // The ExecStep to run after the patch update.
  // Same considerations as `pre_step`.
  ExecStep post_step = 9;

  // Allows the patch job to run on Managed instance groups (MIGs).
  // Plain proto3 bool: an unset field reads as false.
  bool mig_instances_allowed = 10;
}
// Apt patching will be performed by executing `apt-get update && apt-get
// upgrade`. Additional options can be set to control how this is executed.
//
// The package lists below are free-form strings. How the agent hands them to
// apt-get is not visible in this file.
// NOTE(review): an agent implementation should treat each entry as a package
// name to validate and pass as a separate argument, not as text to splice
// into a shell command line; confirm against the agent code.
message AptSettings {
  // Apt patch type.
  enum Type {
    // Zero value, seen when `type` is not set.
    // By default, upgrade will be performed.
    TYPE_UNSPECIFIED = 0;

    // Runs `apt-get dist-upgrade`.
    DIST = 1;

    // Runs `apt-get upgrade`.
    UPGRADE = 2;
  }

  // By changing the type to DIST, the patching will be performed
  // using `apt-get dist-upgrade` instead.
  Type type = 1;

  // List of packages to exclude from update.
  // A package listed here is not updated by this patch job, so changes to
  // this list are worth auditing when patch compliance matters.
  repeated string excludes = 2;

  // An exclusive list of packages to be updated. These are the only packages
  // that will be updated. If these packages are not installed, they will be
  // ignored. This field cannot be specified with any other patch configuration
  // fields.
  // The schema itself does not express that exclusivity (this is an ordinary
  // repeated field, not a oneof member), so the rule has to be enforced by
  // whatever validates the message.
  repeated string exclusive_packages = 3;
}
// Yum patching will be performed by executing `yum update`. Additional options
// can be set to control how this is executed.
//
// Note that not all settings are supported on all platforms.
message YumSettings {
  // Adds the `--security` flag to `yum update`. Not supported on
  // all platforms.
  // Plain proto3 bool: unset reads as false, in which case the flag is not
  // added.
  bool security = 1;

  // Will cause patch to run `yum update-minimal` instead.
  bool minimal = 2;

  // List of packages to exclude from update. These packages will be excluded by
  // using the yum `--exclude` flag.
  // Entries are free-form strings that end up as flag values.
  // NOTE(review): the agent should pass each one as its own argument rather
  // than through a shell; confirm against the agent code.
  repeated string excludes = 3;

  // An exclusive list of packages to be updated. These are the only packages
  // that will be updated. If these packages are not installed, they will be
  // ignored. This field must not be specified with any other patch
  // configuration fields.
  // The schema does not enforce that rule; it must be checked by the code
  // that validates the message.
  repeated string exclusive_packages = 4;
}
// Googet patching is performed by running `googet update`.
// The message currently defines no fields, so there is nothing to configure
// for googet through this schema.
message GooSettings {

}
// Zypper patching is performed by running `zypper patch`.
// See also https://en.opensuse.org/SDB:Zypper_manual.
message ZypperSettings {
  // Adds the `--with-optional` flag to `zypper patch`.
  bool with_optional = 1;

  // Adds the `--with-update` flag to `zypper patch`.
  bool with_update = 2;

  // Install only patches with these categories.
  // Common categories include security, recommended, and feature.
  // Free-form strings: the schema does not restrict the accepted values.
  repeated string categories = 3;

  // Install only patches with these severities.
  // Common severities include critical, important, moderate, and low.
  // Free-form strings: the schema does not restrict the accepted values.
  // NOTE(review): a filter that omits a severity presumably leaves patches of
  // that severity uninstalled by this job; confirm against the agent.
  repeated string severities = 4;

  // List of patches to exclude from update.
  // A patch listed here is not installed by this patch job, so changes to
  // this list are worth auditing when patch compliance matters.
  repeated string excludes = 5;

  // An exclusive list of patches to be updated. These are the only patches
  // that will be installed using 'zypper patch patch:<patch_name>' command.
  // This field must not be used with any other patch configuration fields.
  // The schema does not enforce that rule. Each entry becomes part of a
  // command argument.
  // NOTE(review): the agent should validate entries as patch names before
  // building the command; confirm against the agent code.
  repeated string exclusive_patches = 6;
}
// Windows patching is performed using the Windows Update Agent.
message WindowsUpdateSettings {
  // Microsoft Windows update classifications as defined in
  // [1]
  // https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro
  //
  // The quoted descriptions on the values below are taken from [1].
  enum Classification {
    // Invalid. If classifications are included, they must be specified.
    // This is the zero value, so it is also what an unknown or defaulted
    // entry decodes to.
    CLASSIFICATION_UNSPECIFIED = 0;

    // "A widely released fix for a specific problem that addresses a critical,
    // non-security-related bug." [1]
    CRITICAL = 1;

    // "A widely released fix for a product-specific, security-related
    // vulnerability. Security vulnerabilities are rated by their severity. The
    // severity rating is indicated in the Microsoft security bulletin as
    // critical, important, moderate, or low." [1]
    SECURITY = 2;

    // "A widely released and frequent software update that contains additions
    // to a product’s definition database. Definition databases are often used
    // to detect objects that have specific attributes, such as malicious code,
    // phishing websites, or junk mail." [1]
    DEFINITION = 3;

    // "Software that controls the input and output of a device." [1]
    DRIVER = 4;

    // "New product functionality that is first distributed outside the context
    // of a product release and that is typically included in the next full
    // product release." [1]
    FEATURE_PACK = 5;

    // "A tested, cumulative set of all hotfixes, security updates, critical
    // updates, and updates. Additionally, service packs may contain additional
    // fixes for problems that are found internally since the release of the
    // product. Service packs may also contain a limited number of
    // customer-requested design changes or features." [1]
    SERVICE_PACK = 6;

    // "A utility or feature that helps complete a task or set of tasks." [1]
    TOOL = 7;

    // "A tested, cumulative set of hotfixes, security updates, critical
    // updates, and updates that are packaged together for easy deployment. A
    // rollup generally targets a specific area, such as security, or a
    // component of a product, such as Internet Information Services (IIS)." [1]
    UPDATE_ROLLUP = 8;

    // "A widely released fix for a specific problem. An update addresses a
    // noncritical, non-security-related bug." [1]
    UPDATE = 9;
  }

  // Only apply updates of these windows update classifications. If empty, all
  // updates will be applied.
  // Because the list is a filter, a non-empty list without SECURITY means
  // this job does not apply updates of that classification.
  repeated Classification classifications = 1;

  // List of KBs to exclude from update.
  // An excluded KB is not installed by this patch job, so changes to this
  // list are worth auditing when patch compliance matters.
  repeated string excludes = 2;

  // An exclusive list of KBs to be updated. These are the only patches
  // that will be updated. This field must not be used with other
  // patch configurations.
  // The schema does not enforce that rule; it must be checked by the code
  // that validates the message.
  repeated string exclusive_patches = 3;
}
// The strategy for retrying failed patches during the patch window.
message RetryStrategy {
  // If true, the agent will continue to try and patch until the window has
  // ended.
  // Plain proto3 bool: a RetryStrategy with this field unset reads as false.
  bool enabled = 1;
}
// A step that runs an executable for a PatchJob.
//
// The two fields are independent message fields, not a oneof, so a single
// ExecStep can carry a configuration for each operating system family.
message ExecStep {
  // The ExecStepConfig for all Linux VMs targeted by the PatchJob.
  ExecStepConfig linux_exec_step_config = 1;

  // The ExecStepConfig for all Windows VMs targeted by the PatchJob.
  ExecStepConfig windows_exec_step_config = 2;
}
// Common configurations for an ExecStep.
//
// This message selects what gets executed on a VM (a local file or a GCS
// object) and how (which interpreter). It is the most security-sensitive
// part of a patch job definition: the integrity of the referenced file
// decides what code runs.
message ExecStepConfig {
  // The interpreter used to execute a file.
  //
  // The numeric values are not in declaration order (NONE is 3). The numbers
  // are the wire contract and must not be renumbered to tidy this up.
  enum Interpreter {
    // Deprecated, defaults to NONE for compatibility reasons.
    // This is the zero value, so it is what an unset `interpreter` reads as.
    INTERPRETER_UNSPECIFIED = 0;

    // Invalid for a Windows ExecStepConfig. For a Linux ExecStepConfig, the
    // interpreter will be parsed from the shebang line of the script if
    // unspecified.
    NONE = 3;

    // Indicates that the script will be run with /bin/sh on Linux and cmd
    // on windows.
    SHELL = 1;

    // Indicates that the file will be run with PowerShell.
    POWERSHELL = 2;
  }

  // Location of the executable.
  // Exactly one of the two sources can be set; setting one clears the other.
  oneof executable {
    // An absolute path to the executable on the VM.
    // The schema carries only the path. Nothing here pins the file's
    // content.
    // NOTE(review): what actually runs presumably depends on who can write
    // to that path on the VM; confirm file ownership and permissions.
    string local_path = 1;

    // A GCS object containing the executable.
    // See GcsObject.generation_number for how the object version is pinned.
    GcsObject gcs_object = 2;
  }

  // Defaults to [0]. A list of possible return values that the
  // execution can return to indicate a success.
  // NOTE(review): an exit code outside this list is presumably reported as a
  // failed step; confirm against the agent.
  repeated int32 allowed_success_codes = 3;

  // The script interpreter to use to run the script. If no interpreter is
  // specified the script will be executed directly, which will likely
  // only succeed for scripts with shebang lines.
  // [Wikipedia shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)).
  Interpreter interpreter = 4;
}
// GCS object representation.
//
// The message identifies an object by bucket, name and generation. It
// defines no content-hash field, so the only version pin available in this
// schema is `generation_number`, together with access control on the bucket.
message GcsObject {
  // Bucket of the GCS object.
  string bucket = 1;

  // Name of the GCS object.
  string object = 2;

  // Generation number of the GCS object. This is used to ensure that the
  // ExecStep specified by this PatchJob does not change.
  // Plain proto3 int64 with implicit presence: 0 cannot be told apart from
  // "not set".
  // NOTE(review): confirm that the agent rejects a zero generation and does
  // not fall back to fetching the latest version.
  int64 generation_number = 3;
}