Wednesday, May 10, 2023

Run Commands Remotely on OCI Compute Instances

Run Command is an OCI feature that has to be configured and enabled on each compute instance (it is a plugin of the Oracle Cloud Agent). The official documentation describes it, and it is a powerful feature if you set it up correctly. So here I start.

My plan is to tag the instances across the tenancy that are allowed to run commands, include those instances in a Dynamic Group based on the tag, and allow the Dynamic Group to use the feature with a policy.

1 I start by creating a tag namespace that will hold my tag keys.

The following OCI CLI command can be used to create the tag namespace. You may notice an HTTP raw request (`oci raw-request`) is used rather than the matching CLI command; the CLI does offer `oci iam tag-namespace` and `oci iam tag` commands, but the raw request maps directly onto the REST reference, and personally I find the REST API documentation more useful than the OCI CLI Command Reference: it offers real sample scripts, not generated ones like the CLI reference.

2 Now I am adding tag keys. I am not interested in cost tracking, but I want a list of values that users can select from rather than a free-form string.

The following CLI commands can be used to create keys under the namespace.

3 With the tags created, I can tag the instances, either in the Console or with the CLI.

If updating with the OCI CLI, you must also pass the existing tags, because the update replaces the whole defined-tags map rather than merging into it. So first I get the instance and copy its defined-tags.

4 Compute instances need to identify themselves as members of an IAM Dynamic Group, as described here. For that reason I am creating a Dynamic Group whose matching rule is the tag value.

The following CLI command can be used to create the dynamic group.

5 Now I will create or update a policy that allows my newly created Dynamic Group to run commands. All requirements are explained here in the official documentation.

Again, similar to adding tags to instances, if updating an existing policy I need to provide all the existing statements together with the new one, plus the version date.
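Steps 1 to 5 as one script, added here as an example and not taken from the original post. It builds the pieces with the OCI CLI commands (`oci iam tag-namespace create`, `oci iam tag create`, `oci iam dynamic-group create`, `oci iam policy create`, `oci compute instance update`). The namespace `Operations`, key `RunCommand`, values `enabled`/`disabled`, the group names, the compartment placeholders and the merge of existing instance tags via `jq` are my assumptions; the policy statements follow the documented Run Command requirements and should be checked against the current documentation. Nothing is sent to OCI unless `RUN_OCI=1` is set.

```shell
#!/bin/sh
# Added example (not from the original post): provision the IAM pieces for Run Command
# with the OCI CLI. Assumed names: tag namespace "Operations", key "RunCommand" with
# allowed values enabled/disabled, dynamic group and operator group names below.
# Nothing is sent to OCI unless RUN_OCI=1; the OCID placeholders are not real.

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..example}"   # placeholder
COMPARTMENT_NAME="${COMPARTMENT_NAME:-ops}"                              # assumed name
TAG_NS="Operations"
TAG_KEY="RunCommand"
DG_NAME="runcmd-instances"
OPERATOR_GROUP="runcmd-operators"

# json_string_array a b  ->  ["a","b"]
json_string_array() {
  out=""
  for v in "$@"; do
    out="${out:+$out,}\"$v\""
  done
  printf '[%s]' "$out"
}

# Enum validator for the tag key: users pick from this list instead of typing free text
enum_validator() {
  printf '{"validatorType":"ENUM","values":%s}' "$(json_string_array "$@")"
}

# Dynamic-group matching rule selecting instances that carry the tag value
matching_rule() {
  printf "tag.%s.%s.value='%s'" "$1" "$2" "$3"
}

# Policy statements: the instance may execute commands aimed at itself only
# (request.instance.id = target.instance.id); operators may create and read commands.
run_command_statements() {
  dg=$1; group=$2; comp=$3
  json_string_array \
    "Allow dynamic-group $dg to use instance-agent-command-execution-family in compartment $comp where request.instance.id = target.instance.id" \
    "Allow group $group to manage instance-agent-command-family in compartment $comp" \
    "Allow group $group to read instance-agent-command-execution-family in compartment $comp" \
    "Allow group $group to read instance-family in compartment $comp"
}

# Tag one instance; the update replaces the whole defined-tags map, so merge with jq first
tag_instance() {
  instance_id=$1; value=$2
  merged=$(oci compute instance get --instance-id "$instance_id" --query 'data."defined-tags"' |
    jq -c --arg ns "$TAG_NS" --arg k "$TAG_KEY" --arg v "$value" '.[$ns][$k] = $v')
  oci compute instance update --instance-id "$instance_id" --defined-tags "$merged" --force
}

provision() {
  ns_id=$(oci iam tag-namespace create --compartment-id "$COMPARTMENT_OCID" \
    --name "$TAG_NS" --description "Operational controls" --query 'data.id' --raw-output)
  oci iam tag create --tag-namespace-id "$ns_id" --name "$TAG_KEY" \
    --description "Instance accepts Run Command jobs" \
    --validator "$(enum_validator enabled disabled)"
  oci iam dynamic-group create --name "$DG_NAME" \
    --description "Instances opted in to Run Command" \
    --matching-rule "$(matching_rule "$TAG_NS" "$TAG_KEY" enabled)"
  oci iam policy create --compartment-id "$COMPARTMENT_OCID" --name "$DG_NAME-policy" \
    --description "Run Command on tagged instances" \
    --statements "$(run_command_statements "$DG_NAME" "$OPERATOR_GROUP" "$COMPARTMENT_NAME")"
}

if [ "${RUN_OCI:-0}" = 1 ]; then
  provision
  if [ -n "${INSTANCE_OCID:-}" ]; then tag_instance "$INSTANCE_OCID" enabled; fi
else
  echo "validator:     $(enum_validator enabled disabled)"
  echo "matching rule: $(matching_rule "$TAG_NS" "$TAG_KEY" enabled)"
  echo "statements:    $(run_command_statements "$DG_NAME" "$OPERATOR_GROUP" "$COMPARTMENT_NAME")"
fi
```

The `where request.instance.id = target.instance.id` condition keeps an instance from reading or executing commands addressed to other members of the group. For an existing policy, replace `oci iam policy create` with `oci iam policy update --policy-id ... --statements ...`, passing the old statements plus the new one, as the step above says.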

6 Now it is time for testing. First I create the command; it took 3-4 minutes before it succeeded.

I can use the CLI to create the command.

The output of the command, as well as its exit code, is displayed.

This is really powerful: you can pass script files, have the agent fetch a script from Object Storage, and store the output as text or in Object Storage. It can be used for any automation purpose: data processing, configuration, even debugging and restores. It is up to your imagination. Keep in mind what the policy grants: anyone who can create commands in the compartment gets code execution on every instance in the Dynamic Group, so scope the operator group and the compartment as tightly as you can.
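The test in step 6 as a script, added here as an example and not code from the original post. It builds the command payload (inline script, output returned as text or written to an Object Storage object), creates the command with `oci instance-agent command create`, polls `oci instance-agent command-execution get` until a terminal state, and prints state, exit code and output. The flag names follow the CLI reference as I recall it (confirm with `oci instance-agent command create --help`), the `OBJECT_STORAGE_TUPLE` output shape is my reading of the API schema, and the OCIDs and bucket names are placeholders. Nothing is sent to OCI unless `RUN_OCI=1`.

```shell
#!/bin/sh
# Added example (not from the original post): create a Run Command job, wait for it to
# finish, and show exit code and output. The command text is JSON-escaped with awk so
# quotes, backslashes and newlines in the script survive the trip.
# Flag names per the CLI reference as I recall it; confirm with
#   oci instance-agent command create --help
# Nothing is sent to OCI unless RUN_OCI=1; the OCID placeholders are not real.

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..example}"   # placeholder
INSTANCE_OCID="${INSTANCE_OCID:-ocid1.instance.oc1..example}"           # placeholder

# Escape backslash, double quote and newline so $1 can sit inside a JSON string
json_escape() {
  printf '%s' "$1" | awk 'BEGIN { ORS = "" }
    { gsub(/\\/, "\\\\\\\\"); gsub(/"/, "\\\\\""); if (NR > 1) printf "\\n"; print }'
}

# Inline script, output returned as text in the execution record
command_content() {
  printf '{"source":{"sourceType":"TEXT","text":"%s"},"output":{"outputType":"TEXT"}}' \
    "$(json_escape "$1")"
}

# Same script, output written to an Object Storage object (assumed schema:
# InstanceAgentCommandOutputViaObjectStorageTupleDetails; the dynamic group
# additionally needs write access to that bucket)
command_content_to_bucket() {
  printf '{"source":{"sourceType":"TEXT","text":"%s"},"output":{"outputType":"OBJECT_STORAGE_TUPLE","namespaceName":"%s","bucketName":"%s","objectName":"%s"}}' \
    "$(json_escape "$1")" "$2" "$3" "$4"
}

# Create the command, wait for a terminal state (or a deadline), then show
# state, exit code and output
run_and_wait() {
  instance_id=$1; script=$2; timeout=${3:-300}
  cmd_id=$(oci instance-agent command create --compartment-id "$COMPARTMENT_OCID" \
    --display-name "runcmd-$(date +%s)" --execution-time-out-in-seconds "$timeout" \
    --target "{\"instanceId\":\"$instance_id\"}" --content "$(command_content "$script")" \
    --query 'data.id' --raw-output) || return 1
  deadline=$(( $(date +%s) + timeout + 120 ))   # agent pickup delay on top of the execution timeout
  while :; do
    state=$(oci instance-agent command-execution get --command-id "$cmd_id" \
      --instance-id "$instance_id" --query 'data."lifecycle-state"' --raw-output 2>/dev/null) || state=""
    case "$state" in
      SUCCEEDED|FAILED|TIMED_OUT|CANCELED) break ;;
    esac
    if [ "$(date +%s)" -ge "$deadline" ]; then echo "gave up waiting, last state: $state" >&2; return 1; fi
    sleep 15   # the agent polls for new commands; the post saw 3-4 minutes end to end
  done
  oci instance-agent command-execution get --command-id "$cmd_id" --instance-id "$instance_id" \
    --query '{state: data."lifecycle-state", exit: data.content."exit-code", output: data.content.text}'
}

if [ "${RUN_OCI:-0}" = 1 ]; then
  run_and_wait "$INSTANCE_OCID" 'id -un; uname -r' 600
else
  command_content 'echo "hello from $(hostname)"'; echo
  command_content_to_bucket 'df -h' mytenancy runcmd-output web01/df.txt; echo
fi
```

The exit code lives in the execution record, not in the CLI's own return status, so a script that wraps this has to read `data.content."exit-code"` to know whether the remote command actually succeeded.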

Troubleshooting

1 The official documentation advises checking the Oracle Cloud Agent log file (/var/log/oracle-cloud-agent/agent.log) for agent errors.

2 After restarting the agent, my commands run.

3 A successful execution log looks like this:

4 The commands run as the ocarun user; I've added the user to sudoers.
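The enable-and-troubleshoot side of the page (the plugin that has to be enabled on the instance, the agent restart, and the sudoers entry for `ocarun`), as an added example that is not from the original post. It enables the "Compute Instance Run Command" plugin through the instance agent config, checks the agent service and log, and writes a sudoers drop-in that limits `ocarun` to named commands instead of the blanket `NOPASSWD: ALL` form. The drop-in path and the script paths are my assumptions; nothing is changed on the host unless `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the original post): enable the Run Command plugin, check the
# agent, and grant ocarun a least-privilege sudo rule. Assumptions: the sudoers drop-in
# path, the script paths passed to sudoers_rule, and the instance OCID placeholder.
# Nothing is applied unless APPLY=1.

INSTANCE_OCID="${INSTANCE_OCID:-ocid1.instance.oc1..example}"   # placeholder
PLUGIN_NAME="Compute Instance Run Command"
SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers.d/ocarun}"           # assumed path
AGENT_LOG="/var/log/oracle-cloud-agent/agent.log"

# Agent config that switches the plugin on (the Console exposes the same toggle
# under the instance's Oracle Cloud Agent tab)
plugin_enable_config() {
  printf '{"pluginsConfig":[{"name":"%s","desiredState":"ENABLED"}]}' "$1"
}

# One sudoers line letting ocarun run only the listed absolute paths as root.
# A blanket "ocarun ALL=(ALL) NOPASSWD: ALL" makes everyone who can create
# commands in the compartment root on every tagged instance.
sudoers_rule() {
  list=""
  for p in "$@"; do
    case "$p" in
      /*) ;;
      *) echo "refusing relative path: $p" >&2; return 1 ;;
    esac
    list="${list:+$list, }$p"
  done
  printf 'ocarun ALL=(root) NOPASSWD: %s\n' "$list"
}

# Validate with visudo before installing, so a typo cannot lock sudo
install_sudoers() {
  tmp=$(mktemp)
  sudoers_rule "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  visudo -c -f "$tmp" && install -m 0440 "$tmp" "$SUDOERS_FILE"
  rm -f "$tmp"
}

# Service state plus the Run Command lines from the agent log
agent_status() {
  systemctl is-active oracle-cloud-agent
  tail -n 100 "$AGENT_LOG" | grep -i "run command" || true
}

if [ "${APPLY:-0}" = 1 ]; then
  oci compute instance update --instance-id "$INSTANCE_OCID" \
    --agent-config "$(plugin_enable_config "$PLUGIN_NAME")" --force
  install_sudoers /usr/local/sbin/app-restart
  sudo systemctl restart oracle-cloud-agent
  agent_status
else
  plugin_enable_config "$PLUGIN_NAME"; echo
  sudoers_rule /usr/local/sbin/app-restart /usr/bin/journalctl
fi
```

Pin the sudo grant to scripts that root owns and that are not writable by `ocarun`; otherwise the restriction is cosmetic, since the user could edit the script it is allowed to run.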
