Google Cloud — VM Manager

Allan Alfonso
Google Cloud - Community
3 min read · Aug 30, 2022

VM Manager (VMM) is a suite of tools that can be used to manage Windows and Linux virtual machines (VMs). If you manage a large number of VMs, VMM can automate patching, compliance monitoring, and configuration to simplify operations. At a high level, Google Cloud installs an agent to manage and monitor the operating system and then uses the operating system’s utilities to maintain the state of the VM.

VM Manager Architecture

VMM consists of 3 features:

  1. OS Patch Management — applies on-demand/scheduled patches and analyzes operating systems for patch compliance.
  2. OS Inventory Management — collects and reviews operating system information.
  3. OS Configuration Management — installs, removes, and auto-updates software packages.

Step 1: Enable the OS Config service API. This enables patch management, compliance, and configuration.

OS Config API

Step 2: Enable the Container Analysis API. The Container Analysis API provides metadata storage for software artifacts on both Container Registry and Artifact Registry.

Container Analysis API part 1
Container Analysis API part 2

Step 3: Create VMs and set required metadata values. Any image with a build date of v20200114 or later, which should cover most current-generation images, already has the OS Config agent installed. All you need to do is set the metadata values, which act as an “on/off” switch. You can apply the metadata values on the cloud project, which applies them to all VMs within the project, or you can apply them on individual VMs. Since VM Manager is priced per VM, this flexibility helps control costs.

If you need to use an older image, there is an option to install the agent manually.

Apply metadata values

Step 4: Verification. Use the Verification Checklist to validate the VM Manager installation. It consists of five steps:

  1. Check if the OS Config API is enabled.
  2. Check if the metadata is enabled.
  3. Check if the OS Config agent is installed and running.
  4. Check if the service account is enabled.
  5. Check if the VM can communicate with the OS Config API.

It takes time before you see anything in the dashboard.
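For the metadata check in Step 4, the following added example (not code from the original post or from Google) audits which VMs are actually switched on for VM Manager, given project-level and per-VM metadata from Step 3. It assumes the metadata key is `enable-osconfig` (the post does not name it), that an instance-level value overrides the project-level one, and that `TRUE`, `true` and `1` count as enabled; the JSON is constructed sample data in the shape `gcloud` prints.

```python
import json

# Constructed sample input, shaped like the output of:
#   gcloud compute project-info describe --format=json
#   gcloud compute instances list --format=json
PROJECT_JSON = """{"commonInstanceMetadata": {"items": [
    {"key": "enable-osconfig", "value": "TRUE"}]}}"""
INSTANCES_JSON = """[
  {"name": "web-1", "metadata": {"items": [{"key": "startup-script", "value": "#!/bin/sh"}]}},
  {"name": "batch-1", "metadata": {"items": [{"key": "enable-osconfig", "value": "FALSE"}]}},
  {"name": "db-1", "metadata": {}}
]"""

KEY = "enable-osconfig"       # assumption: key name is not given in the post
TRUTHY = {"true", "1", "t"}   # assumption: values treated as "on"


def metadata_value(resource_metadata, key):
    """Return the value for key from a Compute Engine metadata object, or None."""
    for item in (resource_metadata or {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def audit(project, instances):
    """Map VM name -> (enabled, source), source being instance/project/unset."""
    project_value = metadata_value(project.get("commonInstanceMetadata"), KEY)
    report = {}
    for inst in instances:
        inst_value = metadata_value(inst.get("metadata"), KEY)
        if inst_value is not None:        # assumed precedence: instance wins
            value, source = inst_value, "instance"
        elif project_value is not None:
            value, source = project_value, "project"
        else:
            value, source = "", "unset"
        report[inst["name"]] = (value.strip().lower() in TRUTHY, source)
    return report


def unmanaged(report):
    """Names of VMs that patching and inventory will not cover."""
    return sorted(name for name, (enabled, _) in report.items() if not enabled)


if __name__ == "__main__":
    result = audit(json.loads(PROJECT_JSON), json.loads(INSTANCES_JSON))
    for name, (enabled, source) in sorted(result.items()):
        print(f"{name}: {'managed' if enabled else 'NOT managed'} (from {source})")
    print("not covered by VM Manager:", unmanaged(result))
```

A VM that opts out at the instance level, like `batch-1` here, drops out of patch compliance reporting even though the project-wide switch is on, so the list of unmanaged VMs is worth reviewing against what you intended to exclude for cost reasons.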

There is also an integration between VMM and Security Command Center (SCC) Premium Tier in preview (as of this post in August 2022). VMM identifies operating system vulnerabilities in VMs and then writes its vulnerability reports to SCC. To enable this integration, go to “Security → Security Command Center → Settings → vm-manager → enable”.

Summary

VM Manager monitors, inventories, and configures the operating systems of Compute Engine VMs. Even though there is an agent involved, Google Cloud automates the complexity of managing the agent lifecycle to simplify operations. VMM can also send vulnerability information to Security Command Center to centralize security information.

Further Reading

Google Cloud: VM Manager
Google Cloud: Setup VM Manager
Google Cloud: Troubleshoot VM Manager
Google Cloud: Verify VM Manager Setup
Google Cloud: VM Manager Vulnerability Reports
