gcloud compute os-config patch-jobs execute

Execute an OS patch on the specified VM instances

Options

| Name | Description |
| --- | --- |
| `--account <ACCOUNT>` | Google Cloud Platform user account to use for invocation. Overrides the default `core/account` property value for this command invocation. |
| `--apt-dist` | If specified, machines running Apt use the `apt-get dist-upgrade` command; otherwise the `apt-get upgrade` command is used. |
| `--apt-excludes <APT_EXCLUDES>` | List of packages to exclude from update. |
| `--apt-exclusive-packages <APT_EXCLUSIVE_PACKAGES>` | An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored. |
| `--async` | Return immediately, without waiting for the operation in progress to complete. |
| `--billing-project <BILLING_PROJECT>` | The Google Cloud Platform project that will be charged quota for operations performed in gcloud. If you need to operate on one project, but need quota against a different project, you can use this flag to specify the billing project. If both `billing/quota_project` and `--billing-project` are specified, `--billing-project` takes precedence. Run `gcloud config set --help` to see more information about `billing/quota_project`. |
| `--configuration <CONFIGURATION>` | The configuration to use for this command invocation. For more information on how to use configurations, run: `gcloud topic configurations`. You can also use the `CLOUDSDK_ACTIVE_CONFIG_NAME` environment variable to set the equivalent of this flag for a terminal session. |
| `--description <DESCRIPTION>` | Textual description of the patch job. |
| `--display-name <DISPLAY_NAME>` | Display name for this patch job. This does not have to be unique. |
| `--dry-run` | Whether to execute this patch job as a dry run. If this patch job is a dry run, instances are contacted, but the patch is not run. |
| `--duration <DURATION>` | Total duration in which the patch job must complete. If the patch does not complete in this time, the process times out. While some instances might still be running the patch, they will not continue to work after completing the current step. See `gcloud topic datetimes` for information on specifying absolute time durations. If unspecified, the job stays active until all instances complete the patch. |
| `--flags-file <YAML_FILE>` | A YAML or JSON file that specifies a `--flag`:`value` dictionary. Useful for specifying complex flag values with special characters that work with any command interpreter. Additionally, each `--flags-file` arg is replaced by its constituent flags. See `gcloud topic flags-file` for more information. |
| `--flatten <KEY>` | Flatten `name[]` output resource slices in `KEY` into separate records for each item in each slice. Multiple keys and slices may be specified. This also flattens keys for `--format` and `--filter`. For example, `--flatten=abc.def` flattens `abc.def[].ghi` references to `abc.def.ghi`. A resource record containing `abc.def[]` with N elements will expand to N records in the flattened output. This flag interacts with other flags that are applied in this order: `--flatten`, `--sort-by`, `--filter`, `--limit`. |
| `--format <FORMAT>` | Set the format for printing command output resources. The default is a command-specific human-friendly output format. The supported formats are: `config`, `csv`, `default`, `diff`, `disable`, `flattened`, `get`, `json`, `list`, `multi`, `none`, `object`, `table`, `text`, `value`, `yaml`. For more details run `gcloud topic formats`. |
| `--help` | Display detailed help. |
| `--impersonate-service-account <SERVICE_ACCOUNT_EMAIL>` | For this gcloud invocation, all API requests will be made as the given service account instead of the currently selected account. This is done without needing to create, download, and activate a key for the account. In order to perform operations as the service account, your currently selected account must have an IAM role that includes the `iam.serviceAccounts.getAccessToken` permission for the service account. The `roles/iam.serviceAccountTokenCreator` role has this permission or you may create a custom role. Overrides the default `auth/impersonate_service_account` property value for this command invocation. |
| `--instance-filter-all` | A filter that targets all instances in the project. |
| `--instance-filter-group-labels <KEY=VALUE>` | A filter that represents a label set. Targeted instances must have all specified labels in this set. For example, "env=prod and app=web". This flag can be repeated. Targeted instances must have at least one of these label sets. This allows targeting of disparate groups, for example, "(env=prod and app=web) or (env=staging and app=web)". |
| `--instance-filter-name-prefixes <INSTANCE_FILTER_NAME_PREFIXES>` | A filter that targets instances whose name starts with one of these prefixes. For example, "prod-". |
| `--instance-filter-names <INSTANCE_FILTER_NAMES>` | A filter that targets instances of any of the specified names. Instances are specified by the URI in the form `zones/<ZONE>/instances/<INSTANCE_NAME>`, `projects/<PROJECT_ID>/zones/<ZONE>/instances/<INSTANCE_NAME>`, or `https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/zones/<ZONE>/instances/<INSTANCE_NAME>`. |
| `--instance-filter-zones <INSTANCE_FILTER_ZONES>` | A filter that targets instances in any of the specified zones. Leave empty to target instances in any zone. |
| `--log-http` | Log all HTTP server requests and responses to stderr. Overrides the default `core/log_http` property value for this command invocation. |
| `--post-patch-linux-executable <POST_PATCH_LINUX_EXECUTABLE>` | A set of commands to run on a Linux machine after an OS patch completes. Commands must be supplied in a file. If the file contains a shell script, include the shebang line. The path to the file must be supplied in one of the following formats: an absolute path of the file on the local filesystem, or a URI for a Google Cloud Storage object with a generation number. |
| `--post-patch-linux-success-codes <POST_PATCH_LINUX_SUCCESS_CODES>` | Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0. |
| `--post-patch-windows-executable <POST_PATCH_WINDOWS_EXECUTABLE>` | A set of commands to run on a Windows machine after an OS patch completes. Commands must be supplied in a file. If the file contains a PowerShell script, include the .ps1 file extension. The PowerShell script executes with flags `-NonInteractive`, `-NoProfile`, and `-ExecutionPolicy Bypass`. The path to the file must be supplied in one of the following formats: an absolute path of the file on the local filesystem, or a URI for a Google Cloud Storage object with a generation number. |
| `--post-patch-windows-success-codes <POST_PATCH_WINDOWS_SUCCESS_CODES>` | Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0. |
| `--pre-patch-linux-executable <PRE_PATCH_LINUX_EXECUTABLE>` | A set of commands to run on a Linux machine before an OS patch begins. Commands must be supplied in a file. If the file contains a shell script, include the shebang line. The path to the file must be supplied in one of the following formats: an absolute path of the file on the local filesystem, or a URI for a Google Cloud Storage object with a generation number. |
| `--pre-patch-linux-success-codes <PRE_PATCH_LINUX_SUCCESS_CODES>` | Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0. |
| `--pre-patch-windows-executable <PRE_PATCH_WINDOWS_EXECUTABLE>` | A set of commands to run on a Windows machine before an OS patch begins. Commands must be supplied in a file. If the file contains a PowerShell script, include the .ps1 file extension. The PowerShell script executes with flags `-NonInteractive`, `-NoProfile`, and `-ExecutionPolicy Bypass`. The path to the file must be supplied in one of the following formats: an absolute path of the file on the local filesystem, or a URI for a Google Cloud Storage object with a generation number. |
| `--pre-patch-windows-success-codes <PRE_PATCH_WINDOWS_SUCCESS_CODES>` | Additional exit codes that the executable can return to indicate a successful run. The default exit code for success is 0. |
| `--project <PROJECT_ID>` | The Google Cloud Platform project ID to use for this invocation. If omitted, then the current project is assumed; the current project can be listed using `gcloud config list --format='text(core.project)'` and can be set using `gcloud config set project PROJECTID`. `--project` and its fallback `core/project` property play two roles in the invocation. It specifies the project of the resource to operate on. It also specifies the project for API enablement check, quota, and billing. To specify a different project for quota and billing, use `--billing-project` or the `billing/quota_project` property. |
| `--quiet` | Disable all interactive prompts when running gcloud commands. If input is required, defaults will be used, or an error will be raised. Overrides the default `core/disable_prompts` property value for this command invocation. This is equivalent to setting the environment variable `CLOUDSDK_CORE_DISABLE_PROMPTS` to 1. |
| `--reboot-config <REBOOT_CONFIG>` | Post-patch reboot settings. `REBOOT_CONFIG` must be one of: `always` (always reboot the machine after the update completes); `default` (the agent decides if a reboot is necessary by checking signals such as registry keys or `/var/run/reboot-required`); `never` (never reboot the machine after the update completes). |
| `--rollout-disruption-budget <ROLLOUT_DISRUPTION_BUDGET>` | Number of VMs per zone to disrupt at any given moment. |
| `--rollout-disruption-budget-percent <ROLLOUT_DISRUPTION_BUDGET_PERCENT>` | Percentage of VMs per zone to disrupt at any given moment. The number of VMs calculated from multiplying the percentage by the total number of VMs in a zone is rounded up. |
| `--rollout-mode <ROLLOUT_MODE>` | Mode of the rollout. `ROLLOUT_MODE` must be one of: `concurrent-zones` (patches are applied to VMs in all zones at the same time); `zone-by-zone` (patches are applied one zone at a time. The patch job begins in the region with the lowest number of targeted VMs. Within the region, patching begins in the zone with the lowest number of targeted VMs. If multiple regions (or zones within a region) have the same number of targeted VMs, a tie-breaker is achieved by sorting the regions or zones in alphabetical order). |
| `--trace-token <TRACE_TOKEN>` | Token used to route traces of service requests for investigation of issues. Overrides the default `core/trace_token` property value for this command invocation. |
| `--user-output-enabled` | Print user intended output to the console. Overrides the default `core/user_output_enabled` property value for this command invocation. Use `--no-user-output-enabled` to disable. |
| `--verbosity <VERBOSITY>` | Override the default verbosity for this command. Overrides the default `core/verbosity` property value for this command invocation. `VERBOSITY` must be one of: `debug`, `info`, `warning`, `error`, `critical`, `none`. |
| `--windows-classifications <WINDOWS_CLASSIFICATIONS>` | List of classifications to use to restrict the Windows update. Only patches of the given classifications are applied. If omitted, a default Windows update is performed. For more information on classifications, see: https://support.microsoft.com/en-us/help/824684. `WINDOWS_CLASSIFICATIONS` must be one of: `critical`, `security`, `definition`, `driver`, `feature-pack`, `service-pack`, `tool`, `update-rollup`, `update`. |
| `--windows-excludes <WINDOWS_EXCLUDES>` | Optional list of KBs to exclude from the update operation. |
| `--windows-exclusive-patches <WINDOWS_EXCLUSIVE_PATCHES>` | An exclusive list of KBs to be updated. These are the only patches that will be updated. |
| `--yum-excludes <YUM_EXCLUDES>` | Optional list of packages to exclude from updating. If this argument is specified, machines running Yum exclude the given list of packages using the Yum `--exclude` flag. |
| `--yum-exclusive-packages <YUM_EXCLUSIVE_PACKAGES>` | An exclusive list of packages to be updated. These are the only packages that will be updated. If these packages are not installed, they will be ignored. |
| `--yum-minimal` | If specified, machines running Yum use the command `yum update-minimal`; otherwise the patch uses `yum update`. |
| `--yum-security` | If specified, machines running Yum append the `--security` flag to the patch command. |
| `--zypper-categories <ZYPPER_CATEGORIES>` | If specified, machines running Zypper install only patches with the specified categories. Categories include security, recommended, and feature. |
| `--zypper-exclusive-patches <ZYPPER_EXCLUSIVE_PATCHES>` | An exclusive list of patches to be updated. These are the only patches that will be installed using the `zypper patch patch:<patch_name>` command. |
| `--zypper-severities <ZYPPER_SEVERITIES>` | If specified, machines running Zypper install only patches with the specified severities. Severities include critical, important, moderate, and low. |
| `--zypper-with-optional` | If specified, machines running Zypper add the `--with-optional` flag to `zypper patch`. |
| `--zypper-with-update` | If specified, machines running Zypper add the `--with-update` flag to `zypper patch`. |