Getting Started with OS Management Hub

Get started with OS Management Hub by ensuring service prerequisites are met before registering instances.

Enable OS Management Hub Using the Policy Advisor

You can configure IAM policies in various ways. The policy advisor provides one way to set up policies quickly within a compartment. If you have specific policy requirements or use cases, see the following for complete information on IAM policy requirements:

Use the policy advisor to quickly enable OS Management Hub for a specific compartment. The advisor defines the necessary user groups, dynamic group, and policies required to use OS Management Hub and Resource Discovery and Monitoring. See What does the policy advisor create?

Note

You must run the policy advisor in each compartment (and subcompartment) that you want to use with the service.

  1. Verify you have the following permissions. If you only have read or use permissions, you'll get an authorization failed error when running the advisor.

    • manage dynamic-groups in tenancy
    • manage groups in tenancy
    • manage policies in tenancy
  2. Open the navigation menu and click Observability & Management. Under OS Management Hub, click Overview.
  3. Under List Scope, select the compartment you want to use for OS Management Hub.
  4. Click Enable OS Management Hub.
  5. Review the problems identified with the current policies and groups. Click Next.
  6. Review the actions the advisor will take. Click Setup.
  7. Confirm by clicking Setup.
  8. Add users to the osmh-admins and osmh-operators group. See Managing Groups.

For complete details on the policy advisor, see Using the Policy Advisor.

Management Agent Cloud Service Keys (for non-OCI instances only)

On-premises or third-party cloud instances use the Management Agent Cloud Service (MACS). You must create MACS install keys for the management stations and instances that you register with OS Management Hub.

You specify the key when registering a management station or instance. The key provides the initial OCI authorization token and determines the compartment of the management station or instance. Create a MACS install key for each compartment that you want to manage instances in.

See Understanding the Agent for more information on the OS Management Hub agent.

Note

OCI instances use the Oracle Cloud Agent and don't require a MACS key.

Supported Environments

OS Management Hub is an Oracle Cloud Infrastructure service which can manage OCI instances and on-premises or third-party cloud instances. Verify that the OS version of an instance is supported in the environment you want to manage.

Note

OS Management Hub isn't available on the Oracle Cloud Free Tier instances. If you're using Oracle Cloud Application tenancies, you might not have the required OCI access. Contact your sales representative. Learn more about Oracle's cloud services.

Subscription Requirements

  • Oracle Cloud Infrastructure Compute instances (OCI instances) receive Premier Support for free.
  • For on-premises or third-party cloud environments, you must have a valid Oracle Linux Basic or Premier Support subscription to use OS Management Hub.

Supported OS Versions

OCI instances

OS Management Hub is supported on Oracle Linux and Windows platform images for the following OS versions. You can also configure custom images for OS Management Hub by installing the required Oracle Cloud Agent and enabling the OS Management Hub Agent plugin.

  • Oracle Linux 6, 7, 8, or 9

  • Windows Server 2016, 2019, or 2022 Standard, Datacenter

Important

OS Management Hub requires minimum Oracle Cloud Agent version 1.40. For instances using platform images released before April 2024, upgrade the Oracle Cloud Agent to 1.40 or later.

On-premises or third-party cloud instances

  • Oracle Linux 7, 8, or 9
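
The following pre-flight check applies the Oracle Linux version lists and the Oracle Cloud Agent 1.40 minimum above before you register an instance. It is an added example, not Oracle-provided code: the function names are hypothetical, it assumes the host has an os-release file with ID=ol, and the oracle-cloud-agent package name in the comment is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical function names): pre-flight check for the versions above.

# ol_major FILE: print the major version if FILE describes Oracle Linux (ID=ol).
ol_major() {
    id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1")
    ver=$(sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1")
    [ "$id" = "ol" ] && [ -n "$ver" ] || return 1
    echo "${ver%%.*}"
}

# supported_os ENV MAJOR: ENV is "oci" or "onprem" (on-premises or third-party cloud).
supported_os() {
    case "$1:$2" in
        oci:6|oci:7|oci:8|oci:9|onprem:7|onprem:8|onprem:9) return 0 ;;
        *) return 1 ;;
    esac
}

# agent_ok VERSION: true when VERSION >= 1.40. Fields are compared as
# numbers, so 1.5 counts as older than 1.40.
agent_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 1 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 40 ]; }
}

# preflight ENV OS_RELEASE_FILE AGENT_VERSION: one line per result,
# non-zero return if any requirement is not met.
preflight() {
    rc=0
    if m=$(ol_major "$2") && supported_os "$1" "$m"; then
        echo "ok: Oracle Linux $m is supported for $1"
    else
        echo "fail: not a supported Oracle Linux release for $1"; rc=1
    fi
    # The Oracle Cloud Agent minimum applies to OCI instances only.
    if [ "$1" = "oci" ] && ! agent_ok "$3"; then
        echo "fail: Oracle Cloud Agent '$3' does not meet the 1.40 minimum"; rc=1
    fi
    return $rc
}

# Constructed sample input. On a real OCI host (package name assumed):
#   preflight oci /etc/os-release "$(rpm -q --qf '%{VERSION}' oracle-cloud-agent)"
sample=$(mktemp)
printf 'ID="ol"\nVERSION_ID="8.9"\n' > "$sample"
preflight onprem "$sample" ""
preflight oci "$sample" "1.39.0" || echo "instance needs attention"
```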

Supported third-party clouds

OS Management Hub can manage Oracle Linux instances in the following third-party clouds:

  • Amazon Web Services (AWS)
  • Microsoft Azure

Compartment Considerations

Use compartments to organize and isolate OS Management Hub resources. Follow best practices when allocating resources to particular compartments.

The following resources have compartment restrictions:

  • Software sources: Vendor software sources always reside in the root compartment, but can be replicated to other compartments. Custom software sources can reside in any compartment.
  • Profiles: Service-provided profiles and default profiles always reside in the root compartment. All other profiles can reside in any compartment. See Understanding Profiles.

Best Practices for Compartments

See Learn Best Practices for Setting Up Your Tenancy for general OCI compartment best practices.

For OS Management Hub best practices, when creating groups or lifecycle environments, limit instance members to the same compartment as the group or lifecycle environment. OS Management Hub displays instance members, jobs, and reports for a single compartment at a time. When all instance members are in the same compartment, you have a direct view of all members, jobs, and reports associated with the group or lifecycle environment.

If instance members are in several compartments, your view of instances, jobs, and reports is limited to the selected compartment. You must change the compartment scope when viewing members, examining job logs, and running reports. For example, when looking at a job for a multi-compartment group, you would need to change compartments to view all the associated children jobs. Additionally, depending on your policies, a user might not have permissions to all the compartments for the instance members. These users will have an incomplete view of the group or lifecycle environment.

Moving Resources Between Compartments

You can move most resources between compartments within the same region of your tenancy. However, any scheduled jobs associated with the resource don't move to the destination compartment. They continue to reside in the source compartment. For example, if you move a group, any scheduled jobs associated with the group remain in the old compartment.

Before moving resources, verify that policies and permissions are correctly set so that you don't accidentally lose access to the resource.

To move resources, see:

For general information about moving resources between compartments in OCI, see Moving Resources Between Compartments. To move OCI instances, see Moving Compute Resources to a Different Compartment.

Ksplice Considerations (for Oracle Linux only)

For OS Management Hub to apply Ksplice updates, Oracle Linux instances must have access to the Ksplice software sources and the Ksplice client installed.

To use Ksplice, you will need to:

  • Add Ksplice software sources to the service. For on-premises or third-party cloud instances, you must also enable an entitlement to use the Ksplice software sources.
  • Attach the Ksplice software sources to instances or groups.
  • Ensure the correct Ksplice client is installed on the instance.

See Using Ksplice for Oracle Linux for details.

Networking Requirements

Verify your network is configured to support OS Management Hub resources. Networking requirements depend on instance location.

OCI instances

Oracle Linux

Attach instances to a virtual cloud network (VCN) that has one of the following:

  • A private subnet with a service gateway that uses the All <region> Services in Oracle Services Network CIDR label.

  • A private subnet with a NAT gateway.

  • A public subnet with an internet gateway.

For detailed instructions, see Access to Oracle Services: Service Gateway.

Microsoft Windows

Define the security lists or network rules to allow Windows instances access to the Windows update server. For more information, see Windows OS Updates for Windows Images.

On-premises or supported third-party cloud instances

Ensure the instance assigned the role of management station can reach the OCI network on port tcp/443.

  • For on-premises, verify your network allows traffic on the proxy and mirror listening ports for your management station.
  • For Microsoft Azure, verify that your Azure Virtual Network allows traffic on the proxy and mirror listening ports for your management station.
  • For Amazon Web Services (AWS), verify that your Amazon Virtual Private Cloud (VPC) allows traffic on the proxy and mirror listening ports for your management station.

For more information, see Creating a Management Station.