Oracle Cloud Infrastructure Documentation

Getting Started with OS Management Hub

Get started with OS Management Hub by ensuring service prerequisites are met before registering instances.

Complete the following to get started with the service:

Required IAM Policy

For OS Management Hub, you must identify which resources the service can manage and which users can manage those resources. To do this, define the following:

IAM policies specify which users and services can access certain OCI resources. If you're new to policies, see Getting Started with Policies. You can configure IAM policies in various ways. The following sections provide one example of how to set the IAM policy statements for a group of OS Management Hub administrators by using a dynamic group of resources. See Example Policies for additional non-administrator use cases.

User Group

Create a user group or identify an existing user group to administer the OS Management Hub service in the tenancy. The required policy statements then grant this administrator user group the ability to manage OS Management Hub resources.

If you need to further restrict access, you can create additional user groups and set more restrictive policy statements to limit access to specific resources. See Example Policies for non-administrator use cases. For more information about user groups, see Managing Groups.

Dynamic Group

Create a dynamic group to specify the resources OS Management Hub will manage by defining rule statements for OCI and on-premises or third-party cloud instances (non-OCI).

  1. Ensure you understand the following:

  2. Follow the steps to create a dynamic group or update an existing dynamic group and configure the matching rules as follows.

    Tip

    Reuse the same dynamic group wherever possible across services instead of creating new dynamic groups because a single resource can only belong to a maximum of five dynamic groups.

  3. For the overall matching rule setting select: Match any rules defined below.

  4. Create rule statements for the instances that OS Management Hub will manage.

    Important

    Dynamic group rules don't use compartment inheritance. You must specify a rule statement for every compartment and subcompartment that you want managed by the service.

    Rule for OCI instances

    Add a rule statement that includes each compartment (and subcompartment) that will contain instances.

    ANY {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}

    This rule will include all OCI instances in the specified compartments.

    Rule for non-OCI instances

    Add a separate rule statement for each compartment (and subcompartment) that will contain a Management Agent used by an instance.

    ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<subcompartment_ocid>'}

    Each rule statement will include every Management Agent resource in the specified compartment. Each non-OCI instance has a corresponding agent resource and therefore the statement will include the non-OCI instances in the compartment.

  5. Click Create (if creating) or Save (if updating).
What does the dynamic group do?
The dynamic group identifies the instances that OS Management Hub will manage. You add rule statements for the compartments and subcompartments that contain instances you want managed by the service. The dynamic group grows and shrinks dynamically based on these rule statements. As instances are provisioned or retired, the dynamic group changes accordingly. The required policy statements then grant OS Management Hub the ability to access the instances within the dynamic group.

For more information on dynamic groups, see Managing Dynamic Groups .

Why are there different statements for OCI and non-OCI?

Each instance type uses a different agent which corresponds to a different resource object.

  • OCI instances use Oracle Cloud Agent (OCA) so the OCI statement specifies instance resources within a compartment.

  • On-premises and third-party cloud instances use Management Agent Cloud Service (MACS) so the non-OCI statement specifies managementagent resources within a compartment. Each Management Agent resource corresponds to a non-OCI instance. Therefore by including the Management Agent in the group, you're including the associated instance.

See also Understanding the Agent.

When to use ANY and ALL for a dynamic group?

Before writing dynamic group rule statements, it's important to understand the difference between ANY and ALL.

When defining a dynamic group, you set how the group matches the rules defined within the group:

  • Match any rules defined below includes resources that match any of the rules within the dynamic group. Select this if defining a group that includes rules for multiple compartments or multiple instance types (such as OCI and non-OCI instances). This setting tells the group to include resources that match rule 1 OR rule 2 OR rule 3, and so on.
  • Match all rules defined below includes resources that match all the rules within the dynamic group. Select this when defining a vary narrow dynamic group that includes only one compartment. This setting tells the group to include resources that match rule 1 AND rule 2 AND rule 3, and so on.

When defining individual rule statements within the dynamic group, you set the conditions for each statement:

  • All of the following (ALL) includes only resources that match all the conditions in the rule. ALL statements requires each condition to be true. Otherwise, resources aren't included for the rule.

  • Any of the following (ANY) includes resources that match any of the conditions in the rule.

Examples of ANY and ALL for an individual rule statement

Consider the rule used for non-OCI instances.

Correct usage:
ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}

When using ALL, the rule includes only Management Agent resources in the specified compartment. The statement tells the dynamic group to include resources that match the management agent type AND are within the specified compartment.

Incorrect usage. Do not use:
ANY {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}

When using ANY, the rule includes every Management Agent resource in the entire tenancy and every OCI resource present in the specified compartment. While the statement will include the resources needed for OS Management Hub, it's very broad and typically not preferable.

Consider the rule used for OCI instances when specifying multiple compartments.

Correct usage:
ANY {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}

When using ANY, the rule includes every instance in each of the specified compartments. The statement tells the dynamic group to include instances in <compartment_ocid> OR <subcompartment_ocid>.

Incorrect usage. Do not use:
ALL {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}

When using ALL, the rule tells the dynamic group to include instances that are in <compartment_ocid> AND <subcompartment_ocid>. This rule won't include any instances because it's impossible for an instance to be in more than one compartment at the same time. Don't use ALL with a rule statement that specifies multiple compartments.

Policy Statements

Create a policy with statements that allow instances to register with OS Management Hub and users to manage and operate the service. The following policy statements provide an example of how to set a policy for administrators using the service. For other use cases, see Example Policies.

Note

Policy statements use the default identity domain unless you define the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.

You can set the IAM policy for OS Management Hub either at the tenancy or compartment level.

Prerequisites

Before creating the policy, ensure you have the following:

Tenancy-level policy statements

To apply the required IAM policy at the tenancy level, use the following policy statements:

allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
allow group <admin_user_group> to manage osmh-family in tenancy

Include the following additional statements if managing on-premises or third-party cloud instances. These aren't required if managing only OCI instances.

allow group <admin_user_group> to manage management-agents in tenancy
allow group <admin_user_group> to manage management-agent-install-keys in tenancy
Compartment-level policy statements (if not using tenancy-level)

If the tenancy administrator doesn't permit setting IAM policies at the tenancy level, you can restrict the use of OS Management Hub resources to a compartment and its subcompartments (policies use compartment inheritance).

To apply the IAM policy to a compartment inside the tenancy, use the following policy statements:

allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment <compartment_name> where request.principal.id = target.managed-instance.id
allow group <admin_user_group> to manage osmh-family in compartment <compartment_name>

Include the following additional statements if managing on-premises or third-party cloud instances. These aren't required if managing only OCI instances.

allow group <admin_user_group> to manage management-agents in compartment <compartment_name>
allow group <admin_user_group> to manage management-agent-install-keys in compartment <compartment_name>
Tip

Confused about policies? See Example Policies for sample use cases.

Managment Agent Cloud Service Keys (for non-OCI instances only)

On-premises or third-party cloud instances use the Management Agent Cloud Service (MACS). You must create the Management Agent Cloud Service (MACS) install keys for management stations and instances with OS Management Hub.

You specify the key when registering a management station or instance. The key provides the initial OCI authorization token and determines the compartment of the management station or instance. Create a MACS install key for each compartment that you want manage instances in.

See Understanding the Agent for more information on the OS Management Hub agent.

Note

OCI instances use the Oracle Cloud Agent and don't require a MACS key.

Supported Environments

Verify the environment used for an instance is supported. OS Management Hub can manage OCI instances and on-premises or third-party cloud instances.

OS Management Hub is an Oracle Cloud Infrastructure service.

Note

OS Management Hub isn't available on the Oracle Cloud Free Tier instances. If you're using Oracle Cloud Application tenancies, you might not have the required OCI access. Contact your sales representative. Learn more about Oracle's cloud services.

Subscription Requirements

  • Oracle Cloud Infrastructure Compute instances (OCI instances) receive Premier Support for free.

  • For on-premises or third-party cloud environments, you must have a valid Oracle Linux Basic and Premier Support subscription to use OS Management Hub.

Supported OS Versions

OCI instances

  • Oracle Linux 6, 7, 8, or 9

  • Windows Server 2016, 2019, or 2022 Standard, Datacenter
Important

OS Management Hub requires minimum Oracle Cloud Agent version 1.40. For instances using platform images released before April 2024, upgrade the Oracle Cloud Agent to 1.40 or later.
On-premises or third-party cloud instances
  • Oracle Linux 7, 8, or 9

Supported third-party clouds

OS Management Hub can manage Oracle Linux instances in the following third-party clouds:

  • Amazon Web Services (AWS)
  • Microsoft Azure

Compartment Considerations

Use compartments to organize and isolate OS Management Hub resources. Follow best practices when allocating resources to particular compartments.

The following resources have compartment restrictions:

  • Software sources: Vendor software sources always reside in the root compartment, but can be replicated to other compartments. Custom software sources can reside in any compartment.
  • Profiles: Service-provided profiles and default profiles always reside in the root compartment. All other profiles can reside in any compartment. See Understanding Profiles.

Best Practices

See Learn Best Practices for Setting Up Your Tenancy for general OCI compartment best practices.

For OS Management Hub best practices, when creating groups or lifecycle environments, limit instance members to the same compartment as the group or lifecycle environment. OS Management Hub displays instance members, jobs, and reports for a single compartment at a time. When all instance members are in the same compartment, you have a direct view of all members, jobs, and reports associated with the group or lifecycle environment.

If instance members are in several compartments, your view of instances, jobs, and reports is limited to the selected compartment. You must change the compartment scope when viewing members, examining job logs, and running reports. For example, when looking at a job for a multi-compartment group, you would need to change compartments to view all the associated children jobs. Additionally, depending on your policies, a user might not have permissions to all the compartments for the instance members. These users will have an incomplete view of the group or lifecycle environment.

Moving Resources Between Compartments

You can move most resources between compartments within the same region of your tenancy. However, any scheduled jobs associated with the resource don't move to the destination compartment. They continue to reside in the source compartment. For example, if you move a group, any scheduled jobs associated with the group remain in the old compartment.

Before moving resources, verify that policies and permissions are correctly set so that you don't accidentally lose access to the resource.

To move resources, see:

For general information about moving resources between compartments in OCI, see Moving Resources Between Compartments. To move OCI instances, see Moving Compute Resources to a Different Compartment.

Ksplice Considerations (for Oracle Linux only)

For OS Management Hub to apply Ksplice updates, Oracle Linux instances must have access to the Ksplice software sources and the Ksplice client installed.

To use Ksplice, you will need to:

  • Add Ksplice software sources to the service. For on-premises or third-party cloud instances, you must also enable an entitlement to use the Ksplice software sources.
  • Attach the Ksplice software sources to instances or groups.
  • Ensure the correct Ksplice client is installed on the instance.

See Using Ksplice for Oracle Linux for details.

Networking Requirements

Verify your network is configured to support OS Management Hub resources. Networking requirements depend on instance location.

OCI instances

Oracle Linux

Attach instances to a virtual cloud network (VCN) that has one of the following:

  • A private subnet with a service gateway that uses the All <region> Services in Oracle Services Network CIDR label.

  • A private subnet with a NAT gateway.

  • A public subnet with an internet gateway.

For detailed instructions, see Access to Oracle Services: Service Gateway.

Microsoft Windows

Define the security lists or network rules to allow Windows instances access to the Windows update server. For more information, see Windows OS Updates for Windows Images.

On-premises or supported third-party cloud instances

Ensure the instance assigned the role of management station can reach the OCI network on port tcp/443.

  • For on-premises, verify the firewall allows traffic on the proxy and mirror listening ports for your management station.
  • For Microsoft Azure, verify that your Azure Virtual Network allows traffic on the proxy and mirror listening ports for your management station.
  • For Amazon Web Services (AWS), verify that your Amazon Virtual Private Cloud (VPC) allows traffic on the proxy and mirror listening ports for your management station.

For more information, see Creating a Management Station.