Getting Started with Autonomous Linux

Set up policies and create an Autonomous Linux instance.

The following sections describe how to get started with the Autonomous Linux service.

Prerequisites

  • Supported Image: Use the August 2021 Oracle Autonomous Linux platform image or later.
  • IAM policies: Set the IAM policies required for the Autonomous Linux service. For more information about the required IAM policies, see Setting Up Required IAM Policies for Autonomous Linux.
  • Oracle Cloud Agent: Ensure that the Oracle Cloud Agent software is installed and running on the instance. By default, the Oracle Cloud Agent is installed and running on the Oracle Autonomous Linux platform image. For more information about the Oracle Cloud Agent, see Managing Plugins with Oracle Cloud Agent.
  • OS Management Service Agent and Oracle Autonomous Linux plugins: Ensure that the OS Management Service Agent and Oracle Autonomous Linux plugins are enabled and running on the instance. These plugins are enabled and running by default on the Oracle Autonomous Linux platform image. For more information about the Oracle Autonomous Linux plugin, see Autonomous Linux Components and Features.
Important

  • Beginning August 31, 2021, Oracle Autonomous Linux instances created using the Oracle-Autonomous-Linux-7.9-2021.08-0 platform image or later are integrated with the OS Management service and are not supported in the Oracle Cloud Free Tier. See Known Issues. Existing instances that were launched before August 31, 2021 can be migrated using the alx-migrate script.
  • Autonomous Linux instances based on custom images are not supported.

Setting Up Required IAM Policies for Autonomous Linux

Note

You must have the required privileges to create the policy. If you do not have the required privileges, work with the administrator for your tenancy either to obtain the privileges to create the policies or to have the policies created for you.

Required Dynamic Group

Before you create the required IAM policies for Autonomous Linux, you need to create a dynamic group. A dynamic group can include instances based on instance OCID or include instances that reside in a compartment based on compartment OCID. For more information about dynamic groups, see Managing Dynamic Groups.

Required User Group

Before you create the required IAM policies for Autonomous Linux, you need to create a user group for non-admin users. This user group is used in a policy to allow users to view and manage events. For more information about user groups, see Managing Groups.

Required IAM Policies

For an Autonomous Linux instance to register with the OS Management service and manage autonomous updates and events, you must create the required IAM policies for Autonomous Linux.

Before you create the IAM policies, you first need to create a dynamic group and a user group.

Required IAM Policies for a Tenancy

To apply the policies for Autonomous Linux to the tenancy, use the following policy statements. The first three policy statements are required for OS Management and might already be specified for your dynamic group (if you are adding to existing policies).

For a dynamic group:

Allow dynamic-group <dynamic_group_name> to read instance-family in tenancy
Allow dynamic-group <dynamic_group_name> to use osms-managed-instances in tenancy
Allow dynamic-group <dynamic_group_name> to use ons-topics in tenancy
Allow dynamic-group <dynamic_group_name> to manage osms-events in tenancy

For non-admin users:

Allow group <group_name> to manage osms-events in tenancy

Required IAM Policies for a Compartment

To apply the policies for Autonomous Linux only to a compartment inside the tenancy, use the following policy statements. The first three policy statements are required for OS Management and might already be specified for your dynamic group (if you are adding to existing policies).

Important

The policy statement Allow service osms to read instances in tenancy must be set in tenancy. The other policy statements can be applied to a compartment inside the tenancy.

For a dynamic group:

Allow dynamic-group <dynamic_group_name> to read instance-family in compartment <compartment_name>
Allow dynamic-group <dynamic_group_name> to use osms-managed-instances in compartment <compartment_name>
Allow dynamic-group <dynamic_group_name> to use ons-topics in compartment <compartment_name>
Allow dynamic-group <dynamic_group_name> to manage osms-events in compartment <compartment_name>

For non-admin users:

Allow group <group_name> to manage osms-events in compartment <compartment_name>

Required IAM Policy for Metrics

To allow the OS Management service to emit metrics, use the following policy.

Important

This policy must be specified at the tenancy level.

Allow service osms to read instances in tenancy

After setting the policies, you must restart the Oracle Cloud Agent.

To restart the Oracle Cloud Agent on Autonomous Linux instances:

  1. Log in to your instance. See Connecting to an Instance.
  2. Restart the Oracle Cloud Agent service.
    sudo systemctl restart oracle-cloud-agent.service

Note

For more information about each of these policies, including steps for setting up dynamic groups, see Detailed Steps. For details about Autonomous Linux permissions, see OS Management Policy Reference.
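
As an added example (not part of Oracle's documentation or tooling), the following script audits a saved list of policy statements against the simplified set above. It reports missing dynamic-group statements, a metrics statement scoped to a compartment instead of the tenancy, and statements that only the previous policy set (next section) used. The one-statement-per-line file layout, the group name alx-dg and the function name are assumptions.

```sh
# Added example (not Oracle's code): audit a file of IAM policy statements
# against the simplified Autonomous Linux policy set.
# audit_alx_policy FILE DYNAMIC_GROUP prints one finding per line and returns
# 1 on any finding. The "( )" body is a subshell, so variables stay local.
audit_alx_policy() (
  rc=0
  dg=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  # Normalise: lowercase, collapse whitespace, trim both ends.
  norm=$(tr 'A-Z' 'a-z' < "$1" |
         sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//')

  # The four dynamic-group statements of the simplified policy.
  for grant in "read instance-family" "use osms-managed-instances" \
               "use ons-topics" "manage osms-events"; do
    pat="^allow dynamic-group $dg to $grant in (tenancy|compartment .+)$"
    if ! printf '%s\n' "$norm" | grep -Eq "$pat"; then
      echo "MISSING: dynamic-group $dg to $grant"; rc=1
    fi
  done

  # The metrics statement must be scoped to the tenancy.
  svc="allow service osms to read instances in"
  if ! printf '%s\n' "$norm" | grep -qx "$svc tenancy"; then
    if printf '%s\n' "$norm" | grep -q "^$svc compartment"; then
      echo "SCOPE: service osms statement must be set in tenancy"
    else
      echo "MISSING: service osms to read instances in tenancy"
    fi
    rc=1
  fi

  # Statements only the previous policy set used: candidates for removal.
  old='osms-software-sources|osms-scheduled-jobs|\{osms_event_'
  old="$old|to manage osms-managed-instances"
  legacy=$(printf '%s\n' "$norm" | grep -E "$old" || true)
  [ -z "$legacy" ] || { printf '%s\n' "$legacy" | sed 's/^/LEGACY: /'; rc=1; }
  exit "$rc"
)

# Constructed sample: a partly migrated policy for a hypothetical group "alx-dg".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Allow dynamic-group alx-dg to read instance-family in compartment prod
Allow dynamic-group alx-dg to use osms-managed-instances in compartment prod
Allow dynamic-group alx-dg to manage osms-events in compartment prod
Allow dynamic-group alx-dg to read osms-software-sources in tenancy
Allow service osms to read instances in compartment prod
EOF
audit_alx_policy "$sample" alx-dg || true
```

LEGACY findings are reported in normalised (lowercase) form; review them with the tenancy administrator before removing anything, because other OS Management use may still depend on them.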
Previous IAM Policy Requirements for Autonomous Linux Instances

Important

Beginning April 29, 2022, the IAM policy for Autonomous Linux instances has been simplified to require fewer policy statements. Although the previous policies still work, you can work with your tenancy or compartment administrator to reduce your IAM policy for Autonomous Linux to use the latest IAM policies.

Previous Required IAM Policies for a Tenancy

To apply the policies for Autonomous Linux to the tenancy, use the following policy statements. The first three policy statements are required for OS Management and might already be specified for your dynamic group (if you are adding to existing policies).

For a dynamic group:

Allow service osms to read instances in tenancy
Allow dynamic-group <dynamic_group_name> to read instance-family in tenancy
Allow dynamic-group <dynamic_group_name> to use osms-managed-instances in tenancy
Allow dynamic-group <dynamic_group_name> to read osms-software-sources in tenancy
Allow dynamic-group <dynamic_group_name> to manage osms-scheduled-jobs in tenancy where any {request.permission = 'OSMS_SCHEDULED_JOB_CREATE'}
Allow dynamic-group <dynamic_group_name> to manage osms-managed-instances in tenancy 
Allow dynamic-group <dynamic_group_name> to use ons-topics in tenancy 
Allow dynamic-group <dynamic_group_name> to {OSMS_EVENT_READ, OSMS_EVENT_MANAGE, OSMS_EVENT_INSPECT} in tenancy

For a non-admin user:

Allow group <group_name> to {OSMS_EVENT_READ, OSMS_EVENT_MANAGE, OSMS_EVENT_INSPECT} in tenancy

Previous Required IAM Policies for a Compartment

To apply the policies for Autonomous Linux only to a compartment inside the tenancy, use the following policy statements. The first three policy statements are required for OS Management and might already be specified for your dynamic group (if you are adding to existing policies).

Important

The policy statements that specify in tenancy must be set at the tenancy level. The other policy statements can be applied to a compartment inside the tenancy.

For a dynamic group:

Allow service osms to read instances in tenancy
Allow dynamic-group <dynamic_group_name> to read instance-family in compartment <compartment_name>
Allow dynamic-group <dynamic_group_name> to use osms-managed-instances in compartment <compartment_name>
Allow dynamic-group <dynamic_group_name> to read osms-software-sources in tenancy
Allow dynamic-group <dynamic_group_name> to manage osms-scheduled-jobs in compartment <compartment_name> where any {request.permission = 'OSMS_SCHEDULED_JOB_CREATE'}
Allow dynamic-group <dynamic_group_name> to manage osms-managed-instances in compartment <compartment_name> 
Allow dynamic-group <dynamic_group_name> to use ons-topics in compartment <compartment_name> 
Allow dynamic-group <dynamic_group_name> to {OSMS_EVENT_READ, OSMS_EVENT_MANAGE, OSMS_EVENT_INSPECT} in compartment <compartment_name>

For a non-admin user:

Allow group <group_name> to {OSMS_EVENT_READ, OSMS_EVENT_MANAGE, OSMS_EVENT_INSPECT} in compartment <compartment_name>

Detailed Steps

  1. Create a policy granting instances of that dynamic group permission to retrieve their details for authorization purposes.

    For example, to set the policy in the tenancy:

    Allow dynamic-group <dynamic_group_name> to read instance-family in tenancy

    For example, to set the policy in a specified compartment:

    Allow dynamic-group <dynamic_group_name> to read instance-family in compartment <compartment_name>
  2. Create a policy that grants instances access to the OS Management service.

    For example, to set the policy in the tenancy:

    Allow dynamic-group <dynamic_group_name> to use osms-managed-instances in tenancy

    For example, to set the policy in a specified compartment:

    Allow dynamic-group <dynamic_group_name> to use osms-managed-instances in compartment <compartment_name>
  3. Create a policy that allows instances to push notifications to topics.

    This policy allows the Oracle Autonomous Linux plugin to push notifications about autonomous updates and events.

    For example, to set the policy in a tenancy:

    Allow dynamic-group <dynamic_group_name> to use ons-topics in tenancy

    For example, to set the policy in a specified compartment:

    Allow dynamic-group <dynamic_group_name> to use ons-topics in compartment <compartment_name>
  4. Create a policy that grants instances permissions to manage events for Autonomous Linux.

    For example, to set the policy in a tenancy:

    Allow dynamic-group <dynamic_group_name> to manage osms-events in tenancy

    For example, to set the policy in a specified compartment:

    Allow dynamic-group <dynamic_group_name> to manage osms-events in compartment <compartment_name>
  5. Create a policy that grants non-admin users permissions to manage events for Autonomous Linux.

    For example, to set the policy in a tenancy:

    Allow group <group_name> to manage osms-events in tenancy

    For example, to set the policy in a specified compartment:

    Allow group <group_name> to manage osms-events in compartment <compartment_name>
  6. Create a policy that grants the OS Management service permission to read instance information in the tenancy. This policy allows the OS Management service to emit metrics.

    Important

    This policy must be specified at the tenancy level.

    For example:

    Allow service osms to read instances in tenancy

    For more information about metrics for OS Management, see OS Management Metrics.

    After setting the policies, you must restart the Oracle Cloud Agent.

    To restart the Oracle Cloud Agent on Autonomous Linux instances:

    1. Log in to your instance. See Connecting to an Instance.
    2. Restart the Oracle Cloud Agent service.
      sudo systemctl restart oracle-cloud-agent.service

Creating an Autonomous Linux Instance

Using the Console

  1. Follow the steps to create an instance using the Oracle Autonomous Linux platform image, until the advanced options. Ensure that the instance has either a public IP address or a service gateway, as described in the prerequisites.
    Note

    The Autonomous Linux service requires the OS Management Service Agent and Oracle Autonomous Linux plugins. These plugins are enabled by default in the Oracle Autonomous Linux platform image.
  2. Click Create.
  3. Proceed to Verifying the Status of the Required Oracle Cloud Agent Plugins.

Important

When registering with the OS Management service, Autonomous Linux instances subscribe to the default channel list and all other channel subscriptions are disabled. If you need to reenable any of these channels, you can do so using the Console, CLI, or REST APIs. For more information, see Managing Software Sources.

Using the API

  1. Ensure that the instance has either a public IP address or a service gateway, as described in the prerequisites.
  2. Use the LaunchInstance operation. Include the following parameters:
    {
      "agentConfig": {
        "isManagementDisabled": false,
        "pluginsConfig": [
          {
            "name": "OS Management Service Agent",
            "desiredState": "ENABLED"
          },
          {
            "name": "Oracle Autonomous Linux",
            "desiredState": "ENABLED"
          }
        ]
      }
    }
  3. Proceed to Verifying the Status of the Required Oracle Cloud Agent Plugins.

Important

When registering with the OS Management service, Autonomous Linux instances subscribe to the default channel list and all other channel subscriptions are disabled. If you need to reenable any of these channels, you can do so using the Console, CLI, or REST APIs. For more information, see Managing Software Sources.

Verifying the Status of the Required Oracle Cloud Agent Plugins

The Autonomous Linux service requires that both the Oracle Autonomous Linux and OS Management Service Agent plugins are enabled and running.

Important

On the Oracle Cloud Agent tab, when the Oracle Autonomous Linux plugin is enabled, the status for the plugin might not be shown properly as Running. To verify the actual status of the plugin, follow these steps.

  1. Log in to your instance. See Connecting to an Instance.
  2. Validate whether your instance can reach the OS Management ingestion service.
    
    curl https://ingestion.osms.<region>.oci.oraclecloud.com/
    

    For <region>, specify the region identifier (for example, us-phoenix-1). See Regions and Availability Domains for more information about region identifiers.

    For example, the following sample output indicates that the instance can successfully reach the OS Management ingestion service.

    Note

    The 403 Forbidden status code message is expected in the output.

    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.14.2</center>
    </body>
    </html>
    
  3. Verify the yum configuration.
    ls /etc/yum.repos.d
    1. Check that the existing yum repository configuration is disabled.
    2. Ensure that the *.repo files in the /etc/yum.repos.d directory are backed up to *.repo.osms-backup in the same directory.

    For example:

    $ ls /etc/yum.repos.d
    ksplice-ol7.repo.osms-backup       oracle-epel-ol7.repo.osms-backup   oracle-softwarecollection-ol7.repo.osms-backup  uek-ol7.repo.osms-backup
    oci-included-ol7.repo.osms-backup  oracle-linux-ol7.repo.osms-backup  oraclelinux-developer-ol7.repo.osms-backup      virt-ol7.repo.osms-backup
  4. Verify that the OS Management Service Agent plugin is running on the instance.
    ps -elf | grep osms-agent | grep -v grep

    For example:

    $ ps -elf | grep osms-agent | grep -v grep
    4 S root      2484  2166  0  80   0 - 62854 -      Aug04 ?        00:00:00 /usr/bin/sudo -n /usr/libexec/oracle-cloud-agent/plugins/osms/osms-agent
    4 S root      2508  2484  0  80   0 -  2688 -      Aug04 ?        00:00:00 /usr/libexec/oracle-cloud-agent/plugins/osms/osms-agent
    4 S root      2513  2508  0  80   0 - 371851 -     Aug04 ?        00:02:10 /usr/libexec/oracle-cloud-agent/plugins/osms/osms-agent
    Note

    If the OS Management Service Agent plugin is not installed or has been stopped, no output is displayed for this command.

  5. Verify that the Oracle Autonomous Linux plugin is running on the instance.
    ps -elf | grep oci-alx | grep -v grep

    For example:

    $ ps -elf | grep oci-alx | grep -v grep
    0 S oracle-+ 12519  2166  0  80   0 - 273788 -     Aug04 ?        00:00:26 /usr/libexec/oracle-cloud-agent/plugins/oci-alx/oci-alx
    Note

    If the Oracle Autonomous Linux plugin is not installed or has been stopped, no output is displayed for this command.

    Tip

    Review the /var/log/oracle-cloud-agent/agent.log and /var/log/oracle-cloud-agent/plugins/oci-alx/oci-alx.log files for more information.
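
The checks in steps 2 through 5 can be combined into one script. This is an added example, not Oracle's code: the function names are assumptions, "disabled" is read as no active *.repo file remaining (as in the sample listing), and plugins are matched on the executable path from the sample output rather than on a substring, so the sudo wrapper is not mistaken for the plugin.

```sh
# Added example (not Oracle's code): the verification steps as one script.
# Function names are assumptions; plugin paths are those in the sample output.
OSMS_AGENT=/usr/libexec/oracle-cloud-agent/plugins/osms/osms-agent
ALX_PLUGIN=/usr/libexec/oracle-cloud-agent/plugins/oci-alx/oci-alx

# ingestion_status REGION: print the HTTP status returned by the ingestion
# endpoint; curl prints 000 when the host cannot be reached.
ingestion_status() {
  curl -s -o /dev/null -m 10 -w '%{http_code}' \
    "https://ingestion.osms.$1.oci.oraclecloud.com/" || true
}

# yum_handed_over DIR: succeed only if no active *.repo file is left in DIR
# and at least one *.repo.osms-backup exists (steps 3.1 and 3.2).
yum_handed_over() {
  for f in "$1"/*.repo; do
    if [ -e "$f" ]; then return 1; fi
  done
  for f in "$1"/*.repo.osms-backup; do
    if [ -e "$f" ]; then return 0; fi
  done
  return 1
}

# plugin_running PATH: read `ps -eo args=` lines on stdin and succeed if a
# process was started from exactly PATH (the sudo wrapper does not count).
plugin_running() {
  awk -v p="$1" '$1 == p { hit = 1 } END { exit !hit }'
}

# verify_alx_instance REGION [REPO_DIR]: print each failed check, return 1 on any.
verify_alx_instance() {
  bad=0
  [ "$(ingestion_status "$1")" = 403 ] ||
    { echo "FAIL: ingestion endpoint (expected HTTP 403)"; bad=1; }
  yum_handed_over "${2:-/etc/yum.repos.d}" ||
    { echo "FAIL: yum repositories not backed up to *.repo.osms-backup"; bad=1; }
  ps -eo args= | plugin_running "$OSMS_AGENT" ||
    { echo "FAIL: OS Management Service Agent plugin not running"; bad=1; }
  ps -eo args= | plugin_running "$ALX_PLUGIN" ||
    { echo "FAIL: Oracle Autonomous Linux plugin not running"; bad=1; }
  return "$bad"
}

# Constructed input: only the sudo wrapper line is present, so the check fails.
printf '%s\n' "/usr/bin/sudo -n $OSMS_AGENT" | plugin_running "$OSMS_AGENT" ||
  echo "demo: agent process itself not found"
```

On an instance, run `verify_alx_instance us-phoenix-1` with your own region identifier; no output and exit status 0 mean all four checks passed.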

After verifying that the Oracle Autonomous Linux and OS Management Service Agent plugins are running, you have completed the getting started tasks for setting up the Oracle Autonomous Linux instances. You can now use the Autonomous Linux service to manage the instance. Proceed to What to Do Next.

What to Do Next

After setting up an Oracle Autonomous Linux instance, proceed to Managing Autonomous Linux Settings where you can perform the following tasks:

  • Update the schedule for daily autonomous updates
  • Set the topic for event notifications
  • Change the event collection setting