
GCP OS Patch Management Guide

Complete guide to automating patch management with GCP OS Config. Learn to create patch jobs, deployments, compliance reporting, and vulnerability remediation.

Updated 2026-01-14

Unpatched systems are among the most common attack vectors in cloud environments. GCP OS Config provides native patch management capabilities that automate patching across your Compute Engine fleet, ensuring systems stay secure and compliant without manual intervention.

This guide covers setting up OS Config, creating patch jobs and deployments, configuring maintenance windows, and generating compliance reports. For comprehensive cloud security practices, see our 30 Cloud Security Tips for 2026 guide.

Prerequisites

  • Compute Instance Admin role for VM management
  • OS Config Patch Job Executor role for running patch jobs
  • OS Config API enabled
  • VMs running supported OS images with OS Config agent installed

Enable OS Config API

# Enable the OS Config API
gcloud services enable osconfig.googleapis.com

# Verify it's enabled
gcloud services list --enabled | grep osconfig

Step 1: Install and Verify OS Config Agent

Most GCP-provided images include the OS Config agent by default. Verify and install if needed:

Check Agent Status

# Check if OS Config agent is running (Linux)
gcloud compute ssh INSTANCE_NAME --zone=ZONE --command="sudo systemctl status google-osconfig-agent"

# Check agent status (Windows). gcloud compute ssh needs OpenSSH enabled on the
# VM; otherwise run the Get-Service command in a PowerShell session over RDP.
gcloud compute ssh INSTANCE_NAME --zone=ZONE --command="powershell -Command Get-Service google_osconfig_agent"

Install Agent if Missing

# Install on Debian/Ubuntu
sudo apt-get update && sudo apt-get install -y google-osconfig-agent

# Install on RHEL/CentOS
sudo yum install -y google-osconfig-agent

# Enable and start
sudo systemctl enable google-osconfig-agent
sudo systemctl start google-osconfig-agent

Enable OS Config Metadata

Enable OS Config at the project level:

# Enable OS Config for all VMs in the project
gcloud compute project-info add-metadata --metadata=enable-osconfig=TRUE

# Or enable for specific VM
gcloud compute instances add-metadata INSTANCE_NAME \
    --zone=ZONE \
    --metadata=enable-osconfig=TRUE

Step 2: Create a Patch Job (One-Time)

Patch jobs apply updates immediately to selected VMs:

Via Google Cloud Console

    - Navigate to [Compute Engine > OS patch management](https://console.cloud.google.com/compute/osconfig/patchJobs)
    - Click **New patch job**
    - Configure instance selection:
      • Instance filter: select by name, zone, or labels
      • Zones: choose specific zones or all zones
    - Configure patch options:
      • Reboot setting: reboot if needed (default), always, or never
      • Patch window: interrupt or wait for maintenance window
    - Click Create to start the patch job

Via gcloud CLI

# Patch all VMs in the project
gcloud compute os-config patch-jobs execute \
    --instance-filter-all \
    --reboot-config=DEFAULT \
    --description="Security patch update $(date +%Y-%m-%d)"

# Patch VMs whose names start with web-server- in specific zones.
# --instance-filter-names takes exact instance names, not wildcards;
# use --instance-filter-name-prefixes for a prefix match.
gcloud compute os-config patch-jobs execute \
    --instance-filter-name-prefixes="web-server-" \
    --instance-filter-zones="us-central1-a,us-central1-b" \
    --reboot-config=ALWAYS \
    --description="Web server security update"

# Patch using label filters. A VM matches when it carries every label in the
# group; repeat the flag to OR several label groups together. With
# --reboot-config=NEVER, updates that need a reboot (kernel, libc) are not
# active until one happens; the VM reports SUCCEEDED_REBOOT_REQUIRED.
gcloud compute os-config patch-jobs execute \
    --instance-filter-group-labels="environment=production" \
    --reboot-config=NEVER \
    --description="Production patch - no reboot"

Advanced Patch Configuration

# Linux-specific patch settings. --yum-security restricts yum/dnf to updates
# tagged as security advisories; excluding kernel* also skips kernel security
# fixes, so record such exclusions and revisit them (see Best Practices).
gcloud compute os-config patch-jobs execute \
    --instance-filter-all \
    --apt-excludes="mysql-*" \
    --yum-security \
    --yum-excludes="kernel*" \
    --reboot-config=DEFAULT

# Windows-specific patch settings. The classification flag is
# --windows-classifications (values: critical, security, definition, driver,
# feature-pack, service-pack, tool, update-rollup, update).
gcloud compute os-config patch-jobs execute \
    --instance-filter-name-prefixes="windows-" \
    --windows-classifications="critical,security" \
    --windows-excludes="KB5001234" \
    --reboot-config=ALWAYS

Step 3: Create a Patch Deployment (Scheduled)

Patch deployments automate recurring patch operations:

Via Console

    - Go to **OS patch management > Patch deployments**
    - Click **Create patch deployment**
    - Configure:
      • Name: weekly-security-patches
      • Instance filter: select target VMs
      • Schedule: weekly on Saturday at 2:00 AM
      • Duration: 4 hours (the job times out after this)
      • Rollout: zone-by-zone or concurrent zones, with a disruption budget given as a fixed number or a percentage of VMs per zone
    - Click Create

Via gcloud CLI

# A patch deployment is created from a JSON or YAML file holding the
# PatchDeployment resource (instanceFilter, patchConfig, duration,
# recurringSchedule and an optional rollout); the create command takes the
# file, not per-field flags. Save this as weekly-security-patches.json:
{
  "description": "Weekly security patches for all VMs",
  "instanceFilter": { "all": true },
  "patchConfig": { "rebootConfig": "DEFAULT" },
  "duration": "14400s",
  "recurringSchedule": {
    "timeZone": { "id": "America/New_York" },
    "timeOfDay": { "hours": 2, "minutes": 0 },
    "frequency": "WEEKLY",
    "weekly": { "dayOfWeek": "SATURDAY" }
  }
}

# Create the weekly patch deployment from the file
gcloud compute os-config patch-deployments create weekly-security-patches \
    --file=weekly-security-patches.json

# Monthly production deployment with a zone-by-zone rollout
# (save as monthly-production-patches.json)
{
  "description": "Monthly production patches",
  "instanceFilter": { "groupLabels": [ { "labels": { "environment": "production" } } ] },
  "patchConfig": { "rebootConfig": "ALWAYS" },
  "duration": "21600s",
  "recurringSchedule": {
    "timeZone": { "id": "UTC" },
    "timeOfDay": { "hours": 3, "minutes": 0 },
    "frequency": "MONTHLY",
    "monthly": { "monthDay": 1 }
  },
  "rollout": { "mode": "ZONE_BY_ZONE", "disruptionBudget": { "percent": 25 } }
}

gcloud compute os-config patch-deployments create monthly-production-patches \
    --file=monthly-production-patches.json

Rollout Strategies

# The rollout block of a deployment file controls how many zones are patched
# at once and how many VMs per zone may be offline at a time. If more VMs in
# a zone fail than the budget allows, the job stops.

# Zone-by-zone rollout (high availability): one zone at a time, at most 10%
# of the zone's VMs disrupted at once
"rollout": {
  "mode": "ZONE_BY_ZONE",
  "disruptionBudget": { "percent": 10 }
}

# Concurrent rollout: all zones at once, at most 5 VMs per zone disrupted
"rollout": {
  "mode": "CONCURRENT_ZONES",
  "disruptionBudget": { "fixed": 5 }
}

# Review deployments after creating them
gcloud compute os-config patch-deployments list
gcloud compute os-config patch-deployments describe weekly-security-patches
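Patch deployments are created from a JSON PatchDeployment body passed with `--file`, and a staged rollout (dev before staging before production, as recommended under Best Practices below) needs one such file per environment. The following Python script is an added example, not code from the original guide or from Google's tooling: it builds those bodies with the osconfig v1 field names, validates the rollout block, writes one file per stage and prints the matching `gcloud compute os-config patch-deployments create NAME --file=FILE` commands. The label key `environment`, the weekday and hour per stage, and the disruption budgets are assumptions made for the example.

```python
"""Generate staged PatchDeployment files for gcloud patch-deployments create.

Added example, not code from the original guide. It writes the JSON body that
  gcloud compute os-config patch-deployments create NAME --file=FILE
expects (osconfig v1 PatchDeployment fields), one deployment per environment so
dev is patched days before production. The label key "environment", the
weekday/hour choices and the rollout budgets are assumptions for this example.
"""
import json
import subprocess
from pathlib import Path

# (environment, weekday, hour, rollout) in the order the stages should run.
STAGES = [
    ("dev",        "MONDAY",    2, {"mode": "CONCURRENT_ZONES", "disruptionBudget": {"percent": 100}}),
    ("staging",    "WEDNESDAY", 2, {"mode": "ZONE_BY_ZONE",     "disruptionBudget": {"percent": 50}}),
    ("production", "SATURDAY",  2, {"mode": "ZONE_BY_ZONE",     "disruptionBudget": {"fixed": 1}}),
]


def valid_rollout(rollout):
    """A rollout needs a known mode and exactly one of disruptionBudget.fixed / .percent."""
    budget = rollout.get("disruptionBudget", {})
    return (rollout.get("mode") in ("ZONE_BY_ZONE", "CONCURRENT_ZONES")
            and len(budget) == 1
            and next(iter(budget)) in ("fixed", "percent"))


def build_patch_deployment(env, day_of_week, hour, rollout, duration_hours=4, tz="UTC"):
    """Return a PatchDeployment body for VMs labelled environment=<env> (label key assumed)."""
    if not valid_rollout(rollout):
        raise ValueError(f"bad rollout for {env}: {rollout}")
    return {
        "description": f"Weekly security patches ({env})",
        "instanceFilter": {"groupLabels": [{"labels": {"environment": env}}]},
        "patchConfig": {
            "rebootConfig": "DEFAULT",
            "apt": {"type": "DIST"},                  # apt-get dist-upgrade
            "yum": {"security": True},                # security advisories only
            "windowsUpdate": {"classifications": ["CRITICAL", "SECURITY"]},
        },
        "duration": f"{duration_hours * 3600}s",      # window after which the job times out
        "recurringSchedule": {
            "timeZone": {"id": tz},
            "timeOfDay": {"hours": hour, "minutes": 0},
            "frequency": "WEEKLY",
            "weekly": {"dayOfWeek": day_of_week},
        },
        "rollout": rollout,
    }


def staged_deployments(stages=STAGES):
    """Map deployment name -> body, in stage order (dev first, production last)."""
    return {f"weekly-patches-{env}": build_patch_deployment(env, day, hour, rollout)
            for env, day, hour, rollout in stages}


def write_and_create(out_dir, dry_run=True):
    """Write one JSON file per stage and print (or run) the gcloud create commands."""
    commands = []
    for name, body in staged_deployments().items():
        path = Path(out_dir) / f"{name}.json"
        path.write_text(json.dumps(body, indent=2))
        cmd = ["gcloud", "compute", "os-config", "patch-deployments", "create", name, f"--file={path}"]
        commands.append(cmd)
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)   # needs gcloud and the Patch Deployment Admin role
    return commands


if __name__ == "__main__":
    write_and_create(".")
```

Running the script writes the three files into the current directory and prints the create commands; call `write_and_create(".", dry_run=False)` to run them. A 100% budget for dev means no limit, which is the point of patching dev first: it absorbs the breakage a bad update causes before staging and production see it.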

Step 4: Configure Pre and Post-Patch Scripts

Run custom scripts before and after patching. The OS Config agent runs them as root on the VM, so the paths you give must already exist there and be executable (a script can also be supplied from a Cloud Storage object). A non-zero exit code from either step marks that VM as FAILED for the job; with --reboot-config=ALWAYS the post-patch step runs after the reboot.

# Create patch job with pre/post scripts
gcloud compute os-config patch-jobs execute \
    --instance-filter-names="app-server-*" \
    --pre-patch-linux-executable="/opt/scripts/pre-patch.sh" \
    --post-patch-linux-executable="/opt/scripts/post-patch.sh" \
    --reboot-config=ALWAYS

Example pre-patch script (pre-patch.sh):

#!/bin/bash
# Runs as root via the OS Config agent; a non-zero exit aborts patching on this VM
set -euo pipefail
LOG=/var/log/patching.log
# Stop application services before patching
systemctl stop myapp
# Create backup (a failed archive fails the step, so the VM is not patched without one)
mkdir -p /backup
tar -czf "/backup/app-$(date +%Y%m%d).tar.gz" /var/myapp
echo "$(date -Is) pre-patch complete" >> "$LOG"

Example post-patch script (post-patch.sh):

#!/bin/bash
set -uo pipefail
LOG=/var/log/patching.log
# Start application services after patching
systemctl start myapp
# Verify service is running; exit 1 marks the VM FAILED so it shows up in the job report
if systemctl is-active --quiet myapp; then
    echo "$(date -Is) post-patch: myapp started successfully" >> "$LOG"
else
    echo "$(date -Is) post-patch: myapp failed to start" >> "$LOG"
    exit 1
fi

Step 5: View Patch Compliance

Monitor patching status and compliance across your fleet:

View Patch Job Status

# List recent patch jobs
gcloud compute os-config patch-jobs list --limit=10

# Get details of a specific patch job
gcloud compute os-config patch-jobs describe PATCH_JOB_ID

# List instance details for a patch job
gcloud compute os-config patch-jobs list-instance-details PATCH_JOB_ID

Generate Compliance Reports

# Get the OS inventory (OS info, installed and available packages) for one VM
gcloud compute os-config inventories describe INSTANCE_NAME \
    --zone=ZONE \
    --view=FULL

# List installed apt packages. "items" is a map keyed by item id, so a table
# format on it does not work; take JSON and filter with jq instead.
gcloud compute os-config inventories describe INSTANCE_NAME \
    --zone=ZONE \
    --view=FULL \
    --format=json \
  | jq -r '.items[] | select(.installedPackage.aptPackage)
           | "\(.installedPackage.aptPackage.packageName) \(.installedPackage.aptPackage.version)"'
# Items with availablePackage instead of installedPackage are the pending updates.
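To turn the raw patch job and inventory output into a fleet report, the following Python script (an added example, not code from the original guide) summarises per-VM results of a patch job and counts pending packages from the JSON that gcloud returns with `--format=json`. The embedded sample records are constructed for the example; the field names are those of the osconfig v1 PatchJobInstanceDetails and Inventory resources, and the `gcloud_json` helper is only used when a patch job ID is passed on the command line.

```python
"""Summarise patch-job results and pending updates from gcloud JSON output.

Added example, not code from the original guide. It parses what
  gcloud compute os-config patch-jobs list-instance-details JOB_ID --format=json
  gcloud compute os-config inventories describe VM --zone=ZONE --view=FULL --format=json
return, using the osconfig v1 PatchJobInstanceDetails and Inventory field names.
The SAMPLE_* records below are constructed for this example.
"""
import json
import subprocess
from collections import Counter

# Instance states that leave a VM unpatched or needing follow-up after a patch job.
ATTENTION_STATES = {"FAILED", "TIMED_OUT", "NO_AGENT_DETECTED", "SUCCEEDED_REBOOT_REQUIRED"}

# Package families reported by Linux guests; Windows updates use wuaPackage instead.
VERSIONED_KEYS = ("aptPackage", "yumPackage", "zypperPackage", "googetPackage")


def summarize_instance_details(details):
    """Return (Counter of states, [(vm, state, failureReason), ...] for VMs needing attention)."""
    counts = Counter(d.get("state", "UNKNOWN") for d in details)
    attention = [
        (d["name"].rsplit("/", 1)[-1], d["state"], d.get("failureReason", ""))
        for d in details
        if d.get("state") in ATTENTION_STATES
    ]
    return counts, attention


def pending_packages(inventory):
    """Return [(package, version)] the guest reports as available but not installed."""
    pending = []
    for item in inventory.get("items", {}).values():
        pkg = item.get("availablePackage")
        if not pkg:
            continue
        for key in VERSIONED_KEYS:
            if key in pkg:
                pending.append((pkg[key]["packageName"], pkg[key]["version"]))
        if "wuaPackage" in pkg:  # Windows Update: identify by title and KB ids
            wua = pkg["wuaPackage"]
            pending.append((wua["title"], ",".join(wua.get("kbArticleIds", []))))
    return pending


def compliance_rows(inventories):
    """inventories: {vm_name: inventory_json}. A VM is compliant when nothing is pending."""
    rows = []
    for vm, inv in inventories.items():
        n = len(pending_packages(inv))
        rows.append((vm, n, n == 0))
    return rows


def gcloud_json(*args):
    """Run a gcloud command and parse its JSON output (needs gcloud; not used offline)."""
    return json.loads(subprocess.check_output(["gcloud", *args, "--format=json"]))


# Constructed sample data in the shape of the real API responses.
SAMPLE_DETAILS = [
    {"name": "projects/demo/zones/us-central1-a/instances/web-1", "state": "SUCCEEDED"},
    {"name": "projects/demo/zones/us-central1-a/instances/web-2", "state": "FAILED",
     "failureReason": "post-patch step exited with code 1"},
    {"name": "projects/demo/zones/us-central1-b/instances/db-1", "state": "SUCCEEDED_REBOOT_REQUIRED"},
    {"name": "projects/demo/zones/us-central1-b/instances/legacy-1", "state": "NO_AGENT_DETECTED"},
]
SAMPLE_INVENTORY = {
    "osInfo": {"shortName": "debian", "version": "12"},
    "items": {
        "installedPackage-openssl": {"type": "INSTALLED_PACKAGE", "installedPackage": {
            "aptPackage": {"packageName": "openssl", "architecture": "amd64", "version": "1.2.3-1"}}},
        "availablePackage-openssl": {"type": "AVAILABLE_PACKAGE", "availablePackage": {
            "aptPackage": {"packageName": "openssl", "architecture": "amd64", "version": "1.2.4-1"}}},
        "availablePackage-libssl3": {"type": "AVAILABLE_PACKAGE", "availablePackage": {
            "aptPackage": {"packageName": "libssl3", "architecture": "amd64", "version": "1.2.4-1"}}},
    },
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: python report.py PATCH_JOB_ID
        details = gcloud_json("compute", "os-config", "patch-jobs", "list-instance-details", sys.argv[1])
    else:
        details = SAMPLE_DETAILS
    counts, attention = summarize_instance_details(details)
    print("states:", dict(counts))
    for vm, state, reason in attention:
        print(f"ATTENTION {vm}: {state} {reason}")
    for vm, n, ok in compliance_rows({"web-1": SAMPLE_INVENTORY}):
        print(f"{vm}: {n} pending update(s), compliant={ok}")
```

SUCCEEDED_REBOOT_REQUIRED is deliberately treated as needing attention: the packages are on disk but the vulnerable code is still running until the VM reboots, which is the state --reboot-config=NEVER leaves behind. NO_AGENT_DETECTED usually means the agent is stopped or enable-osconfig is unset (see Troubleshooting).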

Export to BigQuery for Analysis

Export OS inventory data to BigQuery for fleet-wide compliance reporting (Cloud Asset Inventory's os-inventory content type exports the same data from the command line):

    - Go to **OS patch management > OS inventory**
    - Click **Export to BigQuery**
    - Select or create a BigQuery dataset
    - Configure export schedule

Query compliance data:

-- Find VMs with pending updates (adjust column names to your export table's
-- schema; this sketch assumes one row per VM with a repeated package array)
SELECT
  instance_name,
  zone,
  ARRAY_LENGTH(available_packages) AS pending_updates
FROM `project.dataset.os_inventory`
WHERE available_packages IS NOT NULL
  AND ARRAY_LENGTH(available_packages) > 0
ORDER BY pending_updates DESC;

Step 6: Set Up Alerting

Before wiring an alert, confirm the signals you can query: patch job outcomes are in the job state (COMPLETED_WITH_ERRORS, TIMED_OUT) and the per-instance states, and agent-side errors are in the OSConfigAgent log in Cloud Logging:

# Patch jobs that did not finish cleanly
gcloud compute os-config patch-jobs list \
    --filter="state=COMPLETED_WITH_ERRORS OR state=TIMED_OUT"

# Agent-side errors (the OS Config agent logs to Cloud Logging as OSConfigAgent)
gcloud logging read 'resource.type="gce_instance" AND logName="projects/PROJECT_ID/logs/OSConfigAgent" AND severity>=ERROR' \
    --limit=50

Create a Cloud Monitoring alert on those signals:

    - Go to **Monitoring > Alerting**
    - Click **Create Policy**
    - Add a condition for patch job failures (for example a log-based alert on the OSConfigAgent error query above)
    - Configure notification channels

Best Practices for OS Patch Management

  • Use labels for VM grouping - Organize VMs by environment, team, or application for targeted patching
  • Implement staged rollouts - Patch dev/staging first, then production with zone-by-zone deployment
  • Schedule during maintenance windows - Minimize user impact with off-hours patching
  • Test patches in non-production - Validate updates before production deployment
  • Configure disruption budgets - Ensure availability during patching with percentage limits
  • Use pre/post scripts - Gracefully stop/start applications and verify health
  • Monitor compliance regularly - Export to BigQuery for dashboards and reporting
  • Document exclusions - Track packages excluded from patching and reasons

Troubleshooting Common Issues

Agent Not Reporting

# Check agent logs
sudo journalctl -u google-osconfig-agent -f

# Restart agent
sudo systemctl restart google-osconfig-agent

# Verify metadata: enable-osconfig must be TRUE at the instance or the project level
curl -s -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-osconfig"
curl -s -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/project/attributes/enable-osconfig"
# The agent also has to reach osconfig.googleapis.com; VMs without an external
# IP need Private Google Access (or a NAT) on their subnet.

Patch Job Stuck

# Cancel a stuck patch job
gcloud compute os-config patch-jobs cancel PATCH_JOB_ID

# Check which VMs have not finished. RUNNING is not an instance state; in-flight
# states include STARTED, DOWNLOADING_PATCHES, APPLYING_PATCHES, REBOOTING,
# RUNNING_PRE_PATCH_STEP and RUNNING_POST_PATCH_STEP, and NO_AGENT_DETECTED
# means the agent never acknowledged the job.
gcloud compute os-config patch-jobs list-instance-details PATCH_JOB_ID \
    --filter="state!=SUCCEEDED AND state!=SUCCEEDED_REBOOT_REQUIRED AND state!=FAILED" \
    --format="table(name,state,failureReason)"


Frequently Asked Questions

What is the difference between a patch job and a patch deployment?

Patch jobs are one-time operations that immediately apply patches to selected VMs. Patch deployments are scheduled, recurring operations that automatically patch VMs based on a defined schedule (daily, weekly, monthly). Use patch jobs for urgent security patches or testing, and patch deployments for regular maintenance windows and compliance automation.
