Google Git
Sign in
cos / cos / policymanager / 78f915b34a128a81a375290b576b472807e08579
commit78f915b34a128a81a375290b576b472807e08579[log] [tgz]
authorRayan Dasoriya <dasoriya@google.com>Tue Dec 21 02:29:15 2021 +0000
committerRayan Dasoriya <dasoriya@google.com>Wed Dec 22 18:27:54 2021 +0000
treecdecd65a32803e490316941ee37d1870982583ab
parent3343c26f0cd838e7b4e969e39816a91bdb0916c2 [diff]
Rewrite metadata retriever implementation to save cpu util

CPU utilization was increasing due to repeated calls to metadata
server. This implementation of metadata retriever saves the call
to metadata server and parses the metadata string in policy manager.

BUG=b/209939594
TEST=presubmit and started a VM
RELEASE_NOTE=None

Change-Id: Ibd3d4f159826f1d8548c38d9a21c55c2dca5fdb6
7 files changed
tree: cdecd65a32803e490316941ee37d1870982583ab
  1. cmd/
  2. pkg/
  3. protos/
  4. third_party/
  5. .gitignore
  6. CONTRIBUTING.md
  7. gen_proto.sh
  8. go.mod
  9. go.sum
  10. LICENSE
  11. main.go
  12. OWNERS
  13. PRESUBMIT.cfg
  14. README.md
README.md

Policy Manager for COS(Container-Optimized OS) Image

Overview

Policy Manager is the client for the COS control plane. It is responsible for reporting current instance status and fetching device update config.

It is designed to be a system daemon that's started immediately after boot. It sends status update to an update manager, which will respond with the appropriate update config.

Using the update config, it will generate the appropriate update policy blobs to enforce the update strategy set by the user.

How to run

  • Policy Manager must be run with root privileges in order to access update_engine status and control device policy.
  • Run modes:
    • Daemon Mode Continuously reports status and fetches update policy from metadata server.
    • Non-Daemon Mode Prints the current status to stdout.

What's up with update [policy, strategy, config]?

Part of Policy Manager's features is to allow users to control the OS update behavior of their COS instances.

COS has defined 2 update stategies that users can choose:

  1. All Updates Instances will receive all OS updates.

  2. Critical Updates Only Instances will only receive updates within their major release version. For example, if both 12.1.0 and 13.0.0 are available, an instance running 12.0.0 will only get updated to 12.1.0 if it has this strategy.

The update manager generates update config that is fetched by Policy Manager when it reports its status to the update manager. The config depends on the instance‘s status and the user’s update strategy.

The actual enforcement of the strategies are done by the update policy, which is a Chrome OS feature. An update policy is a protobuf blob that contains the parameters that will be used to fetch updates from Omaha. Policy Manager is responsible for generating the update policy blobs from update config.

Building

  • To build and test Policy Manager, please run FEATURES=test emerge-lakitu policymanager

Protobufs

  • To compile protobuf definitions, run ./gen_proto.sh.
  • Do NOT submit the generated protobufs into the repo.