Patch Job No Longer Active Message When Deploying Auto-Defend in GCP
Created On 09/15/22 18:13 PM - Last Modified 11/21/24 19:24 PM
Symptom
- When deploying Auto-Defend in GCP (Manage > Defenders > Deploy > Host Auto-Defend), customers may receive a failed Defender installation error indicating "Patch job no longer active".
Environment
- Prisma Cloud Compute
- Deploy Defender
- Auto Defend Hosts
- Google Cloud Platform
Prerequisites:
- Host auto-defend lets you automatically deploy Host Defenders on virtual machines/instances in Google Cloud accounts. This covers GCP Compute Engine instances.
- The installation uses the OS Patch Management service, which is part of the broader VM Manager service, to deploy the Host Defenders.
- Prisma Cloud creates an OS patch job that references the installation script stored in a temporarily created storage bucket and the list of instances on which to deploy the Host Defender, as shown below.
Cause
- The OS Patch Management and VM Manager configuration is missing required details.
- The service account does not have adequate permissions to create and delete the temporary bucket.
Resolution
- To use OS Patch Management, the VM host must have access to the package updates or patches.
- OS Patch Management does not host or maintain package updates or patches.
- To use the OS Patch Management feature, you must set up the OS Config API and install the OS Config Agent. For detailed instructions, see Setting up VM Manager.
- In some scenarios your VM might not have access to the updates. In these scenarios, you must grant additional permissions to allow access to the updates or patches.
- Specifically, ensure OSconfig=enabled is set in the GCE instance metadata.
Additional Information
In summary, when you enable VM Manager, whether automatically or manually, the following setup takes place:
- OS Config service API and Container Analysis API are enabled on the Google Cloud project.
- The OS Config Agent, running on each selected VM, is activated by setting the required instance metadata values. Note: OS Config is preinstalled on most VMs but is not activated until instance metadata is set.
- The OS Config service enables patch management in your environment while the OS Config Agent uses the update mechanism for each operating system to apply patches.
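The following is an added pre-flight check (not part of this article or of Prisma Cloud) that evaluates the VM Manager prerequisites listed in the Resolution and Additional Information sections above: the OS Config and Container Analysis APIs enabled on the project, and the OS Config Agent activated through metadata. It reads the shapes returned by the Compute Engine and Service Usage APIs; the sample values are constructed, and treating the enable-osconfig value as case-insensitive is an assumption.

```python
"""Pre-flight check for Prisma Cloud host auto-defend prerequisites on GCP."""
from typing import Dict, List, Optional

# Service names as reported by the Service Usage API (both are enabled by VM Manager setup).
REQUIRED_APIS = ("osconfig.googleapis.com", "containeranalysis.googleapis.com")
# Metadata key that activates the OS Config Agent (the article refers to it as OSconfig=enabled).
OSCONFIG_KEY = "enable-osconfig"


def metadata_to_dict(metadata: Optional[Dict]) -> Dict[str, str]:
    """Flatten the GCE {"items": [{"key": ..., "value": ...}]} shape into a plain dict."""
    return {item["key"]: item["value"] for item in (metadata or {}).get("items", [])}


def osconfig_enabled(instance_md: Optional[Dict], project_md: Optional[Dict]) -> bool:
    """Instance metadata overrides project metadata for the same key.

    The agent expects the value TRUE; comparing case-insensitively is an assumption.
    """
    inst, proj = metadata_to_dict(instance_md), metadata_to_dict(project_md)
    value = inst.get(OSCONFIG_KEY, proj.get(OSCONFIG_KEY, ""))
    return value.strip().lower() == "true"


def check_prerequisites(enabled_apis: List[str], instance_md: Optional[Dict],
                        project_md: Optional[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means every checked prerequisite is met."""
    findings = []
    for api in REQUIRED_APIS:
        if api not in enabled_apis:
            findings.append(f"API not enabled on project: {api}")
    if not osconfig_enabled(instance_md, project_md):
        findings.append(f"OS Config Agent not activated: set {OSCONFIG_KEY}=TRUE "
                        "in instance or project metadata")
    return findings


if __name__ == "__main__":
    # Constructed sample: the project enables the agent, but the instance explicitly
    # overrides it with FALSE, so the patch job would never be picked up on this VM.
    apis = ["compute.googleapis.com", "osconfig.googleapis.com"]
    project = {"items": [{"key": "enable-osconfig", "value": "TRUE"}]}
    instance = {"items": [{"key": "enable-osconfig", "value": "FALSE"}]}
    for finding in check_prerequisites(apis, instance, project):
        print(finding)
```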