Is Amazon Linux 2023 supported by SSM Patch Manager?

0

I notice that there is a patch baseline AWS-AmazonLinux2023DefaultPatchBaseline. However, when the task is run, some errors are returned indicating that the OS baseline does not match. It looks like something has to be done with the Operating System of the Baseline Override.

/usr/bin/python3
/usr/bin/yum
/usr/bin/dnf
Using python binary: 'python3'
Using Python Version: Python 3.9.16
04/20/2023 08:21:04 root [INFO]: Downloading payload from https://s3.dualstack.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.106.tar.gz
04/20/2023 08:21:05 root [INFO]: Attempting to import entrance file os_selector
04/20/2023 08:21:05 root [INFO]: Running with snapshot id =  and operation = Install
04/20/2023 08:21:05 root [INFO]: Downloading Baseline Override from s3://aws-quicksetup-patchpolicy-xxxxxxxxxxx-snhqg/baseline_overrides.json
04/20/2023 08:21:05 botocore.credentials [INFO]: Found credentials in shared credentials file: /var/lib/amazon/ssm/credentials
04/20/2023 08:21:05 botocore.credentials [INFO]: Found credentials in shared credentials file: /var/lib/amazon/ssm/credentials
04/20/2023 08:21:06 root [ERROR]: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023
Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 126, in _get_snapshot_info
    patch_snapshot = _get_snapshot_with_client(ssm_client, instance_id, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 428, in _get_snapshot_with_client
    return ssm_client.get_deployable_patch_snapshot_for_instance(
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023
04/20/2023 08:21:06 root [INFO]: Unable to retrieve snapshot with default ssm client, retry with fallback ssm client
04/20/2023 08:21:06 botocore.credentials [INFO]: Found credentials in shared credentials file: /var/lib/amazon/ssm/credentials
04/20/2023 08:21:06 root [ERROR]: Error loading entrance module.
Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 126, in _get_snapshot_info
    patch_snapshot = _get_snapshot_with_client(ssm_client, instance_id, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 428, in _get_snapshot_with_client
    return ssm_client.get_deployable_patch_snapshot_for_instance(
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 102, in _get_snapshot_info_with_fallback_ssm_client
    patch_snapshot = _get_snapshot_with_client(fallback_ssm_client, instance_id, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 428, in _get_snapshot_with_client
    return ssm_client.get_deployable_patch_snapshot_for_instance(
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_startup_entrance.py", line 203, in execute
    exit(   entrance_module.execute(*argv))
  File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 54, in execute
    common_os_selector_methods.fetch_snapshot(operation_type, instance_id, region, reboot_option, document_step,
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 280, in fetch_snapshot
    snapshot_info = _get_snapshot_info(instance_id, snapshot_id, region, baseline_override_dict)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 136, in _get_snapshot_info
    return _get_snapshot_info_with_fallback_ssm_client(instance_id, region, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 111, in _get_snapshot_info_with_fallback_ssm_client
    raise PatchManagerError("Get Snapshot failed", ExitCodes.SNAPSHOT_API_ERROR, e)
patch_common.exceptions.PatchManagerError: ('Get Snapshot failed', 144)
 Caused By: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023
04/20/2023 08:21:06 root [ERROR]: ('Get Snapshot failed', 144)
 Caused By: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023
Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 126, in _get_snapshot_info
    patch_snapshot = _get_snapshot_with_client(ssm_client, instance_id, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 428, in _get_snapshot_with_client
    return ssm_client.get_deployable_patch_snapshot_for_instance(
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 102, in _get_snapshot_info_with_fallback_ssm_client
    patch_snapshot = _get_snapshot_with_client(fallback_ssm_client, instance_id, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 428, in _get_snapshot_with_client
    return ssm_client.get_deployable_patch_snapshot_for_instance(
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/log/amazon/ssm/patch-baseline-operations/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/log/amazon/ssm/patch-baseline-operations/common_startup_entrance.py", line 203, in execute
    exit(   entrance_module.execute(*argv))
  File "/var/log/amazon/ssm/patch-baseline-operations/os_selector.py", line 54, in execute
    common_os_selector_methods.fetch_snapshot(operation_type, instance_id, region, reboot_option, document_step,
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 280, in fetch_snapshot
    snapshot_info = _get_snapshot_info(instance_id, snapshot_id, region, baseline_override_dict)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 136, in _get_snapshot_info
    return _get_snapshot_info_with_fallback_ssm_client(instance_id, region, snapshot_id, baseline_override)
  File "/var/log/amazon/ssm/patch-baseline-operations/common_os_selector_methods.py", line 111, in _get_snapshot_info_with_fallback_ssm_client
    raise PatchManagerError("Get Snapshot failed", ExitCodes.SNAPSHOT_API_ERROR, e)
patch_common.exceptions.PatchManagerError: ('Get Snapshot failed', 144)
 Caused By: An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023

  • I launched another instance today with the same settings. The issue has gone away. It looks like AWS has done something. I can find the key/value pair 'operatingSystem': 'AMAZON_LINUX_2023' in the baseline override.

    04/25/2023 01:41:07 root [INFO]: Patch Baseline: {'accountId': 'xxxxxxxxxxx', 'baselineId': 'pb-0c4f8f1faeb89596e', 'name': 'Baseline Override', 'globalFilters': {'filters': [{'key': 'PRODUCT', 'values': ['*']}]}, 'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'CLASSIFICATION', 'values': ['Security']}, {'key': 'SEVERITY', 'values': ['Critical', 'Important']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False, 'approveAfterDays': 7, 'approveUntilDate': None}, {'filterGroup': {'filters': [{'key': 'CLASSIFICATION', 'values': ['Bugfix']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False, 'approveAfterDays': 7, 'approveUntilDate': None}]}, 'approvedPatches': [], 'approvedPatchesComplianceLevel': 'UNSPECIFIED', 'approvedPatchesEnableNonSecurity': False, 'rejectedPatches': [], 'rejectedPatchesAction': 'ALLOW_AS_DEPENDENCY', 'createdTime': 1682386867.215, 'modifiedTime': 1682386867.215, 'description': None, 'operatingSystem': 'AMAZON_LINUX_2023', 'sources': []}

Alan So
asked a year ago
686 views
1 Answer
2

I believe it's a conflict based on the BaselineOverride parameter.

An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023

Parameter name: InstallOverrideList

Using InstallOverrideList, you specify an https URL or an Amazon S3 path-style URL to a list of patches to be installed. This patch installation list, which you maintain in YAML format, overrides the patches specified by the current default patch baseline. This provides you with more granular control over which patches are installed on your managed nodes.

Sample scenario for using the InstallOverrideList parameter in AWS-RunPatchBaseline or AWS-RunPatchBaselineAssociation

You can use the InstallOverrideList parameter when you want to override the patches specified by the current default patch baseline in Patch Manager, a capability of AWS Systems Manager. This topic provides examples that show how to use this parameter to achieve the following:

  • Apply different sets of patches to a target group of managed nodes.
  • Apply these patch sets on different frequencies.
  • Use the same patch baseline for both operations.

Say that you want to install two different categories of patches on your Amazon Linux 2 managed nodes. You want to install these patches on different schedules using maintenance windows. You want one maintenance window to run every week and install all Security patches. You want another maintenance window to run once a month and install all available patches, or categories of patches other than Security.

However, only one patch baseline at a time can be defined as the default for an operating system. This requirement helps avoid situations where one patch baseline approves a patch while another blocks it, which can lead to issues between conflicting versions.

With the following strategy, you use the InstallOverrideList parameter to apply different types of patches to a target group, on different schedules, while still using the same patch baseline:

  1. In the default patch baseline, ensure that only Security updates are specified.
  2. Create a maintenance window that runs AWS-RunPatchBaseline or AWS-RunPatchBaselineAssociation each week. Don't specify an override list.
  3. Create an override list of the patches of all types that you want to apply on a monthly basis and store it in an Amazon Simple Storage Service (Amazon S3) bucket.
  4. Create a second maintenance window that runs once a month. However, for the Run Command task you register for this maintenance window, specify the location of your override list.

The result: Only Security patches, as defined in your default patch baseline, are installed each week. All available patches, or whatever subset of patches you define, are installed each month.

Using the BaselineOverride parameter

You can define patching preferences at runtime using the baseline override feature in Patch Manager, a capability of AWS Systems Manager. Do this by specifying an Amazon Simple Storage Service (Amazon S3) bucket containing a JSON object with a list of patch baselines. The patching operation uses the baselines provided in the JSON object that match the host operating system instead of applying the rules from the default patch baseline.

Using the patch baseline override with Snapshot Id or Install Override List parameters

There are two cases where the patch baseline override has noteworthy behavior.

Using baseline override and Snapshot Id at the same time

Snapshot Ids ensure that all managed nodes in a particular patching command all apply the same thing. For example, if you patch 1,000 nodes at one time, the patches will be the same.

When using both a Snapshot Id and a patch baseline override, the Snapshot Id takes precedence over the patch baseline override. The baseline override rules will still be used, but they will only be evaluated once. In the earlier example, the patches across your 1,000 managed nodes will still always be the same. If, midway through the patching operation, you changed the JSON file in the referenced S3 bucket to be something different, the patches applied will still be the same. This is because the Snapshot Id was provided.

Using baseline override and Install Override List at the same time

You can't use these two parameters at the same time. The patching document fails if both parameters are supplied, and it doesn't perform any scans or installs on the managed node.

AWS
abemusa
answered a year ago
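
A pre-flight check for the two failure conditions discussed in this thread, as an added example that is not part of the original posts or AWS's own code: it extracts the operating-system mismatch from the patch log and checks a patch run's parameters against the override file before the document is executed. The function names are hypothetical, and the override file layout (a JSON list of baseline objects, each with an `OperatingSystem` field) is an assumption.

```python
import json
import re

# Error text as it appears in the patch log quoted in the question.
MISMATCH_RE = re.compile(
    r"Operating System of Baseline Override was (\w+), expected (\w+)")

# Line copied from the question's log; the override below is constructed.
SAMPLE_LOG = ("04/20/2023 08:21:06 root [ERROR]: An error occurred "
              "(ValidationException) when calling the "
              "GetDeployablePatchSnapshotForInstance operation: Operating System "
              "of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023")
SAMPLE_OVERRIDE = json.dumps([{"OperatingSystem": "AMAZON_LINUX_2"}])


def parse_mismatch(log_text):
    """Return (override_os, expected_os) from a patch log, or None."""
    m = MISMATCH_RE.search(log_text)
    return (m.group(1), m.group(2)) if m else None


def override_operating_systems(override_json):
    """Operating systems covered by a baseline override file.

    Assumption: the file is a JSON list of baseline objects, each with an
    'OperatingSystem' (or 'operatingSystem') field.
    """
    baselines = json.loads(override_json)
    if isinstance(baselines, dict):  # tolerate a single baseline object
        baselines = [baselines]
    found = set()
    for b in baselines:
        os_name = b.get("OperatingSystem") or b.get("operatingSystem")
        if os_name:
            found.add(os_name)
    return found


def preflight(params, override_json, node_os):
    """Return findings to resolve before running the patch document."""
    findings = []
    if params.get("BaselineOverride") and params.get("InstallOverrideList"):
        findings.append("BaselineOverride and InstallOverrideList are both set")
    if params.get("BaselineOverride"):
        covered = override_operating_systems(override_json)
        if node_os not in covered:
            findings.append(
                f"override covers {sorted(covered)} but node is {node_os}")
    return findings
```

Pass the second value returned by `parse_mismatch` as `node_os` to confirm that a regenerated override file now covers the operating system the service expects.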
