I believe it's a conflict based on the BaselineOverride parameter:
An error occurred (ValidationException) when calling the GetDeployablePatchSnapshotForInstance operation: Operating System of Baseline Override was AMAZON_LINUX_2, expected AMAZON_LINUX_2023
Parameter name: InstallOverrideList
Using InstallOverrideList, you specify an https URL or an Amazon S3 path-style URL to a list of patches to be installed. This patch installation list, which you maintain in YAML format, overrides the patches specified by the current default patch baseline. This provides you with more granular control over which patches are installed on your managed nodes.
Sample scenario for using the InstallOverrideList parameter in AWS-RunPatchBaseline or AWS-RunPatchBaselineAssociation
You can use the InstallOverrideList parameter when you want to override the patches specified by the current default patch baseline in Patch Manager, a capability of AWS Systems Manager. This topic provides examples that show how to use this parameter to achieve the following:
- Apply different sets of patches to a target group of managed nodes.
- Apply these patch sets on different frequencies.
- Use the same patch baseline for both operations.
Say that you want to install two different categories of patches on your Amazon Linux 2 managed nodes. You want to install these patches on different schedules using maintenance windows. You want one maintenance window to run every week and install all Security patches. You want another maintenance window to run once a month and install all available patches, or categories of patches other than Security.
However, only one patch baseline at a time can be defined as the default for an operating system. This requirement helps avoid situations where one patch baseline approves a patch while another blocks it, which can lead to issues between conflicting versions.
With the following strategy, you use the InstallOverrideList parameter to apply different types of patches to a target group, on different schedules, while still using the same patch baseline:
- In the default patch baseline, ensure that only Security updates are specified.
- Create a maintenance window that runs AWS-RunPatchBaseline or AWS-RunPatchBaselineAssociation each week. Don't specify an override list.
- Create an override list of the patches of all types that you want to apply on a monthly basis and store it in an Amazon Simple Storage Service (Amazon S3) bucket.
- Create a second maintenance window that runs once a month. However, for the Run Command task you register for this maintenance window, specify the location of your override list.
The result: Only Security patches, as defined in your default patch baseline, are installed each week. All available patches, or whatever subset of patches you define, are installed each month.
Using the BaselineOverride parameter
You can define patching preferences at runtime using the baseline override feature in Patch Manager, a capability of AWS Systems Manager. Do this by specifying an Amazon Simple Storage Service (Amazon S3) bucket containing a JSON object with a list of patch baselines. The patching operation uses the baselines provided in the JSON object that match the host operating system instead of applying the rules from the default patch baseline.
Using the patch baseline override with Snapshot Id or Install Override List parameters
There are two cases where the patch baseline override has noteworthy behavior.
Using baseline override and Snapshot Id at the same time
Snapshot Ids ensure that all managed nodes targeted by a particular patching command apply the same set of patches. For example, if you patch 1,000 nodes at one time, every node receives the same patches.
When using both a Snapshot Id and a patch baseline override, the Snapshot Id takes precedence over the patch baseline override. The baseline override rules will still be used, but they will only be evaluated once. In the earlier example, the patches across your 1,000 managed nodes will still always be the same. If, midway through the patching operation, you changed the JSON file in the referenced S3 bucket to be something different, the patches applied will still be the same. This is because the Snapshot Id was provided.
Using baseline override and Install Override List at the same time
You can't use these two parameters at the same time. The patching document fails if both parameters are supplied, and it doesn't perform any scans or installs on the managed node.
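The following is an added example, not AWS code or anything from the documentation quoted above. It models offline the three rules these sections describe: InstallOverrideList must point at an https or S3 path-style URL; a BaselineOverride document is matched to the node's operating system, and when no entry matches you get the same complaint the ValidationException at the top of this thread carries (an override with only an AMAZON_LINUX_2 entry run against an AMAZON_LINUX_2023 node); and InstallOverrideList and BaselineOverride cannot be supplied together. It also builds the Run Command parameter maps for the weekly and monthly maintenance windows from the InstallOverrideList scenario. The function names, the S3 URLs and the baseline documents are constructed for illustration; the document parameter names (Operation, InstallOverrideList, BaselineOverride, SnapshotId) are the ones AWS-RunPatchBaseline takes.

```python
"""Pre-flight checks for AWS-RunPatchBaseline task parameters (added example)."""
import json
from urllib.parse import urlparse


class PatchParameterError(ValueError):
    """A parameter set that the patching document would reject."""


def validate_s3_document_url(url, parameter):
    """Accept only https URLs with a host and a key path, such as the S3
    path-style form https://s3.<region>.amazonaws.com/<bucket>/<key>.
    Assumption made here: http and s3:// forms are rejected up front."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc or not parsed.path.strip("/"):
        raise PatchParameterError(f"{parameter} must be an https URL to an object: {url!r}")
    return url


def build_run_patch_baseline_params(operation, install_override_list=None,
                                    baseline_override=None, snapshot_id=None):
    """Build the Parameters map for an AWS-RunPatchBaseline Run Command task.
    Run Command takes every parameter value as a list of strings."""
    if operation not in ("Scan", "Install"):
        raise PatchParameterError(f"Operation must be Scan or Install, got {operation!r}")
    if install_override_list and baseline_override:
        # Documented failure mode: the document fails without scanning or installing.
        raise PatchParameterError(
            "InstallOverrideList and BaselineOverride can't be supplied together")
    params = {"Operation": [operation]}
    if install_override_list:
        params["InstallOverrideList"] = [
            validate_s3_document_url(install_override_list, "InstallOverrideList")]
    if baseline_override:
        params["BaselineOverride"] = [
            validate_s3_document_url(baseline_override, "BaselineOverride")]
    if snapshot_id:
        params["SnapshotId"] = [snapshot_id]
    return params


def select_baseline(override_doc, node_os):
    """Return the entry of a BaselineOverride JSON document whose operatingSystem
    matches the node. With no match, raise the message the agent reported."""
    baselines = json.loads(override_doc)
    if isinstance(baselines, dict):  # tolerate a single object instead of a list
        baselines = [baselines]
    for baseline in baselines:
        if baseline.get("operatingSystem") == node_os:
            return baseline
    found = ", ".join(sorted(b.get("operatingSystem", "UNKNOWN") for b in baselines)) or "none"
    raise PatchParameterError(
        f"Operating System of Baseline Override was {found}, expected {node_os}")


def rejection_reason(fn, *args, **kwargs):
    """Run a check and return its error message, or None if the inputs are accepted."""
    try:
        fn(*args, **kwargs)
    except PatchParameterError as exc:
        return str(exc)
    return None


def _baseline(os_name, classifications):
    """Constructed baseline entry using the field names seen in the agent log below."""
    return {
        "operatingSystem": os_name,
        "globalFilters": {"filters": [{"key": "PRODUCT", "values": ["*"]}]},
        "approvalRules": {"rules": [{
            "filterGroup": {"filters": [{"key": "CLASSIFICATION", "values": classifications}]},
            "complianceLevel": "UNSPECIFIED",
            "enableNonSecurity": False,
            "approveAfterDays": 7,
        }]},
        "approvedPatches": [],
        "approvedPatchesComplianceLevel": "UNSPECIFIED",
        "approvedPatchesEnableNonSecurity": False,
        "rejectedPatches": [],
        "rejectedPatchesAction": "ALLOW_AS_DEPENDENCY",
        "sources": [],
    }


# Constructed documents: the first reproduces the mismatch from the question
# (only an AMAZON_LINUX_2 entry); the second adds an AMAZON_LINUX_2023 entry.
AL2_ONLY_OVERRIDE = json.dumps([_baseline("AMAZON_LINUX_2", ["Security"])])
MULTI_OS_OVERRIDE = json.dumps([_baseline("AMAZON_LINUX_2", ["Security"]),
                                _baseline("AMAZON_LINUX_2023", ["Security", "Bugfix"])])

# Two-window scenario: weekly Security-only from the default baseline, monthly
# everything from an override list stored in S3 (hypothetical bucket and key).
WEEKLY_TASK_PARAMS = build_run_patch_baseline_params("Install")
MONTHLY_TASK_PARAMS = build_run_patch_baseline_params(
    "Install",
    install_override_list="https://s3.us-east-1.amazonaws.com/example-patch-bucket/monthly-override-list.yaml")

if __name__ == "__main__":
    print(json.dumps(MONTHLY_TASK_PARAMS, indent=2))
    print(rejection_reason(select_baseline, AL2_ONLY_OVERRIDE, "AMAZON_LINUX_2023"))
    print(select_baseline(MULTI_OS_OVERRIDE, "AMAZON_LINUX_2023")["operatingSystem"])
```

Running the checks before registering the maintenance-window task catches the OS mismatch and the parameter conflict locally, instead of discovering them from the agent log after a scheduled run has already failed. Keep one entry per operating system you patch in the override document, since the agent only uses the entry matching the node.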
I launched another instance today with the same settings. The issue has gone away. It looks like AWS has done something. I can find the key/value pair 'operatingSystem': 'AMAZON_LINUX_2023' in the baseline override:
04/25/2023 01:41:07 root [INFO]: Patch Baseline: {'accountId': 'xxxxxxxxxxx', 'baselineId': 'pb-0c4f8f1faeb89596e', 'name': 'Baseline Override', 'globalFilters': {'filters': [{'key': 'PRODUCT', 'values': ['*']}]}, 'approvalRules': {'rules': [{'filterGroup': {'filters': [{'key': 'CLASSIFICATION', 'values': ['Security']}, {'key': 'SEVERITY', 'values': ['Critical', 'Important']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False, 'approveAfterDays': 7, 'approveUntilDate': None}, {'filterGroup': {'filters': [{'key': 'CLASSIFICATION', 'values': ['Bugfix']}]}, 'complianceLevel': 'UNSPECIFIED', 'enableNonSecurity': False, 'approveAfterDays': 7, 'approveUntilDate': None}]}, 'approvedPatches': [], 'approvedPatchesComplianceLevel': 'UNSPECIFIED', 'approvedPatchesEnableNonSecurity': False, 'rejectedPatches': [], 'rejectedPatchesAction': 'ALLOW_AS_DEPENDENCY', 'createdTime': 1682386867.215, 'modifiedTime': 1682386867.215, 'description': None, 'operatingSystem': 'AMAZON_LINUX_2023', 'sources': []}