Oracle Cloud Infrastructure Documentation

Understanding Dynamic Sets

Use dynamic sets to organize instances based on specific attributes within OS Management Hub. Dynamic sets let you manage specific segments of the environment, run update jobs, and run reports.

What's a Dynamic Set?

A dynamic set is a collection of instances that automatically includes members based on predefined criteria. Instead of manually adding instances, when you create a dynamic set, you define criteria using attributes (such as tags, OS version, location). OS Management Hub continuously evaluates these rules and updates the set as instances or their attributes change. Dynamic sets offer flexible membership. You can include multiple compartments and their children, making it easy to target specific segments of the environment for updates or patches.

How set members are identified

  1. Define Rules: Specify the conditions for membership (such as all instances with the 'Finance' tag within the tenancy). Dynamic set members can span compartments.

  2. Automatic Evaluation: OS Management Hub scans the environment and adds instances that match the criteria to the set.

  3. Continuous Monitoring: The service keeps the set membership up-to-date by:

Note

When using dynamic sets with scheduled jobs, the target instances are identified at runtime, not when the job is created. This means set members can change between the time you created the scheduled job and when it runs.

Difference between a dynamic sets and groups

The key difference is how members are identified and the flexibility offered.

Dynamic Sets Groups

Members are automatically identified based on rules.

Members are manually added or removed.

Can include instances with different OSs and architectures (such as Oracle Linux 9, Windows Server 2022).

All members must share the same OS and architecture (such as Oracle Linux 9 x86_64).

Instances can belong to other dynamic sets or a group.

Instances can belong to only one group.

Using dynamic sets and groups together

Combine dynamic sets and groups to streamline software and patch management. An instance can belong to a single group while also being part of one or more dynamic sets. This approach lets administrators:

  • Use groups to manage software availability by attaching software sources using the group manifest.
  • Use dynamic groups to target specific segments of the environment for updates.

By using both groups and dynamic sets, administrators can precisely control software content availability and manage staged patch rollouts across their environments. See Example: Monthly Patch Rollout with Staged Deployment.

Not all actions apply to all members

Dynamic sets can contain instances with a mix of OSs and architectures. So certain actions (such as package installation) might not apply to all the members of the set. For example, you might create a job to install a specific Oracle Linux package. In this case, any Windows instances would be skipped as the action is incompatible with the OS. See also Understanding Jobs.

Required Policies

Dynamic sets need the ability to list a user's instances. Before using dynamic sets, configure the required policies. See Manually Creating OS Management Hub Policies

Compartment-level policies

In OCI, let dynamic sets list all instances in the specified compartment:

Allow any-user to inspect instances in compartment compartment_name where request.principal.type='osmh-dynamic-sets'

For on premises installations, let dynamic sets list all management agents in the specified compartment:

Allow any-user to inspect management-agents in compartment compartment_name where request.principal.type='osmh-dynamic-sets'
Tenancy-level policies

In OCI, let dynamic sets list all instances in the specified tenancy:

Allow any-user to inspect instances in tenancy where request.principal.type='osmh-dynamic-sets'

For on premises installations, let dynamic sets list all management agents in the specified tenancy:

Allow any-user to inspect management-agents in tenancy where request.principal.type='osmh-dynamic-sets'

Matching Rule Conditions

Use matching rule conditions to identify the instances to include in the dynamic set. A dynamic set without any rule conditions includes all instances within a compartment.

Difference between 'Match any' and 'Match all'

When creating a dynamic set, you specify how OS Management Hub evaluates the rule conditions. The options are:

  • Match any conditions: Includes instances that match at least one of the rule conditions. Use this to define a set with a broad scope, as it acts like a logical OR (such as Condition 1 OR Condition 2 OR Condition 3).
  • Match all conditions: Includes instances that meet all the defined conditions. Use this to define a set with a narrow scope, defining a set with a narrow scope, as it acts like a logical AND (such as Condition 1 AND Condition 2 AND Condition 3).

Conditions

Possible matching conditions include:

  • Tags: Includes instances based on a specific tag. For OCI instances, this is the tag on the Compute instance. For on-premises or third-party cloud instances, this is the tag on the Management Agent resource.

    • For OCI instances, this evaluates the tag on the Compute instance.
    • For on-premises or third-party cloud instances, this evaluates the tag on the Management Agent resource.
  • OS version: Includes instances running the specified OS version.
  • Architecture: Includes instances with the specified hardware architecture.
  • Location: Includes instances in the specified location.
  • Status: Includes instances that are in the specified operational state.
  • Group: Includes instances that are members of the specified group.
  • Reboot status: Includes instances that are in the specified reboot state.
  • Instance name: Includes instances that have the specified name.
    • The name must match exactly for the instance to be included. Wildcards aren't allowed.

Example: Monthly Patch Rollout with Staged Deployment

Consider a common scenario, a monthly patch update cadence for an environment with a mix of Oracle Linux 8 and Oracle Linux 9 instances. Each month, an administrator prepares custom software sources containing the latest patches for both Oracle Linux 8 and Oracle Linux 9. The goal is to deploy these patches to a small subset of instances for validation before applying them more generally. This can be done by using dynamic sets and groups.

  1. Group Organization: The admin creates two groups: one for Oracle Linux 8 instances and another for Oracle Linux 9 instances. These groups ensure that the correct patches are associated with the appropriate OS versions.

  2. Tagging to Categorize Instances: The admin uses tags to segment the fleet:

    • A small subset of Oracle Linux 8 and Oracle Linux 9 instances are tagged as 'Pilot' instances for initial testing.
    • The remaining instances are tagged as 'Production' instances for broader deployment.

  3. Dynamic Set Creation: The admin creates two dynamic sets:

    • One set contains all 'Pilot' instances (both Oracle Linux 8 and Oracle Linux 9).
    • The other set contains all 'Production' instances (both Oracle Linux 8 and Oracle Linux 9).

  4. Patch Deployment: After preparing the monthly custom software source, the admin attaches them to the Oracle Linux 8 and Oracle Linux 9 groups, making the patches available to the entire fleet.

  5. Staged Rollout: The admin applies the monthly patch in stages.

    • The admin runs an update job on the 'Pilot' dynamic set, applying patches to the test instances.
    • After validating stability, the admin runs another update job on the 'Production' dynamic set, completing the rollout.