Install and manage the Ops Agent by using VM Extension Manager policies

You can install and manage the Ops Agent on a fleet of Compute Engine VMs within a specific zone by using VM Extension Manager policies. For example, you can use these policies to perform tasks like the following:

• Fleetwide installation: Install the Ops Agent on all VMs in a zone or on a set of subset of VMs identified by labels in a zone.

• Version control:

  • Keep the Ops Agent updated to the latest version.
  • Pin the Ops Agent version to a specific release.

• Configuration management: Apply a custom configuration to the Ops Agent on all VMs managed by a policy.

With VM Extension Manager, you create policies that declare which extensions you want to install on VMs. The Ops Agent is one of the available extensions. VM Extension Manager policies can manage the Ops Agent version 2.58.0 or newer, when the Ops Agent has been installed by using VM Extension Manager. These policies can't manage versions of the Ops Agent earlier than version 2.58.0, Ops Agent instances installed by using other means, or any version of the legacy Monitoring agent or Logging agent.

You can create and manage VM extension policies by using the Google Cloud console or the Google Cloud CLI, gcloud.

Before you begin

Before starting to using VM Extension Manager extension policies, do the following:

• Review supported operating systems to verify that both the Ops Agent and VM Extension Manager are supported on your operating systems.
• Grant the roles required to use VM Extension Manager.
• If you want to use a command-line interface to create and manage extension policies, then install the Google Cloud CLI.
• Uninstall any observability agents already installed on your VMs.

Review supported operating systems

Before attempting to use VM Extension Manager policies to manage the Ops Agent, verify that your target operating system is compatible with both the Ops Agent and VM Extension Manager.

VM Extension Manager supports all operating systems supported by the Ops Agent, except for SUSE Linux Enterprise Server (SLES) and Ubuntu. For more information about the operating systems supported by the Ops Agent, see Operating systems.

If your operating system is supported by both the Ops Agent and VM Extension Manager, then follow the rest of this document.

Enable the APIs required to use the Ops Agent

To use the Ops Agent to write logs and metrics, you must enable the Cloud Logging API and Cloud Monitoring API on your Google Cloud project.

Enable the APIs

Grant roles required to use the Ops Agent

To get the permissions that you need to use the Ops Agent to write logs and metrics, ask your administrator to grant you the following IAM roles on your service account:

• To write logs: Logging Logs Writer (roles/logging.logWriter)
• To write metrics: Monitoring Metric Writer (roles/monitoring.metricWriter)

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about roles and the Ops Agent, see Authorize the Ops Agent.

Grant roles required to use VM Extension Manager

To get the permissions that you need to create, view, modify, and delete VM extension policies, ask your administrator to grant you the following IAM roles on the project:

• To create extension policies: VM Extension Policy Admin (roles/compute.vmExtensionPolicyAdmin)
• To view extension policies:
  • VM Extension Policy Viewer (roles/compute.vmExtensionPolicyViewer)
  • VM Extension Policy Admin (roles/compute.vmExtensionPolicyAdmin)
• To modify extension policies: VM Extension Policy Admin (roles/compute.vmExtensionPolicyAdmin)
• To delete extension policies: VM Extension Policy Admin (roles/compute.vmExtensionPolicyAdmin)

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create, view, modify, and delete VM extension policies. To see the exact permissions that are required, expand the Required permissions section:

You might also be able to get these permissions with custom roles or other predefined roles.

For more information about IAM roles and permissions in Compute Engine, see Compute Engine roles and permissions.

Install the Google Cloud CLI

You can create and manage VM extension policies by using the Google Cloud console or the Google Cloud CLI, gcloud. To use gcloud, you must first install it by performing the following steps:

1. If you haven't done so already, install the Google Cloud CLI.

   The extension policies described in this document use the beta command group.

1. If you haven't done so already, install the beta component of the gcloud CLI by running the following command:

   gcloud components install beta
   

   To check if you have the beta component installed, run the following command:

   gcloud components list
   

   If you previously installed the beta component, verify that have the latest version:

   gcloud components update
   

Uninstall any observability agents

Before creating a VM Extension Manager policy to manage the Ops Agent on a VM, ensure that there are no instances of the Ops Agent or the legacy Monitoring agent and Logging agent already on the VM. Running the Ops Agent and the legacy agents on the same VM can cause ingestion of duplicate logs or conflicts in metrics ingestion.

If you use an extension policy to install the Ops Agent on a VM where another observability agent is already installed, then the policy installs the agent, but the agent fails to run because a conflict is detected.

How you remove existing agents depends on how those agents were installed.

• Agents installed by a VM Manager OS Config policy, which includes the following:

  • Ops Agent installed by using the Google Cloud console during VM creation.
  • Ops Agent installed by a GA VM Manager OS Config policy.
  • Ops Agent, or legacy Monitoring agent or Logging agent installed by a beta VM Manager OS Config policy.

  For information about identifying VMs using these policies, see Find VMs covered by Ops Agent OS policies.

  For information about uninstalling the agent and removing the OS Config policies, see Uninstall the Ops Agent on VMs covered by Ops Agent OS policies.

• Agents installed manually by using an installation script. For information about uninstalling the agents, see the following:

  • Ops Agent: Uninstall the agent.
  • Legacy Monitoring agent: Uninstall the agent.
  • Legacy Logging agent: Uninstall the agent.

Install the Ops Agent by creating VM extension policies

Create VM extension policies to automatically install and manage the Ops Agent on a fleet of Compute Engine virtual machines (VMs). By defining a policy, you can ensure that specific extensions, like the Ops Agent, are installed and maintained on any VMs that match criteria you specify, such as VM labels.

Policy conflicts and priorities

VM Extension Manager associates a priorty with each new policy, with lower numbers indicating higher priorities; the default priority is 1000. A VM can be covered by multiple policies for an extension like the Ops Agent, but only one policy for the Ops Agent extension is effective on the VM.

VM Extension Manager uses priorities to resolve conflicts among policies applied to a VM. For more information about the resolution process, see Policy priority and conflict resolution.

Install the latest Ops Agent on all VMs in a zone

To create a policy that installs the latest version of the Ops Agent on all VMs in a zone, and updates the Ops Agent when a new version is released, do the following:

gcloud beta compute zone-vm-extension-policies create POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE \
  --extensions=ops-agent

Pin the Ops Agent to a specific version on all VMs in a zone

To create a policy that installs a specific version of the Ops Agent on all VMs in a zone, do the following:

gcloud beta compute zone-vm-extension-policies create POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE \
  --extensions=ops-agent
  --version=ops-agent=VERSION

For a list of Ops Agent versions, see the Ops Agent releases page on GitHub.

Install the Ops Agent on VMs in a zone with a specific label

To create a policy that installs the latest version of Ops Agent on the VMs in a zone that have a specific label, do the following:

gcloud beta compute zone-vm-extension-policies create POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE \
  --extensions=ops-agent
  --inclusion-labels=KEY1=VALUE1,KEY2=VALUE2

Install the Ops Agent with a custom configuration on all VMs in a zone

To create a policy that installs the latest version of the Ops Agent on all VMs in a zone, and provides custom configuration for the Ops Agent, do the following:

gcloud beta compute zone-vm-extension-policies create POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE \
  --extensions=ops-agent
  --config-from-file=ops-agent="OPS_AGENT_CONFIG_PATH"

If you provide a custom configuration for the Ops Agent when creating or updating an extension policy, then the policy deploys the Ops Agent with the custom configuration. You don't need to manually restart the agent.

The configuration is stored with the extension policy, so don't include sensitive data like passwords in the configuration. Because the configuration is stored with the extension policy, modifying the configuration file does not change the configuration of the agent. You must update the configuration stored with the policy by using the gcloud beta compute zone-vm-extension-policies update command.

When you provide a custom configuration for the Ops Agent, VM Extension Manager copies the configuration to the location used by the Ops Agent for user-specified configuration files on the target VM:

• Linux: /etc/google-cloud-ops-agent/config.yaml
• Windows: C:\Program Files\Google\Cloud Operations\Ops Agent\config\config.yaml

If there is a config.yaml file present on the VM, the extension policy overwrites it.

For general information about using the Google Cloud console and the gcloud CLI to create VM extension policies, see Install VM extensions by creating extension policies .

Manage the Ops Agent by updating VM extension policies

To change how a policy manages the Ops Agent, update the policy. When you update a policy, VM Extension Manager rolls out the changes to all applicable VMs, typically within one minute. If you modify inclusion labels, then the Ops Agent might be installed on new VMs or uninstalled from existing VMs based on whether the VMs match the updated labels.

The following sections show how to manage the Ops Agent to do the following:

• Update the pinned version of the agent on all VMs in a zone
• Modify the configuration of the Ops Agent on all VMs in a zone

Update the pinned version of the Ops Agent on all VMs in a zone

To change the pinned version of the Ops Agent on all VMs in a zone, do the following:

gcloud beta compute zone-vm-extension-policies update POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE \
  --extensions=ops-agent
  --version=ops-agent=VERSION

Modify the configuration of the Ops Agent on all VMs in a zone

To modify the configuration of the Ops Agent on all VMs in a zone, do the following:

gcloud beta compute zone-vm-extension-policies update POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE \
  --extensions=ops-agent
  --config-from-file=ops-agent="OPS_AGENT_CONFIG_PATH"

If you provide a custom configuration for the Ops Agent when creating or updating an extension policy, then the policy deploys the Ops Agent with the custom configuration. You don't need to manually restart the agent.

The configuration is stored with the extension policy, so don't include sensitive data like passwords in the configuration. Because the configuration is stored with the extension policy, modifying the configuration file does not change the configuration of the agent. You must update the configuration stored with the policy by using the gcloud beta compute zone-vm-extension-policies update command.

When you provide a custom configuration for the Ops Agent, VM Extension Manager copies the configuration to the location used by the Ops Agent for user-specified configuration files on the target VM:

• Linux: /etc/google-cloud-ops-agent/config.yaml
• Windows: C:\Program Files\Google\Cloud Operations\Ops Agent\config\config.yaml

If there is a config.yaml file present on the VM, the extension policy overwrites it.

For general information about using the Google Cloud console and the gcloud CLI to manage VM extension policies, see Modify extensions by updating a VM extension policy.

Uninstall the Ops Agent by deleting VM extension policies

To uninstall the Ops Agent, delete the VM extension policy that manages the agent. If another active, lower-priority policy applies to a VM and also manages the Ops Agent, then the agent remains installed on that VM based on the lower-priority policy.

VM Extension Manager removes the Ops Agent from all accessible VMs within one minute of policy deletion. If a VM is inaccessible, then VM Extension Manager skips deletion of the agent. If the VM becomes available again, then VM Extension Manager removes the agent at that time.

gcloud beta compute zone-vm-extension-policies delete POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE

Retrieve information about VM extension policies

You can retrieve the following information about existing VM extension policies:

• A list of all policies in your Google Cloud project.
• Configuration information about a specific policy.

gcloud beta compute zone-vm-extension-policies list \
  --project=PROJECT_ID \
  --zone=ZONE \
  --page-size=PAGE_SIZE_INTEGER

gcloud beta compute zone-vm-extension-policies describe POLICY_NAME \
  --project=PROJECT_ID \
  --zone=ZONE

For general information about using the Google Cloud console and the gcloud CLI to retrieve information about VM extension policies, see View extension policies.

Verify the installation of the Ops Agent

This section describes how to do the following:

• Verify the status or version of an Ops Agent installation
• Verify that the Ops Agent is collecting telemetry

Verify the status or version of an Ops Agent installation

To determine the status or version of the Ops Agent, use one of the following Google Cloud console pages:

When the Ops Agent has been installed on the VM and is collecting logs and metrics, the agent's status is marked with a green checkmark next to the Ops Agent label.

To determine the version of the installed agent, hover over the Ops Agent label on the Compute Engine or Monitoring dashboard.

Verify that the Ops Agent is collecting telemetry

If the Ops Agent has been successfully installed and is running correctly, then it sends metrics to Cloud Monitoring and logs to Cloud Logging.

• For information about verifying collection of metrics, see Agent is running, but data is not ingested.
• For information about verifying collection of logs, see Verify successful log collection.

Restart an Ops Agent installed by an extension policy

When the Ops Agent is installed and managed by VM Extension Manager, the Ops Agent isn't managed by the system-management service of the operating system, that is, systemd on Linux or the Windows Service Manager on Windows. Therefore, Linux systemctl commands and Windows *-Service commands don't work with an Ops Agent installed by an extension policy.

To restart an Ops Agent that was installed by an extension policy, do one of the following:

• Recreate the policy.

  1. Delete the policy. Deleting the policy stops and uninstalls the Ops Agent.

  2. Create a new policy. The new policy installs the Ops Agent and starts it.

• Use a temporary, higher-priority policy. If the original policy affects a large number of VMs but you only want to restart the Ops Agent on a small number, add a label to those VMs and configure the new policy to filter on the label.

  For example, if a policy with priority 1000 failed to start the Ops Agent on a VM, you could add a label like status=failed to the VM. Then create a new policy with a higher priority, like 500. For example, a Google Cloud CLI command might look like the following:

  gcloud beta compute zone-vm-extension-policies create POLICY_NAME \
    --project=PROJECT_ID \
    --zone=ZONE \
    --extensions=ops-agent
    --inclusion-labels=status=failed \
    --priority=500 \
    --config-from-file=ops-agent=/usr/ops-agent-config.yaml
  

  Replace the following variables in the command:

  • POLICY_NAME: A name for the VM extension policy.
  • PROJECT_ID: The identifier of the project.
  • ZONE: The target zone; for example, us-central1-f.

  After the new policy successfully installs the Ops Agent, delete the policy and remove the label from the VMs. The Ops Agent remains installed on the VM because the original policy is still active.

Enable guest agent debug log on the VM

VM Extension Manager policies use the Compute Engine guest agent to manage the Ops Agent as a VM extension. For information about enabling debug logging for the guest agent, see View debug logs for the guest agent.

Troubleshoot extension policies

This section provides information about troubleshooting the use of extension policies to manage the Ops Agent:

• gcloud beta compute zone-vm-extension-policies commands fail
• The extension policy is created, but the Ops Agent status is "not detected"
• Linux systemctl and Windows Service Manager don't work with the Ops Agent

For information about troubleshooting the Ops Agent, see Troubleshoot the Ops Agent.

gcloud beta compute zone-vm-extension-policies commands fail

When a gcloud beta compute zone-vm-extension-policies command fails, the response includes troubleshooting suggestions. Correct any errors in the command flags or arguments suggested by the error message.

If the output of the command mentions insufficient IAM permissions, then review the necessary roles and permissions described in Grant the roles required to use VM Extension Manager.

The extension policy is created, but the Ops Agent status is "not detected"

You successfully created an extension policy, but the Ops Agent shows a "not detected" status on the VM.

The Ops Agent might show as "not detected" if either of the following occurs:

• The extension policy fails to install the Ops Agent.
• An installed Ops Agent encounters an error condition that prevents it from running.

The following sections describe how to diagnose these cases.

Verify that the Ops Agent was installed by the policy

VM Extension Manager policies use the Compute Engine guest agent to manage the Ops Agent as a VM extension.

To determine if the Ops Agent was installed by the extension policy, use one of the following to look for log entries from the guest agent:

If you see logs containing a string like Failed to install plugin "ops-agent-plugin" ..., or the query returns no logs, then the extension policy failed to install the Ops Agent. For next steps, see Extension policy fails to install the Ops Agent.

If you see logs containing a string like Successfully installed plugin "ops-agent_nnnnnnnn", then the extension policy successfully installed the Ops Agent. For next steps, see Installed Ops Agent is "not detected".

Extension policy fails to install the Ops Agent

An extension policy might be ineffective if one of the following is true:

• The guest agent is not installed on the VM. To diagnose and fix this condition, do the following:

  1. Verify that the VM is using one of the operating systems supported for the Compute Engine guest environment.

  2. View the packages installed on the VM to verify that google-guest-agent is included.

  3. If the google-guest-agent is not installed, then install the guest agent.

• The guest agent is installed but outdated. To diagnose and fix this condition, do the following:

  1. Validate the guest environment to determine the version of the google-guest-agent package. VM Extension Manager requires version 20241209.01 or newer.

  2. If the version of the google-guest-agent is older than 20241209.01, then update the guest environment.

• The VM's operating system is not supported by VM Extension Manager. For more information, see Review supported operating systems.

Installed Ops Agent has status "not detected"

The Ops Agent can have a status of "not detected" if one of the following is true:

• There are observability agents installed on the VM already. Existing agents can cause conflicts and must be uninstalled. For more information, see Uninstall any observability agents.

  After uninstalling any previously installed agents, you can restart the Ops Agent.

• The Ops Agent has insufficient permissions to send data to Cloud Logging and Cloud Monitoring. For more information, see Common reasons for telemetry-transmission failures.

Verify that the Ops Agent configuration is valid

You provided a custom configuration to the Ops Agent by creating or updating an extension policy, but the agent status is "not detected". The problem might be an error in your custom configuration. Use the guest agent debug logs to look for configuration errors.

Enable guest agent debug logging

For information about enabling debug logging for the guest agent, see View debug logs for the guest agent.

Examine debug logs

If you see logs containing the string The agent config file is not valid, then the custom configuration for the Ops Agent you provided when creating or updating the extension policy is invalid.

To fix this problem, do the following:

• Correct the configuration by referring to Configure the Ops Agent. For information about the structure of an Ops Agent configuration file.

• Update the extension policy with the corrected configuration.

Linux systemctl status and Windows Get-Service commands don't work with the Ops Agent

You run a command like sudo systemctl status google-cloud-ops-agent"*" but it returns no information.

When the Ops Agent is installed and managed by VM Extension Manager, the Ops Agent isn't managed by the system-management service of the operating system, that is, systemd on Linux or the Windows Service Manager on Windows.

To find the status information for an Ops Agent managed by VM Extension Manager, see the following:

• Agent health checks
• Agent self logs.

Linux systemctl restart and Windows Restart-Service commands don't work with the Ops Agent

You run a command like sudo systemctl restart google-cloud-ops-agent but the Ops Agent isn't restarted.

When the Ops Agent is installed and managed by VM Extension Manager, the Ops Agent isn't managed by the system-management service of the operating system, that is, systemd on Linux or the Windows Service Manager on Windows. Therefore, you can't stop or start the Ops Agent manually, and commands like the following don't work with the Ops Agent:

• Linux: sudo systemctl [stop|start|restart]
• Windows: Stop-Service, Start-Service, Restart-Service

To stop or restart an Ops Agent managed by VM Extension Manager, you must uninstall the agent by deleting the extension policy. For more information about stopping or restarting the Ops Agent, see Restart an Ops Agent installed by an extension policy.

Additional troubleshooting information

For more information about troubleshooting the creation and use of VM Extension Manager policies, see Troubleshoot VM extensions.

For more information about troubleshooting the Ops Agent, see Troubleshoot the Ops Agent.

Quota

For information about the number of extension policies you can create in a Google Cloud project, see Quota.

Pricing

For information about costs associated with using VM Extension Manager, see Pricing.

If you install the Ops Agent, then you might be charged for the metrics, logs, or traces that the agent sends to your Google Cloud project. For pricing information, see Google Cloud Observability pricing.

What's next

• View detailed information about configuring the Ops Agent.
• Learn more about VM Extension Manager.