// Alibaba Cloud ECS Patch Management Skill. Use for scanning and installing OS patches on ECS instances via OOS (Operation Orchestration Service). Triggers: "patch management", "scan patches", "install patches", "OS update", "security patches", "ACS-ECS-BulkyApplyPatchBaseline", "oos patch", "系统补丁扫描", "系统补丁安装".
Entry skill for the aliyun CLI distribution of CloudMonitor (CMS). Use when the user mentions aliyun cms2, CloudMonitor, CMS commands, or any CMS module operation such as Integration Policy/Center, APM, RUM, Prometheus Service, Recording rule, alert rule, alert template, alert history, event hub, SLS event, PromQL, cloud resource, service observability, monitoring onboarding, metric query, etc.
Use this skill when users want to search, discover, browse, or find Alibaba Cloud (阿里云) agent skills. Triggers include: "find a skill for X", "search alicloud skills", "阿里云有什么 skill","阿里云", "搜索阿里云技能", "有没有管理 ECS/RDS/OSS 的 skill", "阿里云 skills 有哪些类目", "帮我找一个 skill", "browse alicloud skills", "list alicloud skill categories", "is there an alicloud skill that can...", "what alicloud skills are available", "XX Skill 的内容是什么", "我想了解阿里云 XX Skill 具体做什么","帮我安装阿里云 Skill","使用阿里云相关的skill", "阿里云 agent skill 市场", "搜一下阿里云的 skill".
Alibaba Cloud RDS Copilot intelligent operations assistant skill. Used for RDS-related intelligent Q&A, SQL optimization, instance operations, and troubleshooting. Calls RdsAi OpenAPI through Alibaba Cloud CLI to get real-time RDS Copilot responses. Triggers: "RDS Copilot", "RDS Assistant", "SQL optimization", "RDS troubleshooting", "RDS operations", "database diagnosis"
Alibaba Cloud PAI-DLC (Deep Learning Containers) job management skill. Covers: distributed training job CRUD, monitoring (logs and events), and GPU sanity check. Triggers: "DLC", "PAI-DLC", "create-job", "list-jobs", "get-job", "stop-job", "update-job", "get-pod-logs", "get-job-events", "get-pod-events", "list-job-sanity-check-results".
Send WhatsApp messages via Alibaba Cloud Chat App Message Service (CAMS). Supports both template messages and custom (free-form) messages. Use this skill when the user wants to send WhatsApp messages, broadcast notifications, marketing campaigns, verification codes, reply to customer messages, view available message templates, or query template structure and variables.
PAI-DLC job diagnostics and health inspection. Queuing-stuck root cause analysis, failed-job localization, cluster health checks. Companion to the `alibabacloud-pai-dlc-job` skill (read-only — no writes). Triggers: "diagnose", "diagnose job", "job stuck", "why queuing", "queue stuck", "stuck in queue", "job failed", "failure reason", "healthcheck", "health check", "inspect job", "inspection".
| name | alibabacloud-ecs-patch-management |
| description | Alibaba Cloud ECS Patch Management Skill. Use for scanning and installing OS patches on ECS instances via OOS (Operation Orchestration Service). Triggers: "patch management", "scan patches", "install patches", "OS update", "security patches", "ACS-ECS-BulkyApplyPatchBaseline", "oos patch", "系统补丁扫描", "系统补丁安装". |
Scan and install operating system patches on Alibaba Cloud ECS instances using the OOS ACS-ECS-BulkyApplyPatchBaseline template.
ECS + OOS + Cloud Assistant + Snapshot (optional)
ACS-ECS-BulkyApplyPatchBaseline — built-in public template for batch patch operationsRun
aliyun versionto verify >= 3.3.3. If not installed or version too low, runcurl -fsSL https://aliyuncli.alicdn.com/setup.sh | bashto install/update, or seereferences/cli-installation-guide.mdfor installation instructions.
Pre-check: Aliyun CLI plugin update required
[MUST] run
aliyun configure set --auto-plugin-install trueto enable automatic plugin installation. [MUST] runaliyun plugin updateto ensure that any existing plugins are always up-to-date.
Security Rules:
- NEVER read, echo, or print AK/SK values
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use
aliyun configure setwith literal credential values- ONLY use
aliyun configure listto check credential statusaliyun configure listCheck the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via
aliyun configurein terminal or environment variables in shell profile)- Return and re-run after
aliyun configure listshows a valid profile
At the start of the Core Workflow (before any CLI invocation): [MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution. Run the following commands before any CLI invocation:
aliyun configure ai-mode enable aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ecs-patch-management"[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed. AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
aliyun configure ai-mode disable
Required permissions for this skill:
| Service | Actions | Purpose |
|---|---|---|
| OOS | StartExecution, ListExecutions, CancelExecution, ListTemplates, GetTemplate | Manage patch executions |
| OOS | ListPatchBaselines, GetPatchBaseline, ListInstancePatches, ListInstancePatchStates | Patch baseline and status queries |
| ECS | DescribeInstances, DescribeInvocations, DescribeInvocationResults, InvokeCommand, | Instance verification and Cloud Assistant |
| ECS | CreateSnapshot, DescribeSnapshots | Snapshot management (optional) |
Full details: references/ram-policies.md
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
- Read
references/ram-policies.mdto get the full list of permissions required by this SKILL- Use
ram-permission-diagnoseskill to guide the user through requesting the necessary permissions- Pause and wait until the user confirms that the required permissions have been granted
IMPORTANT: Parameter Confirmation — Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance IDs, action type, snapshot settings, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.
| Parameter | Required | Description | Default |
|---|---|---|---|
RegionId | Yes | Alibaba Cloud region ID (e.g., cn-hangzhou, cn-shanghai) | None |
InstanceIds | Yes | Target ECS instance IDs (e.g., ["i-bp1example0000000001"]) | None |
Action | Yes | Operation type: scan (scan only) or install (scan + install) | None |
rebootIfNeed | No (install only) | Whether to reboot the instance if patches require it | false |
whetherCreateSnapshot | No (install only) | Whether to create a snapshot before installing patches | false |
retentionDays | No (install only) | Snapshot retention period in days (1-65536) | 7 |
patchBaselineName | No | Custom patch baseline name (uses default system baseline if not specified) | System default |
rebootMethod | No (install only) | Reboot method: later (reboot later), immediately (reboot immediately), never (never reboot) | later |
loopMode | No | Batch mode: Automatic, FirstBatchPause, EveryBatchPause | Automatic |
safetyCheck | No | Security check: Skip, ConfirmEveryHighRiskAction | ConfirmEveryHighRiskAction |
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ecs-patch-management"
aliyun version
aliyun configure list
Confirm the target ECS instances exist and are in Running status:
aliyun ecs describe-instances \
--region <RegionId> \
--instance-ids '<InstanceIds_JSON>' \
--cli-query 'Instances.Instance[].{InstanceId:InstanceId, Status:Status, OSName:OSName}'
Prerequisite: Target ECS instances must have the Cloud Assistant client installed and running. Most Alibaba Cloud public images include it by default.
[MUST] StartExecution is asynchronous. The response only confirms that the execution has been submitted, not that it has finished. The response returns an
ExecutionIdin the formatexec-xxx(e.g.,exec-example0000000001). You MUST capture thisExecutionIdand pollListExecutions(Step 4) untilStatusreaches a terminal value (SuccessorFailed) before considering the operation complete. Do NOT treat a successful StartExecution response as proof that the patch operation succeeded.
aliyun oos start-execution \
--region <RegionId> \
--biz-region-id <RegionId> \
--template-name ACS-ECS-BulkyApplyPatchBaseline \
--parameters '{"regionId":"<RegionId>","action":"scan","targets":{"ResourceIds":<InstanceIds_JSON>,"RegionId":"<RegionId>","Type":"ResourceIds"}}'
aliyun oos start-execution \
--region <RegionId> \
--biz-region-id <RegionId> \
--template-name ACS-ECS-BulkyApplyPatchBaseline \
--parameters '{"regionId":"<RegionId>","action":"install","rebootIfNeed":<true/false>,"whetherCreateSnapshot":<true/false>,"retentionDays":<number>,"targets":{"ResourceIds":<InstanceIds_JSON>,"RegionId":"<RegionId>","Type":"ResourceIds"}}'
Example — Scan for instance i-bp1example0000000001 in cn-hangzhou:
aliyun oos start-execution \
--region cn-hangzhou \
--biz-region-id cn-hangzhou \
--template-name ACS-ECS-BulkyApplyPatchBaseline \
--parameters '{"regionId":"cn-hangzhou","action":"scan","targets":{"ResourceIds":["i-bp1example0000000001"],"RegionId":"cn-hangzhou","Type":"ResourceIds"}}'
Example — Install patches with snapshot and auto-reboot:
aliyun oos start-execution \
--region cn-hangzhou \
--biz-region-id cn-hangzhou \
--template-name ACS-ECS-BulkyApplyPatchBaseline \
--parameters '{"regionId":"cn-hangzhou","action":"install","rebootIfNeed":true,"whetherCreateSnapshot":true,"retentionDays":7,"targets":{"ResourceIds":["i-bp1example0000000001"],"RegionId":"cn-hangzhou","Type":"ResourceIds"}}'
Extract the ExecutionId (format: exec-xxx) from Step 3's response, then poll ListExecutions until the execution reaches a terminal status:
aliyun oos list-executions \
--region <RegionId> \
--biz-region-id <RegionId> \
--execution-id <ExecutionId> \
--cli-query 'Executions.Execution[0].{ExecutionId:ExecutionId, Status:Status, StartDate:StartDate, EndDate:EndDate}'
Terminal statuses (stop polling when Status matches one of these):
| Status | Meaning | Next action |
|---|---|---|
Success | Execution finished successfully | Proceed to Step 5 (logs) and Step 6 (verify patches) |
Failed | Execution failed | Inspect logs in Step 5 to diagnose the failure |
Cancelled | Execution was cancelled | No further action; re-run if needed |
Non-terminal statuses (keep polling): Started, Running, Queued, Waiting. Continue polling at a reasonable interval (e.g., every 10–30 seconds) until a terminal status is reached. Only consider the patch operation complete once Status is Success or Failed.
aliyun oos list-execution-logs \
--region <RegionId> \
--execution-id <ExecutionId>
After a scan or install execution reaches Success, two complementary APIs report patch state on each instance:
ListInstancePatches — per-patch detail on a single instanceReturns the full list of individual patches detected on the instance, with metadata such as patch name/KB, classification, severity, and per-patch status (e.g., Installed, Missing, NotApplicable). Use this to inspect which patches are present, missing, or failed.
aliyun oos list-instance-patches \
--region <RegionId> \
--biz-region-id <RegionId> \
--instance-id <InstanceId>
ListInstancePatchStates — per-state count summary across instancesReturns aggregate counts of patches grouped by state for each instance (e.g., InstalledCount, MissingCount, FailedCount, NotApplicableCount). Use this to quickly assess how many patches fall into each category without enumerating individual patches.
aliyun oos list-instance-patch-states \
--region <RegionId> \
--biz-region-id <RegionId> \
--instance-ids '<InstanceIds_JSON>'
When to use which:
ListInstancePatchStatesListInstancePatchesaliyun configure ai-mode disable
[MUST] Always disable AI-mode at every exit point — success, failure, error, or cancellation.
See references/verification-method.md for detailed verification steps.
Quick verification checklist:
| Step | Check | Command |
|---|---|---|
| 1 | CLI version >= 3.3.3 | aliyun version |
| 2 | Credentials valid | aliyun configure list |
| 3 | Instance running | aliyun ecs describe-instances |
| 4 | Execution started | Response contains ExecutionId |
| 5 | Execution succeeded | Status = Success via list-executions |
| 6 | Patches applied | list-instance-patches shows reduced Missing count |
aliyun oos cancel-execution \
--region <RegionId> \
--execution-id <ExecutionId>
aliyun ecs describe-snapshots \
--region <RegionId> \
--instance-id <InstanceId>
aliyun ecs delete-snapshot \
--region <RegionId> \
--snapshot-id <SnapshotId>
action: scan first to understand what patches are available before committing to installation.whetherCreateSnapshot: true with an appropriate retentionDays for production instances to enable rollback.FirstBatchPause for large fleets — When patching many instances, set loopMode: FirstBatchPause to validate the first batch before proceeding.list-execution-logs to track real-time progress and troubleshoot failures.rebootIfNeed: true only when you can tolerate instance downtime. For critical services, use rebootMethod: later and reboot manually.| Resource | Path |
|---|---|
| CLI Installation Guide | references/cli-installation-guide.md |
| RAM Policies | references/ram-policies.md |
| Related Commands | references/related-commands.md |
| Verification Methods | references/verification-method.md |
| Acceptance Criteria | references/acceptance-criteria.md |