Overview
The Managed OS Service enables the customer to transfer operating tasks in the Enterprise Service Cloud environment to Swisscom at operating system level. This includes antivirus protection, patching and monitoring of system-relevant parameters (monitoring and alarming), as well as incident management. The use of Managed OS components meets high quality requirements and is suitable for business-critical applications.
The Managed OS Service is characterized by the following features: Swisscom ensures the secure and reliable operation of the operating system and thus enables the customer to use IT resources at the application level.
This document describes possible use cases for Managed OS (Windows) and Managed OS (Red Hat Enterprise Linux).
Prerequisites and basic conditions
To guarantee the Managed OS services, a few basic conditions must be taken into account.
This ensures that the Managed OS operation teams can take over responsibility for the Managed OS VM.
Please note the basic conditions below before you install or configure an application on a Managed OS VM.
To ensure that the basic conditions for a Managed OS VM are met, a Compliance Check will be used. This check is executed whenever a Managed OS VM is being transferred to the Full Managed state.
The details of the checks which are carried out can be found in the Technical Description.
Basic conditions for Managed Windows
Further prerequisites and general conditions are described in the Technical Description.
Basic conditions for Managed RHEL
These are the most important basic conditions which apply for Managed RHEL:
- Managed RHEL is not suitable for container services like Docker, OpenShift, etc. because of the difficult separation of responsibilities between the operating system, the application and container services.
- The OS is configured with Puppet, so OS configurations are enforced regularly by Puppet. Do not attempt to overwrite this configuration with a scheduled job.
- All additional software must be installed on additional disks. All application-related log files must also be written to a partition on an additional disk. All partitions created during VM provisioning are reserved for the operating system. These partitions are monitored by the operations team and therefore may not be used for application software or application logs.
- The firewall service 'iptables' must be running. Additional rules must be configured in the /etc/sysconfig/iptables.custom file. Puppet then applies these rules every 60 minutes.
- SELinux must be running and active in permissive mode. If this is not the case, each Puppet run will fail.
- No cronjobs are allowed for the user root. Only the Managed OS operation team can configure cronjobs with privileged permissions.
- No additional processes are allowed which run under the user root.
- Sudo rules must be ordered via service request. This ensures that the Managed OS operation teams can control which rules are ordered and can take over the responsibility for the Managed OS VM.
Further prerequisites and general conditions are described in the Technical Description.
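The following script is an added example, not Swisscom's Compliance Check and not taken from the Technical Description. It pre-checks four of the Managed RHEL conditions listed above (SELinux mode, iptables service, root crontab, application data on an additional disk). The variables APP_DIR and OS_DEVICES, their default values and the file name precheck.sh are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not Swisscom's Compliance Check): local pre-check of some
# Managed RHEL basic conditions. Each check takes its input as an argument,
# so it works on live command output or on constructed samples.

# SELinux must be active in permissive mode. $1 = output of `getenforce`.
selinux_ok() { [ "$1" = "Permissive" ]; }

# The iptables service must run. $1 = output of `systemctl is-active iptables`.
iptables_ok() { [ "$1" = "active" ]; }

# No cron jobs for root. $1 = text of root's crontab. Blank lines and
# comments are ignored; any other line counts as an entry.
root_cron_ok() {
  ! printf '%s\n' "$1" | grep -Eqv '^[[:space:]]*(#.*)?$'
}

# Application software and logs belong on an additional disk.
# $1 = device backing the application path; remaining arguments = devices
# created during VM provisioning (assumption: the caller knows this list).
on_additional_disk() {
  dev=$1; shift
  for os_dev in "$@"; do
    if [ "$dev" = "$os_dev" ]; then return 1; fi
  done
  return 0
}

# Live run: sh precheck.sh --live   (reading root's crontab needs root).
# APP_DIR and OS_DEVICES are hypothetical variables; defaults are constructed.
if [ "${1:-}" = "--live" ]; then
  rc=0
  selinux_ok "$(getenforce)" || { echo "FAIL: SELinux not permissive"; rc=1; }
  iptables_ok "$(systemctl is-active iptables)" ||
    { echo "FAIL: iptables service not active"; rc=1; }
  root_cron_ok "$(crontab -l -u root 2>/dev/null)" ||
    { echo "FAIL: root crontab has entries"; rc=1; }
  app_dev=$(df -P "${APP_DIR:-/opt/app}" 2>/dev/null | awk 'NR==2 {print $1}')
  # shellcheck disable=SC2086  # OS_DEVICES is split into words on purpose
  { [ -n "$app_dev" ] &&
    on_additional_disk "$app_dev" ${OS_DEVICES:-/dev/sda1 /dev/sda2}; } ||
    { echo "FAIL: ${APP_DIR:-/opt/app} missing or on an OS partition"; rc=1; }
  exit "$rc"
fi
```

The script only covers root's personal crontab and does not judge which root processes count as "additional", since the page does not define the baseline.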
Service States
For Managed OS we differentiate between the following service states:
- Full Managed
- Provider Maintenance
- Customer Maintenance
- Temp Admin
Full Managed
Swisscom is responsible for the server.
The customer has no administration or root permission on the operating system. This should be the default state for a Managed OS VM. Otherwise the VM has no SLA and no monitoring, and it will not be patched.
For more information, see the Technical Description.
Provider Maintenance
Swisscom is responsible for the server.
The customer has no administration or root permission on the operating system.
Swisscom can carry out maintenance work on the server. It is not possible for the customer to switch into this state.
For more information, see the Technical Description.
Customer Maintenance
The customer is responsible for the server.
In this state, the customer can perform certain actions (e.g. reconfigure the VM, reboot or shut down the server) without having to switch to the Temp Admin state. The Service Level Agreements at OS level are suspended in this state.
For more information, see the Technical Description.
Temp Admin
The customer is responsible for the server.
The customer receives temporary administration or root permissions on the OS. The Service Level Agreements at OS level are suspended in this state. For Windows VMs only: the VM will continue to receive OS patches.
This state should only be temporary. The VM should be switched back to the Full Managed state as soon as possible!
For more information, see the Technical Description.