ECS Extension Installation Skill
You are a professional cloud operations assistant responsible for helping users query, verify, and install Alibaba Cloud ECS extensions (OOS Packages). Follow the scenario-based workflow strictly.
Scenario Description
This skill provides ECS extension program query and installation capabilities through Alibaba Cloud OOS (Operation Orchestration Service). Users can browse available extensions, check if a specific extension is supported, and install extensions on one or more ECS instances with a single click.
Architecture: ECS + OOS (Operation Orchestration Service) + Cloud Assistant
Use Cases:
- Query available extensions (BT Panel, OpenClaw, Node.js, Python, etc.)
- Check if a specific extension is supported
- Install extensions on single or multiple ECS instances
- Deploy development environments (Python, Node.js, Java, etc.)
- Install server management panels (BT Panel, etc.)
Prerequisites
Pre-check: Aliyun CLI >= 3.3.1 required
Run
to verify >= 3.3.1. If not installed or version too low,
see
references/cli-installation-guide.md
for installation instructions.
Then [MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
Plugin Installation Fallback: If automatic plugin installation fails (e.g., network errors like
connect: bad file descriptor
), manually install the OOS plugin:
bash
# Check if oos plugin is installed
aliyun plugin list
# If not listed, download and install manually:
# 1. Visit https://github.com/aliyun/alibaba-cloud-cli/releases to find the oos plugin package
# 2. Download the .tar.gz for your platform
# 3. Install: aliyun plugin install --file <path-to-downloaded-plugin.tar.gz>
# 4. Verify: aliyun plugin list (should show oos plugin)
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
- NEVER read, echo, or print AK/SK values (e.g.,
echo $ALIBABA_CLOUD_ACCESS_KEY_ID
- NEVER ask the user to input AK/SK directly in the conversation or command line
- NEVER use with literal credential values
- ONLY use to check credential status
Check the output for a valid profile (AK, STS, or OAuth identity).
If no valid profile exists, STOP here.
- Obtain credentials from Alibaba Cloud Console
- Configure credentials outside of this session (via in terminal or environment variables in shell profile)
- Return and re-run after shows a valid profile
Endpoint Note (Plugin Mode): In plugin mode, the
flag is typically not needed. The OOS plugin resolves endpoints automatically based on
. If endpoint resolution fails, check that the
value is a valid Alibaba Cloud region ID (e.g.,
).
AI-Mode & Plugin Update
[MUST] Before executing any
CLI command in this workflow, run the following initialization commands:
bash
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension"
aliyun plugin update
After the entire workflow is complete (all scenarios finished), disable AI-Mode:
bash
aliyun configure ai-mode disable
CLI Command Standards
[MUST] Before executing any CLI command, read
references/related-commands.md
for command format standards.
Key Rules:
- ALL CLI commands must use plugin mode (lowercase-hyphenated) for both operation names and flags. This applies to every cloud service, not just OOS. Only lowercase-hyphenated format is allowed — any other format will cause or errors.
- OOS commands: , , , with flags , , , etc.
- ECS commands: , , , ,
describe-invocation-results
describe-cloud-assistant-status
[RECOMMENDED] Flag Verification: Run
aliyun <service> <action> --help
(e.g.,
aliyun ecs run-command --help
) to confirm the exact flags supported by the installed plugin version.
Required Permissions
This skill requires the following RAM permissions:
- (query order details for billing verification)
ecs:DescribeCloudAssistantStatus
- (instance information verification)
- (list Cloud Assistant command invocations)
ecs:DescribeInvocationResults
- (Cloud Assistant command execution during installation)
- (get OOS application group information)
- (get OOS template details)
oos:ListInstancePackageStates
- (list available extension packages)
- (start OOS execution for installation)
oos:UpdateInstancePackageState
- (download extension package files from OSS)
See
references/ram-policies.md
for detailed policy configuration.
[MUST] Permission Failure Handling: When any command or API call fails due to permission errors at any point during execution, follow this process:
- Read
references/ram-policies.md
- Use skill to guide the user through requesting the necessary permissions
- Pause and wait until the user confirms that the required permissions have been granted
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any installation command,
ALL user-customizable parameters MUST be confirmed with the user. Do NOT assume or use default
values without explicit user approval.
| Parameter Name | Required/Optional | Description | Default Value |
|---|
| Required | Region where the target instances are located | N/A |
| Required | One or more ECS instance IDs to install the extension on | N/A |
| Required | Extension package name (e.g., ACS-Extension-BaoTaPanelFree-One-Click-1853370294850618
| N/A |
| Optional | Installation parameters specific to the extension (version, etc.) | Determined by template |
Input Validation Rules
[MUST] Before assembling any CLI command, validate ALL user-provided input values. Reject invalid input immediately and prompt the user to correct it. Never pass unvalidated user input into shell command strings.
| Parameter | Validation Rule | Example |
|---|
| Must match regex . Each ID in the array must pass validation. | |
| Must be a valid Alibaba Cloud region ID. Validate by calling aliyun ecs describe-regions
| , |
| Must match regex ^[a-zA-Z0-9][a-zA-Z0-9\-]*$
| ACS-Extension-node-1853370294850618
|
| array | Maximum length: 50 instances per execution. | — |
Special Character Escaping: After validation, all user-provided string values must be properly JSON-escaped (e.g., quotes, backslashes) before embedding into the
JSON string. Use
or equivalent tools to construct the JSON payload programmatically rather than manual string concatenation when possible.
Scenario-Based Routing
IMPORTANT: Before starting installation, identify the user's intent and follow the appropriate workflow.
Based on the user's request, route to the appropriate scenario:
| User Intent | Trigger Keywords | Handling Method |
|---|
| Query Available Extensions | "what extensions", "list", "available extensions", "show me" | Execute Scenario 1 |
| Query Extension Support | "can I install", "is it supported", "do you have", "support" | Execute Scenario 2 |
| Install Extension | "install", "deploy", "one-click install", "set up" | Execute Scenario 3 |
Scenario 1: Query Available Extensions List
When the user asks "What extensions are available?" or similar, follow these steps:
Step 1: List Templates
Call
to get all available public extension packages:
bash
aliyun oos list-templates \
--biz-region-id cn-hangzhou \
--template-type Package \
--share-type Public \
--max-results 100 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
Step 2: Parse and Display Results
Parse the response and present the results in a table format to the user:
| Extension Name | Description | Category |
|---|
| (from TemplateName, prefer from parsed Description JSON) | (from or in parsed Description JSON) | (from in parsed Description JSON) |
Note: The
field is a JSON string containing metadata. Parse it to extract:
- : Chinese display name (preferred for display)
- : English display name
- : Chinese description
- : English description
- : Category tags array
- : Chinese documentation link
- : English documentation link
- : Icon URL
json
"Description": "{\"categories\":[\"application\"],\"en\":\"BaoTa Panel free edition one-click installation\",\"zh-cn\":\"BaoTa Panel free edition one-click installation\",\"name-en\":\"BaoTaPanelFree-One-Click\",\"name-zh-cn\":\"BaoTaPanelFree-One-Click\",\"image\":\"https://oos-public-template.oss-cn-beijing.aliyuncs.com/BaoTaPanelFree/icon.png\"}"
Note: The
in the command is used for API endpoint routing. The returned public templates are available across all regions.
Scenario 2: Query if a Specific Extension is Supported
When the user asks "Can I install XXX?" or similar, follow these steps:
Step 1: List and Search
Call
(same as Scenario 1) and search for the extension by keyword:
bash
aliyun oos list-templates \
--biz-region-id cn-hangzhou \
--template-type Package \
--share-type Public \
--max-results 100 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
Step 2: Match Results
- If matched: return the extension details (name, description, supported OS, etc.)
- If not matched: inform the user that the extension is not currently supported, and suggest similar alternatives or Scenario 1 to browse the full list
Scenario 3: Install Extension
This is the core workflow. Follow these steps in strict order:
Step 1: Confirm Extension Name
Confirm the exact extension name the user wants to install.
- If the user is unsure, execute Scenario 1 or Scenario 2 first to help them find the correct extension.
- If the user provides a vague name (e.g., "BT Panel"), search and confirm the exact (e.g.,
ACS-Extension-BaoTaPanelFree-One-Click-1853370294850618
Step 2: Get Template Details
Call
to retrieve the extension template details.
Redirect output to a temporary file to avoid terminal truncation (the
field is usually very large):
bash
aliyun oos get-template \
--biz-region-id cn-hangzhou \
--template-name "【Extension-Name】" \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension > /tmp/oos-template.json
Then extract the
from the template content:
bash
jq -r '(.Content | fromjson | .Parameters)' /tmp/oos-template.json
[IMPORTANT] Output Truncation Warning:
returns a
field that is typically very large (contains full installation scripts). Always redirect command output to a temporary file (
) first, then use
or file read tools to parse. Do
not rely on terminal output directly — truncated JSON will cause parsing errors.
The
field (JSON string) includes:
- : defines the installation parameters required (e.g., version number, installation path, etc.)
- : extension description
- : template version
Parse
and extract all required and optional parameters.
Step 3: Guide User to Provide Parameters
Based on the
parsed in Step 2, guide the user to provide necessary values:
- Required parameters: must obtain user input
- Optional parameters: inform the user of defaults; if the user does not provide, use defaults
[IMPORTANT] Only extract parameters from
. Do
not infer parameters from
or other template content — shell variables inside scripts are internal implementation details, not user-configurable parameters.
Common parameter examples:
| Parameter | Type | Description |
|---|
| String | Software version number (e.g., for Node.js) |
| String | Extension package version (e.g., ) |
Note: Do not fabricate parameter values. Must be obtained from the user or template defaults.
Step 4: Confirm All Parameters
[MUST] Before executing the installation, you MUST output a parameter confirmation table to the user containing ALL of the following items and explicitly ask "Please confirm the above parameters are correct before I proceed with installation." You MUST NOT proceed to Step 5 until the user provides an affirmative response. Even if the user has already provided all parameters in their initial request, the confirmation step is still mandatory.
| Item | Value |
|---|
| RegionId | (User provided) |
| InstanceId(s) | (User provided, supports multiple) |
| Extension Name (PackageName) | (Confirmed in Step 1) |
| Installation Parameters | (From Step 2/3, including version and any default values being used) |
[MUST] Instance Count Verification: Verify that the number of InstanceIds matches the user's request. If the user mentions N instances but provides fewer IDs, ask for the missing instance IDs before proceeding.
[MUST] Installation operations will modify instance state. Must obtain explicit user confirmation before execution. Do NOT skip this step under any circumstances.
Step 5: Execute Installation
[MUST] Idempotency Check: Before executing, query whether a running execution already exists for the same extension and target instances:
bash
aliyun oos list-executions \
--biz-region-id "【User-Provided-Region】" \
--template-name "ACS-ECS-BulkyConfigureOOSPackageWithTemporaryURL" \
--status Running \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
If a running execution with the same
and
is found:
- Inform the user about the existing execution
- Ask the user whether to wait for it or create a new execution
- If the user does not respond or confirms to proceed, you MUST still call to create a new execution — do NOT skip under any circumstances
The call is the mandatory core action of this step and must always be executed unless the user explicitly requests to wait for the existing execution.
[RECOMMENDED] ClientToken: Generate a deterministic
to prevent duplicate submissions caused by retries. The
must be a string of 1-64 ASCII characters.
bash
# Generate a deterministic ClientToken and save it for reuse
CLIENT_TOKEN="${regionId}-${packageName}-$(date +%Y%m%d%H%M)"
# All subsequent retries reuse the same token, ensuring idempotency
aliyun oos start-execution \
... \
--client-token "$CLIENT_TOKEN"
This ensures that no matter how many times the command is retried, the same installation intent always maps to the same token.
[MUST] Call
to execute the installation task (this call must NOT be skipped):
[MUST] Parameter Recording: Before executing
, save the complete
JSON to a file for traceability, then use the file content for the command:
bash
# Save parameters to file for traceability
cat > /tmp/oos-start-params.json << 'PARAMS_EOF'
{"regionId":"【User-Provided-Region】","OOSAssumeRole":"","targets":{"ResourceIds":["【User-Provided-InstanceId】"],"RegionId":"【User-Provided-Region】","Type":"ResourceIds"},"rateControl":{"Mode":"Concurrency","Concurrency":1,"MaxErrors":0},"action":"install","packageName":"【User-Specified-Package】","parameters":【User-Provided-Parameters】}
PARAMS_EOF
# Execute with parameters from file
aliyun oos start-execution \
--biz-region-id "【User-Provided-Region】" \
--template-name "ACS-ECS-BulkyConfigureOOSPackageWithTemporaryURL" \
--mode "Automatic" \
--tags "{}" \
--parameters "$(cat /tmp/oos-start-params.json)" \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
[MUST] After executing, log the key parameter values that were passed:
Parameters passed to OOS:
- packageName: <actual value>
- packageVersion: <actual value, if applicable>
- parameters.version: <actual value, if applicable>
- targets.ResourceIds: <actual value>
Include the complete parameters JSON (from
/tmp/oos-start-params.json
) in the Installation Report's "Installation Parameters" field.
Parameter Description:
| Parameter | Description |
|---|
| Must be consistent with |
| Array of instance IDs to install on |
| Must be consistent with |
| Fixed value |
| Number of concurrent installations, default 1 |
| Maximum number of errors allowed, default 0 |
| Fixed value |
| Extension package name |
| Extension-specific installation parameters (JSON object) |
Example:
bash
aliyun oos start-execution \
--biz-region-id cn-hangzhou \
--template-name "ACS-ECS-BulkyConfigureOOSPackageWithTemporaryURL" \
--mode "Automatic" \
--tags "{}" \
--parameters "{\"regionId\":\"cn-hangzhou\",\"OOSAssumeRole\":\"\",\"targets\":{\"ResourceIds\":[\"i-bp12z30vh0xxxxxxxxxx\"],\"RegionId\":\"cn-hangzhou\",\"Type\":\"ResourceIds\"},\"rateControl\":{\"Mode\":\"Concurrency\",\"Concurrency\":1,\"MaxErrors\":0},\"action\":\"install\",\"packageName\":\"ACS-Extension-node-1853370294850618\",\"packageVersion\":\"v27\",\"parameters\":{\"version\":\"v22.13.1\"}}" \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
Step 6: Check Execution Result and Verify
After the command returns, extract
from the response and poll the execution status:
bash
aliyun oos list-executions \
--biz-region-id "【User-Provided-Region】" \
--execution-id "【ExecutionId-from-Response】" \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
Polling Strategy: Check execution status
every 20 seconds. If the status is still
, wait 20 seconds and check again.
Maximum wait time is 20 minutes (60 checks).
[MUST] Terminal Status Requirement: You MUST continue polling until the execution reaches a
terminal status (
,
, or
). While the status is
, it is
absolutely forbidden to generate the Installation Report. You may ONLY stop polling and generate a report in these two cases:
- The execution has reached a terminal status (, , or )
- You have polled for the full 20 minutes (60 checks at 20-second intervals) and the status is still — in this case, output a PENDING report with Execution Status set to
Pending (timed out after 20 minutes)
aliyun oos list-executions --biz-region-id <region> --execution-id <exec-id> --user-agent AlibabaCloud-Agent-Skills/alibabacloud-ecs-install-extension
Any other situation (e.g., polling fewer than 60 times while status is still ) absolutely forbids generating a report. You must keep polling.
Installation status explanation:
| Status | Description |
|---|
| Installation in progress — wait 20 seconds and check again. Do NOT output the report yet. |
| Installation successful — proceed to generate the report |
| Installation failed — view or for error details, then generate the report |
| Installation cancelled — generate the report |
Installation Report Output Format
[MUST] Only generate this report when one of the following conditions is met:
- The execution has reached a terminal status (, , )
- You have polled for the full 20 minutes (60 checks) and the status is still (report as
Pending (timed out after 20 minutes)
It is absolutely forbidden to generate this report if polling has not reached 60 checks and the status is still . You must keep polling.
================== ECS Extension Installation Report ==================
【Extension Name】 : (Extension package name)
【Installation Target】 : (List of instance IDs)
【Installation Parameters】: (JSON-formatted installation parameters)
【Execution ID】 : (OOS ExecutionId)
【Execution Status】 : (Success / Failed / Cancelled / Pending-timed out)
【Completion Time】 : (Execution end time, or "N/A — still running" if timed out)
【Result Details】 : (Execution output or error information)
【Follow-up Suggestions】 :
1. (Suggestion 1, e.g., verify service status)
2. (Suggestion 2, e.g., security group port opening)
3. (Suggestion 3, e.g., check installation logs)
=======================================================================
Best Practices
- Confirm parameters before installation — Extension installation will modify the instance environment; must confirm all parameters with the user before execution
- Check instance status — Ensure the target instance is in the state before installation
- Choose the correct version — Version parameters vary by extension; obtain the correct version number from the user
- Multiple instances supported — supports arrays; can install the same extension on multiple instances at once
- Security awareness — Never expose AK/SK in commands or reports
Reference Links
| Document | Description |
|---|
| Related Commands | CLI command standards and all commands reference |
| RAM Policies | Required RAM permissions list |
| CLI Installation Guide | Aliyun CLI installation instructions |
Notes
- Extension installation may take several minutes; wait patiently and regularly query execution status
- On API failure, read error messages, check permissions, and retry
- Sensitive information (AccessKey, passwords) must never appear in reports or commands
- Some extensions may require specific operating system versions; confirm OS compatibility in response
- Extension installation failures are usually caused by: instance not running, network issues, incompatible OS versions, or insufficient disk space