cloudstack-dev mailing list archives

From Paul Angus <paul.an...@shapeblue.com>
Subject RE: [DISCUSS] we need a better SSVM solution
Date Fri, 30 Jan 2015 13:55:17 GMT
...also.....
I'm not a fan of us having different configuration processes for different hypervisors. I'm fairly
sure that where the hypervisor still uses the systemvm.iso it overwrites the scripts which
are already on the system vm, whereas with xenserver we only inject config in through pvgrub.

I think that the systemvm.iso should only contain the same data as is injected via xenserver
for consistency, or xenserver system vms should go back to using systemvm.iso

There are a load of global settings which allow you to specify the system vm template for
each hypervisor, I guess this effectively allows you to have different router templates to
the ssvm/consoleproxy template.

router.template.vmware    Name of the default router template on Vmware
router.template.xen       Name of the default router template on Xenserver

I'm not sure why it exists, you can't change the ssvm or cpvm template per hypervisor.

Regards,

Paul Angus
Cloud Architect
S: +44 20 3603 0540 | M: +447711418784 | T: @CloudyAngus
paul.angus@shapeblue.com

-----Original Message-----
From: Adrian Lewis [mailto:adrian@alsiconsulting.co.uk]
Sent: 29 January 2015 23:47
To: dev@cloudstack.apache.org
Subject: RE: [DISCUSS] we need a better SSVM solution

From a non-dev user's perspective I think Paul's pretty much nailed the key issues I'd like
to see improve with the system VMs. The big one for us is the ability to customise the VR
template to add things like netflow export and other value-add services through additional
software packages without having to do this individually on each VR deployed.

-----Original Message-----
From: Ahmad Emneina [mailto:aemneina@gmail.com]
Sent: 29 January 2015 22:17
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] we need a better SSVM solution

Paul's suggestion reminds me of some awesome functionality I see in the aftermarket Android
ROM community. That is 'Kitchens'[1].

A utility/site that provides functionality that allows for admins to create customized system
templates...

Giving choices of:
- OS
- kernel
- VPN server
- various other services...

Of course this is fantasy at the moment, I see the lowest barrier to entry would be a cloud-init
style utility where we can pass in commands or scripts, like the steps to mitigate the GHOST
vuln (which seems to be a few apt commands). That would easily resolve issues where a vulnerable
service could easily be updated post boot, and propagated to all new/restarted system vm's.

[1] http://forum.xda-developers.com/showthread.php?t=633246

On Thu, Jan 29, 2015 at 1:55 PM, John Kinsella <jlk@stratosec.co> wrote:

> Decent points. You think the difference between the VR/CP is different
> enough to have a second image?
>
> > On Jan 29, 2015, at 1:41 PM, Paul Angus <paul.angus@shapeblue.com> wrote:
> >
> > Hi All,
> >
> > I think that there are 3 things people would like to see:
> >
> > 1. clear versioning of system vm templates, with some kind of
> >    compatibility matrix so they know which one(s) they can use with
> >    different versions of CloudStack
> > 2. an easy way to update the system vm template
> > 3. an easy(ish) way to customise system vm templates
> >
> > It might be worth considering having two types of template:
> > a. the console proxy and secondary storage template
> > b. the virtual router/VPC template.
> >
> >
> >
> > Regards
> >
> > Paul Angus
> > Cloud Architect
> > S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
> > paul.angus@shapeblue.com
> >
> > -----Original Message-----
> > From: John Kinsella [mailto:jlk@stratosec.co]
> > Sent: 29 January 2015 18:06
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] we need a better SSVM solution
> >
> > Interesting…
> >
> > Concur on having an open/standardized protocol. Something clustered like
> > Serf/Consul could be attractive, but the overhead/requirements of those
> > type of things usually scares me away.
> >
> > Having ACS act as a CA would be quite interesting for some things. It’s
> > one of the reasons I’ve pondered a “hook” in the past to notify 3rd party
> > upon VM creation/deletion/etc. Wonder if we could take advantage of dogtag
> > or similar. All that said - setup/management of a CA is a PIA and probably
> > outside scope of ACS, unless you did a “light” one similar to Puppet by
> > default...
> >
> > An aside on that “hook” idea - something scriptable similar to (I said
> > “similar to,” no flames!) systemd for this could be interesting.
> >
> > A good portion of users would resist having an agent installed on the user
> > VM, but I guess we’re in that position already, and they just wouldn’t get
> > the added functionality.
> >
> > One user experience point: Almost every time Parallels comes out with a new
> > version, I have to update their agent on my VMs, which on the Windows side
> > means a reboot. That gets old, and I’ve only got a handful of win VMs
> > there...
> >
> > Going to see if I can puppet-ize one of the SSVMs over the weekend to see
> > what other thoughts come up.
> >
> > John
> >
> >> On Jan 29, 2015, at 2:06 AM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
> >>
> >> Good ideas John.
> >>
> >> I’m in fact already discussing a design I’m calling it “agents framework”
> >> (suggestions for better name are welcome!), I will try to share and update
> >> the spec soon that aims for this feature and refactoring work for ACS
> >> 4.6/master. For now, I’ve shared an architecture diagram here and some
> >> high level goals:
> >>
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Agents+Framework
> >>
> >> Along with this, I’ve strong opinions and interests in just getting rid of
> >> Java based agents in systemvms (to reduce memory footprint) and replace the
> >> current agent-management server protocol (TCP based, which connects to only
> >> one management server on port 8250 even if there are multiple management
> >> servers) with some interoperable protocol such as json/http, thrift etc
> >> that allows us to build better/scalable console proxy services (for
> >> example). People don’t discuss much, but virtual routers and systemvms are
> >> not well tested at all, we should also need efforts/infra to test these
> >> components with less human QA.
> >>
> >> Regards.
> >>
> >>> On 29-Jan-2015, at 2:14 am, John Kinsella <jlk@stratosec.co> wrote:
> >>>
> >>> Every time there’s an issue (security or otherwise) with the system VM
> >>> ISOs, it’s a relative pain to fix. They’re sort of a closed system,
> >>> people know little (relative to other ACS parts, IMHO) about their
> >>> innards, and updating them is more difficult than it should be.
> >>>
> >>> I’d love to see a Better Way. I think these things could be dynamically
> >>> built, with the option to have them connect to a configuration management
> >>> (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats
> >>> people’s boat.
> >>>
> >>> One possible use case:
> >>> * User installs new ACS system.
> >>> * User logs into mgmt server, goes to Templates area, clicks button to
> >>>   fetch default SSVM image. UI allows providing alternative URL, other
> >>>   options as needed.
> >>> * (time passes)
> >>> * Security issue is announced. User goes back into Templates area,
> >>>   selects SSVM template, clicks “Download updated template” and it does.
> >>>   Under infrastructure/system VMs and infrastructure/virtual routers,
> >>>   there’s buttons to update one or more running instances to use the new
> >>>   template
> >>>
> >>> Another possible use case:
> >>> * User installs new ACS system
> >>> * User uploads SSVM template that has CM agent configured to talk to
> >>>   their CM server (I’ve been wanting to lab this for a while now)
> >>> * As ACS creates system VMs, they phone home to CM server, it provides
> >>>   them with instructions to install various packages and config as needed
> >>>   to be domr/console proxy/whatever. We provide basic “recipes” for CM
> >>>   systems for people to use and grow from.
> >>> * Security issue is announced. User updates recipe in CM system, a few
> >>>   minutes later the SSVMs are up-to-date.
> >>>
> >>> Modification on that use case: We ship the SSVM with puppet/chef/blah
> >>> installed, part of the SSVM “patch” process configures appropriate CM
> >>> system.
> >>>
> >>> What might make the second use case easier would be to have some hooks
> >>> in ACS that when a system is created/destroyed/modified, it informs 3rd
> >>> party via API.
> >>>
> >>> (Obviously API calls for all of the above to allow process without
> >>> touching the UI)
> >>>
> >>> Thoughts?
> >>>
> >>> John
> >>
> >> Regards,
> >> Rohit Yadav
> >> Software Architect, ShapeBlue
> >> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> >> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>
> >>
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related services
> >>
> >> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> >> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are
> >> intended solely for the use of the individual to whom it is addressed.
> >> Any views or opinions expressed are solely those of the author and do
> >> not necessarily represent those of Shape Blue Ltd or related
> >> companies. If you are not the intended recipient of this email, you
> >> must neither take any action based upon its contents, nor copy or show
> >> it to anyone. Please contact the sender if you believe you have
> >> received this email in error.
> >> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> >> Services India LLP is a company incorporated in India and is operated
> >> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda
> >> is a company incorporated in Brasil and is operated under license from
> >> Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The
> >> Republic of South Africa and is traded under license from Shape Blue
> >> Ltd. ShapeBlue is a registered trademark.