cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ahmad Emneina <aemne...@gmail.com>
Subject Re: [DISCUSS] we need a better SSVM solution
Date Thu, 29 Jan 2015 22:17:02 GMT
Pauls suggestion reminds me of some awesome functionality I see in the
aftermarket android ROM community. That is 'Kitchens'[1].

A utility/site that provides functionality that allows for admins to create
customized system templates...

Giving choices of:
- OS
- kernel
- VPN server
- various other services...

Of course this is fantasy at the moment, I see the lowest barrier to entry
would be a cloud-init style utility where we can pass in commands or
scripts, like the steps to mitigate the GHOST vuln (which seems to be a few
apt commands). That would easily resolve issues where a vulnerable service
could easily be updated post boot, and propagated to all new/restarted
system vm's.

[1] http://forum.xda-developers.com/showthread.php?t=633246

On Thu, Jan 29, 2015 at 1:55 PM, John Kinsella <jlk@stratosec.co> wrote:

> Decent points. You think the difference between the VR/CP is different
> enough to have a second image?
>
> > On Jan 29, 2015, at 1:41 PM, Paul Angus <paul.angus@shapeblue.com>
> wrote:
> >
> > Hi All,
> >
> > I think that there are 3 things people would like to see:
> >
> > 1. clear versioning of system vm templates, with some kind of
> compatibility matrix so they know which one(s) they can use with different
> versions of CloudStack
> > 2. an easy way to update the system vm template
> > 3. an easy(ish) way to customise system vm templates
> >
> > It might be worth considering have two types of template
> > a. the console proxy and secondary storage template
> > b. the virtual router/ VPC template.
> >
> >
> >
> > Regards
> >
> > Paul Angus
> > Cloud Architect
> > S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
> > paul.angus@shapeblue.com
> >
> > -----Original Message-----
> > From: John Kinsella [mailto:jlk@stratosec.co]
> > Sent: 29 January 2015 18:06
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] we need a better SSVM solution
> >
> > Interesting…
> >
> > Concur on having an open/standardized protocol. Something clustered like
> Serf/Consul could be attractive, but the overhead/requirements of those
> type of things usually scares me away.
> >
> > Having ACS act as a CA would be quite interesting for some things. It’s
> one of the reasons I’ve pondered a “hook” in the past to notify 3rd party
> upon VM creation/deletion/etc. Wonder if we could take advantage of dogtag
> or similar. All that said - setup/management of a CA is a PIA and probably
> outside scope of ACS, unless you did a “light” one similar to Puppet by
> default...
> >
> > An aside on that “hook” idea - something scriptable similar to (I said
> “similar to," no flames!) systemd for this could be interesting.
> >
> > A good portion of users would resist having an agent installed on the
> user VM, but I guess we’re in that position already, and they just wouldn’t
> get the added functionality.
> >
> > One user experience point: Almost every time Parallels comes out with a
> new version, I have to update their agent on my VMs, which on the Windows
> side means a reboot. That gets old, and I’ve only got a handful of win VMs
> there...
> >
> > Going to see if I can puppet-ize one of the SSVMs over the weekend to
> see what other thoughts come up.
> >
> > John
> >
> >> On Jan 29, 2015, at 2:06 AM, Rohit Yadav <rohit.yadav@shapeblue.com>
> wrote:
> >>
> >> Good ideas John.
> >>
> >> I’m in fact already discussing a design I’m calling it "agents
> framework” (suggestions for better name are welcome!), I will try to share
> and update the spec soon that aims for this feature and refactoring work
> for ACS 4.6/master. For now, I’ve shared an architecture diagram here and
> some high level goals:
> >>
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Agents+Framework
> >>
> >> Along with this, I’ve strong opinions and interests in just getting rid
> of Java based agents in systemvms (to reduce memory footprint) and replace
> the current agent-management server protocol (TCP based, which connects to
> only one management server on prt 8250 even if there are multiple
> management servers) with some interoperable protocol such as json/http,
> thrift etc that allows us to build better/scalable console proxy services
> (for example). People don’t discuss much, but virtual routers and systemvms
> are not well tested at all, we should also need efforts/infra to test these
> components with less human QA.
> >>
> >> Regards.
> >>
> >>> On 29-Jan-2015, at 2:14 am, John Kinsella <jlk@stratosec.co> wrote:
> >>>
> >>> Every time there’s an issue (security or otherwise) with the system VM
> ISOs, it’s a relative pain to fix. They’re sort of a closed system, people
> know little (relative to other ACS parts, IMHO) about their innards, and
> updating them is more difficult than it should be.
> >>>
> >>> I’d love to see a Better Way. I think these things could be
> dynamically built, with the option to have them connect to a configuration
> management (CM) system such as Puppet, Chef, Salt-Stack or whatever else
> floats people’s boat.
> >>>
> >>> One possible use case:
> >>> * User installs new ACS system.
> >>> * User logs into mgmt server, goes to Templates area, clicks button to
> fetch default SSVM image. UI allows providing alternative URL, other
> options as needed.
> >>> * (time passes)
> >>> * Security issue is announced. User goes back into Templates area,
> selects SSVM template, clicks “Download updated template” and it does.
> Under infrastructure/system VMs and infrastrucutre/virtual routers, there’s
> buttons to update one or more running instances to use the new template
> >>>
> >>> Another possible use case:
> >>> * User installs new ACS system
> >>> * User uploads SSVM template that has CM agent configured to talk to
> their CM server (I’ve been wanting to lab this for a while now)
> >>> * As ACS creates system VMs, they phone home to CM server, it provides
> them with instructions to install various packages and config as needed to
> be domr/console proxy/whatever. We provide basic “recipes” for CM systems
> for people to use and grow from.
> >>> * Security issue is announced. User updates recipe in CM system, a few
> minutes later the SSVMs are up-to-date.
> >>>
> >>> Modification on that use case: We ship the SSVM with puppet/chef/blah
> installed, part of the SSVM “patch” process configures appropriate CM
> system.
> >>>
> >>> What might make the second use case easier would be to have some hooks
> in ACS that when a system is created/destroyed/modified, it informs 3rd
> party via API.
> >>>
> >>> (Obviously API calls for all of the above to allow process without
> touching the UI)
> >>>
> >>> Thoughts?
> >>>
> >>> John
> >>
> >> Regards,
> >> Rohit Yadav
> >> Software Architect, ShapeBlue
> >> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> >> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>
> >>
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related
> services
> >>
> >> IaaS Cloud Design & Build<
> http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/
> >
> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Software Engineering<
> http://shapeblue.com/cloudstack-software-engineering/>
> >> CloudStack Infrastructure Support<
> http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training Courses<
> http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed. Any
> views or opinions expressed are solely those of the author and do not
> necessarily represent those of Shape Blue Ltd or related companies. If you
> are not the intended recipient of this email, you must neither take any
> action based upon its contents, nor copy or show it to anyone. Please
> contact the sender if you believe you have received this email in error.
> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> Services India LLP is a company incorporated in India and is operated under
> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape
> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
> a registered trademark.
> >
> > Find out more about ShapeBlue and our range of CloudStack related
> services
> >
> > IaaS Cloud Design & Build<
> http://shapeblue.com/iaas-cloud-design-and-build//>
> > CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> > CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> > CloudStack Software Engineering<
> http://shapeblue.com/cloudstack-software-engineering/>
> > CloudStack Infrastructure Support<
> http://shapeblue.com/cloudstack-infrastructure-support/>
> > CloudStack Bootcamp Training Courses<
> http://shapeblue.com/cloudstack-training/>
> >
> > This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed. Any
> views or opinions expressed are solely those of the author and do not
> necessarily represent those of Shape Blue Ltd or related companies. If you
> are not the intended recipient of this email, you must neither take any
> action based upon its contents, nor copy or show it to anyone. Please
> contact the sender if you believe you have received this email in error.
> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> Services India LLP is a company incorporated in India and is operated under
> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> company incorporated in Brasil and is operated under license from Shape
> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is
> a registered trademark.
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message