cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Weber <>
Subject Re: [DISCUSS] we need a better SSVM solution
Date Wed, 28 Jan 2015 20:58:39 GMT
On Wed, Jan 28, 2015 at 9:44 PM, John Kinsella <> wrote:

> Every time there’s an issue (security or otherwise) with the system VM
> ISOs, it’s a relative pain to fix. They’re sort of a closed system, people
> know little (relative to other ACS parts, IMHO) about their innards, and
> updating them is more difficult than it should be.
> I’d love to see a Better Way. I think these things could be dynamically
> built, with the option to have them connect to a configuration management
> (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats
> people’s boat.
Totally agree, but we should consider the fact that users might not use our
builds and make it equally easy to update with a custom one.

One possible use case:
> * User installs new ACS system.
> * User logs into mgmt server, goes to Templates area, clicks button to
> fetch default SSVM image. UI allows providing alternative URL, other
> options as needed.
> * (time passes)
> * Security issue is announced. User goes back into Templates area, selects
> SSVM template, clicks “Download updated template” and it does. Under
> infrastructure/system VMs and infrastrucutre/virtual routers, there’s
> buttons to update one or more running instances to use the new template
If the user is using one of the published templates, why not just download
the new one and send a notification that a new template is ready and that
systemvms should be scheduled for a restart?

> Another possible use case:
> * User installs new ACS system
> * User uploads SSVM template that has CM agent configured to talk to their
> CM server (I’ve been wanting to lab this for a while now)
> * As ACS creates system VMs, they phone home to CM server, it provides
> them with instructions to install various packages and config as needed to
> be domr/console proxy/whatever. We provide basic “recipes” for CM systems
> for people to use and grow from.
> * Security issue is announced. User updates recipe in CM system, a few
> minutes later the SSVMs are up-to-date.
> Modification on that use case: We ship the SSVM with puppet/chef/blah
> installed, part of the SSVM “patch” process configures appropriate CM
> system.
> What might make the second use case easier would be to have some hooks in
> ACS that when a system is created/destroyed/modified, it informs 3rd party
> via API.
> (Obviously API calls for all of the above to allow process without
> touching the UI)
> Thoughts?
I've wondered for quite some time why we haven't had a simple checkbox in
the template register view that says 'Use as System VM' or similar.

Anyway, huge +1


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message