cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Weber <terbol...@gmail.com>
Subject Re: [DISCUSS] we need a better SSVM solution
Date Wed, 28 Jan 2015 20:58:39 GMT
On Wed, Jan 28, 2015 at 9:44 PM, John Kinsella <jlk@stratosec.co> wrote:

> Every time there’s an issue (security or otherwise) with the system VM
> ISOs, it’s a relative pain to fix. They’re sort of a closed system, people
> know little (relative to other ACS parts, IMHO) about their innards, and
> updating them is more difficult than it should be.
>
> I’d love to see a Better Way. I think these things could be dynamically
> built, with the option to have them connect to a configuration management
> (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats
> people’s boat.
>
>
Totally agree, but we should consider the fact that users might not use our
builds and make it equally easy to update with a custom one.

One possible use case:
> * User installs new ACS system.
> * User logs into mgmt server, goes to Templates area, clicks button to
> fetch default SSVM image. UI allows providing alternative URL, other
> options as needed.
> * (time passes)
> * Security issue is announced. User goes back into Templates area, selects
> SSVM template, clicks “Download updated template” and it does. Under
> infrastructure/system VMs and infrastrucutre/virtual routers, there’s
> buttons to update one or more running instances to use the new template
>
>
If the user is using one of the published templates, why not just download
the new one and send a notification that a new template is ready and that
systemvms should be scheduled for a restart?


> Another possible use case:
> * User installs new ACS system
> * User uploads SSVM template that has CM agent configured to talk to their
> CM server (I’ve been wanting to lab this for a while now)
> * As ACS creates system VMs, they phone home to CM server, it provides
> them with instructions to install various packages and config as needed to
> be domr/console proxy/whatever. We provide basic “recipes” for CM systems
> for people to use and grow from.
> * Security issue is announced. User updates recipe in CM system, a few
> minutes later the SSVMs are up-to-date.
>
> Modification on that use case: We ship the SSVM with puppet/chef/blah
> installed, part of the SSVM “patch” process configures appropriate CM
> system.
>
> What might make the second use case easier would be to have some hooks in
> ACS that when a system is created/destroyed/modified, it informs 3rd party
> via API.
>
> (Obviously API calls for all of the above to allow process without
> touching the UI)
>
> Thoughts?
>
>
I've wondered for quite some time why we haven't had a simple checkbox in
the template register view that says 'Use as System VM' or similar.

Anyway, huge +1

-- 
Erik

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message