Date: Mon, 22 Feb 2016 09:36:36 +0000 (GMT)
From: Nux!
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Keeping system vms up to date

Hi Erik,

Legit worry point.
IMHO the updates of the VR and so on should be the job of whoever runs the cloud, just like it's the same person's job to keep the HVs up to date. I'm sure it's possible to get all the VRs registered in some sort of ansible/puppet thingy and keep track of them this way.

Regarding up to date VM templates, I think part of the problem is solved as Jenkins is building 4.6 frequently:
http://jenkins.buildacloud.org/job/build-systemvm64-master/

It might just be a matter of uploading those to cloudstack.apt-get.eu.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Erik Weber"
> To: "dev"
> Sent: Monday, 22 February, 2016 08:53:48
> Subject: [DISCUSS] Keeping system vms up to date

> As of 4.6 or so, we don't really need to distribute new system vm templates
> all that often, and that is great for upgrades, but less so from a security
> perspective.
>
> With the current approach we ship old system vm templates, with out of date
> packages, and there is currently no good out of the box way to handle that.
>
> There are a few ways to handle it, including, but not limited to:
>
> 1) Introduce a configuration value that specifies if you want to run
> apt-get update && apt-get upgrade on boot. This slows down deployments and
> will only get worse as time passes and there are more packages to update.
> An alternative is to specify a list of packages we _HAVE_ to keep updated
> and only update those.
>
> 2) Package new system vms for all releases, but not bump the version number
> (or introduce a patch version number). This is meant to ensure that new
> cloud deployments are somewhat up to date, but won't update existing ones
> nor ensure that the deployment is kept up to date.
>
> 3) Add an optional? cronjob that does apt-get update && apt-get upgrade,
> the downside is that you risk having some downtime for certain services.
>
> 4) A combination of the previous 3.
>
> And most likely other options I haven't thought of.
>
> I feel we need to address this somehow or else we risk ending up as a very
> negative headliner when the right (or wrong) bug/exploit gets out and takes
> down a bunch of clouds..
>
> --
> Erik
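
The "list of packages we have to keep updated" variant of option 1 in the quoted message, sketched as an added example that is not part of either e-mail or of CloudStack's code. The package list, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Restrict a boot-time upgrade to a mandatory package list instead of a
# full `apt-get upgrade`, so boot time does not grow with template age.

# Hypothetical must-update list (an assumption, not a CloudStack setting).
MUST_UPDATE="openssl libssl1.0.0 openssh-server bash libc6"

# Constructed sample in the format printed by `apt list --upgradable`.
SAMPLE_UPGRADABLE='Listing...
bash/stable 4.3-11+deb8u1 amd64 [upgradable from: 4.3-11]
libssl1.0.0/stable 1.0.1k-3+deb8u4 amd64 [upgradable from: 1.0.1k-3+deb8u2]
openssl/stable 1.0.1k-3+deb8u4 amd64 [upgradable from: 1.0.1k-3+deb8u2]
vim-tiny/stable 2:7.4.488-7+deb8u1 amd64 [upgradable from: 2:7.4.488-7]
'

# Print the must-update packages that have a pending upgrade, one per line.
# $1 = text in `apt list --upgradable` format, $2 = space-separated list.
pending_must_update() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /\[upgradable from: / {
            split($1, f, "/")            # "name/suite" -> name
            if (f[1] in keep) print f[1]
        }' | sort -u
}

# Build the restricted upgrade command; prints nothing if nothing is pending.
upgrade_command() {
    pkgs=$(pending_must_update "$1" "$2" | tr '\n' ' ')
    pkgs=${pkgs% }                       # drop the trailing separator
    [ -n "$pkgs" ] && printf 'apt-get install --only-upgrade -y %s\n' "$pkgs"
    return 0
}

# On a real system VM the first argument would be the live listing:
#   upgrade_command "$(apt list --upgradable 2>/dev/null)" "$MUST_UPDATE"
upgrade_command "$SAMPLE_UPGRADABLE" "$MUST_UPDATE"
```

Packages outside the list (vim-tiny in the sample) are left alone, which bounds the boot-time cost but also means the list itself has to be maintained.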