Paul's suggestion reminds me of some awesome functionality I see in the aftermarket Android ROM community. That is 'Kitchens'[1].
A utility/site that provides functionality that allows for admins to create customized system templates... Giving choices of:
- OS
- kernel
- VPN server
- various other services...

Of course this is fantasy at the moment, I see the lowest barrier to entry would be a cloud-init style utility where we can pass in commands or scripts, like the steps to mitigate the GHOST vuln (which seems to be a few apt commands). That would easily resolve issues where a vulnerable service could easily be updated post boot, and propagated to all new/restarted system VMs.

[1] http://forum.xda-developers.com/showthread.php?t=633246

On Thu, Jan 29, 2015 at 1:55 PM, John Kinsella <j...@stratosec.co> wrote:

> Decent points. You think the difference between the VR/CP is different enough to have a second image?
>
> > On Jan 29, 2015, at 1:41 PM, Paul Angus <paul.an...@shapeblue.com> wrote:
> >
> > Hi All,
> >
> > I think that there are 3 things people would like to see:
> >
> > 1. clear versioning of system vm templates, with some kind of compatibility matrix so they know which one(s) they can use with different versions of CloudStack
> > 2. an easy way to update the system vm template
> > 3. an easy(ish) way to customise system vm templates
> >
> > It might be worth considering having two types of template
> > a. the console proxy and secondary storage template
> > b. the virtual router/ VPC template.
> >
> > Regards
> >
> > Paul Angus
> > Cloud Architect
> > S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
> > paul.an...@shapeblue.com
> >
> > -----Original Message-----
> > From: John Kinsella [mailto:j...@stratosec.co]
> > Sent: 29 January 2015 18:06
> > To: dev@cloudstack.apache.org
> > Subject: Re: [DISCUSS] we need a better SSVM solution
> >
> > Interesting…
> >
> > Concur on having an open/standardized protocol. Something clustered like Serf/Consul could be attractive, but the overhead/requirements of those type of things usually scares me away.
> >
> > Having ACS act as a CA would be quite interesting for some things. It’s one of the reasons I’ve pondered a “hook” in the past to notify 3rd party upon VM creation/deletion/etc. Wonder if we could take advantage of dogtag or similar. All that said - setup/management of a CA is a PIA and probably outside scope of ACS, unless you did a “light” one similar to Puppet by default...
> >
> > An aside on that “hook” idea - something scriptable similar to (I said “similar to,” no flames!) systemd for this could be interesting.
> >
> > A good portion of users would resist having an agent installed on the user VM, but I guess we’re in that position already, and they just wouldn’t get the added functionality.
> >
> > One user experience point: Almost every time Parallels comes out with a new version, I have to update their agent on my VMs, which on the Windows side means a reboot. That gets old, and I’ve only got a handful of win VMs there...
> >
> > Going to see if I can puppet-ize one of the SSVMs over the weekend to see what other thoughts come up.
> >
> > John
> >
> >> On Jan 29, 2015, at 2:06 AM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> >>
> >> Good ideas John.
> >>
> >> I’m in fact already discussing a design I’m calling it “agents framework” (suggestions for better name are welcome!), I will try to share and update the spec soon that aims for this feature and refactoring work for ACS 4.6/master.
> >> For now, I’ve shared an architecture diagram here and some high level goals:
> >>
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Agents+Framework
> >>
> >> Along with this, I’ve strong opinions and interests in just getting rid of Java based agents in systemvms (to reduce memory footprint) and replace the current agent-management server protocol (TCP based, which connects to only one management server on port 8250 even if there are multiple management servers) with some interoperable protocol such as json/http, thrift etc that allows us to build better/scalable console proxy services (for example). People don’t discuss much, but virtual routers and systemvms are not well tested at all, we should also need efforts/infra to test these components with less human QA.
> >>
> >> Regards.
> >>
> >>> On 29-Jan-2015, at 2:14 am, John Kinsella <j...@stratosec.co> wrote:
> >>>
> >>> Every time there’s an issue (security or otherwise) with the system VM ISOs, it’s a relative pain to fix. They’re sort of a closed system, people know little (relative to other ACS parts, IMHO) about their innards, and updating them is more difficult than it should be.
> >>>
> >>> I’d love to see a Better Way. I think these things could be dynamically built, with the option to have them connect to a configuration management (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats people’s boat.
> >>>
> >>> One possible use case:
> >>> * User installs new ACS system.
> >>> * User logs into mgmt server, goes to Templates area, clicks button to fetch default SSVM image. UI allows providing alternative URL, other options as needed.
> >>> * (time passes)
> >>> * Security issue is announced. User goes back into Templates area, selects SSVM template, clicks “Download updated template” and it does.
> >>> Under infrastructure/system VMs and infrastructure/virtual routers, there’s buttons to update one or more running instances to use the new template
> >>>
> >>> Another possible use case:
> >>> * User installs new ACS system
> >>> * User uploads SSVM template that has CM agent configured to talk to their CM server (I’ve been wanting to lab this for a while now)
> >>> * As ACS creates system VMs, they phone home to CM server, it provides them with instructions to install various packages and config as needed to be domr/console proxy/whatever. We provide basic “recipes” for CM systems for people to use and grow from.
> >>> * Security issue is announced. User updates recipe in CM system, a few minutes later the SSVMs are up-to-date.
> >>>
> >>> Modification on that use case: We ship the SSVM with puppet/chef/blah installed, part of the SSVM “patch” process configures appropriate CM system.
> >>>
> >>> What might make the second use case easier would be to have some hooks in ACS that when a system is created/destroyed/modified, it informs 3rd party via API.
> >>>
> >>> (Obviously API calls for all of the above to allow process without touching the UI)
> >>>
> >>> Thoughts?
> >>>
> >>> John
> >>
> >> Regards,
> >> Rohit Yadav
> >> Software Architect, ShapeBlue
> >> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
> >> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>
> >> Find out more about ShapeBlue and our range of CloudStack related services
> >>
> >> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> >> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> >> CloudStack Software Engineering<http://shapeblue.com/cloudstack-software-engineering/>
> >> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> >> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
> >>
> >> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.