On Mon, Feb 22, 2016 at 11:42 AM, Remi Bergsma <rberg...@schubergphilis.com> wrote:
> Hi Erik,
>
> The version might not change, but Jenkins builds new ones every night with
> latest OS patches:
> http://jenkins.buildacloud.org/job/build-systemvm64-master/
>
> Option 1) and 3) will work once we allow more space on the systemvm
> template for it to actually handle installing stuff. You then also assume
> they have internet access, which may not be true.
>

If they aren't accessible from the internet then securing them isn't as important either. You still have to factor in the internal risk, but that is generally far lower than the external risk. In cases where it is accessible from the internet, but does not have outgoing access to the internet you're up for a treat.

> Option 2) I think we already do that?
>

Unless the web server is lying to me, then no:

eriweb@eriweb:~$ curl -Is http://cloudstack.apt-get.eu/systemvm/4.6/systemvm64template-4.6.0-kvm.qcow2.bz2 | grep Last-Modified
Last-Modified: Mon, 09 Nov 2015 11:30:30 GMT

> You can always upload a new template and replace it (a global config like
> systemvm.minversion or so exists). This will require to reboot all routers
> currently.
>

Sure I know that, but to replace the whole system vm just to update glibc, haproxy or what have you seems a bit extreme.

My intention for this thread was to figure out if we can provide cloudstack users a way to ensure their system vms are kept up to date. It should be optional so that more advanced users or those without internet etc. don't run into issues because of it, while still keeping all those small clouds that 'just works' safe and secure.

--
Erik