Hi,

I don't like the idea of cloudstack management handling the "apt-get update && apt-get upgrade" (I am -1 for this solution), or at least I would like to be able to disable it by configuration if we go in this direction.

We use ansible (what a surprise) to update the VR and also to add some custom patches to it. We have a dynamic inventory getting all the VRs with the linklocal IP as ssh host, and we regularly run playbooks against these VRs from a jenkins job. This sounds a bit like a hack at first, but it has the advantage that we are able to run the very same playbooks also against our test and stage cloud, which gives a good feeling.

I would like to see an api for downloading and updating the latest system-vm template. AFAIK this is still not solved (without touching the DB) for updating system-vm templates that have the same version. This way it would be up to the user to handle the upgrade, and to think a bit further, we could also define a rollback scenario (use the previous template).

Regards
René

On 02/22/2016 09:53 AM, Erik Weber wrote:
> As of 4.6 or so, we don't really need to distribute new system vm templates
> all that often, and that is great for upgrades, but less so from a security
> perspective.
>
> With the current approach we ship old system vm templates, with out of date
> packages, and there is currently no good out of the box way to handle that.
>
> There are a few ways to handle it, including, but not limited to:
>
> 1) Introduce a configuration value that specifies if you want to run
> apt-get update && apt-get upgrade on boot. This slows down deployments and
> will only get worse as time passes and there are more packages to update.
> An alternative is to specify a list of packages we _HAVE_ to keep updated
> and only update those.
>
> 2) Package new system vms for all releases, but not bump the version number
> (or introduce a patch version number). This is meant to ensure that new
> cloud deployments are somewhat up to date, but won't update existing ones
> nor ensure that the deployment is kept up to date.
>
> 3) Add an optional? cronjob that does apt-get update && apt-get upgrade,
> the downside is that you risk having some downtime for certain services.
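As an added illustration of option 1 from the quoted mail combined with René's wish for a configuration switch (this is example code, not part of the thread and not CloudStack's own systemvm scripts), the following boot-time hook reads a hypothetical config file with two keys, UPDATE_ON_BOOT and UPDATE_PACKAGES, and either does nothing, upgrades only the listed packages, or runs a full upgrade. The config path and key names are assumptions; the apt-get invocations themselves are standard.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed config file (hypothetical):
#   /etc/cloudstack/vr-updates.conf
#   UPDATE_ON_BOOT=yes|no               -> the operator's on/off switch
#   UPDATE_PACKAGES="openssl dnsmasq"   -> allow-list; empty means upgrade everything
#
# Build the apt command line from the config without running it, so the
# decision is testable and can be logged before anything is changed.
build_update_cmd() {
    conf="$1"
    # Last matching key wins, so an appended override takes effect.
    enabled=$(sed -n 's/^UPDATE_ON_BOOT=//p' "$conf" | tail -n1)
    pkgs=$(sed -n 's/^UPDATE_PACKAGES=//p' "$conf" | tail -n1 | tr -d '"')
    case "$enabled" in
        yes|true|1) ;;
        *) printf '%s\n' "disabled"; return 0 ;;
    esac
    if [ -z "$pkgs" ]; then
        # Full upgrade: simplest, but slows every boot as the package set ages.
        printf '%s\n' "apt-get update && apt-get -y upgrade"
    else
        # Allow-list: only packages already installed are touched, and only
        # those the operator decided must be kept current.
        printf '%s\n' "apt-get update && apt-get -y install --only-upgrade $pkgs"
    fi
}

# Execute the computed command non-interactively and leave a trace in syslog
# so an operator can later see which VRs actually patched themselves on boot.
apply_update() {
    cmd=$(build_update_cmd "$1")
    if [ "$cmd" = "disabled" ]; then
        logger -t vr-update "on-boot package update disabled by configuration"
        return 0
    fi
    logger -t vr-update "running: $cmd"
    DEBIAN_FRONTEND=noninteractive sh -c "$cmd"
}

# Usage from an init script or rc.local: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_update "${2:-/etc/cloudstack/vr-updates.conf}"
fi
```

Keeping the decision in build_update_cmd separate from apply_update means the switch can be checked in a dry run, and the allow-list variant avoids the deployment slowdown the mail worries about while still covering the packages that matter most.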