We are comparing different sources; I was comparing the 'official', e.g. the documented template, not the one regularly built by Jenkins.
--
Erik

On Mon, Feb 22, 2016 at 1:11 PM, Remi Bergsma <rberg...@schubergphilis.com> wrote:

> It _must_ be lying :-)
>
> When I install a systemvm from this last build:
> http://jenkins.buildacloud.org/job/build-systemvm64-master/lastBuild/artifact/tools/appliance/dist/systemvm64template-master-4.6.0-xen.vhd.bz2
>
> It has 4.6.0 version, but /etc/cloudstack-version shows it was built today.
>
> cat /etc/cloudstack-release
> Cloudstack Release 4.6.0 Mon Feb 22 09:33:04 UTC 2016
>
> Regards,
>
> Remi
>
> On 22/02/16 12:23, "Erik Weber" <terbol...@gmail.com> wrote:
>
> >On Mon, Feb 22, 2016 at 11:42 AM, Remi Bergsma <rberg...@schubergphilis.com>
> >wrote:
> >
> >> Hi Erik,
> >>
> >> The version might not change, but Jenkins builds new ones every night with
> >> latest OS patches:
> >> http://jenkins.buildacloud.org/job/build-systemvm64-master/
> >>
> >> Option 1) and 3) will work once we allow more space on the systemvm
> >> template for it to actually handle installing stuff. You then also assume
> >> they have internet access, which may not be true.
> >>
> >If they aren't accessible from the internet then securing them isn't as
> >important either.
> >You still have to factor in the internal risk, but that is generally far
> >lower than the external risk.
> >
> >In cases where it is accessible from the internet, but does not have
> >outgoing access to the internet you're up for a treat.
> >
> >> Option 2) I think we already do that?
> >>
> >
> >Unless the web server is lying to me, then no:
> >eriweb@eriweb:~$ curl -Is http://cloudstack.apt-get.eu/systemvm/4.6/systemvm64template-4.6.0-kvm.qcow2.bz2 | grep Last-Modified
> >Last-Modified: Mon, 09 Nov 2015 11:30:30 GMT
> >
> >> You can always upload a new template and replace it (a global config like
> >> systemvm.minversion or so exists). This will require to reboot all routers
> >> currently.
> >>
> >Sure I know that, but to replace the whole system vm just to update glibc,
> >haproxy or what have you seems a bit extreme.
> >
> >My intention for this thread was to figure out if we can provide cloudstack
> >users a way to ensure their system vms are kept up to date.
> >It should be optional so that more advanced users or those without internet
> >etc. don't run into issues because of it, while still keeping all those
> >small clouds that 'just works' safe and secure.
> >
> >--
> >Erik