Hi Wei, all, Thanks for the thread, I've no objections to either of the options, but option2 is preferred as Debian 11 security will EOL mid of this year. So, if not in 4.20, eventually we'll need to migrate systemvmtemplate base OS to Debian 12 at some point in future.
The bigger implication for users will be doubling of their memory consumption in their env for VRs. Regards. ________________________________ From: Wei ZHOU <ustcweiz...@gmail.com> Sent: Tuesday, February 6, 2024 17:33 To: dev <d...@cloudstack.apache.org>; users <users@cloudstack.apache.org> Subject: Discussion: CloudStack upgrade to JRE17 and Debian12/python3 Hi all, My colleagues and I are working on upgrading CloudStack to support the more recent JRE version, python version and Debian version for the systemvm template. We already have made some changes, if you are interested, please review the pull request: https://github.com/apache/cloudstack/pull/8497 Here are what we want to achieve in CloudStack 4.20 *1. Upgrade CloudStack to run with JRE17.* Currently we use JRE11 to build the CloudStack packages starting in 2020. CloudStack mgmt servers/usage/kvm agents run with JRE11 as well. However, JRE11 is EOL in September 2023 [1]. In CloudStack 4.20, we will build CloudStack using JRE11 (because old 4.17/4.18/4/19 systemvm template do not have JRE17 installed) , but enforce user to install JRE17 on mgmt server and kvm hosts when upgrade to CloudStack 4.20 It requires a lot of changes to build CloudStack using JRE17, so it will be mostly like done in CloudStack 4.21 or later. *2. Upgrade CloudStack VR to use python3* python2 is currently used in CloudStack VR, which is already EOL in 2020 [2]. We must migrate to python3 as soon as possible. All python scripts used in CloudStack VR will be migrated to python3. If you use a Debian11 systemvm template (4.17/4.18/4.19), you need to recreate or patch the System VMs and Virtual routers after upgrading to CloudStack 4.20. If you choose to patch a System VM and Virtual router, two packages will be installed: python-is-python3 and python3-netaddr *3. Upgrade CloudStack VR to Debian12* The more recent operating system provides more features and security. This is not urgent as Debian11 will be supported until 2026 [3]. We have tested the Debian12 systemvm templates, and found only two issues - OpenSSL has been upgraded from 1.1.0 to 3.0 in Debian12. Some algorithms are deprecated. We have to set "@SECLEVEL=0" in apache2 config and "PubkeyAcceptedAlgorithms=+ssh-rsa" to sshd config to support some old SSH keys and certificates. - The current default memory size (256MB) of virtual routers is not big enough. The Debian document says 780MB memory is required [4]. We have tested that 512MB/384MB memory is enough. It also works if memory is 320MB. But with 256MB, we got "kernel panic" when system VMs/VRs start. The memory upgrade should not be a problem for most users. If users have thousands of virtual routers, they might need to add more memory. The new debian12 template might have an impact on CKS (cloudstack kubernetes service). Until now, we have not found any issue in our testing with multiple hypervisors (ubuntu22/20, rocky8/alma8/ol8, alma9/ol9, xenserver-71, vmware 67u3/70u3/80) What's your opinion on the following two options ? - Option 1: Upgrade to JRE17 and python3 (still use Debian11) - Option 2: Upgrade to JRE17 and python3 and Debian12 Thank you ! [1] https://www.oracle.com/be/java/technologies/java-se-support-roadmap.html [2] https://www.python.org/doc/sunset-python-2/ [3] https://wiki.debian.org/LTS [4] https://www.debian.org/releases/bookworm/amd64/ch02s05.en.html
