On Wed, Jan 28, 2015 at 9:44 PM, John Kinsella <j...@stratosec.co> wrote:

> Every time there’s an issue (security or otherwise) with the system VM
> ISOs, it’s a relative pain to fix. They’re sort of a closed system, people
> know little (relative to other ACS parts, IMHO) about their innards, and
> updating them is more difficult than it should be.
>
> I’d love to see a Better Way. I think these things could be dynamically
> built, with the option to have them connect to a configuration management
> (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats
> people’s boat.
>
>
Totally agree, but we should consider the fact that users might not use our
builds and make it equally easy to update with a custom one.

> One possible use case:
> * User installs new ACS system.
> * User logs into mgmt server, goes to Templates area, clicks button to
> fetch default SSVM image. UI allows providing alternative URL, other
> options as needed.
> * (time passes)
> * Security issue is announced. User goes back into Templates area, selects
> SSVM template, clicks “Download updated template” and it does. Under
> infrastructure/system VMs and infrastructure/virtual routers, there’s
> buttons to update one or more running instances to use the new template
>
>
If the user is using one of the published templates, why not just download
the new one and send a notification that a new template is ready and that
systemvms should be scheduled for a restart?


> Another possible use case:
> * User installs new ACS system
> * User uploads SSVM template that has CM agent configured to talk to their
> CM server (I’ve been wanting to lab this for a while now)
> * As ACS creates system VMs, they phone home to CM server, it provides
> them with instructions to install various packages and config as needed to
> be domr/console proxy/whatever. We provide basic “recipes” for CM systems
> for people to use and grow from.
> * Security issue is announced. User updates recipe in CM system, a few
> minutes later the SSVMs are up-to-date.
>
> Modification on that use case: We ship the SSVM with puppet/chef/blah
> installed, part of the SSVM “patch” process configures appropriate CM
> system.
>
> What might make the second use case easier would be to have some hooks in
> ACS that when a system is created/destroyed/modified, it informs 3rd party
> via API.
>
> (Obviously API calls for all of the above to allow process without
> touching the UI)
>
> Thoughts?
>
>
I've wondered for quite some time why we haven't had a simple checkbox in
the template register view that says 'Use as System VM' or similar.

Anyway, huge +1

-- 
Erik
