I don't like the puppet/chef idea but at Schuberg Philis we use
ansible which negates most of my opposition :p

I would rather have an 'upload or sysvmtemplate'. The system VM template
has some requirements, so I think we would either require it to be
built (on the MS?) or be checked during upload. At least the MS should
allow for automatic update. Remi and I got some inspiration last night
from our update of about 200 routers and some SSVMs and CPVMs. To
cut it short: I'm with scenario 1.

On Wed, Jan 28, 2015 at 10:09 PM, Andrija Panic <andrija.pa...@gmail.com> wrote:
> +1 !
> On Jan 28, 2015 10:01 PM, "Erik Weber" <terbol...@gmail.com> wrote:
>
>> On Wed, Jan 28, 2015 at 9:44 PM, John Kinsella <j...@stratosec.co> wrote:
>>
>> > Every time there’s an issue (security or otherwise) with the system VM
>> > ISOs, it’s a relative pain to fix. They’re sort of a closed system, people
>> > know little (relative to other ACS parts, IMHO) about their innards, and
>> > updating them is more difficult than it should be.
>> >
>> > I’d love to see a Better Way. I think these things could be dynamically
>> > built, with the option to have them connect to a configuration management
>> > (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats
>> > people’s boat.
>> >
>> >
>> Totally agree, but we should consider the fact that users might not use our
>> builds and make it equally easy to update with a custom one.
>>
>> One possible use case:
>> > * User installs new ACS system.
>> > * User logs into mgmt server, goes to Templates area, clicks button to
>> > fetch default SSVM image. UI allows providing alternative URL, other
>> > options as needed.
>> > * (time passes)
>> > * Security issue is announced. User goes back into Templates area, selects
>> > SSVM template, clicks “Download updated template” and it does. Under
>> > infrastructure/system VMs and infrastructure/virtual routers, there’s
>> > buttons to update one or more running instances to use the new template
>> >
>> >
>> If the user is using one of the published templates, why not just download
>> the new one and send a notification that a new template is ready and that
>> systemvms should be scheduled for a restart?
>>
>>
>> > Another possible use case:
>> > * User installs new ACS system
>> > * User uploads SSVM template that has CM agent configured to talk to their
>> > CM server (I’ve been wanting to lab this for a while now)
>> > * As ACS creates system VMs, they phone home to CM server, it provides
>> > them with instructions to install various packages and config as needed to
>> > be domr/console proxy/whatever. We provide basic “recipes” for CM systems
>> > for people to use and grow from.
>> > * Security issue is announced. User updates recipe in CM system, a few
>> > minutes later the SSVMs are up-to-date.
>> >
>> > Modification on that use case: We ship the SSVM with puppet/chef/blah
>> > installed, part of the SSVM “patch” process configures appropriate CM
>> > system.
>> >
>> > What might make the second use case easier would be to have some hooks in
>> > ACS that when a system is created/destroyed/modified, it informs 3rd party
>> > via API.
>> >
>> > (Obviously API calls for all of the above to allow process without
>> > touching the UI)
>> >
>> > Thoughts?
>> >
>> >
>> I've wondered for quite some time why we haven't had a simple checkbox in
>> the template register view that says 'Use as System VM' or similar.
>>
>> Anyway, huge +1
>>
>> --
>> Erik
>>



-- 
Daan
