+1 !

On Jan 28, 2015 10:01 PM, "Erik Weber" <terbol...@gmail.com> wrote:
> On Wed, Jan 28, 2015 at 9:44 PM, John Kinsella <j...@stratosec.co> wrote:
>
> > Every time there’s an issue (security or otherwise) with the system VM ISOs, it’s a relative pain to fix. They’re sort of a closed system, people know little (relative to other ACS parts, IMHO) about their innards, and updating them is more difficult than it should be.
> >
> > I’d love to see a Better Way. I think these things could be dynamically built, with the option to have them connect to a configuration management (CM) system such as Puppet, Chef, Salt-Stack or whatever else floats people’s boat.
>
> Totally agree, but we should consider the fact that users might not use our builds and make it equally easy to update with a custom one.
>
> > One possible use case:
> > * User installs new ACS system.
> > * User logs into mgmt server, goes to Templates area, clicks button to fetch default SSVM image. UI allows providing alternative URL, other options as needed.
> > * (time passes)
> > * Security issue is announced. User goes back into Templates area, selects SSVM template, clicks “Download updated template” and it does. Under infrastructure/system VMs and infrastructure/virtual routers, there’s buttons to update one or more running instances to use the new template
>
> If the user is using one of the published templates, why not just download the new one and send a notification that a new template is ready and that systemvms should be scheduled for a restart?
>
> > Another possible use case:
> > * User installs new ACS system
> > * User uploads SSVM template that has CM agent configured to talk to their CM server (I’ve been wanting to lab this for a while now)
> > * As ACS creates system VMs, they phone home to CM server, it provides them with instructions to install various packages and config as needed to be domr/console proxy/whatever. We provide basic “recipes” for CM systems for people to use and grow from.
> > * Security issue is announced. User updates recipe in CM system, a few minutes later the SSVMs are up-to-date.
> >
> > Modification on that use case: We ship the SSVM with puppet/chef/blah installed, part of the SSVM “patch” process configures appropriate CM system.
> >
> > What might make the second use case easier would be to have some hooks in ACS that when a system is created/destroyed/modified, it informs 3rd party via API.
> >
> > (Obviously API calls for all of the above to allow process without touching the UI)
> >
> > Thoughts?
>
> I've wondered for quite some time why we haven't had a simple checkbox in the template register view that says 'Use as System VM' or similar.
>
> Anyway, huge +1
>
> --
> Erik