I thinks John's idea is very good. we should fource on the security ,not others.
Another possible use case: * User installs new ACS system * User uploads SSVM template that has CM agent configured to talk to their CM server (I’ve been wanting to lab this for a while now) * As ACS creates system VMs, they phone home to CM server, it provides them with instructions to install various packages and config as needed to be domr/console proxy/whatever. We provide basic “recipes” for CM systems for people to use and grow from. * Security issue is announced. User updates recipe in CM system, a few minutes later the SSVMs are up-to-date. 2015-01-30 7:47 GMT+08:00 Adrian Lewis <adr...@alsiconsulting.co.uk>: > From a non-dev user's perspective I think Paul's pretty much nailed the key > issues I'd like to see improve with the system VMs. The big one for us is > the ability to customise the VR template to add things like netflow export > and other value-add services through additional software packages without > having to do this individually on each VR deployed. > > -----Original Message----- > From: Ahmad Emneina [mailto:aemne...@gmail.com] > Sent: 29 January 2015 22:17 > To: dev@cloudstack.apache.org > Subject: Re: [DISCUSS] we need a better SSVM solution > > Pauls suggestion reminds me of some awesome functionality I see in the > aftermarket android ROM community. That is 'Kitchens'[1]. > > A utility/site that provides functionality that allows for admins to create > customized system templates... > > Giving choices of: > - OS > - kernel > - VPN server > - various other services... > > Of course this is fantasy at the moment, I see the lowest barrier to entry > would be a cloud-init style utility where we can pass in commands or > scripts, like the steps to mitigate the GHOST vuln (which seems to be a few > apt commands). That would easily resolve issues where a vulnerable service > could easily be updated post boot, and propagated to all new/restarted > system vm's. > > [1] http://forum.xda-developers.com/showthread.php?t=633246 > > On Thu, Jan 29, 2015 at 1:55 PM, John Kinsella <j...@stratosec.co> wrote: > >> Decent points. You think the difference between the VR/CP is different >> enough to have a second image? >> >> > On Jan 29, 2015, at 1:41 PM, Paul Angus <paul.an...@shapeblue.com> >> wrote: >> > >> > Hi All, >> > >> > I think that there are 3 things people would like to see: >> > >> > 1. clear versioning of system vm templates, with some kind of >> compatibility matrix so they know which one(s) they can use with >> different versions of CloudStack >> > 2. an easy way to update the system vm template 3. an easy(ish) way >> > to customise system vm templates >> > >> > It might be worth considering have two types of template a. the >> > console proxy and secondary storage template b. the virtual router/ >> > VPC template. >> > >> > >> > >> > Regards >> > >> > Paul Angus >> > Cloud Architect >> > S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus >> > paul.an...@shapeblue.com >> > >> > -----Original Message----- >> > From: John Kinsella [mailto:j...@stratosec.co] >> > Sent: 29 January 2015 18:06 >> > To: dev@cloudstack.apache.org >> > Subject: Re: [DISCUSS] we need a better SSVM solution >> > >> > Interesting… >> > >> > Concur on having an open/standardized protocol. Something clustered >> > like >> Serf/Consul could be attractive, but the overhead/requirements of >> those type of things usually scares me away. >> > >> > Having ACS act as a CA would be quite interesting for some things. >> > It’s >> one of the reasons I’ve pondered a “hook” in the past to notify 3rd >> party upon VM creation/deletion/etc. Wonder if we could take advantage >> of dogtag or similar. All that said - setup/management of a CA is a >> PIA and probably outside scope of ACS, unless you did a “light” one >> similar to Puppet by default... >> > >> > An aside on that “hook” idea - something scriptable similar to (I >> > said >> “similar to," no flames!) systemd for this could be interesting. >> > >> > A good portion of users would resist having an agent installed on >> > the >> user VM, but I guess we’re in that position already, and they just >> wouldn’t get the added functionality. >> > >> > One user experience point: Almost every time Parallels comes out >> > with a >> new version, I have to update their agent on my VMs, which on the >> Windows side means a reboot. That gets old, and I’ve only got a >> handful of win VMs there... >> > >> > Going to see if I can puppet-ize one of the SSVMs over the weekend >> > to >> see what other thoughts come up. >> > >> > John >> > >> >> On Jan 29, 2015, at 2:06 AM, Rohit Yadav >> >> <rohit.ya...@shapeblue.com> >> wrote: >> >> >> >> Good ideas John. >> >> >> >> I’m in fact already discussing a design I’m calling it "agents >> framework” (suggestions for better name are welcome!), I will try to >> share and update the spec soon that aims for this feature and >> refactoring work for ACS 4.6/master. For now, I’ve shared an >> architecture diagram here and some high level goals: >> >> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Agents+Frame >> >> work >> >> >> >> Along with this, I’ve strong opinions and interests in just getting >> >> rid >> of Java based agents in systemvms (to reduce memory footprint) and >> replace the current agent-management server protocol (TCP based, which >> connects to only one management server on prt 8250 even if there are >> multiple management servers) with some interoperable protocol such as >> json/http, thrift etc that allows us to build better/scalable console >> proxy services (for example). People don’t discuss much, but virtual >> routers and systemvms are not well tested at all, we should also need >> efforts/infra to test these components with less human QA. >> >> >> >> Regards. >> >> >> >>> On 29-Jan-2015, at 2:14 am, John Kinsella <j...@stratosec.co> wrote: >> >>> >> >>> Every time there’s an issue (security or otherwise) with the >> >>> system VM >> ISOs, it’s a relative pain to fix. They’re sort of a closed system, >> people know little (relative to other ACS parts, IMHO) about their >> innards, and updating them is more difficult than it should be. >> >>> >> >>> I’d love to see a Better Way. I think these things could be >> dynamically built, with the option to have them connect to a >> configuration management (CM) system such as Puppet, Chef, Salt-Stack >> or whatever else floats people’s boat. >> >>> >> >>> One possible use case: >> >>> * User installs new ACS system. >> >>> * User logs into mgmt server, goes to Templates area, clicks >> >>> button to >> fetch default SSVM image. UI allows providing alternative URL, other >> options as needed. >> >>> * (time passes) >> >>> * Security issue is announced. User goes back into Templates area, >> selects SSVM template, clicks “Download updated template” and it does. >> Under infrastructure/system VMs and infrastrucutre/virtual routers, >> there’s buttons to update one or more running instances to use the new >> template >> >>> >> >>> Another possible use case: >> >>> * User installs new ACS system >> >>> * User uploads SSVM template that has CM agent configured to talk >> >>> to >> their CM server (I’ve been wanting to lab this for a while now) >> >>> * As ACS creates system VMs, they phone home to CM server, it >> >>> provides >> them with instructions to install various packages and config as >> needed to be domr/console proxy/whatever. We provide basic “recipes” >> for CM systems for people to use and grow from. >> >>> * Security issue is announced. User updates recipe in CM system, a >> >>> few >> minutes later the SSVMs are up-to-date. >> >>> >> >>> Modification on that use case: We ship the SSVM with >> >>> puppet/chef/blah >> installed, part of the SSVM “patch” process configures appropriate CM >> system. >> >>> >> >>> What might make the second use case easier would be to have some >> >>> hooks >> in ACS that when a system is created/destroyed/modified, it informs >> 3rd party via API. >> >>> >> >>> (Obviously API calls for all of the above to allow process without >> touching the UI) >> >>> >> >>> Thoughts? >> >>> >> >>> John >> >> >> >> Regards, >> >> Rohit Yadav >> >> Software Architect, ShapeBlue >> >> M. +91 88 262 30892 | rohit.ya...@shapeblue.com >> >> Blog: bhaisaab.org | Twitter: @_bhaisaab >> >> >> >> >> >> >> >> Find out more about ShapeBlue and our range of CloudStack related >> services >> >> >> >> IaaS Cloud Design & Build< >> http://shapeblue.com/iaas-cloud-design-and-build//> >> >> CSForge – rapid IaaS deployment >> >> framework<http://shapeblue.com/csforge/ >> > >> >> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/> >> >> CloudStack Software Engineering< >> http://shapeblue.com/cloudstack-software-engineering/> >> >> CloudStack Infrastructure Support< >> http://shapeblue.com/cloudstack-infrastructure-support/> >> >> CloudStack Bootcamp Training Courses< >> http://shapeblue.com/cloudstack-training/> >> >> >> >> This email and any attachments to it may be confidential and are >> intended solely for the use of the individual to whom it is addressed. >> Any views or opinions expressed are solely those of the author and do >> not necessarily represent those of Shape Blue Ltd or related >> companies. If you are not the intended recipient of this email, you >> must neither take any action based upon its contents, nor copy or show >> it to anyone. Please contact the sender if you believe you have received >> this email in error. >> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue >> Services India LLP is a company incorporated in India and is operated >> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda >> is a company incorporated in Brasil and is operated under license from >> Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The >> Republic of South Africa and is traded under license from Shape Blue >> Ltd. ShapeBlue is a registered trademark. >> > >> > Find out more about ShapeBlue and our range of CloudStack related >> services >> > >> > IaaS Cloud Design & Build< >> http://shapeblue.com/iaas-cloud-design-and-build//> >> > CSForge – rapid IaaS deployment >> > framework<http://shapeblue.com/csforge/> >> > CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/> >> > CloudStack Software Engineering< >> http://shapeblue.com/cloudstack-software-engineering/> >> > CloudStack Infrastructure Support< >> http://shapeblue.com/cloudstack-infrastructure-support/> >> > CloudStack Bootcamp Training Courses< >> http://shapeblue.com/cloudstack-training/> >> > >> > This email and any attachments to it may be confidential and are >> intended solely for the use of the individual to whom it is addressed. >> Any views or opinions expressed are solely those of the author and do >> not necessarily represent those of Shape Blue Ltd or related >> companies. If you are not the intended recipient of this email, you >> must neither take any action based upon its contents, nor copy or show >> it to anyone. Please contact the sender if you believe you have received >> this email in error. >> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue >> Services India LLP is a company incorporated in India and is operated >> under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda >> is a company incorporated in Brasil and is operated under license from >> Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The >> Republic of South Africa and is traded under license from Shape Blue >> Ltd. ShapeBlue is a registered trademark. >> >> -- 白清杰 (Born Bai) Mail: linux...@gmail.com