Hi Swen,

Assuming you are using advanced zones my idea below would involve:

1) Create a patching account in your CloudStack environment.
2) Spin up your repo clone boxes in this account – and configure these with 
some sort of nightly synch with the RHEL / Ubuntu / CentOS / etc yum etc 
repositories.
3) On the public IP address for the patching account configure firewalling / 
NATing to allow anyone from the same public IP range to access the repo boxes.
4) Configure a DNS entry for this IP address on the DNS servers used by your 
CloudStack infrastructure.
5) Configure cloud-init or similar to check for updates on the DNS server name 
– either on reboot or with a cron type job on a specific date of the month.

Just one idea, there will be many ways to do this. The synched repo boxes don’t 
need to be hosted in CloudStack, they could just be hosted externally on an IP 
address accessible from your public range.
The other thing is you probably want your end users to be able to opt in or out 
of this mechanism, so you may want to put in place some user key/values to 
control this. If you wanted you could also rig up some automation where the VM 
is snapshot’ed prior to patching so users have a rollback point.

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue
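
The guest side of steps 4 and 5, as an added example that is not part of the original message: it assumes a CentOS 7 guest, a hypothetical DNS name patch-repo.cloud.example for the mirror, and a hypothetical opt-out marker file. gpgcheck stays on so guests still verify package signatures when pulling over plain HTTP from the mirror.

```yaml
#cloud-config
# Added example. Assumptions: CentOS 7 guest, mirror reachable under the
# hypothetical name patch-repo.cloud.example, opt-out via a marker file.
yum_repos:
  internal-mirror:
    name: Internal patch mirror
    baseurl: http://patch-repo.cloud.example/centos/$releasever/updates/$basearch/
    enabled: true
    gpgcheck: true
    gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

write_files:
  - path: /usr/local/sbin/patch-from-mirror.sh
    owner: root:root
    permissions: '0750'
    content: |
      #!/bin/sh
      # The VM owner opts out by creating this (hypothetical) marker file.
      [ -e /etc/patching/opt-out ] && exit 0
      # Use only the internal mirror, so no internet route is needed.
      exec yum -y --disablerepo='*' --enablerepo=internal-mirror update
  - path: /etc/cron.d/patch-from-mirror
    owner: root:root
    permissions: '0644'
    content: |
      # 03:30 on the 1st day of every month
      30 3 1 * * root /usr/local/sbin/patch-from-mirror.sh

runcmd:
  # Also patch once at first boot.
  - [ /usr/local/sbin/patch-from-mirror.sh ]
```
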

On 19/01/2017, 14:09, "S. Brüseke - proIO GmbH" <s.brues...@proio.com> wrote:

    Hi Dag,
    
    How can I provide a connection to an internal repo for all networks in my CS
    installation by default?
    
    With kind regards,
    
    Swen
    
    
    -----Original Message-----
    From: Dag Sonstebo [mailto:dag.sonst...@shapeblue.com]
    Sent: Thursday, 19 January 2017 14:41
    To: users@cloudstack.apache.org
    Subject: Re: Template management
    
    Hi Swen,
    
    If you wanted to do this on boot with cloud-init or a similar mechanism you
    would actually engineer the solution such that an internet connection wasn’t
    required. If you have every VM updating over the internet you end up paying
    for a lot of unnecessary bandwidth. You would instead make sure you have
    internal cloned patch repositories which you synchronize hourly/daily - which
    means all user VMs only pull patches on the internal network. You could even
    “eat your own dogfood/drink your own champagne” and host this on one of the
    accounts in the same CloudStack infrastructure – then simply set up
    connection on the public network. That way the update traffic isn’t ever
    leaving your switches per se.
    
    Not sure how AWS etc. do this, but they have deep pockets…
    
    Regards,
    Dag Sonstebo
    Cloud Architect
    ShapeBlue
    
    On 19/01/2017, 13:31, "S. Brüseke - proIO GmbH" <s.brues...@proio.com> wrote:
    
        @Dag: Thanks for the confirmation and for the link.
        
        @Rene: Of course it is the user's responsibility, but we want to
        provide a VM with the latest updates each time you deploy a new VM. :-)
        I know that cloud-init can do this on boot, but what if the network has
        no internet connection?
        
        Does anybody know how AWS or DigitalOcean is handling this?
        
        With kind regards,
        
        Swen
        
        
        -----Original Message-----
        From: Rene Moser [mailto:m...@renemoser.net]
        Sent: Thursday, 19 January 2017 11:03
        To: users@cloudstack.apache.org
        Subject: Re: Template management
        
        Hi Swen
        
        On 01/19/2017 10:04 AM, S. Brüseke - proIO GmbH wrote:
        
        > I am really interested in other solutions and workflows, so please 
        > shoot. :-)
        
        We decided not to do, or to minimize (1-2 updates per year), template
        updates for "system updates" for two main reasons:
        
        1. It is the user's responsibility to keep systems up to date anyway.
        2. Using cfg management and/or cloud-init, it is more than easy to
           update systems.
        
        Regards
        René
        
        
        - proIO GmbH -
        Managing Director: Swen Brüseke
        Registered office: Frankfurt am Main
        
        VAT ID No. DE 267 075 918
        Register court: Frankfurt am Main - HRB 86239
        
    
    
    dag.sonst...@shapeblue.com
    www.shapeblue.com
    53 Chandos Place, Covent Garden, London WC2N 4HS UK @shapeblue
    

