F20 System Wide Change: Visible Cloud

Daniel P. Berrange berrange at redhat.com
Mon Jul 15 16:05:47 UTC 2013


On Mon, Jul 15, 2013 at 11:50:53AM -0400, Matthew Miller wrote:
> On Mon, Jul 15, 2013 at 11:34:33AM +0100, Daniel P. Berrange wrote:
> > What's our update story for cloud images ?
> 
> We have the ability to do ad-hoc updates for critical flaws -- we did that
> once for F17/F18 in the last few months. But in general, the primary
> approach is yum update.
> 
> > While you could run 'yum update' when first booting a cloud image, that
> > leaves open a window of vulnerability. With an anaconda install you can
> > enable the updates repo at time of installation to remove this window
> > of vulnerability. So I think we need to solve it for cloud images too
> > if we're going to promote them as equal options.
> 
> We're helped a little bit by the fact that the default image is reasonably
> minimal. One could bring it up with the cloud infrastructure's protections
> in place (for example, security groups), run yum update where needed and
> install the actual services meant to run in the image, and then remove the
> restrictions.

Yes, there are ways to apply updates securely as a user, but they're
non-obvious procedures that few, if any, admins are going to figure out,
even if they realize they need to. I don't think it is acceptable to
just wash our hands of this problem & let admins deal with it.

Having a minimal package set certainly reduces the frequency at which
Fedora cloud images will be impacted by security issues, but obviously
doesn't eliminate the issue.

> > I'm not suggesting we need to rebuild images for every update, but at a
> > minimum, when we issue CVE / security errata that affects an image, I'd
> > expect us to also rebuild and publish new cloud images pretty much
> > synchronously.
> 
> We're definitely not there yet. We're working on a process to automatically
> build and upload images -- for F20, this is meant for test releases, but we
> could aim to do it in production too for F21. In the meantime, if there are
> critical network-exploitable flaws I expect we will do an update "by hand".

Regardless of whether we're going to have something to automate it, or do it
by hand, the Feature page should formally specify that we are committed to
providing updated cloud images when they're affected by any published
security errata.

IMHO a publicised security update policy for cloud images should be a
'must have' prior to promoting the images as 1st class citizens supported
by Fedora.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

