On Mon, Jul 15, 2013 at 11:34:33AM +0100, Daniel P. Berrange wrote:
> What's our update story for cloud images ?

We have the ability to do ad-hoc updates for critical flaws -- we did that
once for F17/F18 in the last few months. But in general, the primary
approach is yum update.

> While you could run 'yum update' when first booting a cloud image, that
> leaves open a window of vulnerability. With an anaconda install you can
> enable the updates repo at time of installation to remove this window
> of vulnerability. So I think we need to solve it for cloud images too
> if we're going to promote them as equal options.

We're helped a little bit by the fact that the default image is reasonably
minimal. One could bring it up with the cloud infrastructure's protections
in place (for example, security groups), run yum update where needed and
install the actual services meant to run in the image, and then remove the
restrictions.

> I'm not suggesting we need to rebuild images for every update, but at a
> minimum, when we issue CVE / security errata that affects an image, I'd
> expect us to also rebuild and publish new cloud images pretty much
> synchronously.

We're definitely not there yet. We're working on a process to automatically
build and upload images -- for F20, this is meant for test releases, but we
could aim to do it in production too for F21. In the meantime, if there are
critical network-exploitable flaws I expect we will do an update "by hand".

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm@xxxxxxxxxxxxxxxxx>
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
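The first-boot sequence described in the reply (bring the instance up behind the cloud's own restrictions, apply updates, install the workload, then open access) can be expressed as cloud-init user-data so that the update happens before any service is exposed. The following is an added example and is not from the thread or from Fedora's cloud image tooling; it assumes the image runs cloud-init with the yum package module, and the service name `httpd` and the `systemctl` invocation are placeholder choices.

```yaml
#cloud-config
# Added example (not from the thread): narrow the first-boot update window
# by refreshing and upgrading packages before the workload is installed or
# started. Assumes cloud-init with the yum package module; "httpd" is a
# placeholder service name.

# Without these two keys the instance keeps running the package set baked
# in at image-build time until someone runs "yum update" by hand.
package_update: true
package_upgrade: true

# Only after the upgrade install the service the instance is meant to run,
# so it is installed from current repositories rather than the image set.
packages:
  - httpd

# If the upgrade replaced the kernel or glibc, reboot before any service
# accepts connections so the patched versions are actually in use.
package_reboot_if_required: true

# Start the workload last. Lifting the cloud-side restrictions (security
# groups) remains a separate step performed once this has completed.
runcmd:
  - [ systemctl, enable, --now, httpd ]
```

cloud-init runs the package update/upgrade/install module in its config stage and `runcmd` in the later final stage, so the ordering above holds without extra scripting. This only protects instances booted after the errata ship; instances already running, and the image itself, still need the rebuild-and-republish process the thread discusses.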