[Openstack-operators] How to handle updates of public images?
joe at topjian.net
Thu Feb 5 15:12:35 UTC 2015
We do exactly this.
Public images are named very generically like "Ubuntu 14.04". Not even
"14.04.1" or something like that. Old images are renamed and made private.
Existing instances continue to run, but, as others have mentioned, if a
user is using a UUID to launch instances, that will break for them. This
is an acceptable trade-off for us. Our documentation makes mention of this
and to use the names.
The OpenStack CLI tools as well as Vagrant (the two most used non-Dashboard
tools that are used) both support image names, so we haven't run into a
We have a modified MOTD that lists some different scripts that the user can
run, such as:
* Using our local apt-cache server (Ubuntu only)
* Enabling automatic updates
* Install the openstack command-line tools
We had a few debates about turning on automatic updates in the images we
provide. Ultimately we chose to not enable them and instead go with the
MOTD message. There are several reasons why having automatic updates
enabled is a benefit, but the single reason that made us not do it is
simply "if an automatic update breaks the user's instance, it's our fault."
It's a very debatable argument.
Also, we use Packer to bundle all of this. We have most of it available
In addition to all of this, we allow users to upload their own images. So
if the core set of images we provide doesn't meet their needs, they're free
to create their own solution.
On Thu, Feb 5, 2015 at 7:02 AM, Abel Lopez <alopgeek at gmail.com> wrote:
> I always recommend the following:
> All public images are named generically enough that they can be replaced
> with a new version of the same name. This helps new instances booting.
> The prior image is renamed with -OLD-$date. This lets users know that
> their image has been deprecated. This image is made private so no new
> instances can be launched.
> All images include an updated motd that indicates available security
> We're discussing baking the images with automatic updates, but still
> haven't reached an agreement.
> On Thursday, February 5, 2015, Tim Bell <Tim.Bell at cern.ch> wrote:
>> > -----Original Message-----
>> > From: George Shuklin [mailto:george.shuklin at gmail.com]
>> > Sent: 05 February 2015 14:10
>> > To: openstack-operators at lists.openstack.org
>> > Subject: [Openstack-operators] How to handle updates of public images?
>> > Hello everyone.
>> > We are updating our public images regularly (to provide them to
>> > customers in up-to-date state). But there is a problem: If some
>> > instance starts from image it becomes 'used'. That means:
>> > * That image is used as _base for nova
>> > * If instance is reverted this image is used to recreate instance's disk
>> > * If instance is rescued this image is used as rescue base
>> > * It is redownloaded during resize/migration (on a new compute node)
>> > One more (our specific):
>> > We're using raw disks with _base on slow SATA drives (in comparison to
>> > fast SSD for disks), and if that SATA fails, we replace it (and nova
>> > redownloads stuff in _base).
>> > If image is deleted, it causes problems with nova (nova can't download
>> > The second part of the problem: glance disallows to update image
>> > (upload new image with same ID), so we're forced to upload updated
>> > image with new ID and to remove the old one. This causes problems
>> > described above.
>> > And if tenant boots from own snapshot and removes snapshot without
>> > instance, it causes same problem even without our activity.
>> > How do you handle public image updates in your case?
>> We have a similar problem. For the Horizon based end users, we've defined
>> a panel using image meta data. Details are at
>> For the CLI users, we propose to use the sort options from Glance to find
>> the latest image of a particular OS.
>> It would be good if there was a way of marking an image as hidden so that
>> it can still be used for snapshots/migration but would not be shown in
>> image list operations.
>> > Thanks!
>> > _______________________________________________
>> > OpenStack-operators mailing list
>> > OpenStack-operators at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
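The rotation described in this thread (the newest image keeps the generic name; older ones are renamed with an -OLD-date suffix and made private rather than deleted), as an added example that is not code from any of the posters. The image records are constructed, the suffix is assumed to be the retirement date, and the emitted commands assume the unified `openstack` client's `image set --name` and `--private` options.

```python
from datetime import date

# Constructed sample of an image listing (IDs are placeholders, not real UUIDs).
SAMPLE_IMAGES = [
    {"id": "img-aaa", "name": "Ubuntu 14.04", "visibility": "public",
     "created_at": "2014-11-03"},
    {"id": "img-bbb", "name": "Ubuntu 14.04", "visibility": "public",
     "created_at": "2015-02-01"},
    {"id": "img-ccc", "name": "CentOS 7", "visibility": "public",
     "created_at": "2015-01-10"},
    {"id": "img-ddd", "name": "Ubuntu 14.04-OLD-2014-11-03",
     "visibility": "private", "created_at": "2014-08-01"},
]


def plan_rotation(images, today):
    """Return (image_id, new_name) for every public image that should retire.

    For each generic public name the newest image stays as it is; every older
    image with that name is renamed to <name>-OLD-<date> and made private.
    Nothing is deleted, since deletion is the case the original question
    reports as causing problems for nova.
    """
    by_name = {}
    for img in images:
        if img["visibility"] == "public":
            by_name.setdefault(img["name"], []).append(img)

    actions = []
    for name, group in sorted(by_name.items()):
        # ISO dates sort correctly as strings; newest first.
        group.sort(key=lambda i: i["created_at"], reverse=True)
        for old in group[1:]:
            actions.append((old["id"], f"{name}-OLD-{today.isoformat()}"))
    return actions


def to_commands(actions):
    """Render the plan as CLI commands for review before anything is run."""
    return [f'openstack image set --name "{new_name}" --private {image_id}'
            for image_id, new_name in actions]


if __name__ == "__main__":
    for cmd in to_commands(plan_rotation(SAMPLE_IMAGES, date(2015, 2, 5))):
        print(cmd)
```
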