Staying up to date with Glance Images

Jared Baker

Nov. 18, 2016

Introduction

When users deploy instances in the Cloud the first thing they often do is update their instance with the latest packages & security fixes. That’s good practice and we should all be doing that, but as a user I get irritated when a brand new instance requires hundreds of packages to be updated because the cloud image is old and full of vulnerabilities.

:(

As a Cloud admin, part of my job is to provide an efficient but secure user experience. In this post I will share with you how we achieve that by keeping our Glance images in OpenStack up to date. Unfortunately Glance does not have any auto-update mechanism for cloud images, nor could I find any 3rd party solutions so I wrote a bash script to do this for us.

:)

What does it do?

  • Check for new cloud images for various distributions (Ubuntu, CentOS, Debian)
  • Alert Cloud admins via email when a new image is available
  • Perform checksums along the way to ensure valid images are being downloaded
  • Maintain a friendly and consistent image name in OpenStack (ie “CentOS 7 - latest”) so users of the cloud can use predictable names in their automated workflows.
  • Log script output to a file that is handled by logstash
  • By default run as a check & notifier via cron but be able to run interactively to update with added syntax (–update)

Prerequisites

The Bash script

Disclaimer

I come from a IP Networking & technical support background. I don’t claim to be of a developers mindset and clearly you will see that in my rudimentary implementation of automating this task. I encourage you to take this script and make it your own.

Available here

Usage

We run the script once a day with cron. If nothing needs to be updated then no email will be sent and the output of the script is quietly logged. Otherwise if there is any images that are out of date an email will be sent saying what needs to be updated. At that point you can decide to run the script interactively using the –update argument. We chose to not automatically update the images because we often want to review release notes, check compatibility, etc.

#./image_refresh.sh
Thu Nov 17 15:42:00 EST 2016
Ubuntu 14.04 Update available. Run with --update
Ubuntu 16.04 online checksum matches local, nothing to do
CentOS 7 online checksum matches local, nothing to do
Debian 8 online checksum matches local, nothing to do
#./image_refresh.sh --update
RUNNING SCRIPT IN UPDATE MODE

Wish List

These are just a few things I would like to improve upon when I get a bit more time and develop my skills in bash scripting. I will update the script on github when time permits to make these modifications and more!

  • Make the script easier to maintain by using for loops
  • Check for successful openstack image creation before deletion
  • Improve the logging to contain timestamps on each log entry

Conclusion

Users will now deploy instances from our public images that contain the latest builds from each Linux distribution. This cuts down on deployment time for the users and reduces exposure to potential vulnerabilities.

Nice and clean!

Glance / OpenStack / Bash / Linux / Images

Jared Baker, Cloud Specialist
Infrastructure guy & sys admin. Advocate of read-only fridays. Allergic to downtime.
Blog Posts » GitHub
New OpenStack Whitepaper
Shading Elasticsearch