#94 Producing Updated Cloud/Atomic Images
Closed None Opened 8 years ago by dustymabe.

We need to finalize our policy around producing updated images and then start doing it.

Right now we have loosely decided to release new images once a month or whenever security updates require it.

Additionally, as part of this we should also decide on a policy that determines when we stop updating images for a particular release. I imagine that we don't want to be producing updated images for Fedora X, Y, and Z all at the same time. Ideally we would only be producing updated images for the current/latest major version.

For this, we need to figure out a couple things:
- Cadence (I think monthly was discussed on list)
- Who's going to file tickets with websites to update ids on getfedora.org/cloud
- Are we updating the whole image, or just somethings
- What does releng need from us in order to kick off the builds
- ... (I'm sure there's more here)

I sent an email to rel-eng1 and spoke briefly with dgilmore. The releng process for this is on his to-do list. Ultimately, for an updated build, we'll file a ticket with releng, who will make the build and post it to staging. From there, QA will be pushing it live.

And FWIW, I'm cool with being the guy to file the ticket with the new AMI IDs.

Just noting1, and that there's apparently been progress some sort of script Dennis has developed to help facilitate this process.

To keep everyone updated:

At the Cloud team meeting yesterday, it was determined that the ball is now in our (Cloud's) court at this point. I spoke to Kushal about this means for us. Until we formalize this updates process (possibly next month), the process is something like:

  1. Test images
  2. Fix any issues
  3. Wait for next nightly build
  4. Repeat 1-3 until satisfied
  5. Ask rel-eng to build a new tree and build the image

So the ball is in our court and we have everything we need (as far as I know). We have decided a few things in the meeting today:

1 - Since it is so late in F21 we will start doing this for F22 rather than start now in F21.
2 - We will initially only release updated images for the "current" release. Meaning as soon as F23 comes out we will no longer release updated images for F22.

If this model doesn't turn out to be good we can vote to change it.

opening back up and tagging with 'meeting' since F22 has been released. Now we can actually go through the process of releasing images with updates.

We are going to try to get an updated image out at the end of the month and do this monthly for F22. Lets target maybe thursday 06/25 for the release of the updated images.

Here are some things that I would like to target for the first image update:

  • put out qcow2 v2 formatted image
  • Fix selinux policy for dnf/cloud-init BZ#1227484 [1]
  • include updated packages.
  • cockpit resolution for atomic [2]

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1227484
[2] - https://fedorahosted.org/cloud/ticket/105

Two other bugs to consider as blockers for atomic:


There is a new nfs-utils package out can we get some karma please:

walters is there any more to these two bugs than the updated nfs-utils package?

https://lists.projectatomic.io/projectatomic-archives/atomic/2015-June/msg00001.html is also critical to get in. Should just happen when a respin of images happens.

For NFS, I believe that update should work once it gets karma but I didn't retest.

For "put out qcow2 v2 formatted image" there is this bug:


See: https://fedoraproject.org/wiki/Changes/Two_Week_Atomic

While this proposed change covers just the Atomic image, basically the same thing could work for Cloud Base images as well (and Docker base image). It might be nice to add a layer of human testing to those, however — perhaps integration with Bodhi?

Opened a ticket with rel-eng for the first set of updated cloud images.


Might consider waiting to pull in: https://admin.fedoraproject.org/updates/libuser-0.62-1.fc22

It's an easily exploitable local root escalation in the default install.

What is the status on this? Does someone own this?

Kushal just mentioned this morning that this is something he is and or did work on. Reassigning to Kushal and he can fill in details.

This is still outstanding, right?

Replying to [comment:20 walters]:

This is still outstanding, right?

Walters.. correct. We discussed this at the meeting today and decided to concentrate on the F23 release for now and use the infrastructure that was built for this to produce updated images for F23 and onward. Since F23 is a little over a month away I think this is reasonable.


in the meeting today we decided that f23 is a reasonable goal. the short summary is that the infrastructure is in place for this all we need to do is start testing and releasing images on a cadence, which we will do after f23 release.

The atomic two week images updated plan approved by FESCo: https://fedorahosted.org/fesco/ticket/1452

Login to comment on this ticket.