| |
@@ -0,0 +1,93 @@
|
| |
+ # Guidelines for changing Fedora Cloud images
|
| |
+
|
| |
+ Status: DRAFT
|
| |
+
|
| |
+ ## Preface
|
| |
+
|
| |
+ ### Purpose
|
| |
+
|
| |
+ Cloud images are highly opinionated installations of Fedora that are meant to support the widest array of cloud use cases.
|
| |
+ When cloud users deploy Fedora cloud images, they skip the usual steps of downloading media, running kickstats, or clicking through Anaconda.
|
| |
+ Changing these images requires a careful, efficient, and objective review process.
|
| |
+
|
| |
+ As mentioned in the [original mailing list thread], a strong set of guidelines for cloud images could benefit the Fedora community in many ways:
|
| |
+
|
| |
+ * Allows the Fedora Cloud SIG to review image changes more objectively
|
| |
+ * Ensures that change proposals meet a certain set of criteria
|
| |
+ * Asks the right questions up front for a more efficient review
|
| |
+ * Helps change submitters consider all the effects of their proposed change
|
| |
+
|
| |
+ [original mailing list thread]: https://lists.fedoraproject.org/archives/list/cloud@lists.fedoraproject.org/thread/3ZZC4HBUEM5CMUZLBKCGNOOEN6QTICQX/
|
| |
+
|
| |
+ ### Governance
|
| |
+
|
| |
+ These guidelines must be part of a living document.
|
| |
+ As Fedora evolves and as cloud providers offer more capabilities, many guidelines will require updates.
|
| |
+ The Fedora Cloud SIG owns the list of guidelines and reviews any potential changes before they go into effect.
|
| |
+
|
| |
+ ## Guidelines
|
| |
+
|
| |
+ Fedora cloud images serve a very specific purpose as the _foundation layer_ for cloud deployments.
|
| |
+ Just like a foundation under a house, these images should be secure, reliable, and minimal.
|
| |
+ They should support as many cloud use cases as possible and make it easy for any user to add packages or adjust configuration.
|
| |
+
|
| |
+ ### Minimalism
|
| |
+
|
| |
+ Cloud images should contain the most minimal set of packages possible.
|
| |
+ In addition, they should run the fewest number of daemons possible -- especially those that listen on TCP or UDP ports.
|
| |
+ Many cloud instances are exposed to untrusted networks or the entire internet immediately after boot.
|
| |
+
|
| |
+ ### Network filtering
|
| |
+
|
| |
+ Most public cloud providers and private cloud systems offer software-defined network segmentation or filtering.
|
| |
+ These networks and filters are handled dynamically via APIs outside of the Fedora instance and should be the primary method for securing network traffic.
|
| |
+ Fedora cloud images should not boot with network filtering enabled.
|
| |
+ This avoids confusion between a firewall ruleset in the Fedora instance and the network filters inside the cloud provider's system.
|
| |
+
|
| |
+ ### Virtual and physical systems
|
| |
+
|
| |
+ Certain changes in other parts of Fedora, such as the Workstation or Server editions, may or may not make sense in cloud deployments.
|
| |
+ Although most clouds are focused on offering shared resources from the same physical machine with a virtual layer in between, some clouds offer bare metal instance types where Fedora is deployed directly on hardware.
|
| |
+ Both use cases should be considered so that Fedora users can deploy the same images to both types of instances.
|
| |
+
|
| |
+ ### Preserve defaults
|
| |
+
|
| |
+ Default configurations used elsewhere in Fedora should be maintained in cloud images whenever possible.
|
| |
+ This allows users to flow between other editions, such as Workstation or Server, to cloud images without significant differences.
|
| |
+
|
| |
+ ## Making a Fedora cloud image change
|
| |
+
|
| |
+ Fedora cloud images must evolve over time and the Fedora Cloud SIG welcomes any proposed changes.
|
| |
+ To propose a change, copy this list of questions and paste them into an issue within the [cloud-sig] project:
|
| |
+
|
| |
+ [cloud-sig]: https://pagure.io/cloud-sig/issues
|
| |
+
|
| |
+ * **Configuration**
|
| |
+ * Does your change cause the cloud image configuration to differ from other editions, such as Workstation or Server?
|
| |
+ * If yes, explain why the defaults from the other editions cannot be used.
|
| |
+ * **Daemons & Services**
|
| |
+ * Does your change add any daemons or services that run at boot time?
|
| |
+ * If yes, do these daemons or services listen on a UNIX socket or a TCP/UDP port?
|
| |
+ * Does your change remove any daemons or services that currently run at boot time?
|
| |
+ * **Packages**
|
| |
+ * Does your change add any packages to the system?
|
| |
+ * If yes, please list each and the reason why each is required.
|
| |
+ * Does your change remove any packages from the system?
|
| |
+ * If yes, please list each and explain why they should be removed.
|
| |
+ * **User impact**
|
| |
+ * Some users deploy cloud instances for long-lived applications and they manage them by hand.
|
| |
+ How would they be affected by your change?
|
| |
+ * Some users deploy short-lived cloud instances with automation.
|
| |
+ How would they be affected by your change?
|
| |
+ * Is there something that a cloud image user should know about your change that would help them?
|
| |
+ * Is your change covered in a [Fedora change] submission?
|
| |
+ * Does your change correspond to a particular upcoming Fedora release?
|
| |
+
|
| |
+ [Fedora change]: https://docs.fedoraproject.org/en-US/program_management/changes_guide/
|
| |
+
|
| |
+ After [submitting the change proposal], monitor the issue in Pagure for any updates or other questions from the Fedora Cloud SIG.
|
| |
+ The proposal might require further discussion in a Cloud SIG meeting.
|
| |
+ [Fedora Calendar] keeps the most up to date schedule of our meetings.
|
| |
+
|
| |
+ [submitting the change proposal]: https://pagure.io/cloud-sig/issues
|
| |
+ [Fedora Calendar]: https://calendar.fedoraproject.org/list/cloud/
|
| |
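Review bot: The "Daemons & Services" questions in the proposal checklist stop at whether a new daemon listens on a UNIX socket or a TCP/UDP port, which is too little given that "Network filtering" has the image boot with no host firewall and "Minimalism" notes that instances may face the entire internet immediately after boot. Taken together, those two guidelines mean any listener added to the image is reachable wherever the provider-side filter allows it, so the checklist should also ask which address and port the service binds to, whether it can ship disabled or socket-activated by default, and why it has to be in the base image rather than installed by the user. Separately, "kickstats" in the Purpose section looks like a typo for "kickstarts", and the `[cloud-sig]` and `[submitting the change proposal]` references resolve to the same URL, so one reference could serve both.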
Per the discussion in the mailing list thread[0] from May 2022, these image guidelines are proposed for making changes to cloud images.
[0] https://lists.fedoraproject.org/archives/list/cloud@lists.fedoraproject.org/thread/3ZZC4HBUEM5CMUZLBKCGNOOEN6QTICQX/