Posted to users@cloudstack.apache.org by "X. S." <no...@hotmail.de> on 2014/03/26 18:46:58 UTC

VM orchestration, updating Best practices

Hey!

I have several choices to make regarding orchestration of VMs:

- When and where should I assign a role to a template/VM?

- Should I have a Database template, a Webserver template etc? Or should I just have one basic Ubuntu template with chef/puppet installed and pass the role somehow differently to the VM (how?) so all the rest of the installation is taken care of by those tools?

- Should I turn on automatic updates in Ubuntu and how often should I create a new, up to date template?

- Is puppet/chef really worth having to change the recipes on every minor new version and coming up with a recipe every time I want to install something new? Is there a way of installing security patches etc. automatically but handle new versions manually via chef or puppet?

- I guess the best way for updates would be to start a new VM with the new software and one by one move the workload to the updated VMs. On the other hand this seems not very feasible for the daily updates on the OS level!?

I have been researching this for a few weeks. Maybe you can share a thing or two before my head explodes...

Thank you!
Lisa

Re: VM orchestration, updating Best practices

Posted by Kambiz Darabi <da...@m-creations.com>.
Hi Lisa,

Erik Weber <te...@gmail.com> wrote:
> 
> One way is to let puppet or whatever decide based on hostname, and pass the
> role that way. Or you could look at userdata, but that is hard to change
> later.
>
> Erik
> On 26 March 2014 at 18:47, "X. S." <no...@hotmail.de> wrote:
>
>> Hey!
>>
>> I have several choices to make regarding orchestration of VMs:
>>
>> - when and where should I assign a role to a template/VM?
>>
>> - Should I have a Database template, a Webserver template etc? Or should I
>> just have one basic ubuntu template with chef/puppet installed and pass the
>> role somehow differently to the VM (how?) so all the rest of the
>> installation is taken care of by those tools?

We use the following combination of tools/strategies:

- match host names by regular expressions in puppet

With this, every host with name www... has the role web-server:

node /^www.*\.example\.com$/ inherits 'web-server-node' {
...
}

You can also use an 'if' or 'case' statement inside definitions/classes.

- specify a specific version of the package in puppet

package { 'tomcat7':
  ensure => '7.0.26-1ubuntu1.2'
}

- a proxy repository for OS packages

A caching proxy for the OS packages is a good measure to be able to
control which packages are available for installation in your VMs. Even
if the upstream repositories remove certain packages, your cache still
keeps them. We use apt-cacher on Ubuntu 12.04.


>> - Should I turn on automatic updates in Ubuntu and how often should I
>> create a new, up to date template?
>>
>> - is puppet/chef really worth having to change the recipes on every minor
>> new version and coming up with a recipe every time I want to install
>> something new? Is there a way of installing security patches etc.
>> automatically but handle new versions manually via chef or puppet?

It depends on what you want to achieve. From your questions above, I
have the impression that strict control of package versions is your
goal. With puppet, you can be strict for certain packages and lenient
for others, as you can also just specify that a package should just be
present without giving a specific number:

package { 'tomcat7':
  ensure => 'present'
}

or tell puppet to always upgrade to the latest version with
'ensure => latest'.

cf. http://docs.puppetlabs.com/references/latest/type.html#package-attribute-ensure

>> - I guess the best way for updates would be to start a new VM with the new
>> software and one by one move the workload to the updated VMs. On the other
>> hand this seems not very feasible for the daily updates on the OS
>> level!?

The way we do it is to create a template from a running VM, start that
template, change the versions of the relevant packages in the puppet
configuration to 'latest', and test the functionality.

If everything is OK, the versions which have been tested are written
into the puppet configuration and 'frozen' from that moment on until the
next round of updates.

>> I have been researching this for a few weeks. Maybe you can share a thing
>> or two before my head explodes...
>>
>> Thank you!
>> Lisa

HTH

Kambiz
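
Added example (not part of Kambiz's message): one way to script the 'freeze' step described above, turning the versions installed on the tested VM into pinned puppet package resources. The function name freeze_versions and every inventory line except the tomcat7 version are constructed for illustration.

```shell
#!/bin/sh
# Input on stdin: "name version" lines, as printed on the tested VM by
#   dpkg-query -W -f='${Package} ${Version}\n'
# Arguments: the packages whose tested versions should be pinned.

# Constructed sample inventory (only the tomcat7 version is from the thread).
SAMPLE_INVENTORY='tomcat7 7.0.26-1ubuntu1.2
tomcat7-common 7.0.26-1ubuntu1.2
openssl 1.0.1-4ubuntu5.12'

freeze_versions() {
    inventory=$(cat)
    rc=0
    for pkg in "$@"; do
        # Exact match on the name column, so 'tomcat' never matches 'tomcat7'.
        version=$(printf '%s\n' "$inventory" |
            awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$version" ]; then
            echo "freeze: $pkg is not installed on the tested VM" >&2
            rc=1
            continue
        fi
        # Debian version strings use only these characters. Refuse anything
        # else so a value cannot break out of the quoted manifest string.
        case $version in
            *[!A-Za-z0-9.+~:-]*)
                echo "freeze: unexpected version for $pkg" >&2
                rc=1
                continue ;;
        esac
        printf "package { '%s':\n  ensure => '%s',\n}\n" "$pkg" "$version"
    done
    return $rc
}

# Demo run on the constructed inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | freeze_versions tomcat7 openssl
```

The non-zero exit status when a requested package is missing or has an unexpected version lets a wrapper refuse to commit a partially frozen manifest.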

Re: VM orchestration, updating Best practices

Posted by Erik Weber <te...@gmail.com>.
One way is to let puppet or whatever decide based on hostname, and pass the
role that way. Or you could look at userdata, but that is hard to change
later.

Erik
On 26 March 2014 at 18:47, "X. S." <no...@hotmail.de> wrote:

> Hey!
>
> I have several choices to make regarding orchestration of VMs:
>
> - when and where should I assign a role to a template/VM?
>
> - Should I have a Database template, a Webserver template etc? Or should I
> just have one basic ubuntu template with chef/puppet installed and pass the
> role somehow differently to the VM (how?) so all the rest of the
> installation is taken care of by those tools?
>
> - Should I turn on automatic updates in Ubuntu and how often should I
> create a new, up to date template?
>
> - is puppet/chef really worth having to change the recipes on every minor
> new version and coming up with a recipe every time I want to install
> something new? Is there a way of installing security patches etc.
> automatically but handle new versions manually via chef or puppet?
>
> - I guess the best way for updates would be to start a new VM with the new
> software and one by one move the workload to the updated VMs. On the other
> hand this seems not very feasible for the daily updates on the OS level!?
>
> I have been researching this for a few weeks. Maybe you can share a thing
> or two before my head explodes...
>
> Thank you!
> Lisa