Managing VMs is key to maintaining good security. Preparing a plan to patch, reboot and migrate to new OSes is the best way to ensure maintenance is carried out regularly.

👁️ Overview

As a user of the STFC Cloud, you are responsible for your machines (see Terms Of Service), whilst the Cloud team is responsible for the Cloud-supplied OS images. This article describes the do’s and don’ts of using a VM on the STFC Cloud.

✅ Do’s

Keeping your VMs healthy

Some steps you can take to keep your machines in good condition are:

  • Comply with security notifications from the Cloud team

  • Update VMs regularly, and reboot them (many updates do not take effect until after a reboot)

  • Cycle out VMs on a schedule (ideally once every 6 months)

Patching and rebooting VMs will extend their lifecycle by a certain amount, but eventually all will need to be replaced.

 

The general attitude towards VMs should be that they are cattle, not pets - any services/workflows running on a VM should be easily replicable so that an individual host is not required to be kept around indefinitely. There are many ways to simplify setting up a VM, such as Magnum and Heat.

A good lifecycle management process also promotes good service management practices.

VMs should not be left to age for too long for a few reasons, primarily security: vulnerabilities are more common in older machines, and not all are patched. Also, the hardware underneath and the flavor of the VM are not immortal; at some point they will no longer work or be supported.

We recommend getting rid of VMs at an age of 6 months if possible; keeping them for longer than a year is usually not ideal. If your machines are approaching this age, consider migrating to newer flavors. It is also suggested that VMs are rebooted about every 6 weeks, as this allows some updates to be applied.
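
The following is an added example, not part of the original article or of any STFC Cloud tooling, that applies the age and reboot thresholds above to a VM inventory. The record fields `name`, `created` and `last_boot`, the sample data, and the day counts used for "6 months" (183 days) and "6 weeks" (42 days) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thresholds from the guidance above; the day counts are assumptions.
REPLACE_AFTER = timedelta(days=183)   # "6 months"
TOO_OLD_AFTER = timedelta(days=365)   # "older than a year"
REBOOT_AFTER = timedelta(days=42)     # "about every 6 weeks"


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def audit(servers, now):
    """Return {vm name: [findings]} for VMs that need attention."""
    report = {}
    for vm in servers:
        findings = []
        age = now - parse_ts(vm["created"])
        if age > TOO_OLD_AFTER:
            findings.append(f"replace now: {age.days} days old (over a year)")
        elif age > REPLACE_AFTER:
            findings.append(f"plan replacement: {age.days} days old (over 6 months)")
        # A missing boot time is reported rather than silently passed.
        last_boot = vm.get("last_boot")
        if last_boot is None:
            findings.append("reboot status unknown: no boot time recorded")
        elif now - parse_ts(last_boot) > REBOOT_AFTER:
            up = (now - parse_ts(last_boot)).days
            findings.append(f"reboot overdue: up {up} days (over 6 weeks)")
        if findings:
            report[vm["name"]] = findings
    return report


# Constructed sample inventory (hypothetical VMs, not real hosts).
SAMPLE = [
    {"name": "web-1", "created": "2024-05-01T09:00:00Z", "last_boot": "2024-05-20T09:00:00Z"},
    {"name": "db-1", "created": "2023-01-10T12:00:00Z", "last_boot": "2024-03-01T08:00:00Z"},
    {"name": "batch-1", "created": "2023-11-01T00:00:00Z", "last_boot": "2024-05-25T00:00:00Z"},
    {"name": "tmp-1", "created": "2024-04-15T00:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, NOW).items():
        print(f"{name}: " + "; ".join(findings))
```
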

Steps to take

As a user of the STFC Cloud, you are responsible for your machines, whilst the Cloud team is responsible for the OS images (excluding custom images). Some steps you can take to keep your machines in good condition are:

  • Cycle out VMs on a schedule (ideally once every 6 months)

  • Update VMs regularly, and reboot them (many updates do not take effect until after a reboot)

  • Comply with security notifications from the Cloud team

Patching and rebooting VMs will extend their lifecycle by a certain amount, but eventually all will need to be replaced.

 

High availability

Don’t have your services dependent on just one VM (if the VM goes down, so does the service!). Instead, make your service highly available by spreading it across multiple machines with a single entry point. This can be done with load balancers and Kubernetes clusters.

 

Configuration management

Configuration management is your friend: you can create machines with packages automatically installed and configured for you. This can be done with configuration management software such as Ansible (see our advanced workshop for more information).

If you’re running a service, design for high availability so that one machine going down for maintenance doesn’t take the service down with it.

Data storage

Use Volume Management in OpenStack or other non-root-disk storage so that data isn’t lost when cycling VMs.

Stick to a reboot schedule.

Finally, the Cloud team are here to help: submit a ticket if you have issues, or use the Slack to ask questions.

STFC Cloud has a variety of different storage solutions, with different use-cases:

  • Manila: relatively performant general purpose storage

  • Cinder: relatively well performing scratch space

  • Swift: object store; lower performance but much larger capacity

Info

The cloud does not back up data, so it should not be used as backup storage or for production databases.

❌ Don’ts (Please do not do these)

  • Keeping a VM up for years

  • Not keeping up to date with security patches (This is against terms of service and could result in your VM being terminated)

  • Keeping VMs on deprecated flavors (such as c-flavors)

  • Removing the Cloud admin SSH key (this means that we are limited in being able to provide support) (This is against terms of service and could result in your VM being terminated)

Reviewer

Review period: 6 months