On Mon, Oct 10, 2016 at 12:48:25AM +0200, Christian Boltz wrote:
42.1 is terribly old ;-) - what about using 42.2 for new VMs? I know 42.2 is still in beta, but that shouldn't stop us from using it already ;-) [1]
There was a reason I created 42.1: I wanted to make sure that the packages from the update channel are preferred. Now that I made sure that this behaviour is working fine, I can create the 42.2 beta as well for sure.
I had a quick look at the image. Looks good, but it's indeed very minimal ;-)
Thanks for the review! Once again, we really need the image as minimal as possible (just to be able to set its network up as a first step). It will not be used only for production machines managed via salt, but also for workers, runners, containers, testing cloud instances etc. We need just to be able to set its network as a first step.
IIRC our guidelines say all services should be protected by an AppArmor profile, so it would probably make sense to install AppArmor by default. pattern-openSUSE-apparmor should drop in what we need. If kiwi ignores recommends, also add apparmor-utils (which is not really needed for running the server, but very helpful for translating audit.log events to profile changes). Speaking of audit.log - the audit daemon (package audit) would also be helpful.
Or do you prefer to do this via salt?
That has to be done via salt afterwards.
(Deploying and loading the service-specific AppArmor profiles would always be salt's job.)
BTW: IIRC Lars said that there is a set of existing salt states [2] which is used by the existing openSUSE servers/VMs. Is this available to the public (where?), or do I need a special account somewhere?
I explained the situation in a past mail, see https://lists.opensuse.org/heroes/2016-07/msg00022.html
Meanwhile I started writing some salt code for opensuse, but it is in very early stages and not deployed yet. I'll keep you posted.
Regards,
Christian Boltz
[1] I already have some 42.2 beta servers running for a customer (since beta 1!) without "surprises", so I don't see a reason why openSUSE itself shouldn't use it ;-) It might even be worth a news.o.o article (or at least a note in the RC1 announcement) saying "look how good 42.2 beta is, we are already using it on $service.o.o" ;-)
[2] I'm new to salt and its terms, so I hope I grabbed the right name for the *.sls files ;-)
--
Theo Chatzimichos <tampakrap@opensuse.org> <tchatzimichos@suse.com>
System Administrator
SUSE Operations and Services Team