Image Rotation
What is IaaS image-rotation?
The IaaS image-rotation service renews each public OpenStack Glance image when a new version is available upstream. Private images are excluded from the image-rotation process. A particular image is normally rotated no sooner than every 6 months, which means a particular public cloud image is not older than that period. Rotated images that are not in use, i.e. old and “deprecated” images, are:
- First made visible under a different (suffixed) name
- After 6 months, made hidden (available by image ID only)
- After 2 years, deleted if they are not used at all; otherwise they are kept indefinitely.
What does IaaS image-rotation do?
The IaaS image-rotation service performs the following actions:
- Detects whether images are fresh.
- Uploads fresh images to OpenStack.
- Renames both images so that the original name now points to the fresh OpenStack Glance image.
This procedure keeps OpenStack Glance images fresh and their names easy to remember, resulting in more secure cloud computing.
Why is IaaS image-rotation deployed?
The IaaS image-rotation engine is deployed for the following reasons:
- security: to make cloud users run fresh operating systems, i.e. to make cloud computing less vulnerable
- to speed up VM operating system upgrades
How does it work?
Every 2 months, the mechanism checks all official images and compares them with their upstream version.
If any image is not up-to-date, it is “rotated”, i.e., its latest version takes its place under the same name.
The older image is renamed. Its name is in the format: {OFFICIAL_IMAGE_NAME}-{ROTATION_DATE}
Example
The official image is named:
centos-7-x86_64
The mechanism swapped this image and saved its latest version under the same name, centos-7-x86_64. The older version was renamed to:
centos-7-x86_64-2021-12-15
where the suffix 2021-12-15 represents the date the image was rotated.
Older images remain available later under the new name or the original ID.
You can find the image ID by using the command:
openstack image show <IMAGE_NAME | IMAGE_ID>
or you can find it in the Horizon dashboard by clicking on the specific image.
Older images are kept public for another 2 months. After that, their visibility is changed to community.
Community images are still available in OpenStack. You can list all community images with the command:
openstack image list --community
However, they will not appear in your dashboard. To use them, you have to use the CLI command:
openstack server create --image <IMAGE_NAME | IMAGE_ID> [ADDITIONAL_PARAMS] <SERVER_NAME>
After 1 year, community images are deleted if they are no longer used.
Terraform VM Creation with Image Rotation
IaaS infrastructures deployed by IaC tools like Terraform have to be aware of the IaaS image-rotation service. Not taking the image-rotation process into account results in sudden infrastructure refreshes caused by image rotations (the same image name gets a different ID). These example snippets show how to create a VM via Terraform while supporting image rotation.
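One way to write such a configuration, as an added example that is not the original page's or the cloud operator's own snippet: the image is looked up by name, and the instance ignores later changes of the resolved ID so a rotation does not force a rebuild. The resource labels, variable names, VM name and outputs are assumptions chosen for illustration; the image name is the one from the example above.

```hcl
# Added example: labels, variables and the VM name are illustrative assumptions.
terraform {
  required_providers {
    openstack = {
      source = "terraform-provider-openstack/openstack"
    }
  }
}

variable "image_name" {
  description = "Official image name; after a rotation it resolves to a new image ID"
  type        = string
  default     = "centos-7-x86_64"
}
variable "flavor_name"  { type = string }
variable "network_name" { type = string }
variable "key_pair"     { type = string }

# Resolve the official name to whatever image ID it points to at plan time.
data "openstack_images_image_v2" "official" {
  name        = var.image_name
  most_recent = true
}

resource "openstack_compute_instance_v2" "vm" {
  name        = "rotation-aware-vm"
  image_id    = data.openstack_images_image_v2.official.id
  flavor_name = var.flavor_name
  key_pair    = var.key_pair

  network {
    name = var.network_name
  }

  lifecycle {
    # A rotation changes the ID behind var.image_name. Without this setting the
    # next apply would plan a destroy and recreate of the running VM.
    ignore_changes = [image_id]
  }
}

# True once the VM runs a rotated (older) image and is due for a planned rebuild.
output "vm_image_is_rotated" {
  value = openstack_compute_instance_v2.vm.image_id != data.openstack_images_image_v2.official.id
}
```

New VMs created from this configuration get the fresh image, while an existing VM keeps its older image until it is rebuilt on purpose, for example with `terraform apply -replace=openstack_compute_instance_v2.vm`. The `vm_image_is_rotated` output gives a simple signal for tracking which deployments still run a rotated image.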