content/rants/2023-05-21-patching/index.md
3 additions & 3 deletions
@@ -9,14 +9,14 @@ date = 2023-05-21
9
9
10
10
If you're professionally responsible for one or more computers, part of that responsibility likely includes installing security updates. You probably have some sort of mandate from your CISO or security department (if you have either of those) to install security updates within a specified timeframe, and maybe even some reporting on how well you're actually keeping up with that. This is effectively just a requirement of being on the internet these days. Sure, people get worked up about 0-days and APTs, but [the most basic thing that's going to ruin your day is some workaday ransomware crew exploiting years-old vulnerabilities](https://www.cpomagazine.com/cyber-security/new-study-finds-that-ransomware-attacks-are-heavily-relying-on-old-vulnerabilities-unpatched-issues-dating-back-to-2010-still-exploited/). Running old, vulnerable software is just asking for trouble; the internet equivalent of wearing a "kick me" sign on the school playground.
11
11
12
-
Hence device management tools that nag users, remotely install updates, report on compliance, and even block network access as required to get updates installed. This all makes sense for traditional IT - laptops, desktops, smartphones and such; probably even for physical servers if you're unlucky enough to still have any of those. But, I'm here to tell you, it does _not_ make any sense in the cloud. In fact, it's a sign that something is horribly wrong with how you build, test, and deploy software.
12
+
Hence, device management tools that nag users, remotely install updates, report on compliance, and even block network access as required to get updates installed. This all makes sense for traditional IT - laptops, desktops, smartphones and such; probably even for physical servers if you're unlucky enough to still have any of those. But, I'm here to tell you, it does _not_ make any sense in the cloud. In fact, it's a sign that something is horribly wrong with how you build, test, and deploy software.
13
13
14
14
15
15
## The cloud is magical
16
16
17
-
You - yes _you_, dear reader - have the ability to conjure computers into existence in mere seconds. That's what `aws ec2 run-instances` does, and all the other cloud providers have something equivalent. Even if you're running on-premises servers, you're probably not running them on bare metal - virtualization platforms like VMware make life so much easier you've either got to be a masochist or doing something special like HPC to be bothered. So servers are something that come and go at your whims. You might even have automation that launches new servers when you need to scale up under load, and shuts them down again when it gets quiet.
17
+
You - yes _you_, dear reader - have the ability to conjure computers into existence in mere seconds. That's what `aws ec2 run-instances` does, and all the other cloud providers have something equivalent. Even if you're running on-premises servers, you're probably not running them on bare metal; virtualization makes life so much easier you've either got to be a masochist or doing something special like HPC to be bothered running on physical machines. So servers are something that come and go at your whims. You might even have automation that launches new servers when you need to scale up under load, and shuts them down again when it gets quiet.
18
18
19
-
But that's not even the magical part. The _really_ cool thing is that when you create a virtual machine, you specify the contents of its boot volume. You get to choose exactly what software it runs, right from the get-go! This is amazingly powerful. If you (or your build system) creates a disk image with your software and all its dependencies already installed, a lot of things get better:
19
+
But that's not even the magical part! The _really_ cool thing is that when you create a virtual machine, you specify the contents of its boot volume. Thus, you get to choose exactly what software it runs, right from the get-go! This is amazingly powerful. If you (or your build system) creates a disk image with your software and all its dependencies already installed, a lot of things get better:
20
20
21
21
* Deployments are now just creating machines with your new image, and shutting down the old ones
22
22
* Rollbacks are the same, but with the old version instead
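Review bot: The rewritten line 19 still carries a subject-verb mismatch: in "If you (or your build system) creates a disk image", the subject is "you", so the verb should be "create" (the parenthetical does not change the agreement); since this line is already being touched, fix it here. Two smaller wording points in the same hunk: the added "Thus," on line 19 is redundant with the sentence it follows ("you specify the contents of its boot volume" already establishes the consequence), and the new tail of line 17, "bothered running on physical machines", reads awkwardly next to "doing something special like HPC"; "bothered with physical machines" would read more cleanly.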