We’ve mentioned the “Jidoteki Admin” a few times, and today we want to discuss how it can help with updating virtual appliances.
The blocked updates problem
One of the biggest issues with selling and distributing virtual appliances is that they are often blocked from the outside world. It’s fair to ask your customers to perform online/automatic updates, but that doesn’t work for many schools, corporations, and government organizations.
Distributing your software
It’s always best to keep the virtual appliance and the actual software (your app) as separate components. This makes it easier to distribute small software update packages without forcing your customers to download an entire new virtual appliance, and it saves them from having to migrate data.
Jidoteki Admin
Our goal is to help you get around these problems. When you provision a virtual appliance, we add a default option to install the “Jidoteki Admin”. This is a set of open source scripts and tools which will modify your virtual appliance and make it easy to perform updates in the future, offline.
How does it work (for us)?
We run the Ansible scripts on your appliance before provisioning it. We make sure to add an admin public SSH key which is unique to your Jidoteki user account. This is NOT the same as your unique public SSH deploy key (used for cloning git repos).
Eventually we’ll allow you to easily retrieve the SSH keypair from the account settings page. We’re still working on that, sorry.
How does it work (for you)?
The Jidoteki Admin creates an sftpadmin user for uploading software update packages, and a sudoers entry for the admin user. It creates some directories in /opt/jidoteki/admin which are secured so that those users can’t do anything outside the scope of what is allowed.
What is allowed:
That’s all for now. You can modify the scripts and overwrite them in your own provisioning tools.
We include a wrapper.sh script to ensure only specific commands can be run, and an update_vm.sh script to perform the actual software updates (decrypt, extract, update).
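The allowlist idea behind a wrapper like this, as an added example that is not the project's own wrapper.sh. It assumes the wrapper is installed as an OpenSSH forced command (so the client's request arrives in SSH_ORIGINAL_COMMAND); the location of update_vm.sh and the "version" command are hypothetical.

```shell
#!/bin/sh
# Added example: allowlist dispatcher for an SSH forced command.
# Assumption: the admin key in authorized_keys carries command="<this script>",
# so sshd runs this script and puts the client's request in SSH_ORIGINAL_COMMAND.
ADMIN_DIR="/opt/jidoteki/admin"   # directory named on the page; script layout assumed

# Map a request to one fixed script path. The whole string must match exactly,
# so extra arguments, shell metacharacters and empty requests all fall through.
resolve_command() {
    case "$1" in
        update)  printf '%s\n' "$ADMIN_DIR/update_vm.sh" ;;
        version) printf '%s\n' "$ADMIN_DIR/version.sh" ;;   # hypothetical command
        *)       return 1 ;;
    esac
}

# Decide on a request. The request is only ever compared, never eval'd or
# passed to a shell. A real wrapper would `exec "$target"` on ALLOW and log
# the DENY case; here the decision is printed so the logic can be inspected.
handle_request() {
    if target=$(resolve_command "$1"); then
        printf 'ALLOW %s\n' "$target"
    else
        printf 'DENY\n'
        return 1
    fi
}

# Constructed sample requests, including ones that must be rejected.
for sample in "update" "version" "update /tmp/other.tar" "update; echo x" "sh" ""; do
    printf '%-24s -> ' "[$sample]"
    handle_request "$sample" || true
done
```

Because the request is matched as a whole string and the executed path comes from the wrapper rather than from the client, nothing the client sends ever reaches a shell for interpretation.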
How does it work (for your customers)?
Your customers can simply download your encrypted software update package, upload it to the virtual appliance using the SSH keypair for the admin/sftpadmin users (same key for both), and execute the update command over SSH.
If all goes well, their appliance will be updated.
Software update packages
We’ve also discussed this on many occasions, but to recap, these are encrypted tar files containing an update.sh, version.txt and your own update/provisioning scripts. We always recommend making these idempotent and having them handle failures gracefully. The update script we provide will catch failures and exit codes.
The software update packages should be encrypted with the updates.key file. It’s a file which is also added to the virtual appliance as part of the “Jidoteki Admin”. If you encrypt the package with that file, the appliance will be able to decrypt it.
Final thoughts
The Jidoteki Admin is designed to make your life much simpler. The task of updating a virtual appliance and performing other remote administration tasks without an internet connection can be quite difficult. We want to ensure you can offer this functionality to your customers, as easily as possible.
Feel free to contact us for advice and consulting if you need more advanced functionality from the Jidoteki Admin. Also make sure to subscribe to our newsletter, as we’re constantly updating Jidoteki with new features and functionality.