AlJo
Contributor

Recommended patching process for private cloud images

Just started working with the KVM images for Check Point R81.20 gateway.

After chasing things down a bit and figuring out that R81.20 completely changed the cloud-init process I have a gateway up and running under KVM.

 

I used the latest KVM qcow2 image but, being a good Check Point admin, I need the image at the latest HFA.

Is there a best practice/process for deploying images at the latest HFA?  The base qcow image deploys at about 5 gig, but after running cpuse to install the latest HFA, the image checks in at over 13G of committed disk consumption. 

This isn't very cloud friendly and quite cumbersome. Following this model of deploy, then patch, slows deployments considerably.

 

Am I missing something?  Is there a better way to have a vetted patched version for direct deployment?

 

Thanks for your input.

0 Kudos
13 Replies
the_rock
Legend

I will ask one of my colleagues that did this, 13 GB does not sound logical to me at all.

Best,

Andy

0 Kudos
PhoneBoy
Admin

As far as I can remember, we will release updated images that include the recommended JHF.
We do not do this for every JHF, of course.

0 Kudos
AlJo
Contributor

Why wouldn't this be done for each HFA release?  As the steward of the source code, we're reliant on Check Point to provide the latest images unless Check Point provides a tool to custom bake the HFAs into a deployable image.  I'm not expecting Check Point to provide images for all patches, but I AM expecting to see images for each "Recommended" HFA.

And, from my lab, here are the **bleep** image sizes, the first being the image directly from Check Point, the second R81.20 Gateway only, not yet managed by the multi-domain manager; all I did was update to the latest HFA (Take 41).

 

-rw-r----- 1 root kvm 4589092864 Jan 4 21:12 CheckPointR81-20-GW.qcow2
-rw-r----- 1 root kvm 15321792512 Jan 8 14:35 ncflabcpfw0002.qcow2

 

(1)
PhoneBoy
Admin

I know we provide Blink images that include the most recent recommended release: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/R81.20_Downloads.htm?tocpath=_____3
We also update the images in the public cloud providers (AWS, etc).
However, I believe we only distribute a qcow for the base version. 

0 Kudos
AlJo
Contributor

Is the expectation, then, that those of us doing Private Cloud infrastructure (VMware or KVM) would have to figure out our own mechanism for keeping images current?

For private cloud deployments I just can't see that as feasible.

As things are now, private cloud using KVM would require a base image deployment followed immediately by an HFA installation, taking the time to deliver a new cluster from less than 1 minute to 10-20 minutes, with the added baggage of the disk bloat from the upgrade process.

 

Am I missing something or is private cloud automation/deployment that much behind the public cloud provider process?

0 Kudos
the_rock
Legend

Personally, I noticed every image I deployed in the cloud ALWAYS contained whatever recommended jumbo was at the time of the installation...just my own experience.

Best,

Andy

0 Kudos
AlJo
Contributor

@the_rock Are you deploying in Public Cloud or Private Cloud?  Based on my reading of this thread, the public cloud (AWS, Azure, GCP) get the HFAs rolled in, but not the private cloud (qcow2) images.

0 Kudos
the_rock
Legend

Mostly public, but only once in private and it had updated jumbo (maybe just luck, no clue lol)

Best,

Andy

0 Kudos
PhoneBoy
Admin

I haven't asked, but that appears to be the case at present.
I see two places where you might have an issue with this process:

  • Time to deploy. This, I believe, could be mitigated by creating your own image (take base image, apply JHF via CPUSE before you run First Time Wizard).
  • Size of the resulting image. It's a bit bigger because it includes the CPUSE overhead, which wouldn't be there with a fresh install.

Will have to ask around and see if there's a better way to do this.

0 Kudos
Bob_Zimmerman
Authority

If you try to install a jumbo before completing the first-time wizard, CPUSE definitely complains at you. I'm not sure how safe an option that is.

the_rock
Legend

Totally agree with that.

0 Kudos
AlJo
Contributor

Has there been any feedback from the Check Point team on how this might be addressed?  I've raised the issue with my account team and they are as perplexed as I regarding not having "current" private cloud images available.

I'd imagine the images are generated programmatically; just add one more output of KVM to make available via the Check Point download site.

the_rock
Legend

Hope there are some discussions about this at CPX.

Definitely valid point you made @AlJo 

Best,

Andy

0 Kudos
