Golden Images – Best Practices
Build and test
When creating the golden image, it makes sense to start from the latest version of the application and operating system that has passed testing, and to pin that version. Not only does this ensure that the virtual machines are consistent across the board, it also provides an opportunity to test the software thoroughly before it is rolled out to production.
Building a golden image is about selection of the correct software, configuring it for the specific use case, and then testing both compatibility and security, before committing it to use.
Maintain a golden image update schedule
Applications and operating systems can update themselves to the latest version (or can be updated by IT tools such as Microsoft SCCM), so it is not usually necessary to rebuild the golden image for every small patch that comes out; the overhead of building, testing and distributing a new image rarely justifies it. The caveat is that a VM deployed from a stale image runs unpatched from first boot until its update mechanism catches up, so the rebuild cadence should be set by how long that exposure window is acceptable, and a critical fix for a service the image exposes is a reason to rebuild rather than wait for the schedule.
It is, however, important to create new golden images for larger software updates, or to roll up several weeks' worth of patches. Doing so significantly reduces installation time for new systems, since fewer application and operating system updates need to be downloaded and applied after deployment.
Keep the image as simple as possible
A golden image is usually intended to deliver an application for a specific use case. It is not delivering a 'general purpose' operating system; the exception is, perhaps, virtual desktops delivered to end users.
When creating and maintaining a golden image, the image itself should not be overly complicated, nor include unnecessary software packages or operating system features. The more complicated the image is, the more time and effort have to be invested in maintaining it. Reducing the footprint of the golden image also reduces its attack surface: a package or service that is not installed cannot be exploited and does not need to be patched, and that saving is multiplied by every VM deployed from the image.
Assigning a unique identity
In addition to consistent software and configuration, one other thing is needed: a way to assign identity. When a golden image is installed in a virtual machine it is a clone of the original source image, but to operate in each virtual machine it is deployed to, it must adopt an identity of its own.
As far as the operating system is concerned, identity can be as simple as a unique machine ID and host name. The part that is easy to overlook is that cloning also copies every per-host secret verbatim: SSH host keys, the Windows machine SID, and any agent enrolment tokens or credentials that were on the image when it was captured. If these are not regenerated, every VM shares the same host key, so one compromised VM can impersonate any other. For the application, assigning identity may be much more complex and needs to take into account the location and role of each individual virtual machine.
Once a plan for assigning identity is understood, it can be automated. Typically a 'run once' script does housekeeping like this during the first boot of the virtual machine after the golden image has been deployed; on Windows this is the job of sysprep's generalize pass, and on Linux it is commonly done by cloud-init or a first-boot service.
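The first-boot housekeeping described above, as an added shell example that is not from the original page and is not any product's own code. It assumes a Linux guest using systemd and OpenSSH, takes the new host name as its first argument, and uses a hypothetical marker file /var/lib/first-boot-done as the run-once guard; the ROOT variable is also an assumption, present so the same logic can be exercised against a scratch directory instead of the live system.

```shell
#!/bin/sh
# first-boot-identity.sh: hypothetical first-boot script for a Linux golden image.
# Gives a cloned VM its own identity (hostname, machine-id, SSH host keys) and
# then records a marker so it never runs again. All paths are prefixed with
# ROOT so the logic can be exercised against a scratch directory.
set -e

assign_identity() {
    root="$1"            # "" for the live system, or a scratch directory
    new_hostname="$2"
    marker="$root/var/lib/first-boot-done"   # assumed marker location

    # Run-once guard: a later boot (or an accidental re-run) must not
    # re-identify a host that already has its identity.
    if [ -e "$marker" ]; then
        return 0
    fi

    # 1. Hostname: persisted in /etc/hostname, applied now on a live system.
    printf '%s\n' "$new_hostname" > "$root/etc/hostname"
    if [ -z "$root" ] && command -v hostname >/dev/null 2>&1; then
        hostname "$new_hostname"
    fi

    # 2. machine-id: every clone carries the image's value. An empty file makes
    #    systemd generate a fresh one at boot; on a live system do it right away.
    : > "$root/etc/machine-id"
    if [ -z "$root" ] && command -v systemd-machine-id-setup >/dev/null 2>&1; then
        systemd-machine-id-setup
    fi

    # 3. SSH host keys: cloned keys let any VM impersonate any other, so delete
    #    them and generate new ones (ssh-keygen -A creates every default key
    #    type that is missing). Unmatched globs are harmless under rm -f.
    rm -f "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub
    if [ -z "$root" ] && command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -A
    fi

    # 4. Record completion so the script is a no-op from now on.
    mkdir -p "$(dirname "$marker")"
    : > "$marker"
}

# Usage on the deployed VM (as root): sh first-boot-identity.sh web-01
# With no argument the script defines the function and does nothing.
if [ $# -ge 1 ]; then
    assign_identity "${ROOT:-}" "$1"
fi
```

On a real deployment this would be wired in as a oneshot systemd unit or a cloud-init script and removed or disabled once the marker exists. Note what the script does not cover: anything else baked into the image (agent tokens, API keys, cached credentials) is copied to every clone just as the host keys are, and is better stripped from the image at build time than cleaned up at first boot.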
Don't get complacent when it comes to security
Virtualization brings some security benefits, such as isolation between guests and the ability to rebuild a machine from a known-good image rather than repair it in place.
That does not remove the need for the usual precautions. Hardening applied to the golden image (patching, disabled services, host firewall rules, logging and agent configuration) is inherited by every VM deployed from it, which is exactly why it belongs there; by the same token, any weakness or secret baked into the image is inherited by every VM too.