Hi.

Since Debian squeeze now finally hit stable, are there any plans on
releasing an updated AMI? I really like the alestic images and I would
love to start migrating my machines to a Debian Squeeze alestic
community image with a kernel > 2.6.26.

Thanks and keep up the good work!

- Daniel

Hi Daniel,

First of all I am relatively new on this topic and also looking for a
proper Debian Squeeze AMI.

As far as my research has shown me Eric Hammond the creator of the
alestic AMIs switched over using Ubuntu AMIs - which also seem get
some official love from Canonical. Please find his blogpost here
regarding stepping back from creating new debian images.
http://alestic.com/2010/03/ec2-ubuntu-ami-release#comment-357

I there is an initiative to create a community image I would gladly
contribute to the effort.

Cheers,

   Christian

On Feb 8, 3:31 pm, Daniel <d.mah...@googlemail.com> wrote:

Correct.  I have no current plans to publish Debian squeeze or any
further Debian AMI updates myself, and provided plenty of warnings and
lead time before I stopped providing this service to the community.

At the top of http://Alestic.com I list the latest Ubuntu AMIs as
published by Canonical along with some AMIs for some older versions of
Ubuntu before the work was transitioned to Canonical.  I also list
some older ids for when I was publishing Debian AMIs for EC2.

When there is a clear leader for publishing Debian AMIs I'd be happy
to list the AMI ids.  Some criteria that I'd like to see met include:

1. AMIs published for all EC2 regions
2. AMIs published for 32-bit and 64-bit architectures
3. AMIs published for EBS boot (8GB root) and instance-store (10GB
root)
4. Public documentation and tools that can be used by anybody to
reproduce the AMIs if they wish
5. AMIs with a standard, clean, base install (not a lot of extra
packages pre-installed)
6. Some startup hooks.  At a minimum, the AMIs should support user-
data scripts ("#!" runs on first boot of instance)
7. Creates random ssh host key on first boot of each instance for
security
8. Uses standard EC2 ssh key installation from instance meta-data
9. No default public or private passwords pre-set for any service.
10. No leftover log files, history files, etc. from the build process
(do build using debootstrap, not snapshotting a live server)
11. A demonstrated commitment to releasing updated AMIs on a regular
basis.
12. A clear commitment to keeping the AMIs available forever (or a
stated number of years) even when newer AMIs are published, and even
if the older AMIs might have some bugs

1, 2, and 3 above mean that there would currently be 16 unique AMIs
published for each Debian release that is supported.  11 and 12 mean
that this number will multiply regularly and never decrease, so the
backing of an established company would be ideal.

A REST API to query the latest AMI ids would be super helpful,
especially if it followed the standard started here:

  http://uec-images.ubuntu.com/query/lucid/server/released.current.txt

--
Eric Hammond
http://Alestic.com

On Feb 9, 12:29 am, Christian <christian.wei...@sage.com> wrote:

Sorry for the belated reply. Recently I published 20 AMIs of Debian 6.0.1  
for public use under the RightScale OSS project.
Eric's requirements were addressed, please see comments inline on each:

Done.

Done.

Done, instance-store was retained as 8GB for consistency.

The ServerTemplate used to build the images was released publicly,  
http://www.rightscale.com/library/server_templates/Debian-Machine-Ima...
This includes all the scripts required to build and register the images  
(the exact same revision was used for the build).
Some additional documentation may be created in the future, however the  
scripts are pretty self explanatory and have descriptions, comments etc.

Tasksel standard package and pragmatic additional packages only were  
included. No additional daemons etc.

The Alestic, ec2-run-user-data service was included and tested.

This is performed by the RightScale RightLink agent upon start.

An LSB compliant getsshkey service was included.

Done.

Raw image build only, dpkg/apt etc. cleaned as well.

No problem in doing this as new reasons to build arise. The build is  
automated and we have a test suite for QA.

Hopefully RightScale is enough of a commitment. The AWS account is  
company-owned and the RightScale OSS project is an official commitment.

Tokyo was also included to make 20 images.

Images are listed on http://oss.rightscale.me/ and the RightScale  
MultiCloud MarketPlace, http://rightscale.com/library/.
I can export the build db somewhere else, but there probably isn't a point.
I did recall seeing a list of published EC2 AMIs on the Debian wiki or  
similar, but I cannot find this now.
If you know where this list is, please let me know and I'll add to it.

On 07/30/2011 05:51 PM, Chris Fordham wrote:

I'm happy to see continued progress in this area for my Debian friends.

Though the EBS volume is 8GB, the root file system uses only 5GB. It
looks like the EBS volume is partitioned and 3GB of it is devoted to swap.

Having swap on the EBS volume means:

 - users are paying for swap storage.  Only $0.30/month, but that could
be noticeable on a t1.micro

 - users are paying for swap IO transactions

 - swap is saved in EBS snapshots, increasing cost

 - when users take snapshots of the instance to create a public AMI
(already not recommended) there is a risk that confidential information
could leak through swap into the public AMI like passwords or AWS
credentials.

 - with a partitioned EBS boot volume, it is difficult for users to run
instances of the AMI with a larger root file system

I also noticed that the instance did not have ephemeral storage attached
or mounted.  It can be convenient to have easy access to a large local
disk for temporary data storage, even if it is not persistent.  This is
also a useful place to drop secret files that you don't want stored with
EBS snapshots.

It looks like people need a RightScale account to use this or even to
read the code.

The cloud-init package is taking off across multiple distributions.  I'd
recommend using it so users can take advantage of the growing software
and documentation pool with running things on EC2.  It has more hooks
than just user-data scripts and can be both more powerful and simpler
depending on your needs.

I recognize that RightScale has your own instance setup hooks, but those
should integrate seamlessly and RightScale has so much more
infrastructure support to offer above and beyond startup hooks, it
shouldn't be a competitive thing.

I assume that requires the AMI to be run using a RightScale account.

I just ran two instances of ami-1212ef7b and both have the same ssh host
key.  This means that ssh to any instance of these AMIs is unsafe and
vulnerable to man-in-the-middle attacks.

It is also important to output the new ssh host key fingerprint to the
console following the output format standard started by Amazon, so that
people can check the fingerprint on first ssh.  Use
"ec2-get-console-output" to see what it looks like on any Amazon or
Ubuntu instance.

I'm curious: Why is there a /root/.ssh/KEYPAIRNAME.pem file in addition
to having the public key in /root/.ssh/authorized_keys ?  Is this file
used by the system?

Under what circumstances do instances of the AMIs dial home to RightScale?

The point would be for people to be able to find the correct AMI id with
automated software.  For example, Alestic.com uses the Canonical API to
query the latest official Ubuntu AMI ids to list in the table at the top
of the home page.  Having to parse an HTML page is error prone and
likely to break as the UI changes.

At this point, I am so little involved with Debian on EC2, it probably
doesn't make sense for me to be any sort of gatekeeper for what the best
Debian AMIs are.  There is so little traffic on this group that I don't
even have an idea of what people are using or if existing public Debian
AMIs are being well vetted.

I recognize that http://Alestic.com is considered an authority if just
by Google for search phrases including "debian" and "ec2" / "ami", so I
feel an obligation to point people in a good direction when they land there.

I was already planning to stop listing the Debian AMI ids that I built
years ago as they are old Debian versions and I no longer release
updates.  I think the debian.org page you found would be a reasonably
official place to send folks:

  http://wiki.debian.org/Cloud/AmazonEC2Image

Disclosure: RightScale is a long time sponsor and supporter of
Alestic.com, my personal tech blog about AWS/EC2.  I am a fan of and
support RightScale, but think that a good community AMI should still be
high quality and safe when run outside of RightScale.

--
Eric Hammond