On 07/30/2011 05:51 PM, Chris Fordham wrote:
> Recently I published 20 AMIs of Debian 6.0.1 for public use under
> the RightScale OSS project.
I'm happy to see continued progress in this area for my Debian friends.
>> 3. AMIs published for EBS boot (8GB root) and instance-store (10GB
> Done, instance-store was retained as 8GB for consistency
Though the EBS volume is 8GB, the root file system uses only 5GB. It
looks like the EBS volume is partitioned and 3GB of it is devoted to swap.
Having swap on the EBS volume means:
- users are paying for swap storage. Only $0.30/month, but that could
be noticeable on a t1.micro
- users are paying for swap IO transactions
- swap is saved in EBS snapshots, increasing cost
- when users take snapshots of the instance to create a public AMI
(already not recommended) there is a risk that confidential information
could leak through swap into the public AMI like passwords or AWS
- with a partitioned EBS boot volume, it is difficult for users to run
instances of the AMI with a larger root file system
I also noticed that the instance did not have ephemeral storage attached
or mounted. It can be convenient to have easy access to a large local
disk for temporary data storage, even if it is not persistent. This is
also a useful place to drop secret files that you don't want stored with
It looks like people need a RightScale account to use this or even to
read the code.
>> 6. Some startup hooks. At a minimum, the AMIs should support user-
>> data scripts ("#!" runs on first boot of instance)
> The Alestic, ec2-run-user-data service was included and tested.
The cloud-init package is taking off across multiple distributions. I'd
recommend using it so users can take advantage of the growing software
and documentation pool with running things on EC2. It has more hooks
than just user-data scripts and can be both more powerful and simpler
depending on your needs.
I recognize that RightScale has your own instance setup hooks, but those
should integrate seamlessly and RightScale has so much more
infrastructure support to offer above and beyond startup hooks, it
shouldn't be a competitive thing.
>> 7. Creates random ssh host key on first boot of each instance for
> This is performed by the RightScale RightLink agent upon start.
I assume that requires the AMI to be run using a RightScale account.
I just ran two instances of ami-1212ef7b and both have the same ssh host
key. This means that ssh to any instance of these AMIs is unsafe and
vulnerable to man-in-the-middle attacks.
It is also important to output the new ssh host key fingerprint to the
console following the output format standard started by Amazon, so that
people can check the fingerprint on first ssh. Use
"ec2-get-console-output" to see what it looks like on any Amazon or
>> 8. Uses standard EC2 ssh key installation from instance meta-data
> An LSB compliant getsshkey service was included.
I'm curious: Why is there a /root/.ssh/KEYPAIRNAME.pem file in addition
to having the public key in /root/.ssh/authorized_keys ? Is this file
used by the system?
>> 9. No default public or private passwords pre-set for any service.
Under what circumstances do instances of the AMIs dial home to RightScale?
> I can export the build db somewhere else, but there probably isn't a point.
The point would be for people to be able to find the correct AMI id with
automated software. For example, Alestic.com uses the Canonical API to
query the latest official Ubuntu AMI ids to list in the table at the top
of the home page. Having to parse an HTML page is error prone and
likely to break as the UI changes.
At this point, I am so little involved with Debian on EC2, it probably
doesn't make sense for me to be any sort of gatekeeper for what the best
Debian AMIs are. There is so little traffic on this group that I don't
even have an idea of what people are using or if existing public Debian
AMIs are being well vetted.
I recognize that http://Alestic.com is considered an authority if just
by Google for search phrases including "debian" and "ec2" / "ami", so I
feel an obligation to point people in a good direction when they land there.
I was already planning to stop listing the Debian AMI ids that I built
years ago as they are old Debian versions and I no longer release
updates. I think the debian.org page you found would be a reasonably
official place to send folks:
Disclosure: RightScale is a long time sponsor and supporter of
Alestic.com, my personal tech blog about AWS/EC2. I am a fan of and
support RightScale, but think that a good community AMI should still be
high quality and safe when run outside of RightScale.