Hi,

[I'm not subscribed, so please CC me]

I'm new to this cloud image stuff, so may well have made broken assumptions in the following -- please correct me if I'm wrong.

I see that `machinectl` (from systemd-container) has the subcommands pull-raw and pull-tar, so I went looking for Debian images that might be expected to work with those.

I'm assuming that the files found here are a somewhat reasonable choice:

  https://cloud.debian.org/images/cloud/trixie/daily/latest/

or

  https://cloud.debian.org/images/cloud/bullseye/latest/

Since the .tar files there are a fraction of the size of the .raw files, and pull-tar is mentioned first in the manpage, it seems to make sense to try a variation on the example given, thus:

  machinectl pull-tar https://cloud.debian.org/images/cloud/trixie/daily/latest/debian-13-nocloud-amd64-daily.tar.xz trixie

This fails for multiple reasons:

1) there's no signature (I note you're soliciting for help with that, hence this email), so one might think that --verify=checksum would help with that, but it doesn't, because:

2) There are no sha256 checksums, so one actually needs --verify=no to get it going, which seems a bit sad.

   (BTW Even if there were signed sha256 checksums available, we'd still need to add the signing key to the shipped /usr/lib/systemd/import-pubring.gpg for this to work out of the box -- at present we only ship Fedora & Ubuntu keys AFAICS)

3) if one tries this with --verify=no, then it downloads something, but it doesn't work, because it seems to be expecting the tarball to contain a tar-ed up filesystem, whereas we seem to be producing a tar that contains just 'disk.raw' -- is this intentional?

So, abandoning that, if one instead tries pull-raw, against the uncompressed .raw images, it does work - e.g.:

  machinectl pull-raw --verify=no https://cloud.debian.org/images/cloud/trixie/daily/latest/debian-13-nocloud-amd64-daily.raw trixie

Is there a reason not to simply xz compress the raw image (rather than wrapping it in a tarball first)?

The Fedora example in the manpage shows that they publish a .raw.xz, so I guess it would work -- are there consumers of the .raw images that need them uncompressed? If so, would it be OK to publish both?

I'd have thought that we could significantly improve the situation by making the tarballs contain the unpacked files, rather than the disk.raw, and also publishing SHA256SUMS files, since at least --verify=checksum and pull-tar would then work.

It would also help to mention (on https://cloud.debian.org/images/cloud/) that --verify=signature isn't going to work until we both sign things, and then people get hold of the key somehow, so one should currently use --verify=checksum.

I presume that the infrastructure for actually signing things while keeping the keys safe is missing at present. Is there anything already planned for fixing that?

Anyway, assuming that I've got the situation approximately correct, I'm happy to put some effort into making things better, so feel free to point me at the right place to contribute.

Cheers, Phil.

-- 
Philip Hands -- https://hands.com/~phil
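The two checks discussed in the message above (does a tarball hold a filesystem tree or only a wrapped disk.raw, and does it match an entry in a sha256sum-format manifest), as an added example that is not part of the original e-mail and is not systemd's or Debian's code. The archives, the names rootfs.tar and wrapper.tar, and the usr/etc heuristic are constructed assumptions.

```python
import hashlib
import hmac
import io
import posixpath
import tarfile


def make_tar(members):
    """Build an in-memory tar from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def classify_tar(blob):
    """Return 'disk-image-wrapper', 'rootfs-tree' or 'unknown' for a tar archive."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        paths = [posixpath.normpath(m.name).lstrip("/") for m in tf.getmembers()]
    top = {p.split("/", 1)[0] for p in paths if p != "."}
    if top and all(t.endswith(".raw") for t in top):
        return "disk-image-wrapper"      # e.g. a lone disk.raw
    if {"usr", "etc"} & top:             # heuristic (assumption): looks like an OS tree
        return "rootfs-tree"
    return "unknown"


def verify_against_sums(blob, filename, sums_text):
    """Check blob against a sha256sum-format manifest: 'ok', 'mismatch' or 'not-listed'."""
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if name == filename:
            actual = hashlib.sha256(blob).hexdigest()
            return "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return "not-listed"


if __name__ == "__main__":
    wrapper = make_tar({"disk.raw": b"\0" * 512})
    rootfs = make_tar({"./etc/os-release": b"ID=debian\n", "./usr/bin/true": b""})
    sums = hashlib.sha256(rootfs).hexdigest() + "  rootfs.tar\n"
    print(classify_tar(wrapper), classify_tar(rootfs))
    print(verify_against_sums(rootfs, "rootfs.tar", sums))
```

A "not-listed" result corresponds to the case in the message where no checksum is published for the image, which is distinct from a published checksum that does not match.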