
Re: Debian images on Microsoft Azure cloud


On Wed Nov 11, 2015 at 15:18:51 -0500, Brian Gupta wrote:
> (Note: Although some of you may know that I am a member of the Debian TM
> team, I am raising the following issues as a long-time participant in the
> debian-cloud group/mailing-list. I also apologize upfront for the length of
> this email, and for any inevitable omissions.)

I see some conflict of interest here, but I will answer the technical

First of all, I want to stress that I didn't request the trademark for the
name "Official Debian images on Microsoft Azure cloud". I am happy to help here
so that we, at some future point, might reach that status, but as per discussion
(where never a final decision was made!) during DebConf15 we mostly agreed
that we should be careful what we call "Official Debian". Therefore we would
like to use "Debian Jessie/Debian Wheezy build for Microsoft Azure".

> 1) the image includes only software available in Debian [2]

Check. Our image only includes software available in Debian, except waagent.
waagent is available in Debian itself, but not the version we currently need
for the image, see my initial mail for more information.

> 2) the image generation process is controlled solely by Debian [2]

Check. Only DDs have write access to the Jenkins instance used to generate
images and control the scripts used by the process. Apart from the usual vendor
operations staff, of course.

> 3) the image is generated using tools available in Debian, or maintained [2]
>     by Debian

Check. The tools are maintained by DD.

> 4) Only DFSG-compliant Software in the image. Only main enabled, with
>     perhaps a temporary exception for backports [3], for specific enablement
>     software


> 6) the images must provide a user experience (in terms of default
>     choice of packages, or of default configuration) identical to other
>     means of installing Debian. Differences must be documented and justified.


> 7) Debian kernel [5]

Check. For Wheezy we need to use the kernel from backports.

> 8) Built using Debian infrastructure [6] (I think this should be modified to
>     have a caveat, "to as much an extent as possible")

In general I support this idea. But the current process of building those
images is based on a contract our company has with Microsoft. This would
violate the DMUP, which clearly says: "Don't use Debian Facilities for private
financial gain or for commercial purposes, including consultancy or any other
work outside the scope of official duties or functions for the time being,
without specific authorization to do so." The process of modifying the DMUP
should be discussed elsewhere.  The publishing of images requires login
credentials to the vendor's publishing API. In most cases those credentials are
in some way linked to credit card data... Do I really need to say more?
Currently building images for whatever vendor requires root permissions on
debian.org boxes. While I have them, using them would be an abuse of my DSA
position.  Also we eat our own dogfood and use Azure images to build Azure

> There are other considerations as well that I'm not sure if we've addressed
> before.
> 1) Should we require that the images only point to Debian repos, and/or
> official
>     mirrors? If not, what are the requirements here?

That idea is complete nonsense.  a) We have several layers of checksums and
cryptographic signatures on the Debian archive, and apt requires the correct
archive signing keys, so apt would start to complain immediately. What we could
do as a requirement is that every vendor needs to list all imported keys from
"apt-key list" in the published build log of the image.  b) In most cases
vendors offering Debian run mirrors internally, which are available with a much
better connection than our official ones. Those can be verified by apt (see
(a)). Cloud vendors usually bill for external traffic, sometimes only one
direction, sometimes both. So your idea would result in our users needing to
pay even more money to the cloud vendors. While the cloud vendors might support
your idea, I personally (without any hat on) think it is a very bad idea.

> 2) Require public review of images/plans (where? I think debian-cloud
>     and debian-cd are the right places, but there may be others)

I like the idea in general. Will we be able to support the review process for
all the different vendors? Will we be able to verify images / review images for
cloud systems that are not as widely used as Azure, AWS, GCE or OpenStack?

> 4) Documentation? Is it enough to just put it in wiki.d.o, in the cloud
> section?
Started on https://wiki.debian.org/MicrosoftAzure.

> Other questions:
> 1) bootstrap-vz is used to build the AWS and GCE images. bootstrap-vz has
> also had support for Azure for at least two years. Is there a reason the
> same tool wasn't used?

The answer to this is quite simple: at the time we started to create images for
Azure, bootstrap-vz was not in shape for generating Azure images that worked.
For the demonstration during DebConf15 we needed an image, and Thomas'
openstack-debian-images script generated an image that was more or less usable
out of the box for Azure. So we continued to use that script. Long term we plan
to support both scripts.

Best regards,

Martin Zobel-Helas
Technical Director, Operations
Tel.:   +49 (2161) 4643-0
Fax:    +49 (2161) 4643-100
E-Mail: martin.zobel-helas@credativ.de
pgp fingerprint: 6B18 5642 8E41 EC89 3D5D  BDBB 53B1 AC6D B11B 627B

credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
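The proposal in point (a) above, that every vendor publish the keys imported into the image's apt keyring, only helps if someone actually compares that list against the keys that are expected. The following is an added example, not code from this thread or from the Debian cloud team, of a small POSIX shell check that parses a pasted key listing and flags any fingerprint not on a reviewer-supplied allowlist. The listing and all fingerprints below are constructed placeholders; the listing uses the "Key fingerprint = ..." form printed by `apt-key finger` (also accepting bare 40-hex-digit lines), which is an assumption about the build log's format.

```shell
#!/bin/sh
# Constructed sample of a key listing as a vendor might paste it into a
# published build log. Fingerprints are placeholders, not real Debian keys.
SAMPLE_KEY_LISTING='/etc/apt/trusted.gpg
--------------------
pub   4096R/1234ABCD 2015-01-01
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
uid                  Example Archive Automatic Signing Key (placeholder)
pub   4096R/9876FEDC 2015-03-01
      Key fingerprint = FFFF EEEE DDDD CCCC BBBB  AAAA 9999 8888 7777 6666
uid                  Vendor Extra Repository Key (placeholder)
'

# Allowlist a reviewer expects when only the (placeholder) archive key is
# acceptable; in real use this would hold the Debian archive keyring prints.
ALLOWED_ARCHIVE_ONLY='111122223333444455556666777788889999AAAA'

# Allowlist that additionally accepts the vendor's own repository key.
ALLOWED_WITH_VENDOR="$ALLOWED_ARCHIVE_ONLY
FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666"

# Read a key listing on stdin and print each fingerprint as 40 contiguous
# upper-case hex digits. Accepts "Key fingerprint = ..." lines and bare
# lines made of ten 4-digit hex groups.
extract_fprs() {
    grep -E '^ *(Key fingerprint = )?[0-9A-Fa-f]{4}( +[0-9A-Fa-f]{4}){9} *$' \
        | sed 's/^.*= //' | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_keys LISTING ALLOWLIST
# Print every fingerprint found in LISTING that is absent from the
# whitespace-separated ALLOWLIST. Returns 0 if all keys are expected,
# 1 if at least one unexpected key was imported into the image.
check_keys() {
    allowed=$(printf '%s' "$2" | tr '\n' ' ')
    status=0
    for fpr in $(printf '%s\n' "$1" | extract_fprs); do
        case " $allowed " in
            *" $fpr "*) ;;
            *) echo "unexpected apt key in image: $fpr"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run: the vendor key is reported against the strict allowlist.
check_keys "$SAMPLE_KEY_LISTING" "$ALLOWED_ARCHIVE_ONLY"
```

Against the strict allowlist the check reports the vendor key and exits non-zero; against the extended allowlist it passes, which is the decision a reviewer would document alongside the build log.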
