[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Images on Amazon Web Services (resent)




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
On 8/11/2012 9:54 PM, Stefano Zacchiroli wrote:
> On Thu, Nov 08, 2012 at 02:40:38PM +0100, Marco d'Itri wrote:
>> On Nov 08, Thomas Goirand <zigo@debian.org> wrote:
>>> These AMI images should be released through the official Debian mirrors,
>>> or at least from a page on Alioth, not only from Amazon itself.
>> I understand that AMIs are on S3, are these buckets publically
>> accessible?
>> As long as they are accessible to non-Amazon customers too, I see no
>> reason to distribute the images on our infrastructure too.
> Ah, good point! Not sure about accessibility to the public, though. IIRC
> they expect someone to pay for the bandwidth there? I guess others more
> knowledgeable than me on these matters could comment on that...

These are AMIs are stored as snapshots on Amazon S3. We can set the snapshot as 'public' to be viewable by anyone else with an account on AWS (this is separate form making the AMI public as a ready-to-launch image). However, we could make a EBS volume from the snapshot, and then 'dd' the image of the volume, compress up the image, and push that onto a public bucket where the world could download it. Right now, each Region's image is every so slightly different - they reference separate mirrors in /etc/apt/sources.list.

So, perhaps to keep this as low touch as possible:
* AMIs are marked as public - accessible to any AWS account
* The snapshots that create the AMIs are marked as public (so shareable within AWS, without starting the image)
* In one region, we do the snapshot->EBS->dd->gzip->S3 and thereby make it publicly downloadable. This can live in the AWS account, just as the AMIs do.

> Still, I think we should provide some trust path for people interested
> in retrieving the images. E.g. publishing image checksums signed by our
> archive key. And on that front too, we'll need to discuss with the
> archive admins what's the most appropriate work-flow.


We (Debian) can generate a digest of the snapshot (via the EBS volume we make from the snapshot), sign and publish this.



  James


- --
/Mobile:/ +61 422 166 708, /Email:/ james_AT_rcpt.to
PLUG President 2012: http://www.plug.org.au <http//www.plug.org.au>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
 
iQIcBAEBAgAGBQJQm81RAAoJEK7IKHSdhcU8onEP/1o7/p+DKUv/KFj3FFAWnCeH
mHz4GYMenRQVDyCKRgxVOUXtUFgQxRW9mMndYO8HHuNn6b3LBPYoMNw0UtGRxjIh
KKEDenAwmxN83jo0sY6VuLMzMQiK6kD312y/DTnpD96IL6Ra/HQGyfN0QREuQI7H
ImIOzZv5mcZT7RRWI1Cr5jXXaKvrb+ytJyxUTtvoyqYT60fPxEQwkasRWxry6CUo
6rCOkccGZdJ6PGwOsHIwDK3OXAgwGlUCMhidPs+C7MQ//VNdc8E5o+chbTnvZ5ZT
o/Sr1jMKwGVTML95Q4FcTe3HvOyXrDkheM8Ry8GIdkzXJuwNW4T73a5e2gPvQbsF
rYvvHvghXGzOUMX3P3RmDkOe4O907QihIC182/JgKF7WwibOwHi4blm6EqaPdTBp
2CGUe36oAzqUnDfDeI/QGx10mhhvDfK2UKatF/5rdzzUbiI8KC9ON7NlcHQYuC6Z
tghnnlzg20rNbXfjLST+O3/RpLbchLviJ+blke2ksJNBdX8hlsNWkCHPhlVBWO0m
z53i4tXDT5p88xHD/JQPOiyd2It5VjOcVlvwSxm8SrDVvZdJEVYplICv6JyIzNul
XLfXPxS5ll08W7PYyrQJ7txh82zJ9chhP2igenwFJ/v9CITWkU8TBDxSU+bTNUOp
fD83e56/Qq3MpxbvuexA
=BjVb
-----END PGP SIGNATURE-----


Reply to: