
Re: Providing official virtualisation images of Debian



I'm working at Eucalyptus Systems: I have been away at a conference, so
my apologies if this has already been mentioned.

On 07/30/2011 07:14 AM, Charles Plessy wrote:
> On Tue, Jul 26, 2011 at 08:41:06PM -0400, Kyle Moffett wrote:
>>
>> My current work is here:
>>   http://opensource.exmeritus.com/debian-ami/
>>
>> Please report any success or problems!
> 
> Dear Kyle,
> 
> I am studying debian-installer and your procedure.  I see that in your patch for
> network-console, the public keys provided by the user to the instance running
> debian-installer are used not only for d-i's network console, but also copied
> to the AMI in preparation.  I think that this would prevent sharing the AMI
> publicly, as explained in http://alestic.com/2011/06/ec2-ami-security
> (authorized_keys).  Others often use a rc.local or an init.d script to install
> user-provided public keys each time the instance is run, like for instance:
> https://github.com/camptocamp/ec2debian-build-ami/blob/master/init.d/ec2-get-credentials
>
> This is actually one of the reasons why I was wondering if a package containing
> such files would help to progress towards a procedure to create AMIs using
> only material distributed in Debian.

Amazon's EMI and Ubuntu images are using cloud-init to pull in the keys,
and to do more (like installing packages, running user's scripts etc.).
I seem to remember that Scott Moser (author of cloud-init) was talking
of getting it into Debian, but I'm not sure about the progress.

We do provide some images to our users to test their Eucalyptus
installation, and we are in the process of refreshing them. Here is the
relevant part of rc.local we use (in case you find it useful). We
pull in the public-keys then we look at the user-data and if it is a
script we execute it.

# simple attempt to get the user ssh key using the meta-data service
mkdir -p /root/.ssh
echo >> /root/.ssh/authorized_keys
# fetch the first public key from the meta-data service (10 s timeout) and
# keep only the ssh-rsa line, so an error page never lands in authorized_keys
curl -m 10 -s http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key | grep 'ssh-rsa' >> /root/.ssh/authorized_keys
echo "AUTHORIZED_KEYS:"
echo "************************"
cat /root/.ssh/authorized_keys
echo "************************"

# check if the user-data is a script, and if so execute it
TMP_FILE="/tmp/user-data-$$"
curl --retry 3 --retry-delay 10 -o "$TMP_FILE" http://169.254.169.254/latest/user-data
if [ -s "$TMP_FILE" ]; then
        echo "Downloaded user data in $TMP_FILE"
        # a leading "#!" marks the user-data as a script
        if [ "$(head -c 2 "$TMP_FILE")" = "#!" ]; then
                chmod 700 "$TMP_FILE"
                echo "User data is a script: executing it"
                sh "$TMP_FILE"
        fi
fi

cheers
graziano


> Have a nice week-end,
> 

-- 
Graziano Obertelli
Eucalyptus Systems, Inc.
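Both Charles's suggestion and Graziano's rc.local fragment rely on the same idea: pull the user's keys from the metadata service at every boot rather than baking them into the image, so the image can be published without carrying anyone's authorized_keys. The script below is an added example written for this thread (it is not the rc.local above, not Eucalyptus code and not cloud-init); it does the same two jobs, but filters the metadata reply down to lines shaped like OpenSSH public keys, skips keys already present so repeated boots do not grow the file, and sets the permissions sshd expects. The function names, the METADATA_URL variable and the sample metadata blob are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread: not the rc.local quoted above and not
# Eucalyptus code. Boot-time key installation from an EC2-style metadata
# service, with the reply filtered and key-file permissions fixed.

# Metadata base URL; the variable name is an assumption of this example.
METADATA_URL="${METADATA_URL:-http://169.254.169.254/latest}"

# Constructed sample of a metadata reply (not real keys): two valid keys,
# one of them repeated, plus an HTML error line that must not be installed.
SAMPLE_METADATA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 alice@example
<html>404 Not Found</html>
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4k bob@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 alice@example'

# filter_ssh_keys: keep only lines shaped like an OpenSSH public key
# (key type, base64 blob, optional comment), so an error page or other
# stray output from the metadata service never reaches authorized_keys.
filter_ssh_keys() {
    grep -E '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_keys KEYFILE: read key lines on stdin, append those not already in
# KEYFILE (a reboot must not duplicate them), and set the permissions sshd
# expects on the directory and file. Prints the number of keys added.
install_keys() {
    keyfile=$1
    added=0
    mkdir -p "$(dirname "$keyfile")"
    chmod 700 "$(dirname "$keyfile")"
    touch "$keyfile"
    chmod 600 "$keyfile"
    while IFS= read -r key; do
        if ! grep -qxF -- "$key" "$keyfile"; then
            printf '%s\n' "$key" >> "$keyfile"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# user_data_is_script FILE: true when FILE is non-empty and starts with "#!",
# the same test the rc.local in this thread applies before running user-data.
user_data_is_script() {
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# apply_instance_metadata: what rc.local would call at boot. Fetches the
# first public key with the same 10 s timeout as the original, then runs
# user-data only when it carries a shebang. Not invoked automatically here.
apply_instance_metadata() {
    n=$(curl -m 10 -s "$METADATA_URL/meta-data/public-keys/0/openssh-key" \
        | filter_ssh_keys | install_keys /root/.ssh/authorized_keys)
    echo "installed $n new key(s)"
    ud="/tmp/user-data-$$"
    curl --retry 3 --retry-delay 10 -s -o "$ud" "$METADATA_URL/user-data"
    if user_data_is_script "$ud"; then
        echo "user-data is a script: executing it"
        sh "$ud"
    fi
    rm -f "$ud"
}
```

To use it from rc.local, source the file and call apply_instance_metadata; running the sample through `printf '%s\n' "$SAMPLE_METADATA" | filter_ssh_keys | install_keys /some/authorized_keys` installs the two distinct keys, drops the HTML line, and reports 0 additions on a second pass.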

