I'm working at Eucalyptus Systems: I have been away at a conference, so my apologies if this has already been mentioned.
On 07/30/2011 07:14 AM, Charles Plessy wrote:
> On Tue, Jul 26, 2011 at 08:41:06PM -0400, Kyle Moffett wrote:
>>
>> My current work is here:
>> http://opensource.exmeritus.com/debian-ami/
>>
>> Please report any success or problems!
>
> Dear Kyle,
>
> I am studying debian-installer and your procedure. I see that in your patch
> for network-console, the public keys provided by the user to the instance
> running debian-installer are used not only for d-i's network console, but
> also copied to the AMI in preparation. I think that this would prevent
> sharing the AMI publicly, as explained in
> http://alestic.com/2011/06/ec2-ami-security (authorized_keys). Others often
> use a rc.local or an init.d script to install user-provided public keys each
> time the instance is run, like for instance:
> https://github.com/camptocamp/ec2debian-build-ami/blob/master/init.d/ec2-get-credentials
>
> This is actually one of the reasons why I was wondering if a package
> containing such files would help to progress towards a procedure to create
> AMIs using only material distributed in Debian.

Amazon's EMI and Ubuntu images are using cloud-init to pull in the keys, and
to do more (like installing packages, running the user's scripts, etc.). I
seem to remember that Scott Moser (author of cloud-init) was talking of
getting it into Debian, but I'm not sure about the progress.

We do provide some images to our users to test their Eucalyptus installation,
and we are in the process of refreshing them. Here is the relevant part of the
rc.local we use (in case you find it useful). We pull in the public keys, then
we look at the user-data and, if it is a script, we execute it.
# simple attempt to get the user ssh key using the meta-data service
mkdir -p /root/.ssh
echo >> /root/.ssh/authorized_keys
# the instance metadata service serves the key the user registered at launch
curl -m 10 -s http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key | grep 'ssh-rsa' >> /root/.ssh/authorized_keys
echo "AUTHORIZED_KEYS:"
echo "************************"
cat /root/.ssh/authorized_keys
echo "************************"

# check if the user-data is a script, and if so execute it
TMP_FILE="/tmp/user-data-$$"
curl --retry 3 --retry-delay 10 -o "$TMP_FILE" http://169.254.169.254/latest/user-data
if [ -s "$TMP_FILE" ]; then
    echo "Downloaded user data in $TMP_FILE"
    # a shebang on the first line marks the user-data as a script
    if [ "$(head -c 2 "$TMP_FILE")" = "#!" ]; then
        chmod 700 "$TMP_FILE"
        echo "User data is a script: executing it"
        sh "$TMP_FILE"
    fi
fi

cheers
graziano

> Have a nice week-end,
> --

--
Graziano Obertelli
Eucalyptus Systems, Inc.

Archive: http://lists.debian.org/4e347079.7040...@eucalyptus.com
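The rc.local fragment above greps for 'ssh-rsa' anywhere in whatever the metadata service returns, writes to /root/.ssh without setting permissions, and downloads user-data to the predictable path /tmp/user-data-$$ before executing it. The script below is an added example (not the rc.local quoted in the message and not Eucalyptus or Debian code) that does the same two steps with the checks a reviewer would ask for: the key line must start with a known key type and be a single line, the .ssh directory and authorized_keys get the modes sshd's StrictModes expects, and user-data goes to a mktemp file. IMDS_BASE, the function names and the list of accepted key types are this example's own assumptions; the fetch is separated from the validation so the validation runs offline.

```shell
#!/bin/sh
# Added example (not the rc.local from the message above, nor Eucalyptus code):
# the same two boot-time steps, with validation separated from the network
# fetch so the checks can run offline. IMDS_BASE, the function names and the
# accepted key types are this example's own assumptions.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254/latest}"

# fetch_metadata PATH: print the metadata document at PATH or fail. -f makes
# curl exit non-zero on an HTTP error instead of saving the error page as data.
fetch_metadata() {
    curl -f -s -m 10 --retry 3 --retry-delay 10 "$IMDS_BASE/$1"
}

# valid_pubkey LINE: exactly one line, a known key type first, a base64 blob,
# an optional comment. Option prefixes, extra lines and control characters
# are rejected, unlike a plain grep for 'ssh-rsa'.
NL='
'
valid_pubkey() {
    case "$1" in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# install_pubkey LINE SSHDIR: append LINE to SSHDIR/authorized_keys with the
# modes sshd's StrictModes expects (0700 dir, 0600 file); a key that is
# already present is not appended a second time.
install_pubkey() {
    auth="$2/authorized_keys"
    valid_pubkey "$1" || return 1
    (umask 077 && mkdir -p "$2" && touch "$auth") || return 1
    chmod 700 "$2" && chmod 600 "$auth" || return 1
    if grep -qxF -- "$1" "$auth"; then return 0; fi
    printf '%s\n' "$1" >> "$auth"
}

# is_script FILE: non-empty and starting with a shebang, as in the original.
is_script() {
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = "#!" ]
}

# Boot-time wiring, run only as "sh thisfile boot", so the functions above can
# be sourced or tested without touching the metadata service.
if [ "${1:-}" = "boot" ]; then
    if key=$(fetch_metadata meta-data/public-keys/0/openssh-key); then
        install_pubkey "$key" /root/.ssh || echo "metadata key rejected" >&2
    fi
    # mktemp gives an unpredictable, freshly created 0600 file; a fixed
    # /tmp/user-data-$$ name can be pre-created by another local user.
    ud=$(mktemp /tmp/user-data.XXXXXX) || exit 1
    if fetch_metadata user-data > "$ud" && is_script "$ud"; then
        chmod 700 "$ud" && "$ud"   # honours the shebang instead of forcing sh
    fi
    rm -f "$ud"
fi
```

Running the script by path rather than via "sh" lets the shebang pick the interpreter, which is what cloud-init does for script user-data as well; the key-type whitelist is the part most worth adjusting to whatever key types an image is expected to accept.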