[ec2-beta] some feedback on the i386 image

Eric Hammond ehammond at thinksome.com
Mon Jan 12 11:12:08 GMT 2009


Alex Polvi wrote:
> Just got a chance to play with the beta (ami-814aaee8), and wanted to
> provide some feedback.

Fantastic input!  Thanks so much for taking the time to write all this down.

> [...] ubuntu images is because I trust Canonical. I would prefer to get an
> image from Canonical, than I would from a random provider (i.e. alestic)

Heh.  The reason I built the AMIs listed on http://alestic.com was
because I didn't trust ones built by random strangers either :)

I'm now working with Canonical and I support the development of the
official Ubuntu images (and will continue supporting the ones I build
for the community for as long as needed).

> 1) The initial login experience is odd. I'm after root on the box, not
> to be forced to login with the ubuntu user.

Ubuntu does approach default security a bit differently from other
distros.  Generally the root account is never logged in to directly, but
instead you use a normal user ("ubuntu" in this case) and sudo to root
when you need to do something with privs.

When building the Ubuntu AMIs listed on http://alestic.com I chose to
default to the non-Ubuntu approach because (1) it was what the existing
EC2 users were familiar with and (2) I had trouble coming up with a
clean way to do things the Ubuntu way in a public image without making
folks jump through hoops or reducing security in other ways.

I had originally backed the current approach on the official Ubuntu beta
AMIs, but after working with it for a while I agree that it is a bit of
a pain and I find myself working around the intended purpose.

I like that I can get to the "ubuntu" user using my personal ssh key,
but I don't like having to keep track of dozens of randomly generated
passwords for different instances whenever I want to sudo.

[Don't tell anybody, but] here are two tricks which work with the
current official Ubuntu beta AMIs and which I end up using regularly to
get quick jobs done on EC2 instances:

1. When the initial "Please select software that you wish to install:"
prompt shows up, hit ^C to get a prompt as root.  There is a limited
time where this can be done.

2. If the blue dialog box shows up, hit <Tab> <Enter> to close it and
the connection.  Run the ssh command again to get in as root with no
dialog box.

There are different approaches which were considered for users and login
for Ubuntu on EC2.  Perhaps this is a topic that deserves more
discussion to find out what other users in the community think.

> 2) I would much prefer a bare-bones, ec2 tailored image, instead of an
> install dialog.

The goal here was to help new Ubuntu users on EC2 see how easy it is to
set up various server options.  As an advanced user who likes to
automate my own software installation I would agree again that this
starts to get in my way as I run dozens of instances for various
purposes, hardly any of which need the software offered and I wouldn't
use that approach even if they did.

I really like being able to type "ec2intrepid" or "ec2hardy" (custom
commands) and within a minute be ssh'd in to a brand new Ubuntu instance
on EC2.  Going through extra prompts and having to re-connect gets old,
especially if I have to jot down new passwords every time.

Again, though, I don't consider myself to be a normal user, so I'm not
sure what's best for Ubuntu.

> 3) The first apt-get update threw warnings:

I'd noticed this but I just run it again and it clears up the problem.

I've submitted a bug report (LP#316307) to track this problem.

> Also, would be great if you could provide an EC2 local mirror in the
> default sources.list (bandwidth is free within EC2). I would be happy
> to help with this!

I've been working on a couple approaches to this, but it's been slow
going.  You can read about the status in this thread:

  http://mirror-for-ec2.notlong.com

I have a couple companies (including Canonical) who are interested in
supporting this.  Please contact me off list and we can chat about ways
you might be able to help speed up the effort.

> 4) I've found the included ec2-bundling tools on the alestic images
> very helpful (ec2-bundle-vol, ec2-upload-bundle, etc), although I have
> yet to miss them on this beta image.

I previously submitted an enhancement request for this (LP#308545).
It's not clear when this might be possible as it requires Amazon to
release the software with a license for Canonical to use it officially.

Until then, see the next answer.

> 5) In fact, it would be really awesome if the
> ec2-api-tools/ec2-bundle-tools were apt-get'able -
> http://developer.amazonwebservices.com/connect/entry.jspa?externalID=351

The EC2 AMI tools are available in multiverse as "ec2-ami-tools" on
Intrepid but the version is currently a bit out of date.  I submitted
LP#310547 requesting an upgrade to the latest version.

I have submitted a request for a similar ec2-api-tools package (LP#316302).

> One last thing, why are the host keys regenerated in firstboot.sh?

The ssh host keys need to be regenerated on the first boot of any public
AMI to avoid some esoteric security holes.  To really close the holes,
you need to make sure the ssh host key fingerprint in the console output
matches the one offered to you on first ssh in.

If you are interested, the following thread has more information than
you'd ever want to know about it:

  http://ssh-paranoia-ec2.notlong.com

Through a combination of discussion in the community and insight inside
Amazon, many of the public AMIs (including those from Amazon, those on
http://alestic.com, and the official Ubuntu beta AMIs) generate a new
ssh host key on the first boot and make the fingerprint available in the
console output.

I don't know anybody who actually checks it and makes sure it matches
when ssh'ing in, but it's comforting to know it is possible to be secure
if you wanted to be :-/


One last note: If you are using the AMIs on http://alestic.com I would
encourage you to join the ec2ubuntu community to keep up to date with
the latest support news:

  http://ec2ubuntu-group.notlong.com

--
Eric Hammond
http://www.anvilon.com
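The host-key check Eric describes (compare the fingerprint printed in the instance's console output with the key ssh offers you on first connect), as an added example that is not part of the original message: the key material and the console banner are constructed here, the banner layout is an assumption, and the MD5 colon format is the one ssh-keygen -l printed at the time.

```python
import base64
import hashlib
import re
import struct

# Helpers to build a constructed ssh-rsa public key in OpenSSH wire format.
# The numbers are made up and far too small for a real key; they only give
# the example a syntactically valid key line to fingerprint.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _constructed_key_line(n: int, comment: str) -> str:
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEY_LINE = _constructed_key_line(0xC0FFEE1234567, "root@instance")
OTHER_KEY_LINE = _constructed_key_line(0xBADC0DE9876543, "root@imposter")

def fingerprint_of_blob(blob: bytes) -> str:
    """MD5 fingerprint in the colon-separated form ssh-keygen -l printed in 2009."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint(key_line: str) -> str:
    """Fingerprint of a public-key line as found in a .pub file, a known_hosts
    entry or ssh-keyscan output ('[host] ssh-rsa AAAA... [comment]')."""
    tokens = key_line.split()
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-")))
    return fingerprint_of_blob(base64.b64decode(tokens[idx + 1]))

FP_RE = re.compile(r"\b(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\b")

def console_fingerprints(console_text: str) -> set:
    """Every MD5-style fingerprint printed in the instance's console output."""
    return set(FP_RE.findall(console_text))

def host_key_matches(console_text: str, offered_key_line: str) -> bool:
    """True only if the key the server offered is the one the instance printed
    at first boot, i.e. nothing sat between you and the instance."""
    return fingerprint(offered_key_line) in console_fingerprints(console_text)

# Constructed console output shaped like a firstboot fingerprint banner
# (assumed layout; the real banner text is not quoted in the thread).
SAMPLE_CONSOLE = f"""
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 {fingerprint(SAMPLE_KEY_LINE)} /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
"""
```

In practice the console text comes from ec2-get-console-output and the offered key from `ssh-keyscan -t rsa <host>`; a mismatch means the key ssh is about to trust is not the one the instance generated.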




More information about the Ec2-beta mailing list