[ec2-beta] some feedback on the i386 image
Alex Polvi
alex at polvi.net
Mon Jan 12 16:36:00 GMT 2009
On Mon, Jan 12, 2009 at 3:12 AM, Eric Hammond <ehammond at thinksome.com> wrote:
> Alex Polvi wrote:
>> [...] ubuntu images is because I trust Canonical. I would prefer to get an
>> image from Canonical, than I would from a random provider (i.e. alestic)
>
> Heh. The reason I built the AMIs listed on http://alestic.com was
> because I didn't trust ones built by random strangers either :)
Ha! Small world. Thanks for creating those, they been very helpful. :)
> I'm now working with Canonical and I support the development of the
> official Ubuntu images (and will continue supporting the ones I build
> for the community for as long as needed).
>
>> 1) The initial login experience is odd. I'm after root on the box, not
>> to be forced to login with the ubuntu user.
>
> Ubuntu does approach default security a bit differently from other
> distros. Generally the root account is never logged in to directly, but
> instead you use a normal user ("ubuntu" in this case) and sudo to root
> when you need to do something with privs.
> [...]
> There are different approaches which were considered for users and login
> for Ubuntu on EC2. Perhaps this is a topic that deserves more
> discussion to find out what other users in the community think.
Ah yes, I guess it just depends who the target user is. Ubuntu has
proven quiet successful by taking approaches others are not used to --
this may be another example of that! However, it will probably just
cause me to create a derivative image.
>> Also, would be great if you could provide an EC2 local mirror in the
>> default sources.list (bandwidth is free within EC2). I would be happy
>> to help with this!
>
> I've been working on a couple approaches to this, but it's been slow
> going. You can read about the status in this thread:
>
> http://mirror-for-ec2.notlong.com
>
> I have a couple companies (including Canonical) who are interested in
> supporting this. Please contact me off list and we can chat about ways
> you might be able to help speed up the effort.
Great, thanks for pointing this out!
>> One last thing, why are the host keys regenerated in firstboot.sh?
>
> The ssh host keys need to be regenerated on the first boot of any public
> AMI to avoid some esoteric security holes. To really close the holes,
> you need to make sure the ssh host key fingerprint in the console output
> matches the one offered to you on first ssh in.
>
> If you are interested, the following thread has more information that
> you'd ever want to know about it:
>
> http://ssh-paranoia-ec2.notlong.com
(!) The first time I read that, I was shocked. The same host key on
all machines? Crazy. Thanks for the fix.
Thanks again for putting these images together!
Regards,
-Alex
More information about the Ec2-beta
mailing list