[ec2-beta] some feedback on the i386 image

Alex Polvi alex at polvi.net
Mon Jan 12 16:36:00 GMT 2009

On Mon, Jan 12, 2009 at 3:12 AM, Eric Hammond <ehammond at thinksome.com> wrote:
> Alex Polvi wrote:
>> [...] ubuntu images is because I trust Canonical. I would prefer to get an
>> image from Canonical, than I would from a random provider (i.e. alestic)
> Heh.  The reason I built the AMIs listed on http://alestic.com was
> because I didn't trust ones built by random strangers either :)

Ha! Small world. Thanks for creating those, they've been very helpful. :)

> I'm now working with Canonical and I support the development of the
> official Ubuntu images (and will continue supporting the ones I build
> for the community for as long as needed).
>> 1) The initial login experience is odd. I'm after root on the box, not
>> to be forced to login with the ubuntu user.
> Ubuntu does approach default security a bit differently from other
> distros.  Generally the root account is never logged in to directly, but
> instead you use a normal user ("ubuntu" in this case) and sudo to root
> when you need to do something with privs.
> [...]
> There are different approaches which were considered for users and login
> for Ubuntu on EC2.  Perhaps this is a topic that deserves more
> discussion to find out what other users in the community think.

Ah yes, I guess it just depends who the target user is. Ubuntu has
proven quite successful by taking approaches others are not used to --
this may be another example of that! However, it will probably just
cause me to create a derivative image.

>> Also, would be great if you could provide an EC2 local mirror in the
>> default sources.list (bandwidth is free within EC2). I would be happy
>> to help with this!
> I've been working on a couple approaches to this, but it's been slow
> going.  You can read about the status in this thread:
>  http://mirror-for-ec2.notlong.com
> I have a couple companies (including Canonical) who are interested in
> supporting this.  Please contact me off list and we can chat about ways
> you might be able to help speed up the effort.

Great, thanks for pointing this out!

>> One last thing, why are the host keys regenerated in firstboot.sh?
> The ssh host keys need to be regenerated on the first boot of any public
> AMI to avoid some esoteric security holes.  To really close the holes,
> you need to make sure the ssh host key fingerprint in the console output
> matches the one offered to you on first ssh in.
> If you are interested, the following thread has more information than
> you'd ever want to know about it:
>  http://ssh-paranoia-ec2.notlong.com

(!) The first time I read that, I was shocked. The same host key on
all machines? Crazy. Thanks for the fix.

Thanks again for putting these images together!
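
Added example (not part of the original message, and not code from the Ubuntu or alestic images): the check described in the host-key answer above, comparing the fingerprint printed in the instance's console output with the key the server offers on first connect. The console text, key blobs and function names are constructed for illustration; the offered key line is assumed to be in `.pub` or ssh-keyscan format.

```python
import base64
import hashlib
import re

# MD5 colon-hex (printed by older OpenSSH) or SHA256 base64 (current form).
FP_RE = re.compile(r"\b(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\b|SHA256:[A-Za-z0-9+/]{43}")

def fingerprints(key_line):
    """Return (md5_hex, sha256_b64) for a public key line.

    Accepts 'type base64 [comment]' (a .pub file) or 'host type base64'
    (ssh-keyscan output): the blob is the token after the key type.
    """
    tokens = key_line.split()
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-")))
    blob = base64.b64decode(tokens[idx + 1], validate=True)
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def console_fingerprints(console_text):
    """Collect every fingerprint-shaped token from the console output."""
    return set(FP_RE.findall(console_text))

def host_key_matches(console_text, offered_key_line):
    """True only if the offered key's fingerprint appears in the console output.

    An empty console (instance still booting) yields no trusted
    fingerprints, so the check fails closed.
    """
    trusted = console_fingerprints(console_text)
    return any(fp in trusted for fp in fingerprints(offered_key_line))

# --- constructed sample data (not real keys, not real console output) ---
def _constructed_key(seed, prefix=""):
    return prefix + "ssh-rsa " + base64.b64encode(seed).decode()

GOOD_KEY = _constructed_key(b"constructed blob: key generated on first boot")
STALE_KEY = _constructed_key(b"constructed blob: key baked into the image", "203.0.113.10 ")
CONSOLE = ("Generating public/private rsa key pair.\n"
           "2048 " + fingerprints(GOOD_KEY)[0] + " /etc/ssh/ssh_host_rsa_key.pub (RSA)\n")

if __name__ == "__main__":
    for name, key in (("first-boot key", GOOD_KEY), ("unexpected key", STALE_KEY)):
        ok = host_key_matches(CONSOLE, key)
        print(name, "->", "match" if ok else "MISMATCH, do not connect")
```

The comparison is only meaningful because the console output is fetched through the EC2 API rather than over the SSH connection being verified.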



