On 1/5/26 15:45, Pete Wright wrote:
On 1/5/26 10:09, Colin Percival wrote:
I'm doing some work, with Amazon sponsorship, to bring "pre-patched" EC2
AMIs to FreeBSD.  The goal here is that soon after any security advisory
or errata notice there will be e.g. FreeBSD 15.0-RELEASE-p2 AMIs available
so that people can launch those and not need to launch the -RELEASE and
then apply updates after the instance boots.

I have a couple design questions which I'd like input on:

1. AMI flavours: We publish four flavours, "base", "small", "cloud-init",
and "AMI Builder".  The AMI Builder images (which are what I'll be using to
build updated AMIs) are designed to construct "base" images.  How useful
would it be to have other flavours?

I changed my plans and am now building updates for all four flavours.

These are now live for 15.0-RELEASE-p1.

2. SSM paths: The plan is to publish the updated AMI Ids via the SSM Parameter
Store; instead of looking up
   /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE
you would be able to look up something like
   /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1
to get 15.0-RELEASE-p1, and something like
   /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest
to get 15.0-RELEASE-p<whatever the latest patchlevel is>.  I'd like feedback
on the "something like" paths -- are those good ones, or can someone suggest
better names for the SSM parameters?

short answer the paths seem reasonable to me, although i tend to prefer explicit paths rather than "/latest" just to remove all doubt as to what version i should expect.

Right, I went with this plan, whereby you can launch .../latest to get the
latest version, or .../p<number> to get that particular patchlevel.

I am not a fan of how AWS implemented SSM, and the tooling is pretty awkward as well imho.  it would be super handy to have a page listing all of the AMIs available in an easy to parse method.

Good idea.  Which would be more useful, a single large page listing lots of
AMIs, or a search form?

--
Colin Percival
FreeBSD Release Engineering Lead & EC2 platform maintainer
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
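
The thread above discusses launching from .../latest versus an explicit .../p<number> path. The following is an added example, not part of the original thread or of any FreeBSD tooling: it maps whatever .../latest currently points at back to its explicit patchlevel path, so a deployment can record a pinned parameter. It assumes the parameter list has the Name/Value shape returned by `aws ssm get-parameters-by-path`; the function name, the p2 entry and the AMI IDs are constructed for illustration.

```python
import re

BASE = "/aws/service/freebsd/amd64/base/ufs/15.0/RELEASE"

# Constructed sample, shaped like the "Parameters" list returned by
#   aws ssm get-parameters-by-path --path "$BASE" --recursive
# The AMI IDs and the p2 entry are made up for this example.
SAMPLE_PARAMETERS = [
    {"Name": BASE + "/p1", "Value": "ami-00000000000000001"},
    {"Name": BASE + "/p2", "Value": "ami-00000000000000002"},
    {"Name": BASE + "/latest", "Value": "ami-00000000000000002"},
]


def pin_latest(parameters, base=BASE):
    """Return (explicit_path, ami_id) for the patchlevel /latest points to.

    Raises LookupError if /latest is absent or matches no p<number> entry,
    so a caller never silently records an unpinned or unknown image.
    """
    by_name = {p["Name"]: p["Value"] for p in parameters}
    latest_ami = by_name.get(base + "/latest")
    if latest_ami is None:
        raise LookupError("no /latest parameter under " + base)

    patch_re = re.compile(re.escape(base) + r"/p(\d+)$")
    matches = []
    for name, value in by_name.items():
        m = patch_re.match(name)
        if m and value == latest_ami:
            matches.append((int(m.group(1)), name))
    if not matches:
        raise LookupError("/latest matches no published p<number> parameter")

    # If several patchlevels share one AMI ID, record the highest number.
    _, name = max(matches)
    return name, latest_ami


if __name__ == "__main__":
    path, ami = pin_latest(SAMPLE_PARAMETERS)
    print(path, ami)
```
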

