Bug#971545: cloud.debian.org: Provide AMI image ID that is always recent

2020-10-02 Thread Adam Bolte
On 2/10/20 3:55 am, Ross Vandegrift wrote:
> On Thu, Oct 01, 2020 at 05:16:36PM +0200, tkoeck wrote:
>> is there an AMI image ID that is always the recent one?
> 
> Instead of hardcoding an AMI somewhere, you can search to find the
> current release.  With awscli, try something like this:
> $ aws ec2 describe-images \
>   --output text \
>   --owners 136693071363 \
>   --filters Name=name,Values="debian-10-amd64-*" \
>   --query 'Images[].[Name,ImageId]' \
>   | sort -rn \
>   | head -n 1 \
>   | awk '{print $2}'


There's a small tool I wrote earlier in the year to address the problem
of quickly finding the latest AMI for a given type. It is now hosted here:

https://github.com/sitepoint/amifinder

eg. running something like:

amifinder --name 'debian-10-amd64-*' 136693071363

in the us-west-2 region would give you:

Name: debian-10-amd64-20200928-407
Architecture: x86_64
CreationDate: 2020-09-28T23:58:51.000Z
ImageId: ami-06d8a32aedc6986f5
ImageLocation: 136693071363/debian-10-amd64-20200928-407
ImageType: machine
Public: True
OwnerId: 136693071363
State: available
  DeviceName: /dev/xvda
DeleteOnTermination: True
SnapshotId: snap-01eca3d280b2d9f69
VolumeSize: 8
VolumeType: gp2
Encrypted: False
Description: Debian 10 (20200928-407)
EnaSupport: True
Hypervisor: xen
RootDeviceName: /dev/xvda
RootDeviceType: ebs
SriovNetSupport: simple
VirtualizationType: hvm

I feel it makes things a fair bit easier.

Cheers,
Adam





Bug#971545: cloud.debian.org: Provide AMI image ID that is always recent

2020-10-01 Thread Ross Vandegrift
On Thu, Oct 01, 2020 at 05:16:36PM +0200, tkoeck wrote:
> is there an AMI image ID that is always the recent one?

That's not how AWS works - every image is always a different ID, just
like every instance is always a different ID.

Instead of hardcoding an AMI somewhere, you can search to find the
current release.  With awscli, try something like this:
$ aws ec2 describe-images \
  --output text \
  --owners 136693071363 \
  --filters Name=name,Values="debian-10-amd64-*" \
  --query 'Images[].[Name,ImageId]' \
  | sort -rn \
  | head -n 1 \
  | awk '{print $2}'


If you're using terraform, the aws_ami data source works like this:
data "aws_ami" "debian10" {
  most_recent = true
  owners      = ["136693071363"]

  filter {
    name   = "name"
    values = ["debian-10-amd64-*"]
  }
}

Ross
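
[Added example, not part of Ross's message or of any Debian tooling: a selection step for the describe-images search above that orders by CreationDate instead of by name, re-checks the owner ID and image state, and fails instead of printing an empty ID when nothing matches. The function names pick_latest_ami and sample_images are hypothetical, and every sample row except debian-10-amd64-20200928-407 is constructed.]

```shell
#!/bin/sh
# Input: tab-separated lines "CreationDate OwnerId State Name ImageId", e.g. from
#   aws ec2 describe-images --output text --owners 136693071363 \
#     --filters Name=name,Values="debian-10-amd64-*" \
#     --query 'Images[].[CreationDate,OwnerId,State,Name,ImageId]'

DEBIAN_OWNER=136693071363   # owner ID used in the thread

# pick_latest_ami OWNER NAME_PREFIX   (candidate lines on stdin)
# Prints the ImageId of the newest matching image; returns 1 if none match,
# so a caller never launches from an empty or unexpected ID.
pick_latest_ami() {
  awk -F '\t' -v owner="$1" -v prefix="$2" '
    # Appending "" forces string comparison: account IDs may have leading zeros.
    ($2 "") == (owner "") && $3 == "available" &&
    index($4, prefix) == 1 && $5 ~ /^ami-[0-9a-f]+$/ {
      # ISO 8601 UTC timestamps order correctly as plain strings.
      if (($1 "") > (best "")) { best = $1; id = $5 }
    }
    END { if (id == "") exit 1; print id }
  '
}

# Constructed sample input: an older image, the image shown in the thread,
# a newer look-alike name from a different (constructed) owner, and an
# image from the expected owner that is not yet in the "available" state.
sample_images() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    2020-09-10T10:00:00.000Z 136693071363 available \
      debian-10-amd64-20200910-000 ami-0aaaaaaaaaaaaaaaa \
    2020-09-28T23:58:51.000Z 136693071363 available \
      debian-10-amd64-20200928-407 ami-06d8a32aedc6986f5 \
    2020-10-01T00:00:00.000Z 111111111111 available \
      debian-10-amd64-20201001-999 ami-0bbbbbbbbbbbbbbbb \
    2020-09-30T00:00:00.000Z 136693071363 pending \
      debian-10-amd64-20200930-408 ami-0cccccccccccccccc
}

# Selects the image from the thread; the look-alike and pending rows are skipped.
sample_images | pick_latest_ami "$DEBIAN_OWNER" debian-10-amd64-
```
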



Bug#971545: cloud.debian.org: Provide AMI image ID that is always recent

2020-10-01 Thread Noah Meyerhans
On Thu, Oct 01, 2020 at 05:16:36PM +0200, tkoeck wrote:
> is there an AMI image ID that is always the recent one?
> 
> As far as I have seen the AMI image ID always changes for every
> subversion (e.g. Debian 10.0 to 10.1)?
> 
> It would be interesting to have an AMI image ID which would always
> represent the newest Debian 10 AMI image with all security updates
> installed.

We publish updated AMIs (and images for other cloud services) when
necessary, not just on stable point releases.  You can see the history
for buster and stretch AMIs at the following locations.  Note especially
the updates addressing DSAs for core packages such as the kernel, libc,
or openssl.

https://wiki.debian.org/Cloud/AmazonEC2Image/Buster and
https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch

We don't necessarily publish updates for every package in the base image
that gets an update.  Many package updates are for relatively minor
issues with a limited exposure.  Cloud-init provides a simple mechanism
allowing packages to be updated upon instance launch, and we run
unattended-upgrades by default.  Primarily, the packages that trigger an
AMI update are packages that require a reboot in order to be effectively
applied.

I think our current approach provides a good balance between up-to-date
contents and excessive churn.  However, if you really want something
more likely to be up-to-date, we generate images daily, and you can use
them.  You should understand that these daily builds are mostly intended
for testing purposes, and they could disappear with little to no
warning.  See
https://noah.meyerhans.us/2020/03/04/daily-vm-image-builds-are-available-from-the-cloud-team/
for details about where to find them.

noah



Bug#971545: cloud.debian.org: Provide AMI image ID that is always recent

2020-10-01 Thread tkoeck
Package: cloud.debian.org
Severity: wishlist

Dear Maintainer,

is there an AMI image ID that is always the recent one?

As far as I have seen the AMI image ID always changes for every
subversion (e.g. Debian 10.0 to 10.1)?

It would be interesting to have an AMI image ID which would always
represent the newest Debian 10 AMI image with all security updates
installed.

Greetings
Tobias

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-2-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled