** Tags added: id-5e61f7e9c860ee02a619532e
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage notifications about this bug go to:
Override component to main
ec2-instance-connect 1.1.12+dfsg1-0ubuntu3 in focal: universe/net -> main
ec2-instance-connect 1.1.12+dfsg1-0ubuntu3 in focal amd64:
universe/net/optional/100% -> main
ec2-instance-connect 1.1.12+dfsg1-0ubuntu3 in focal arm64:
universe/net/optional/100% -> main
** Changed in: ec2-instance-connect (Ubuntu)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage
Sorry for rolling down one key obviously Rbalint not Rbaling ...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage notifications about this bug go
** Merge proposal linked:
https://code.launchpad.net/~rbalint/ubuntu-seeds/+git/ubuntu/+merge/381842
** Merge proposal linked:
https://code.launchpad.net/~rbalint/ubuntu-seeds/+git/platform/+merge/381844
** Merge proposal linked:
While this potentially valuable feature will impact boot speed
performance, the issue is not enough to NACK the MIR. Therefore, this
MIR should continue to be processed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
@Rbaling - This isn't in
https://people.canonical.com/~ubuntu-archive/component-mismatches.html yet.
Once seeded or depended on set it to Fix Committed and ask ubuntu-archive to
promote.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
While there are still plenty of concerns left this formally fulfills the
requirements now.
Therefore it is ready to be promoted.
** Changed in: ec2-instance-connect (Ubuntu)
Status: Incomplete => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs,
@raharper,
Your statement that this will be opt-in (disabled by default) does not
reflect our intentions with this package. Upon review, my earlier
statement was not as clear as I wish it was. In comment #31 I said:
> CPC (public cloud team) will continue with our baseline testing and for
>
@Balint,
Apologies for not responding sooner.
Perf-wise, the delta between with and without worst-case values from your
results:
(0.959 - 0.624) = .335s
is a non-trivial amount (almost 50% more) overhead for a single
connection.
Users (or programs) may run concurrent ssh sessions, which I
@raharper Could you please check if you find my recent answers in #30
satisfying for your concerns?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To
@raharper Could you please check if you find my recent answers in #30
satisfying for your concerns?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To
@raharper Could you please check if you find my recent answers in #30
satisfying for your concerns?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To
On the topic of testing raised in earlier comments. CPC will continue
with our baseline testing and for releases earlier than focal where we
will be pre-installing the package in AWS images with the service
disabled (opt-in) we will test that the service is correctly disabled.
This testing is
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: (unassigned) => Matthias Klose (doko)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage
@raharper Copying my answer in #27 again because it is not easily
readable due to answering in email:
On Thu, Feb 13, 2020 at 4:51 PM Ryan Harper <1835...@bugs.launchpad.net> wrote:
>
> On Thu, Feb 13, 2020 at 6:20 AM Balint Reczey
> wrote:
>
> > @raharper I agree with the concern regarding the
On Tue, Feb 25, 2020 at 04:21:05PM -, Balint Reczey wrote:
> This is a temporary key and it is indeed available to everyone being
> able to run curl on the system:
> https://www.reddit.com/r/aws/comments/85vkq6/question_about_accesskeyid_secretaccesskey_in/
>
> The package does not change the
Hi Seth,
Thanks for the new review.
On Fri, Feb 21, 2020 at 5:15 AM Seth Arnold <1835...@bugs.launchpad.net> wrote:
>
> This new version of ec2-instance-connect is significantly better, thanks
> for all the work.
>
> I was wrong about the dedicated user: using the ec2-instance-connect
> user is
On Thu, Feb 13, 2020 at 4:51 PM Ryan Harper <1835...@bugs.launchpad.net> wrote:
>
> On Thu, Feb 13, 2020 at 6:20 AM Balint Reczey
> wrote:
>
> > @raharper I agree with the concern regarding the manipulation of sshd
> > config. To minimize the collision with cloud-init this package does not
> >
This new version of ec2-instance-connect is significantly better, thanks
for all the work.
I was wrong about the dedicated user: using the ec2-instance-connect
user is definitely an improvement.
My one specific concern:
- AWS_SECRET_ACCESS_KEY (and the ability to get one) appears to be
The hex encoded version of the key is also passed to openssl:
$ echo abcdef0123456789 | /usr/bin/od -A n -t x1 | /bin/sed ':a;N;$!ba;s/[\n
]//g'
616263646566303132333435363738390a
$ aa-decode 616263646566303132333435363738390a
Decoded: abcdef0123456789
# Sign a message with a given key
# sign
printf is a shell built-in which does not exec a new process like echo;
I believe this is a reasonable replacement for use of echo -n
printf "%s" ${1}
Alternatively, if you drop the /bin/echo and use bash's built-in echo;
that also will work as it won't exec a new process.
--
You received this
That's got to be my one super-power -- asking a question and finding out
that no, I didn't find a bug, but by asking the question someone *else*
spots a bug.
How about this?
# Derive a sigv4 signing key for the given secret
# get_sigv4_key [key] [datestamp] [region name] [service name]
@seth-arnold The daemon-reload is added automatically by debhelper:
...
# Automatically added by dh_systemd_start/11.1.6ubuntu2
if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true
fi
# End automatically added section
...
Since it is also added to the
Is the postrm script missing a systemctl daemon-reload?
==> postrm <==
#!/bin/sh
set -e
#DEBHELPER#
case "$1" in
purge|remove|abort-install|disappear)
deb-systemd-helper purge ec2-instance-connect
# Delete system user
deluser --system --quiet ec2-instance-connect
@seth-arnold could you please review the latest version? It would be
nice to have the Security Team's approval or the list of security-
related issues to be fixed to gain approval.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
On Thu, Feb 13, 2020 at 6:20 AM Balint Reczey
wrote:
> @raharper I agree with the concern regarding the manipulation of sshd
> config. To minimize the collision with cloud-init this package does not
> change /etc/ssh/sshd_config like cloud-init does, but overrides the
> configuration value with
@raharper I agree with the concern regarding the manipulation of sshd
config. To minimize the collision with cloud-init this package does not
change /etc/ssh/sshd_config like cloud-init does, but overrides the
configuration value with a systemd drop-in. The drop-in is placed at the
time the AMI is
I'm sorry that I have not yet returned to review the new version; this
is written without having read the new changes.
On Mon, Feb 10, 2020 at 11:33:27AM -, Christian Ehrhardt wrote:
> > > - the service should not run as root, use PrivateTmp and maybe a few
> > > other systemd service
** Bug watch added: github.com/aws/aws-ec2-instance-connect-config/issues #15
https://github.com/aws/aws-ec2-instance-connect-config/issues/15
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
On Wed, Feb 5, 2020 at 10:55 PM Balint Reczey
wrote:
> @paelzer I attempt to answer the review comments below
>
Thank you @Rbalint for picking this up and driving it.
I'll skip sections that are ok now - thanks for adding/fixing all those!
> > - an ack by the cloud-init Team that this does
>From a cloud-init perspective, one area of concern is around
manipulation of sshd config.
Cloud-init does make changes to sshd config, in particular it controls
the PasswordAuthentication value based on cloud-config values,
ssh_pwauth: .
Cloud-init will read in sshd, update a key/value and
@paelzer I attempt to answer the review comments below
> [Summary]
> It seems mostly to me packaging wise, but I think there are a bunch of things
> needed to be doen to complete this. We need:
> - an ack by the cloud-init Team that this does not conflict with our usual
> services provided
Hi,
this was waiting for updates/fixes to a bunch of things as identified in former
reviews before being re-reviewed.
The correct state of this is "incomplete" until all that was requested is
provided.
(And even then it just means to restart review without guarantees to pass
cleanly).
**
** Tags added: id-5e21ca0949c79659969a46bd
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage notifications about this bug go to:
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: Balint Reczey (rbalint) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To
** Tags added: id-5e1e340b6338410899d33213
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage notifications about this bug go to:
** Changed in: ec2-instance-connect (Ubuntu)
Status: Expired => New
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: (unassigned) => Balint Reczey (rbalint)
** Description changed:
[Availability]
- ec2-instance-connect is in the Ubuntu archive, and available for all
I've been reminded that set -o pipefail is not perfect. I'm going to
quote from the excellent bash faq:
http://mywiki.wooledge.org/BashFAQ/105
> though with pipefail in effect, code like this will sometimes cause an
> error, depending on whether the output of somecmd exceeds the size of the
>
If this is going to be addressed via code changes rather than a rewrite,
I'd like to suggest the following order:
- remove all evals
- add set -o pipefail to help catch errors in pipelines
- add set -u to help catch unset variables
- replace /tmp/sigline with mktemp -d
Thanks
--
You received
[Expired for ec2-instance-connect (Ubuntu) because there has been no
activity for 60 days.]
** Changed in: ec2-instance-connect (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
At a high level I'm concerned about several parts of this tool's design:
- First, it puts an incredibly high level of trust in the metadata
service. This may make sense in the context of executing on the Amazon
platform, but is positively dangerous outside the Amazon platform. It's
** Attachment added: "shellcheck.txt"
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+attachment/5282470/+files/shellcheck.txt
** Changed in: ec2-instance-connect (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this
Also while thinking about it, ~5-8 curl calls fro every SSH login can be quite
expensive.
I know it fortunately has an early exit but that still is 2 curl requests.
If this is installed in any place without the endpoint at
169.254.169.254 being responsive and super fast this could lead to a
very
** Tags added: id-5cbf801e21a2a0662e2718a9
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage notifications about this bug go to:
Since before we had a lot of text @cloud-nit team - please review and
ack that this is no conflict with what/how cloud-init is/will provide.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
[Summary]
It seems mostly to me packaging wise, but I think there are a bunch of things
needed to be doen to complete this. We need:
- an ack by the cloud-init Team that this does not conflict with our usual
services provided through cloud init
- I'm subscribing the cloud-init Team to give it
$ shellcheck ec2-instance-connect/eic_curl_authorized_keys ec2-instance-
connect/eic_parse_authorized_keys ec2-instance-
connect/eic_run_authorized_keys
In ec2-instance-connect/eic_curl_authorized_keys line 36:
elif [ ! $(cat /sys/devices/virtual/dmi/id/board_asset_tag) = $instance ] ;
then
The code is four shell scripts which still have a lot of findings in shellcheck.
As usual the majority are minor issues, but unused variables and word split can
often lead to real bad/unexpected behavior later on.
I'm continuing the review, but do you think we could rais this upstream
to get at
In ec2-instance-connect/eic_harvest_hostkeys line 21:
elif [ $(cat /sys/hypervisor/uuid | cut -c1-3) != "ec2" ] ; then
^-- SC2046: Quote this to prevent word splitting.
^-- SC2002: Useless cat. Consider 'cmd < file | ..' or 'cmd file |
..' instead.
In
Adam mentioned fixing the Pre-Depends on adduser (moving adduser to
postinst rather than preinst) and the ancient coreutils Depends; I'll
take care of fixing those.
Aside from that, AFAIK the package is good to go, but asking for a
second opinion so I don't just approve my own MIR.
--
You
51 matches
Mail list logo
