[NB: CC'd to the Fedora cloud SIG mailing list]

On Tue, Oct 01, 2013 at 09:22:44AM -0400, Matthew Miller wrote:
> On Tue, Oct 01, 2013 at 02:20:11PM +0100, Richard W.M. Jones wrote:
> > > Is there a reason to not use the official Fedora cloud images?
> > That's part 2 of this exercise. Would like to talk to you
> > about that separately at some point.
>
> Okay. Any time. :)

So there are a few immediate problems (some of them in virt-builder itself).

(1) Virt-builder really needs to be able to source images from multiple places. At the moment there is only one source location allowed, unless the user clumsily uses the --source option to point at another one.

(2) Virt-builder currently assumes the image format is xz-compressed. Actually I notice the raw.xz images are in the correct format already, so we're good here.

(3) Virt-builder requires all images to be GPG-signed. It worries me that these images are neither signed nor downloaded over https.

(4) Virt-builder requires a (signed) index file describing each cloud image. I believe it would be a good thing for the cloud images to include an index file, so that tools can automatically find out what's there. The format of the index file is described here:

http://libguestfs.org/virt-builder.1.html#creating-and-signing-the-index-file

However having the index file will be less useful until (1) is fixed.

(5) Digital signatures: Currently virt-builder requires all indexes and images to be signed by yours truly unless you go through an involved process described here:

http://libguestfs.org/virt-builder.1.html#setting-up-a-gpg-key

We need to fix this, but key management is a non-trivial problem, since we cannot host the public key in the same place as the index & images (an attacker could replace both the images & key at the same time).

What's the strategy going to be for signing these cloud images?
----------------------------------------------------------------------

To test this out, I created an index file for the 64 bit Fedora 19 cloud image, which is attached. I also signed it (signature also attached).

You can test this if you want by putting all 3 files into a directory anywhere and using commands such as:

  virt-builder --source file:///path/to/index.asc -l

  virt-builder --source file:///path/to/index.asc --notes fedora-cloud-19

  virt-builder --source file:///path/to/index.asc \
    fedora-cloud-19 \
    --size 20G \
    --root-password password:123456 \
    --install @development-tools

And basically it works:

$ virt-builder --source file:///mnt/scratch/index.asc fedora-cloud-19 --size 20G --root-password password:123456 --install @development-tools
[   0.0] Downloading: file:///mnt/scratch/Fedora-x86_64-19-20130627-sda.raw.xz
[   0.0] Creating disk image: fedora-cloud-19.img
[   1.0] Uncompressing: file:///mnt/scratch/Fedora-x86_64-19-20130627-sda.raw.xz
[  14.0] Running virt-resize to expand the disk to 20.0G
[  44.0] Opening the new disk
[  47.0] Setting a random seed
[  47.0] Setting root password
[  47.0] Installing packages: @development-tools
[ 156.0] Finishing off
Output: fedora-cloud-19.img
Total usable space: 19.7G
Free space: 18.6G (94%)

I didn't test this one to see if it boots.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[fedora-cloud-19]
name=Fedora® 19 Cloud (x86-64)
osinfo=fedora19
file=Fedora-x86_64-19-20130627-sda.raw.xz
sig=Fedora-x86_64-19-20130627-sda.raw.xz.sig
format=raw
size=2147483648
compressed_size=135178796
expand=/dev/sda1
notes=Fedora® 19 Cloud (x86-64) image
 Fedora and the Infinity design logo are trademarks of Red Hat, Inc.
 Source and further information is available from http://fedoraproject.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSbi9hAAoJEJFzj3Pht2igv48QAIktAqSBCEdenDFH+dMM13LW
Go/AjPKWzlEp21fDaTuUZaIGx+dqf23FnUuJeAU0s84aAXqU0Umtsskk0se0oM0s
ETKt5JVJ7ec8sowaHjOENWYQHCfKgq4qTpFjk/luzFJzpZUjTUfw0+9p1BND9iwm
UPtbf2JqMDu3j89LmeSCmF5lW2ndcFpondIou1Rn1eoEEzFi9JoNIsX+cx+JPRqm
3vNUiHPru5UKxXpYNyxU34gk667limhdqhhy4kCLzet8qqtK7zoFaAr6HFCY5cra
3k8tUDuJ1cpefEvA+6L6yIurrUqJ2vcrKrl3nq/UDtFmhZ3zqJLZ6Aes746fit9G
YrC6BAg1WGWPYBUN/S8U/8YRIcLxj5DIj2oVtsQPyAC9N3mTJgKPQF+tKP8+Uy5u
JDCjzFY3AcgZfzNg9Y/lmVOGIaSWVMo64S4jPOI96Jsue9xfSVfViKWY7iIbjA7f
k6t1kz+8CTJY5ESDiVWH8ToWPGkYfljs6P6LBLuW0fQmeMFOfmJhZwGqa5tuMzon
eQudmdtz65sehlW9SgAGzAUF7d2PhKCqCpI6gtxYCVCDw5Vec4n7JRAhB4/WiCeC
tJFQkchM4r4qnnQF+7rztDLc9OEsLHJv7VuBshylu9Sk15TInxijnvzX2BqYdVgB
GL/J99TGzXgrARv4C0nu
=vS+q
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAABAgAGBQJSbi+RAAoJEJFzj3Pht2ig7HIQAMBXSKYAmKbkfDpv3lMTz7L6
zoYN7rQslQbX7zs4H8Tjg0vRLKFjAntGFW022dak9uJfMl+KicHJV72WS94L8JFK
j9w29Y0vR8mps0/R9inAj3DHfNruyyZ9FwRb4slhZgLkktz/Ncc4p+u951cUvNec
MeF6ERR5v0gadbt0e0yh0JfuI1Xt2GsAnoJBpUpDYG0tgFZK3VwY4IF8311hbmXR
vWB6JdtWUh742GsZK490E51C28T1NY05F5/sjcAb5fpoj0Cz0F4sMcXwcX6XXC+M
0y0yHlk26abpWM9kXaM640EhlCmtExGByBpf913t7CgdXo/OAlXg75+f+D33tXGW
8AmM0WHGXFbfZ2JSC4KACwvHfI8XRJhN6VFi1hs6g5L+/hHpVtviaJ2vzaXLlmwY
xYMNahrTF/M1EX9XiNODLBg2vxG3DmRJ+JRTf/yVw0p3CImVGPh25r8Pbk3iEod3
MpdBFibEa1gyalw4+OAS7F8hcBLPHIx/wFWGEXRd7zalQ2tSnzq/j9Kaa4FPW3nm
neN2gkaN/NJ5Sjq9tal0oGBYm1lkZYoe6OfSjw0SV3dTHi2kE4IsyklECopIF4bN
rGqLwkJdauPDVLtPOKoPKMJzaVRYvwtzRkRgoxbcBkPCmww1mjgIAGzQJGGBSHpK
LuVoWG3zH9oCv9BTrr8K
=VBMh
-----END PGP SIGNATURE-----
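The attached index.asc follows the virt-builder index format referred to in point (4): a `[section]` header per image, `key=value` lines, and a multi-line `notes` value whose continuation lines start with whitespace. The following is an added example, not code from this mail or from libguestfs: a small Python parser for that format plus the sanity checks a consumer would run on an index after its GPG signature has been verified (the checks do not replace that verification). The sample input is a copy of the attached index with the PGP armour stripped; treating `file` and `size` as mandatory, `size`/`compressed_size` as integers, and whitespace-led lines as continuations are this example's own assumptions about the format, not something virt-builder is known to enforce.

```python
import re

# Constructed sample input: the attached index for the Fedora 19 cloud image
# with the PGP clearsign armour removed. Continuation lines of "notes" begin
# with a single space (assumed continuation convention of the index format).
SAMPLE_INDEX = """\
[fedora-cloud-19]
name=Fedora® 19 Cloud (x86-64)
osinfo=fedora19
file=Fedora-x86_64-19-20130627-sda.raw.xz
sig=Fedora-x86_64-19-20130627-sda.raw.xz.sig
format=raw
size=2147483648
compressed_size=135178796
expand=/dev/sda1
notes=Fedora® 19 Cloud (x86-64) image
 Fedora and the Infinity design logo are trademarks of Red Hat, Inc.
 Source and further information is available from http://fedoraproject.org/
"""

# Keys this example treats as mandatory / integer-valued (an assumption made
# for the checks below, not a statement of what virt-builder itself requires).
REQUIRED_KEYS = ("file", "size")
INTEGER_KEYS = ("size", "compressed_size")

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def parse_index(text):
    """Parse an index into {section: {key: value}}.

    Section headers are [name]; other lines are key=value; a line that begins
    with whitespace continues the previous key's value (joined with a newline).
    """
    entries = {}
    section = None
    last_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = SECTION_RE.match(raw)
        if m:
            section = m.group(1)
            if section in entries:
                raise ValueError(f"line {lineno}: duplicate section [{section}]")
            entries[section] = {}
            last_key = None
            continue
        if raw[0] in " \t":
            if section is None or last_key is None:
                raise ValueError(f"line {lineno}: continuation line without a key")
            entries[section][last_key] += "\n" + raw.strip()
            continue
        if section is None:
            raise ValueError(f"line {lineno}: key=value before any [section]")
        key, sep, value = raw.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        last_key = key.strip()
        entries[section][last_key] = value.strip()
    return entries


def check_entry(section, fields, actual_compressed_size=None):
    """Return a list of problems for one entry (empty list means it looks sane).

    actual_compressed_size is the byte length of the downloaded .xz file, if
    known, so a mismatch is flagged before anything is decompressed.
    """
    problems = []
    for key in REQUIRED_KEYS:
        if key not in fields:
            problems.append(f"[{section}]: missing required key '{key}'")
    for key in INTEGER_KEYS:
        if key in fields and not fields[key].isdigit():
            problems.append(f"[{section}]: '{key}' is not a non-negative integer")
    # "file" is joined to the source URL, so it must be a bare file name and
    # not a path that could point outside the source directory.
    fname = fields.get("file", "")
    if fname and ("/" in fname or fname.startswith("..")):
        problems.append(f"[{section}]: 'file' must be a bare file name, got {fname!r}")
    # Without a detached signature the image itself cannot be verified.
    if "sig" not in fields:
        problems.append(f"[{section}]: no 'sig' key, image signature cannot be checked")
    if (actual_compressed_size is not None
            and fields.get("compressed_size", "").isdigit()
            and int(fields["compressed_size"]) != actual_compressed_size):
        problems.append(f"[{section}]: compressed_size {fields['compressed_size']} "
                        f"does not match downloaded size {actual_compressed_size}")
    return problems


def check_index(text, sizes=None):
    """Parse and check every entry; sizes maps section name -> downloaded byte count."""
    sizes = sizes or {}
    return {section: check_entry(section, fields, sizes.get(section))
            for section, fields in parse_index(text).items()}


if __name__ == "__main__":
    for section, probs in check_index(SAMPLE_INDEX, {"fedora-cloud-19": 135178796}).items():
        print(section, "OK" if not probs else probs)
```

The `sig` check mirrors point (3): an index entry without a detached signature is a download that can be served over plain http and swapped at will, so a consumer should refuse it rather than silently skipping verification.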
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct