From nobody Mon Jan 5 18:09:06 2026 X-Original-To: freebsd-cloud@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dlMkX2M0Pz6Mqyx for ; Mon, 05 Jan 2026 18:09:08 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dlMkX1pnSz4FFZ; Mon, 05 Jan 2026 18:09:08 +0000 (UTC) (envelope-from cperciva@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1767636548; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding:autocrypt:autocrypt; bh=a2feCwIj30iJ1uIcrlK47t6U/NVKujA44nWtEBl/nYg=; b=x/7OuzT1f58wtngHF3qD4ixtx2wyFEKPqLigq0kmTcP4yWTJFafR65oatg5nPLqHlyn4Bp Q93EO3v0X9ZEg/t0qf+ptHAJni2GrMOego+nlNn/YkJXBgAOPZDlOVnqKIln0Ftt8+EH0z J4JMGvk4ucd3ZtTgP+y3/QeKtgyCfFJATttSzAoCPG7ggO0QweE1YEWJlvo5fkw/GhSmBi O8tismW8t/jgYw//Ox04ACxpiCl4QU6Kp7r7Mug5QWqnAhTH93OsD0b0ebytTUDVx64XIv UxVUega+UsZ0R8PegWB5gn8sRRVvplPgom0lzyYG79POns5ZJnymk1G5L6RgQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1767636548; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding:autocrypt:autocrypt; bh=a2feCwIj30iJ1uIcrlK47t6U/NVKujA44nWtEBl/nYg=; b=WDp3HB/eAQQIP+lLo9NNPzDGJVi+rqKIBkjACujhpPxDM5YC+Kg69/D98yGwqCVkdCHYUn z/gNGei5nlWNeIrhbqz3YQK0/nE04Sbx1Lhi8uyGj/UKduYvXoU9hlQG4K5b18vc7id7Tn 6Q8PqRzHT8dFDljpOkj9x4RXd8enIrUtXwtA+7nMHMg7aJWxFaCQrQheKJrnKrsPL14+As yV8RJLzLdHmVNT//Pv7G3oMh2SBI8eQHpSzXX1YRbsAbN3IRWKYuau2i7LSTNyPW73iI6t U+gEVErULnj0IBei8sT/CqGHb8Yl6dbY1AX+X2xN6GG0euvB1JiHDbL/CcM1sQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1767636548; a=rsa-sha256; cv=none; b=cIpSLpNyrR85DIWFmTS4+LENPsV4OVD5uEr/hmoCa3w8zNwnhVRFEPIuG+k5SmCVZ5U/Pd 9hhrhvldsZiUPkMUz550j9Vcl33uT0vWGo6G48ZeywTQHN2Lg/h+XAfNhWGUTc2qObLFoa B870socKiIbsNBWNiXDeLGonYZWxGooD6K5RDZUbt8b3rzE3hDftDWVUlcsoDTs12rFYWn fEQr1QY2Aj8heyFzlpuOLfHD1QS7IZbEGOrl30BSUIQdNuhFYFfyq72faOviQ/NRt+HHNd LgZpJIGlshIGKb2VEscJBpecWWqHK3xji5TMaBGB8Jvq0JbN2lAv/ZQ+9gv+kw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from [192.168.6.36] (S0106684a76304d01.vf.shawcable.net [70.69.240.84]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: cperciva/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4dlMkW6P8rzCFP; Mon, 05 Jan 2026 18:09:07 +0000 (UTC) (envelope-from cperciva@freebsd.org) Message-ID: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> Date: Mon, 5 Jan 2026 10:09:06 -0800 List-Id: FreeBSD on cloud platforms (EC2, GCE, Azure, etc.) List-Archive: https://lists.freebsd.org/archives/freebsd-cloud List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-cloud@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: "freebsd-cloud@freebsd.org" Cc: FreeBSD Release Engineering Team From: Colin Percival Subject: RFC: EC2 "pre-patched" AMIs Autocrypt: addr=cperciva@freebsd.org; keydata= xsFNBGWMSrYBEACdWRqDn3B3SKO7IG0/fGHYtfs26f3Q5QeAcasy1fQLniwGQWn5rlILhbCD K/jdNoDm5Zxq20eqyffoDNObCjnHgg4tGANdi+RmDy+7CDpE789H8dss9y7Pt5DlGGAXQQnt hxush3EYS/Ctprd9UUL/lzOOLOU1aNtzB84tNrJBtcJmL7OYHfyTSNFxvedqJrrasejIQOLI t/DQ89BPzz+vsKHz7FJPXh3fsVkzLA00DJYcfkgxyABfJNA7U6yMwd4DVSdx/SsvfIDMVXnu UXCXswo106WPZbYGlZPpq0wW6iibtTerJix+8AeuwXvl9O1p8yESK4ErkIxCnmghTSz+pdzj z/6xBRkdDM9VdZ0r+CzsaNXMpDOzFuKyjaiYBdgCLljbDnXIHFcqXenrZ7Xwkm09g/M4uVSh pIUG2RYa6tsHSQoGCp3f2RZv1znfViKQFbbL83QjtPA20AhseZSYbHp1FPhXyy9J0wkGL16L e99g6gdGeIRE82BZjBjKGDkoyDPq+oDRSFl8NtzmIKy+cfz00nViqcTF4bREXEawFGhlpO0X O9q8mijI9iFB6zaPBiSdJGBL5ML5qLTNCl8Zlf4m1TBvmRTqF/lzMHVXHidDoUhpSh/y3AFZ 1KrYc27ztJQywDJPJPWPbtY8YhFLFs377gfP8WldsZjzp8nvoQARAQABzSVDb2xpbiBQZXJj aXZhbCA8Y3BlcmNpdmFARnJlZUJTRC5vcmc+wsGRBBMBCAA7FiEEglY7hNBiDtwN+4ZBOJfy 4i5lrT8FAmWMSrYCGwMICwkNCAwHCwMFFQoJCAsFFgMCAQACHgUCF4AACgkQOJfy4i5lrT++ ig/9GZKdN2fHSyrANKZX38ivd7IX2wAYouqH9DrQM94W8IciaDLmarN4Pl9mY+aucMwQUSyp uNtKOJwKqhVVaalF9Zw0sRMH4CJuvT7vKCtZ3q1Okb7soRvFte4d+vXhvPxCvBFDA5JzU7Lg DR5eqqcvF1dN1OuCq16pl0zCOSH/Jr5ToE3LM3Av1KBGcZD7ZSzHRWsFjV5AOUJKySuA3GwJ e/jASQcQ0YfCnru8ntLmYg/2SKvZFlfthZiCBnAppMt4n4BUAw3TDvf10HIDtdneejawcbLS gofLCvGqumwbZYAMKWrFzT4+7KQvr0pOw8QD7EbxnB4f9hQ7UiVF8qWsyKU3iv6b5JLhbS59 ooKRccyOvdMLcVJ0ZdpqoxrNv061ZUqLL5RiWjBlc1qjBnDxeg5oyM0rT8WLftdgvyH6RQt0 KWngumBAT5AT2DUYL8Uz1490cqfO9K4yEGZAJB9XRVX1g2IWTOjae+0g9ZII+h91UngFz+Rz aKDeseKBbCGDOFXx1TqKiHl2g255ZnUxKYTlucFtguv4gDGBgEk4G9JaEWBw1IWblcKhxH7L 2vWsUhvwghjIxHdO/RkeIeHvSp4YZxCJ7a3TaJLYAlwYopfTKVzNhcDY5h5syEuoHjyJCxXK SyoJYAVu8Yl2KUhvOtOmL1VZ6xyHnpdMRWKJZ5jOwU0EZYxKtgEQANYfgbtUMVnhjxDHhWLp g5kLHK3YW0TfJKzpXqDB7NiqxHofn4OcbZnVC3MKggcbs9o1/UtsjnlsG8550PfiYkDXvPiO RJwgbGs6MGIDK797C6cnBLQ8xwBa9SL4cl5iQFnhWmt6vwnJ+an/cm5JpYves3wL7jV09qU9 57hkHXEUcl38r4FssZzVcLKPUVTa3Un+QGRTGDGe/f4ctjMaqv0ZCM+l2ixPhf/vqESrfSLv V/+T3dmtUfXjazO3SABvsHwxgGuTTYOlKoPCaebr+BRdqm0xeIShoIlhvTI8y4clchqx/Uxg UG5X2kvU13k3DS3Q8uLE4Et9x1CcZT6WGgBZSR6R0WfD0SDnzufNnRWJ0dEPA2MtJHE7+85R Vi9j/IgZV+y5Ur+bnPkjDG1s2SVciX5v9HQ0oilcBhvx0j5lGE9hhurD9F+fCvkr4KdbCknE 6Y8ce8pCNBUoB/DqibJivOzTk9K9MGB5x0De5TerIrFiaw3/mQC9nGeO9dtE7wvDJetWeoTq 4BEaCzpufNqbkpOaTQILr4V6Gp7M6v97g83TVAwZntz/q8ptwuKQPZ2JaSFLZn7oWUpYXA5s +SIODFHLn6iMoYpBQskHQjnj4lEPJadl4qj+ZKA89iDAKsniyoFXsbJe2CPbMS1yzBxKZq6K D/jpt7BOnuHr/JrXABEBAAHCwXYEGAEIACAWIQSCVjuE0GIO3A37hkE4l/LiLmWtPwUCZYxK tgIbDAAKCRA4l/LiLmWtP3jmEACQrh9gWe8F1Tkw3m6VoHKwLc5he4tX3WpQa//soPO6iGG3 S3WPruQ46NrAaAojoOcKI9UONDO5rxG0ZTX53S+lu2EO47jbcLwOCjaEpjKpDRt9ZXBQE8Xl mtBE9Bp3W9gpjB1nE3KNM1mJYgsK0QdRpwwfh4pVgGpOj8j23I6MCK+v99zEBnpgCn2GX8W/ kctRXHqWwndHysOJtRP/zrl7dDaABF1f9efUl0LL3TD3GJ9VDz+DNOin/uK2a1hiJo8QzTRk PpfUQ2ebzDsrd1i/pOWkMSkdH+rEu4AGrXWtaBwrMyrGkL6Icb6yO+P9/z0W2wlgBf3P1YRt JPgQt/Dj3yvA/UnaV/QmuVQPjl13o24UnJGsZM8XGnNdfWBKkC1Q6VXC4QT+dyBHYH9MuE9d 6oGl8pFM1+cTfEfbM62/rRoPkF1yHMsI/903VxEvuUIKfhEZAVLFyHldooNxuchntHQP9y8J 8Ou9bWYQP7MnEn+kwSwrZkjurfPkan+xQvp6dDYnj3V0GwA5pprBMaB928VIDVOv+1PNQI3t Cvk5VPv/skq+TJRMHW7bFSt8PRa91cUf1FOLIz9APDiJOzXkwxUEHGV3zPSaUhs1JYjyBeGT wDAvtLUdjOnRhEUOwlnIrztmvyciutjJoVzKEEjj5WXnHk9L9kQ1bpAjkjTONw== Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Hi all, I'm doing some work, with Amazon sponsorship, to bring "pre-patched" EC2 AMIs to FreeBSD. The goal here is that soon after any security advisory or errata notice there will be e.g. FreeBSD 15.0-RELEASE-p2 AMIs available so that people can launch those and not need to launch the -RELEASE and then apply updates after the instance boots. I have a couple design questions which I'd like input on: 1. AMI flavours: We publish four flavours, "base", "small", "cloud-init", and "AMI Builder". The AMI Builder images (which are what I'll be using to build updated AMIs) are designed to construct "base" images. How useful would it be to have other flavours? 2. SSM paths: The plan is to publish the updated AMI Ids via the SSM Parameter Store; instead of looking up /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE you would be able to look up something like /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1 to get 15.0-RELEASE-p1, and something like /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest to get 15.0-RELEASE-p. I'd like feedback on the "something like" paths -- are those good ones, or can someone suggest better names for the SSM parameters? The path /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE itself will never change; it's important to have an immutable reference to the original release images. -- Colin Percival FreeBSD Release Engineering Lead & EC2 platform maintainer Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid