Date: Mon, 19 Jan 2026 11:16:02 -0800
From: Colin Percival <cperciva@freebsd.org>
To: Pete Wright <pete@nomadlogic.org>, "freebsd-cloud@freebsd.org" <freebsd-cloud@freebsd.org>
Cc: FreeBSD Release Engineering Team <re@FreeBSD.org>
Subject: Re: RFC: EC2 "pre-patched" AMIs
Message-ID: <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org>
In-Reply-To: <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org>
References: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org>
On 1/5/26 15:45, Pete Wright wrote:
> On 1/5/26 10:09, Colin Percival wrote:
>> I'm doing some work, with Amazon sponsorship, to bring "pre-patched" EC2
>> AMIs to FreeBSD. The goal here is that soon after any security advisory
>> or errata notice there will be e.g. FreeBSD 15.0-RELEASE-p2 AMIs available
>> so that people can launch those and not need to launch the -RELEASE and
>> then apply updates after the instance boots.
>>
>> I have a couple design questions which I'd like input on:
>>
>> 1. AMI flavours: We publish four flavours, "base", "small", "cloud-init",
>> and "AMI Builder". The AMI Builder images (which are what I'll be using to
>> build updated AMIs) are designed to construct "base" images. How useful
>> would it be to have other flavours?

I changed my plans and am now building updates for all four flavours. These
are now live for 15.0-RELEASE-p1.

>> 2. SSM paths: The plan is to publish the updated AMI Ids via the SSM Parameter
>> Store; instead of looking up
>> /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE
>> you would be able to look up something like
>> /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1
>> to get 15.0-RELEASE-p1, and something like
>> /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest
>> to get 15.0-RELEASE-p<whatever the latest patchlevel is>. I'd like feedback
>> on the "something like" paths -- are those good ones, or can someone suggest
>> better names for the SSM parameters?
>
> short answer the paths seem reasonable to me, although i tend to prefer
> explicit paths rather than "/latest" just to remove all doubt as to what
> version i should expect.

Right, I went with this plan, whereby you can launch .../latest to get the
latest version, or .../p<number> to get that particular patchlevel.

> I am not a fan of how AWS implemented SSM, and the tooling is pretty awkward
> as well imho. it would be super handy to have a page listing all of the AMI's
> available in an easy to parse method.

Good idea. Which would be more useful, a single large page listing lots of
AMIs, or a search form?

-- 
Colin Percival
FreeBSD Release Engineering Lead & EC2 platform maintainer
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
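The pinned-versus-latest trade-off raised in this thread can be checked mechanically. The following is an added example, not code from the message or from the FreeBSD project: given JSON in the shape returned by `aws ssm get-parameters-by-path`, it reports how far a pinned `p<number>` parameter lags behind the highest published patchlevel. The AMI IDs and the `p2`/`p10` entries are constructed, `patch_audit` is a hypothetical helper, and it is assumed (not stated in the thread) that the parameters can be listed under the prefix and that `latest` carries the same AMI ID as the highest `p<number>`.

```python
import json
import re

# Constructed sample in the shape of an SSM GetParametersByPath response.
# The AMI IDs are placeholders, not real FreeBSD AMIs.
SAMPLE = json.loads("""
{"Parameters": [
  {"Name": "/aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1", "Value": "ami-00000000000000001"},
  {"Name": "/aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p2", "Value": "ami-00000000000000002"},
  {"Name": "/aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p10", "Value": "ami-00000000000000010"},
  {"Name": "/aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest", "Value": "ami-00000000000000010"}
]}
""")

PREFIX = "/aws/service/freebsd/amd64/base/ufs/15.0/RELEASE"
PATCH_RE = re.compile(r"^p(\d+)$")


def patch_audit(response, prefix, pinned):
    """Compare a pinned patchlevel (e.g. 'p1') with what is published."""
    pinned_match = PATCH_RE.match(pinned)
    if not pinned_match:
        raise ValueError("pinned must look like p<number>")
    levels, latest_ami = {}, None
    for param in response["Parameters"]:
        name, value = param["Name"], param["Value"]
        if not name.startswith(prefix + "/"):
            continue  # ignore parameters outside the requested release
        leaf = name[len(prefix) + 1:]
        m = PATCH_RE.match(leaf)
        if m:
            levels[int(m.group(1))] = value  # numeric, so p10 sorts after p2
        elif leaf == "latest":
            latest_ami = value
    if not levels:
        raise ValueError("no p<number> parameters under " + prefix)
    pinned_level, newest = int(pinned_match.group(1)), max(levels)
    return {
        "pinned_ami": levels.get(pinned_level),  # None if not published
        "newest_level": "p%d" % newest,
        "behind_by": newest - pinned_level,
        # Assumption: 'latest' carries the same AMI ID as the highest p<number>.
        "latest_consistent": latest_ami == levels[newest],
    }


if __name__ == "__main__":
    print(patch_audit(SAMPLE, PREFIX, "p1"))
```

A non-zero `behind_by` in a deployment pipeline flags a launch template that is pinned to an AMI missing later advisories or errata.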
