From nobody Mon Jan 19 19:16:02 2026 X-Original-To: freebsd-cloud@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dw0YK27qjz6PDrn for ; Mon, 19 Jan 2026 19:16:05 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dw0YJ6d58z3YjB; Mon, 19 Jan 2026 19:16:04 +0000 (UTC) (envelope-from cperciva@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768850165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=jhwHYgcAI/SKEbnMiSh6rGfE8WEzWjKsxeGHeJeRwLw=; b=EvRlFeLFTYdG8KfhOKTSayxLAL/dY+yte3XgzVJi82oAEjrcynu3KG9dbaLMxlFUtPWcmP +KW6d5yNtWTLGQaPhUcEPYnByZ3ecyDCmrQWgc46pU08iTOEnnoOt+4CAS2IzFFk8UKB8Z 4GOCFlwlLLaow9ZBIh4aP/X7/NVjLWefenLz4pf2bQ2KAcubd4sqHMZYOHcBPxZnLWGdtg ukyxbowjuVT9mMQFSjw79alMx7BXuTlHA2AWk9RVbZVHGv+pixr6/v804/JTq8z38UWW5U 4J8vvnlRfCTT77bLWazj78KFZf49/OfDDTz58w/CiA7e7Yi9e7tXDfVRAFs6qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768850165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=jhwHYgcAI/SKEbnMiSh6rGfE8WEzWjKsxeGHeJeRwLw=; b=USVBGomrWUgI5Or3eLmQElcPkefabEeqZV8+vMkyhyz9Ca1VLEid8tmit1RqNj/IEsl1tL 6RSciPYyw02PRDobro1UZPSbHFWhqsz/lgr4ivSuweOBDuh6mV7+PDfocAg/v6/+lfTLhk btmu5Ex7ZgMQUOqZrJYGdWOHvuLvByb5mr+/t65C0UBwjzagKOUTv35wHF1rYRetUnlyu4 pMaKK4Qb1G66f1+n+g34u7N8o4rKjmWDmgLTIzs1DxQ6DVQM2sVN0WDMUa2ddpqZp7F/hb PvqeCTxdqDRXHHejt6q04bdCltUIEFQkthcRuIRd7VtZlA2+LlEKDHRmDKViVg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1768850165; a=rsa-sha256; cv=none; b=X79deBZrxUOarLiFqpx6IuHo0H78B0VaS9HBEkmUP65rOc4u0vPj566B36lvn59KLmbcJz Lb+YIVGXP3OT+BOwChBHIx3q/vtR0IRl6T0ugWZ48lkZlz3LX4XxpZyvJh5B2E3D3GHxST aZN7rHrR8a4AIPocQp38BY7v3PdqSQHGykNb17VPKadp6w6F8iaL3mRPKyYiTqmch04zmF Z7YFb87AOWEqzJRwtsHn6OcN3DRGaI6Neai8CbAmIMS7r2/KyjZHtIVIJPTsNwOopQOFox BHn6aH/TNcMgjtnS5ywkgdLtOZfL+Le6GNc53Un2ZGyF3SOVZqqdtwHH156lRA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from [192.168.6.36] (S0106684a76304d01.vf.shawcable.net [70.69.240.84]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: cperciva/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4dw0YJ3XJnzG9H; Mon, 19 Jan 2026 19:16:04 +0000 (UTC) (envelope-from cperciva@freebsd.org) Message-ID: <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org> Date: Mon, 19 Jan 2026 11:16:02 -0800 List-Id: FreeBSD on cloud platforms (EC2, GCE, Azure, etc.) List-Archive: https://lists.freebsd.org/archives/freebsd-cloud List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-cloud@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: RFC: EC2 "pre-patched" AMIs To: Pete Wright , "freebsd-cloud@freebsd.org" Cc: FreeBSD Release Engineering Team References: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> Content-Language: en-US From: Colin Percival Autocrypt: addr=cperciva@freebsd.org; keydata= xsFNBGWMSrYBEACdWRqDn3B3SKO7IG0/fGHYtfs26f3Q5QeAcasy1fQLniwGQWn5rlILhbCD K/jdNoDm5Zxq20eqyffoDNObCjnHgg4tGANdi+RmDy+7CDpE789H8dss9y7Pt5DlGGAXQQnt hxush3EYS/Ctprd9UUL/lzOOLOU1aNtzB84tNrJBtcJmL7OYHfyTSNFxvedqJrrasejIQOLI t/DQ89BPzz+vsKHz7FJPXh3fsVkzLA00DJYcfkgxyABfJNA7U6yMwd4DVSdx/SsvfIDMVXnu UXCXswo106WPZbYGlZPpq0wW6iibtTerJix+8AeuwXvl9O1p8yESK4ErkIxCnmghTSz+pdzj z/6xBRkdDM9VdZ0r+CzsaNXMpDOzFuKyjaiYBdgCLljbDnXIHFcqXenrZ7Xwkm09g/M4uVSh pIUG2RYa6tsHSQoGCp3f2RZv1znfViKQFbbL83QjtPA20AhseZSYbHp1FPhXyy9J0wkGL16L e99g6gdGeIRE82BZjBjKGDkoyDPq+oDRSFl8NtzmIKy+cfz00nViqcTF4bREXEawFGhlpO0X O9q8mijI9iFB6zaPBiSdJGBL5ML5qLTNCl8Zlf4m1TBvmRTqF/lzMHVXHidDoUhpSh/y3AFZ 1KrYc27ztJQywDJPJPWPbtY8YhFLFs377gfP8WldsZjzp8nvoQARAQABzSVDb2xpbiBQZXJj aXZhbCA8Y3BlcmNpdmFARnJlZUJTRC5vcmc+wsGRBBMBCAA7FiEEglY7hNBiDtwN+4ZBOJfy 4i5lrT8FAmWMSrYCGwMICwkNCAwHCwMFFQoJCAsFFgMCAQACHgUCF4AACgkQOJfy4i5lrT++ ig/9GZKdN2fHSyrANKZX38ivd7IX2wAYouqH9DrQM94W8IciaDLmarN4Pl9mY+aucMwQUSyp uNtKOJwKqhVVaalF9Zw0sRMH4CJuvT7vKCtZ3q1Okb7soRvFte4d+vXhvPxCvBFDA5JzU7Lg DR5eqqcvF1dN1OuCq16pl0zCOSH/Jr5ToE3LM3Av1KBGcZD7ZSzHRWsFjV5AOUJKySuA3GwJ e/jASQcQ0YfCnru8ntLmYg/2SKvZFlfthZiCBnAppMt4n4BUAw3TDvf10HIDtdneejawcbLS gofLCvGqumwbZYAMKWrFzT4+7KQvr0pOw8QD7EbxnB4f9hQ7UiVF8qWsyKU3iv6b5JLhbS59 ooKRccyOvdMLcVJ0ZdpqoxrNv061ZUqLL5RiWjBlc1qjBnDxeg5oyM0rT8WLftdgvyH6RQt0 KWngumBAT5AT2DUYL8Uz1490cqfO9K4yEGZAJB9XRVX1g2IWTOjae+0g9ZII+h91UngFz+Rz aKDeseKBbCGDOFXx1TqKiHl2g255ZnUxKYTlucFtguv4gDGBgEk4G9JaEWBw1IWblcKhxH7L 2vWsUhvwghjIxHdO/RkeIeHvSp4YZxCJ7a3TaJLYAlwYopfTKVzNhcDY5h5syEuoHjyJCxXK SyoJYAVu8Yl2KUhvOtOmL1VZ6xyHnpdMRWKJZ5jOwU0EZYxKtgEQANYfgbtUMVnhjxDHhWLp g5kLHK3YW0TfJKzpXqDB7NiqxHofn4OcbZnVC3MKggcbs9o1/UtsjnlsG8550PfiYkDXvPiO RJwgbGs6MGIDK797C6cnBLQ8xwBa9SL4cl5iQFnhWmt6vwnJ+an/cm5JpYves3wL7jV09qU9 57hkHXEUcl38r4FssZzVcLKPUVTa3Un+QGRTGDGe/f4ctjMaqv0ZCM+l2ixPhf/vqESrfSLv V/+T3dmtUfXjazO3SABvsHwxgGuTTYOlKoPCaebr+BRdqm0xeIShoIlhvTI8y4clchqx/Uxg UG5X2kvU13k3DS3Q8uLE4Et9x1CcZT6WGgBZSR6R0WfD0SDnzufNnRWJ0dEPA2MtJHE7+85R Vi9j/IgZV+y5Ur+bnPkjDG1s2SVciX5v9HQ0oilcBhvx0j5lGE9hhurD9F+fCvkr4KdbCknE 6Y8ce8pCNBUoB/DqibJivOzTk9K9MGB5x0De5TerIrFiaw3/mQC9nGeO9dtE7wvDJetWeoTq 4BEaCzpufNqbkpOaTQILr4V6Gp7M6v97g83TVAwZntz/q8ptwuKQPZ2JaSFLZn7oWUpYXA5s +SIODFHLn6iMoYpBQskHQjnj4lEPJadl4qj+ZKA89iDAKsniyoFXsbJe2CPbMS1yzBxKZq6K D/jpt7BOnuHr/JrXABEBAAHCwXYEGAEIACAWIQSCVjuE0GIO3A37hkE4l/LiLmWtPwUCZYxK tgIbDAAKCRA4l/LiLmWtP3jmEACQrh9gWe8F1Tkw3m6VoHKwLc5he4tX3WpQa//soPO6iGG3 S3WPruQ46NrAaAojoOcKI9UONDO5rxG0ZTX53S+lu2EO47jbcLwOCjaEpjKpDRt9ZXBQE8Xl mtBE9Bp3W9gpjB1nE3KNM1mJYgsK0QdRpwwfh4pVgGpOj8j23I6MCK+v99zEBnpgCn2GX8W/ kctRXHqWwndHysOJtRP/zrl7dDaABF1f9efUl0LL3TD3GJ9VDz+DNOin/uK2a1hiJo8QzTRk PpfUQ2ebzDsrd1i/pOWkMSkdH+rEu4AGrXWtaBwrMyrGkL6Icb6yO+P9/z0W2wlgBf3P1YRt JPgQt/Dj3yvA/UnaV/QmuVQPjl13o24UnJGsZM8XGnNdfWBKkC1Q6VXC4QT+dyBHYH9MuE9d 6oGl8pFM1+cTfEfbM62/rRoPkF1yHMsI/903VxEvuUIKfhEZAVLFyHldooNxuchntHQP9y8J 8Ou9bWYQP7MnEn+kwSwrZkjurfPkan+xQvp6dDYnj3V0GwA5pprBMaB928VIDVOv+1PNQI3t Cvk5VPv/skq+TJRMHW7bFSt8PRa91cUf1FOLIz9APDiJOzXkwxUEHGV3zPSaUhs1JYjyBeGT wDAvtLUdjOnRhEUOwlnIrztmvyciutjJoVzKEEjj5WXnHk9L9kQ1bpAjkjTONw== In-Reply-To: <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 1/5/26 15:45, Pete Wright wrote: > On 1/5/26 10:09, Colin Percival wrote: >> I'm doing some work, with Amazon sponsorship, to bring "pre-patched" EC2 >> AMIs to FreeBSD.  The goal here is that soon after any security advisory >> or errata notice there will be e.g. FreeBSD 15.0-RELEASE-p2 AMIs available >> so that people can launch those and not need to launch the -RELEASE and >> then apply updates after the instance boots. >> >> I have a couple design questions which I'd like input on: >> >> 1. AMI flavours: We publish four flavours, "base", "small", "cloud-init", >> and "AMI Builder".  The AMI Builder images (which are what I'll be using to >> build updated AMIs) are designed to construct "base" images.  How useful >> would it be to have other flavours? I changed my plans and am now building updates for all four flavours. These are now live for 15.0-RELEASE-p1. >> 2. SSM paths: The plan is to publish the updated AMI Ids via the SSM Parameter >> Store; instead of looking up >>    /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE >> you would be able to look up something like >>    /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1 >> to get 15.0-RELEASE-p1, and something like >>    /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest >> to get 15.0-RELEASE-p.  I'd like feedback >> on the "something like" paths -- are those good ones, or can someone suggest >> better names for the SSM parameters? > > short answer the paths seem reasonable to me, although i tend to prefer > explicit paths rather than "/latest" just to remove all doubt as to what > version i should expect. Right, I went with this plan, whereby you can launch .../latest to get the latest version, or .../p to get that particular patchlevel. > I am not a fan of how AWS implemented SSM, and the tooling is pretty awkward > as well imho.  it would be super handy to have a page listing all of the AMI's > available in an easy to parse method. Good idea. Which would be more useful, a single large page listing lots of AMIs, or a search form? -- Colin Percival FreeBSD Release Engineering Lead & EC2 platform maintainer Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid From nobody Wed Jan 21 00:28:36 2026 X-Original-To: freebsd-cloud@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dwlRl3PQDz6PMrK for ; Wed, 21 Jan 2026 00:28:51 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from mail.nomadlogic.org (mail.nomadlogic.org [46.21.153.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4dwlRk0Hlzz4LSQ; Wed, 21 Jan 2026 00:28:49 +0000 (UTC) (envelope-from pete@nomadlogic.org) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=nomadlogic.org header.s=04242021 header.b="WpuYA6/D"; dmarc=pass (policy=quarantine) header.from=nomadlogic.org; spf=pass (mx1.freebsd.org: domain of pete@nomadlogic.org designates 46.21.153.22 as permitted sender) smtp.mailfrom=pete@nomadlogic.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nomadlogic.org; s=04242021; t=1768955316; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2ahyCJMjJhxKVwY3KVVBb6ck97TpvyktivQ8DS0AyNU=; b=WpuYA6/D62Mm+Kssk+FUzYY/JxEG4x5PTRl9XRTywb2T2Pg32dTGZd4CZiw+7pCMfiO6Yr rFCEOL2LYMLTsaopR6uFGVcBKAgoeVRCgPv8HOMluJ+n2Gr632mQud3bwLFAvz/Pz5pTIl qbEPY+5SkJ+n5C0yh6KeXNEegFBP1WE= Received: from topanga (47-143-52-179.fdr01.snmn.ca.ip.frontiernet.net [47.143.52.179]) by mail.nomadlogic.org (OpenSMTPD) with ESMTPSA id 575b0f19 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Wed, 21 Jan 2026 00:28:35 +0000 (UTC) Date: Tue, 20 Jan 2026 16:28:36 -0800 From: Pete Wright To: Colin Percival Cc: "freebsd-cloud@freebsd.org" , FreeBSD Release Engineering Team Subject: Re: RFC: EC2 "pre-patched" AMIs Message-ID: References: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org> List-Id: FreeBSD on cloud platforms (EC2, GCE, Azure, etc.) List-Archive: https://lists.freebsd.org/archives/freebsd-cloud List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-cloud@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org> X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.49 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.989]; DMARC_POLICY_ALLOW(-0.50)[nomadlogic.org,quarantine]; MID_RHS_NOT_FQDN(0.50)[]; R_DKIM_ALLOW(-0.20)[nomadlogic.org:s=04242021]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; MISSING_XM_UA(0.00)[]; TO_DN_SOME(0.00)[]; ASN(0.00)[asn:29802, ipnet:46.21.153.0/24, country:US]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; MLMMJ_DEST(0.00)[freebsd-cloud@freebsd.org]; DKIM_TRACE(0.00)[nomadlogic.org:+] X-Rspamd-Queue-Id: 4dwlRk0Hlzz4LSQ On Mon, Jan 19, 2026 at 11:16:02AM -0800, Colin Percival wrote: > > > > short answer the paths seem reasonable to me, although i tend to prefer > > explicit paths rather than "/latest" just to remove all doubt as to what > > version i should expect. > > Right, I went with this plan, whereby you can launch .../latest to get the > latest version, or .../p to get that particular patchlevel. > nice! > > I am not a fan of how AWS implemented SSM, and the tooling is pretty > > awkward as well imho.  it would be super handy to have a page listing > > all of the AMI's available in an easy to parse method. > > Good idea. Which would be more useful, a single large page listing lots of > AMIs, or a search form? > i personally like the way that Alma linux did it in their wiki. having a table with the AMI's listed is easier for me, but either would be sweet. i may take a stab at automating this on my end if i end up with any cycles one of these days. -pete From nobody Wed Jan 21 00:59:15 2026 X-Original-To: freebsd-cloud@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dwm6s6vQsz6PPSF for ; Wed, 21 Jan 2026 00:59:17 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dwm6s6BfCz4MhG; Wed, 21 Jan 2026 00:59:17 +0000 (UTC) (envelope-from cperciva@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768957157; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=gOGndlQPAZa1N71QziWk8SXXprL4imJ0XN+Za8x4V+Q=; b=cMC4YN16w8BKnUoT2LvE8qE7f9UwklivpCLabjUjKrhhA1egBISZe4mmexrs3Czyh+fOQE wzhXk5dZi3S/+rXfYPvkBw1+dpkXRd4exPud4ovApUgRviVsRxDPWNDxXWnFe1L4R8mUNd pEvdq1rSHImTsgDnPGWkjP1nQlZqb6dSxuP8AqHu25o/zSZSiXI99JonVrzxYG33ylkTXF yttisiQSIyk1PFXAo3euZlQjzX/TBiavLShh6Hx91qto2RVxxVNrjaajVqGIXCtfDFqn4n M6nDX/qOjrbS1Jzx0hH+R0fVtLVKDQ2D3iYskUmRL8ptdyXOEknecvMMGQeheA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768957157; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=gOGndlQPAZa1N71QziWk8SXXprL4imJ0XN+Za8x4V+Q=; b=v/k2YI8+WeYXpLAatMKvie0MbtqP4u0UWjmzwqoipeFp7uQppu4B0jXZIGuEM+LO7IfK7B V5FamJKmRucWZPi5o9lJKfQO7Uuls6XlUDggzrnT7ghIOn1cwngEUlhds8QUf3XIustHlM APZjWLcTIgDFB8ML7P1hXS7DDSmVsuij7gKqs5cQA05NHp+cs849ZkDTuOs7VQk3DiNPSz rtLUqHGH2Xr7Gr4kS7OiSapzBL5YjdZz8r5FiSbfbcnJH/7LV4XskiwwcUQ4FIUzY8TgXX VkeAq7vQsaveFz01iHIgSyCQVMs9+Ocu0Vn2ndmNDuVqLuBOiWtCqWyE7kQJ1w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1768957157; a=rsa-sha256; cv=none; b=GhhfOY/j2oMJNUsALAxtTfMZjQkj7I3LmJnaxeqyTc3u/blWCjr7ds1a53iLhB7MYx9vPL DPqrj+j9ongdTN1v9SX3rg9UEFuYRzZc4gh9tfw+OyJGGr46oWMo8IRfKhDg0luBjCC23J Gci/GVzumXpYaghEmXCG5ws8ZikogU5scGRNre7OLzXoruPj5ABaiKCuUsaR658UHI+vVR UfdqhT9AlDG1pqsk7pea6mo0ske1wSDvZTXKciVcoXXCDSWTeRrK4DQi6gqyqSGiiSVbs5 VUYTx4pYwTS42YzJ6pesuPf12IU8QUgIWwQQp0+rnspvGC2KZ+AQ7Rvti74eLw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from [192.168.6.36] (S0106684a76304d01.vf.shawcable.net [70.69.240.84]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: cperciva/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4dwm6s2ZF3z19w7; Wed, 21 Jan 2026 00:59:17 +0000 (UTC) (envelope-from cperciva@freebsd.org) Message-ID: <8372af52-7d99-4e55-819a-79b48aa2722f@freebsd.org> Date: Tue, 20 Jan 2026 16:59:15 -0800 List-Id: FreeBSD on cloud platforms (EC2, GCE, Azure, etc.) List-Archive: https://lists.freebsd.org/archives/freebsd-cloud List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-cloud@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: RFC: EC2 "pre-patched" AMIs To: Pete Wright Cc: "freebsd-cloud@freebsd.org" , FreeBSD Release Engineering Team References: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org> Content-Language: en-US From: Colin Percival Autocrypt: addr=cperciva@freebsd.org; keydata= xsFNBGWMSrYBEACdWRqDn3B3SKO7IG0/fGHYtfs26f3Q5QeAcasy1fQLniwGQWn5rlILhbCD K/jdNoDm5Zxq20eqyffoDNObCjnHgg4tGANdi+RmDy+7CDpE789H8dss9y7Pt5DlGGAXQQnt hxush3EYS/Ctprd9UUL/lzOOLOU1aNtzB84tNrJBtcJmL7OYHfyTSNFxvedqJrrasejIQOLI t/DQ89BPzz+vsKHz7FJPXh3fsVkzLA00DJYcfkgxyABfJNA7U6yMwd4DVSdx/SsvfIDMVXnu UXCXswo106WPZbYGlZPpq0wW6iibtTerJix+8AeuwXvl9O1p8yESK4ErkIxCnmghTSz+pdzj z/6xBRkdDM9VdZ0r+CzsaNXMpDOzFuKyjaiYBdgCLljbDnXIHFcqXenrZ7Xwkm09g/M4uVSh pIUG2RYa6tsHSQoGCp3f2RZv1znfViKQFbbL83QjtPA20AhseZSYbHp1FPhXyy9J0wkGL16L e99g6gdGeIRE82BZjBjKGDkoyDPq+oDRSFl8NtzmIKy+cfz00nViqcTF4bREXEawFGhlpO0X O9q8mijI9iFB6zaPBiSdJGBL5ML5qLTNCl8Zlf4m1TBvmRTqF/lzMHVXHidDoUhpSh/y3AFZ 1KrYc27ztJQywDJPJPWPbtY8YhFLFs377gfP8WldsZjzp8nvoQARAQABzSVDb2xpbiBQZXJj aXZhbCA8Y3BlcmNpdmFARnJlZUJTRC5vcmc+wsGRBBMBCAA7FiEEglY7hNBiDtwN+4ZBOJfy 4i5lrT8FAmWMSrYCGwMICwkNCAwHCwMFFQoJCAsFFgMCAQACHgUCF4AACgkQOJfy4i5lrT++ ig/9GZKdN2fHSyrANKZX38ivd7IX2wAYouqH9DrQM94W8IciaDLmarN4Pl9mY+aucMwQUSyp uNtKOJwKqhVVaalF9Zw0sRMH4CJuvT7vKCtZ3q1Okb7soRvFte4d+vXhvPxCvBFDA5JzU7Lg DR5eqqcvF1dN1OuCq16pl0zCOSH/Jr5ToE3LM3Av1KBGcZD7ZSzHRWsFjV5AOUJKySuA3GwJ e/jASQcQ0YfCnru8ntLmYg/2SKvZFlfthZiCBnAppMt4n4BUAw3TDvf10HIDtdneejawcbLS gofLCvGqumwbZYAMKWrFzT4+7KQvr0pOw8QD7EbxnB4f9hQ7UiVF8qWsyKU3iv6b5JLhbS59 ooKRccyOvdMLcVJ0ZdpqoxrNv061ZUqLL5RiWjBlc1qjBnDxeg5oyM0rT8WLftdgvyH6RQt0 KWngumBAT5AT2DUYL8Uz1490cqfO9K4yEGZAJB9XRVX1g2IWTOjae+0g9ZII+h91UngFz+Rz aKDeseKBbCGDOFXx1TqKiHl2g255ZnUxKYTlucFtguv4gDGBgEk4G9JaEWBw1IWblcKhxH7L 2vWsUhvwghjIxHdO/RkeIeHvSp4YZxCJ7a3TaJLYAlwYopfTKVzNhcDY5h5syEuoHjyJCxXK SyoJYAVu8Yl2KUhvOtOmL1VZ6xyHnpdMRWKJZ5jOwU0EZYxKtgEQANYfgbtUMVnhjxDHhWLp g5kLHK3YW0TfJKzpXqDB7NiqxHofn4OcbZnVC3MKggcbs9o1/UtsjnlsG8550PfiYkDXvPiO RJwgbGs6MGIDK797C6cnBLQ8xwBa9SL4cl5iQFnhWmt6vwnJ+an/cm5JpYves3wL7jV09qU9 57hkHXEUcl38r4FssZzVcLKPUVTa3Un+QGRTGDGe/f4ctjMaqv0ZCM+l2ixPhf/vqESrfSLv V/+T3dmtUfXjazO3SABvsHwxgGuTTYOlKoPCaebr+BRdqm0xeIShoIlhvTI8y4clchqx/Uxg UG5X2kvU13k3DS3Q8uLE4Et9x1CcZT6WGgBZSR6R0WfD0SDnzufNnRWJ0dEPA2MtJHE7+85R Vi9j/IgZV+y5Ur+bnPkjDG1s2SVciX5v9HQ0oilcBhvx0j5lGE9hhurD9F+fCvkr4KdbCknE 6Y8ce8pCNBUoB/DqibJivOzTk9K9MGB5x0De5TerIrFiaw3/mQC9nGeO9dtE7wvDJetWeoTq 4BEaCzpufNqbkpOaTQILr4V6Gp7M6v97g83TVAwZntz/q8ptwuKQPZ2JaSFLZn7oWUpYXA5s +SIODFHLn6iMoYpBQskHQjnj4lEPJadl4qj+ZKA89iDAKsniyoFXsbJe2CPbMS1yzBxKZq6K D/jpt7BOnuHr/JrXABEBAAHCwXYEGAEIACAWIQSCVjuE0GIO3A37hkE4l/LiLmWtPwUCZYxK tgIbDAAKCRA4l/LiLmWtP3jmEACQrh9gWe8F1Tkw3m6VoHKwLc5he4tX3WpQa//soPO6iGG3 S3WPruQ46NrAaAojoOcKI9UONDO5rxG0ZTX53S+lu2EO47jbcLwOCjaEpjKpDRt9ZXBQE8Xl mtBE9Bp3W9gpjB1nE3KNM1mJYgsK0QdRpwwfh4pVgGpOj8j23I6MCK+v99zEBnpgCn2GX8W/ kctRXHqWwndHysOJtRP/zrl7dDaABF1f9efUl0LL3TD3GJ9VDz+DNOin/uK2a1hiJo8QzTRk PpfUQ2ebzDsrd1i/pOWkMSkdH+rEu4AGrXWtaBwrMyrGkL6Icb6yO+P9/z0W2wlgBf3P1YRt JPgQt/Dj3yvA/UnaV/QmuVQPjl13o24UnJGsZM8XGnNdfWBKkC1Q6VXC4QT+dyBHYH9MuE9d 6oGl8pFM1+cTfEfbM62/rRoPkF1yHMsI/903VxEvuUIKfhEZAVLFyHldooNxuchntHQP9y8J 8Ou9bWYQP7MnEn+kwSwrZkjurfPkan+xQvp6dDYnj3V0GwA5pprBMaB928VIDVOv+1PNQI3t Cvk5VPv/skq+TJRMHW7bFSt8PRa91cUf1FOLIz9APDiJOzXkwxUEHGV3zPSaUhs1JYjyBeGT wDAvtLUdjOnRhEUOwlnIrztmvyciutjJoVzKEEjj5WXnHk9L9kQ1bpAjkjTONw== In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 1/20/26 16:28, Pete Wright wrote: > On Mon, Jan 19, 2026 at 11:16:02AM -0800, Colin Percival wrote: >>> I am not a fan of how AWS implemented SSM, and the tooling is pretty >>> awkward as well imho.  it would be super handy to have a page listing >>> all of the AMI's available in an easy to parse method. >> >> Good idea. Which would be more useful, a single large page listing lots of >> AMIs, or a search form? >> > i personally like the way that Alma linux did it in their wiki. having a table with the AMI's listed is easier for me, but either would be sweet. i may take a stab at automating this on my end if i end up with any cycles one of these days. Hmm, Alma Linux has far fewer images than us... for each release, they have an amd64 image and an arm64 image, while we have 16 (ufs vs zfs filesystem, and "base", "small", "cloud-init" and "builder" flavours). That's 480 AMIs we provide for each release, or possibly more if Amazon added more regions while I wasn't paying attention. So it might make for a very large table, but it's certainly doable. I don't think a wiki is a good place for this though, just from the perspective of wanting to make sure that nobody tampers with the list of AMIs. -- Colin Percival FreeBSD Release Engineering Lead & EC2 platform maintainer Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid From nobody Wed Jan 21 01:47:44 2026 X-Original-To: freebsd-cloud@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dwnBw1Dwsz6PSXt for ; Wed, 21 Jan 2026 01:47:52 +0000 (UTC) (envelope-from pete@nomadlogic.org) Received: from mail.nomadlogic.org (mail.nomadlogic.org [46.21.153.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4dwnBv3Lt9z3C48; Wed, 21 Jan 2026 01:47:51 +0000 (UTC) (envelope-from pete@nomadlogic.org) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nomadlogic.org; s=04242021; t=1768960063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=q6t3hY+i2Z464mcp70G8RLhg05rYYE43XfQn0bs25B4=; b=2fFzcc/Akt8sbUnVFQi/kJEPLrG/YBDWHXGMW9JpYH6iqvGASledWKp/+mu+LhM4Sr3eTJ KLctvKw/TbN/UuAf6l0vtksEMirrNm/0lvKKSHx3FXdIfEn6vKN/Oa4phl90jKhoTetnCM uUQDP/Ke5yX7chrrGOFVytQaxCGctnw= Received: from [192.168.1.182] (47-143-52-179.fdr01.snmn.ca.ip.frontiernet.net [47.143.52.179]) by mail.nomadlogic.org (OpenSMTPD) with ESMTPSA id 61e6308e (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Wed, 21 Jan 2026 01:47:42 +0000 (UTC) Message-ID: Date: Tue, 20 Jan 2026 17:47:44 -0800 List-Id: FreeBSD on cloud platforms (EC2, GCE, Azure, etc.) List-Archive: https://lists.freebsd.org/archives/freebsd-cloud List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-cloud@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: RFC: EC2 "pre-patched" AMIs To: Colin Percival Cc: "freebsd-cloud@freebsd.org" , FreeBSD Release Engineering Team References: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org> <8372af52-7d99-4e55-819a-79b48aa2722f@freebsd.org> Content-Language: en-US From: Pete Wright In-Reply-To: <8372af52-7d99-4e55-819a-79b48aa2722f@freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:29802, ipnet:46.21.153.0/24, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Queue-Id: 4dwnBv3Lt9z3C48 On 1/20/26 16:59, Colin Percival wrote: > On 1/20/26 16:28, Pete Wright wrote: >> On Mon, Jan 19, 2026 at 11:16:02AM -0800, Colin Percival wrote: >>>> I am not a fan of how AWS implemented SSM, and the tooling is pretty >>>> awkward as well imho.  it would be super handy to have a page listing >>>> all of the AMI's available in an easy to parse method. >>> >>> Good idea.  Which would be more useful, a single large page listing >>> lots of >>> AMIs, or a search form? >>> >> i personally like the way that Alma linux did it in their wiki. >> having a table with the AMI's listed is easier for me, but either >> would be sweet.  i may take a stab at automating this on my end if i >> end up with any cycles one of these days. > > Hmm, Alma Linux has far fewer images than us... for each release, they have > an amd64 image and an arm64 image, while we have 16 (ufs vs zfs filesystem, > and "base", "small", "cloud-init" and "builder" flavours).  That's 480 AMIs > we provide for each release, or possibly more if Amazon added more regions > while I wasn't paying attention. > > So it might make for a very large table, but it's certainly doable.  I > don't > think a wiki is a good place for this though, just from the perspective of > wanting to make sure that nobody tampers with the list of AMIs. > oh right that's a great point, in light of that a wiki page or webpage even wouldn't be very helpful. i guess one could create a csv or JSON document for easy parsing...but at the end of the day it's probably better to create a wrapper around the appropriate AWS command, or to just memorize the incantation. i don't know if its just me but this syntax has always felt awkward despite its power: aws --region us-west-2 ssm get-parameters-by-path --path /aws/service/freebsd/amd64/base/ufs/15.0/ or aws --region us-west-2 ssm get-parameters --name /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE --query 'Parameters[].Value' i will say though after playing with this some more your suggested changes definitely make sense to me. -pete -- Pete Wright pete@nomadlogic.org