From nobody Mon Jan 19 19:16:02 2026 X-Original-To: freebsd-cloud@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dw0YK27qjz6PDrn for ; Mon, 19 Jan 2026 19:16:05 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dw0YJ6d58z3YjB; Mon, 19 Jan 2026 19:16:04 +0000 (UTC) (envelope-from cperciva@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768850165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=jhwHYgcAI/SKEbnMiSh6rGfE8WEzWjKsxeGHeJeRwLw=; b=EvRlFeLFTYdG8KfhOKTSayxLAL/dY+yte3XgzVJi82oAEjrcynu3KG9dbaLMxlFUtPWcmP +KW6d5yNtWTLGQaPhUcEPYnByZ3ecyDCmrQWgc46pU08iTOEnnoOt+4CAS2IzFFk8UKB8Z 4GOCFlwlLLaow9ZBIh4aP/X7/NVjLWefenLz4pf2bQ2KAcubd4sqHMZYOHcBPxZnLWGdtg ukyxbowjuVT9mMQFSjw79alMx7BXuTlHA2AWk9RVbZVHGv+pixr6/v804/JTq8z38UWW5U 4J8vvnlRfCTT77bLWazj78KFZf49/OfDDTz58w/CiA7e7Yi9e7tXDfVRAFs6qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768850165; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=jhwHYgcAI/SKEbnMiSh6rGfE8WEzWjKsxeGHeJeRwLw=; b=USVBGomrWUgI5Or3eLmQElcPkefabEeqZV8+vMkyhyz9Ca1VLEid8tmit1RqNj/IEsl1tL 6RSciPYyw02PRDobro1UZPSbHFWhqsz/lgr4ivSuweOBDuh6mV7+PDfocAg/v6/+lfTLhk btmu5Ex7ZgMQUOqZrJYGdWOHvuLvByb5mr+/t65C0UBwjzagKOUTv35wHF1rYRetUnlyu4 pMaKK4Qb1G66f1+n+g34u7N8o4rKjmWDmgLTIzs1DxQ6DVQM2sVN0WDMUa2ddpqZp7F/hb PvqeCTxdqDRXHHejt6q04bdCltUIEFQkthcRuIRd7VtZlA2+LlEKDHRmDKViVg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1768850165; a=rsa-sha256; cv=none; b=X79deBZrxUOarLiFqpx6IuHo0H78B0VaS9HBEkmUP65rOc4u0vPj566B36lvn59KLmbcJz Lb+YIVGXP3OT+BOwChBHIx3q/vtR0IRl6T0ugWZ48lkZlz3LX4XxpZyvJh5B2E3D3GHxST aZN7rHrR8a4AIPocQp38BY7v3PdqSQHGykNb17VPKadp6w6F8iaL3mRPKyYiTqmch04zmF Z7YFb87AOWEqzJRwtsHn6OcN3DRGaI6Neai8CbAmIMS7r2/KyjZHtIVIJPTsNwOopQOFox BHn6aH/TNcMgjtnS5ywkgdLtOZfL+Le6GNc53Un2ZGyF3SOVZqqdtwHH156lRA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from [192.168.6.36] (S0106684a76304d01.vf.shawcable.net [70.69.240.84]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: cperciva/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4dw0YJ3XJnzG9H; Mon, 19 Jan 2026 19:16:04 +0000 (UTC) (envelope-from cperciva@freebsd.org) Message-ID: <3fb002f8-55c0-4e60-9391-3ee9c8dd207e@freebsd.org> Date: Mon, 19 Jan 2026 11:16:02 -0800 List-Id: FreeBSD on cloud platforms (EC2, GCE, Azure, etc.) List-Archive: https://lists.freebsd.org/archives/freebsd-cloud List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-cloud@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: RFC: EC2 "pre-patched" AMIs To: Pete Wright , "freebsd-cloud@freebsd.org" Cc: FreeBSD Release Engineering Team References: <2b292b81-1912-4914-a4f2-cf3afc5461a3@freebsd.org> <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> Content-Language: en-US From: Colin Percival Autocrypt: addr=cperciva@freebsd.org; keydata= xsFNBGWMSrYBEACdWRqDn3B3SKO7IG0/fGHYtfs26f3Q5QeAcasy1fQLniwGQWn5rlILhbCD K/jdNoDm5Zxq20eqyffoDNObCjnHgg4tGANdi+RmDy+7CDpE789H8dss9y7Pt5DlGGAXQQnt hxush3EYS/Ctprd9UUL/lzOOLOU1aNtzB84tNrJBtcJmL7OYHfyTSNFxvedqJrrasejIQOLI t/DQ89BPzz+vsKHz7FJPXh3fsVkzLA00DJYcfkgxyABfJNA7U6yMwd4DVSdx/SsvfIDMVXnu UXCXswo106WPZbYGlZPpq0wW6iibtTerJix+8AeuwXvl9O1p8yESK4ErkIxCnmghTSz+pdzj z/6xBRkdDM9VdZ0r+CzsaNXMpDOzFuKyjaiYBdgCLljbDnXIHFcqXenrZ7Xwkm09g/M4uVSh pIUG2RYa6tsHSQoGCp3f2RZv1znfViKQFbbL83QjtPA20AhseZSYbHp1FPhXyy9J0wkGL16L e99g6gdGeIRE82BZjBjKGDkoyDPq+oDRSFl8NtzmIKy+cfz00nViqcTF4bREXEawFGhlpO0X O9q8mijI9iFB6zaPBiSdJGBL5ML5qLTNCl8Zlf4m1TBvmRTqF/lzMHVXHidDoUhpSh/y3AFZ 1KrYc27ztJQywDJPJPWPbtY8YhFLFs377gfP8WldsZjzp8nvoQARAQABzSVDb2xpbiBQZXJj aXZhbCA8Y3BlcmNpdmFARnJlZUJTRC5vcmc+wsGRBBMBCAA7FiEEglY7hNBiDtwN+4ZBOJfy 4i5lrT8FAmWMSrYCGwMICwkNCAwHCwMFFQoJCAsFFgMCAQACHgUCF4AACgkQOJfy4i5lrT++ ig/9GZKdN2fHSyrANKZX38ivd7IX2wAYouqH9DrQM94W8IciaDLmarN4Pl9mY+aucMwQUSyp uNtKOJwKqhVVaalF9Zw0sRMH4CJuvT7vKCtZ3q1Okb7soRvFte4d+vXhvPxCvBFDA5JzU7Lg DR5eqqcvF1dN1OuCq16pl0zCOSH/Jr5ToE3LM3Av1KBGcZD7ZSzHRWsFjV5AOUJKySuA3GwJ e/jASQcQ0YfCnru8ntLmYg/2SKvZFlfthZiCBnAppMt4n4BUAw3TDvf10HIDtdneejawcbLS gofLCvGqumwbZYAMKWrFzT4+7KQvr0pOw8QD7EbxnB4f9hQ7UiVF8qWsyKU3iv6b5JLhbS59 ooKRccyOvdMLcVJ0ZdpqoxrNv061ZUqLL5RiWjBlc1qjBnDxeg5oyM0rT8WLftdgvyH6RQt0 KWngumBAT5AT2DUYL8Uz1490cqfO9K4yEGZAJB9XRVX1g2IWTOjae+0g9ZII+h91UngFz+Rz aKDeseKBbCGDOFXx1TqKiHl2g255ZnUxKYTlucFtguv4gDGBgEk4G9JaEWBw1IWblcKhxH7L 2vWsUhvwghjIxHdO/RkeIeHvSp4YZxCJ7a3TaJLYAlwYopfTKVzNhcDY5h5syEuoHjyJCxXK SyoJYAVu8Yl2KUhvOtOmL1VZ6xyHnpdMRWKJZ5jOwU0EZYxKtgEQANYfgbtUMVnhjxDHhWLp g5kLHK3YW0TfJKzpXqDB7NiqxHofn4OcbZnVC3MKggcbs9o1/UtsjnlsG8550PfiYkDXvPiO RJwgbGs6MGIDK797C6cnBLQ8xwBa9SL4cl5iQFnhWmt6vwnJ+an/cm5JpYves3wL7jV09qU9 57hkHXEUcl38r4FssZzVcLKPUVTa3Un+QGRTGDGe/f4ctjMaqv0ZCM+l2ixPhf/vqESrfSLv V/+T3dmtUfXjazO3SABvsHwxgGuTTYOlKoPCaebr+BRdqm0xeIShoIlhvTI8y4clchqx/Uxg UG5X2kvU13k3DS3Q8uLE4Et9x1CcZT6WGgBZSR6R0WfD0SDnzufNnRWJ0dEPA2MtJHE7+85R Vi9j/IgZV+y5Ur+bnPkjDG1s2SVciX5v9HQ0oilcBhvx0j5lGE9hhurD9F+fCvkr4KdbCknE 6Y8ce8pCNBUoB/DqibJivOzTk9K9MGB5x0De5TerIrFiaw3/mQC9nGeO9dtE7wvDJetWeoTq 4BEaCzpufNqbkpOaTQILr4V6Gp7M6v97g83TVAwZntz/q8ptwuKQPZ2JaSFLZn7oWUpYXA5s +SIODFHLn6iMoYpBQskHQjnj4lEPJadl4qj+ZKA89iDAKsniyoFXsbJe2CPbMS1yzBxKZq6K D/jpt7BOnuHr/JrXABEBAAHCwXYEGAEIACAWIQSCVjuE0GIO3A37hkE4l/LiLmWtPwUCZYxK tgIbDAAKCRA4l/LiLmWtP3jmEACQrh9gWe8F1Tkw3m6VoHKwLc5he4tX3WpQa//soPO6iGG3 S3WPruQ46NrAaAojoOcKI9UONDO5rxG0ZTX53S+lu2EO47jbcLwOCjaEpjKpDRt9ZXBQE8Xl mtBE9Bp3W9gpjB1nE3KNM1mJYgsK0QdRpwwfh4pVgGpOj8j23I6MCK+v99zEBnpgCn2GX8W/ kctRXHqWwndHysOJtRP/zrl7dDaABF1f9efUl0LL3TD3GJ9VDz+DNOin/uK2a1hiJo8QzTRk PpfUQ2ebzDsrd1i/pOWkMSkdH+rEu4AGrXWtaBwrMyrGkL6Icb6yO+P9/z0W2wlgBf3P1YRt JPgQt/Dj3yvA/UnaV/QmuVQPjl13o24UnJGsZM8XGnNdfWBKkC1Q6VXC4QT+dyBHYH9MuE9d 6oGl8pFM1+cTfEfbM62/rRoPkF1yHMsI/903VxEvuUIKfhEZAVLFyHldooNxuchntHQP9y8J 8Ou9bWYQP7MnEn+kwSwrZkjurfPkan+xQvp6dDYnj3V0GwA5pprBMaB928VIDVOv+1PNQI3t Cvk5VPv/skq+TJRMHW7bFSt8PRa91cUf1FOLIz9APDiJOzXkwxUEHGV3zPSaUhs1JYjyBeGT wDAvtLUdjOnRhEUOwlnIrztmvyciutjJoVzKEEjj5WXnHk9L9kQ1bpAjkjTONw== In-Reply-To: <61d82ff3-c5b1-45d0-ac55-d5bb10a30498@nomadlogic.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 1/5/26 15:45, Pete Wright wrote: > On 1/5/26 10:09, Colin Percival wrote: >> I'm doing some work, with Amazon sponsorship, to bring "pre-patched" EC2 >> AMIs to FreeBSD.  The goal here is that soon after any security advisory >> or errata notice there will be e.g. FreeBSD 15.0-RELEASE-p2 AMIs available >> so that people can launch those and not need to launch the -RELEASE and >> then apply updates after the instance boots. >> >> I have a couple design questions which I'd like input on: >> >> 1. AMI flavours: We publish four flavours, "base", "small", "cloud-init", >> and "AMI Builder".  The AMI Builder images (which are what I'll be using to >> build updated AMIs) are designed to construct "base" images.  How useful >> would it be to have other flavours? I changed my plans and am now building updates for all four flavours. These are now live for 15.0-RELEASE-p1. >> 2. SSM paths: The plan is to publish the updated AMI Ids via the SSM Parameter >> Store; instead of looking up >>    /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE >> you would be able to look up something like >>    /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1 >> to get 15.0-RELEASE-p1, and something like >>    /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest >> to get 15.0-RELEASE-p.  I'd like feedback >> on the "something like" paths -- are those good ones, or can someone suggest >> better names for the SSM parameters? > > short answer the paths seem reasonable to me, although i tend to prefer > explicit paths rather than "/latest" just to remove all doubt as to what > version i should expect. Right, I went with this plan, whereby you can launch .../latest to get the latest version, or .../p to get that particular patchlevel. > I am not a fan of how AWS implemented SSM, and the tooling is pretty awkward > as well imho.  it would be super handy to have a page listing all of the AMI's > available in an easy to parse method. Good idea. Which would be more useful, a single large page listing lots of AMIs, or a search form? -- Colin Percival FreeBSD Release Engineering Lead & EC2 platform maintainer Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid