From: Colin Percival
To: Connor Sheridan, "freebsd-cloud@freebsd.org"
Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
Date: Fri, 2 Apr 2021 04:44:32 +0000

Oh, I should have clarified -- the default size is 10 GB but the snapshot
itself is 4 GB; you can create a volume any size from 4 GB upwards. (That
size varies from release to release, btw.)

Colin Percival

On 4/1/21 4:17 PM, Connor Sheridan wrote:
> Even trying to provision an encrypted volume at the default size results in the same behavior. I hesitate to assert that FreeBSD on encrypted EBS is broken, but it seems to be.
>
> -----Original Message-----
> From: Colin Percival
> Sent: Thursday, April 1, 2021 6:46 PM
> To: Connor Sheridan; freebsd-cloud@freebsd.org
> Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
>
> #2 certainly works. I think #1 would work, but honestly I don't use encrypted volumes; I've never been able to think up a plausible attack which they would protect against.
>
> If you try #1, please let me know how it goes, so I can relay that to the next person to ask.
>
> Colin Percival
>
> On 4/1/21 3:30 PM, Connor Sheridan wrote:
>> That's precisely the situation, yes. 32GB EBS volume. So, would either of the following work?
>>
>> 1. Provisioning an encrypted volume at the snapshot size, then extending the size of the volume.
>> 2. Provisioning an unencrypted volume at the desired size.
>>
>> Obviously #1 would be preferable.
>>
>> -----Original Message-----
>> From: Colin Percival
>> Sent: Thursday, April 1, 2021 6:29 PM
>> To: Connor Sheridan; freebsd-cloud@freebsd.org
>> Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
>>
>> On 4/1/21 2:57 PM, Connor Sheridan wrote:
>>> I've attempted to provision x86_64 instances in AWS region us-east-2 from both the Marketplace AMIs and the specific AMI ID provided by the 12.2-RELEASE announcement, and they just get stuck in an endless boot loop. Appears to load the kernel, then reboot instantly. Are there any known gotchas about provisioning this release or anything I can do to get these running?
>>
>> There seems to be an issue related to encrypted disks -- possibly specifically related to creating an EBS encrypted volume which is larger than the backing snapshot.
>>
>> Are you using an encrypted disk?
>>
>> --
>> Colin Percival
>> Security Officer Emeritus, FreeBSD | The power to serve
>> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>>
>

--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
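
An added example, not part of the original thread: a triage check for the condition suspected above (an encrypted EBS volume larger than its backing snapshot), run over constructed data shaped like `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` output. The volume and snapshot IDs and the verdict labels are assumptions; the sizes mirror the thread, where a default 10 GB volume still exceeds the 4 GB snapshot.

```python
import json

# Constructed sample data shaped like `aws ec2 describe-volumes` and
# `aws ec2 describe-snapshots` output. All IDs are placeholders; sizes are GiB.
VOLUMES_JSON = """
{"Volumes": [
 {"VolumeId": "vol-EXAMPLE-a", "Size": 32, "Encrypted": true,  "SnapshotId": "snap-EXAMPLE-1"},
 {"VolumeId": "vol-EXAMPLE-b", "Size": 10, "Encrypted": true,  "SnapshotId": "snap-EXAMPLE-1"},
 {"VolumeId": "vol-EXAMPLE-c", "Size": 4,  "Encrypted": true,  "SnapshotId": "snap-EXAMPLE-1"},
 {"VolumeId": "vol-EXAMPLE-d", "Size": 32, "Encrypted": false, "SnapshotId": "snap-EXAMPLE-1"},
 {"VolumeId": "vol-EXAMPLE-e", "Size": 8,  "Encrypted": true,  "SnapshotId": ""}
]}
"""
SNAPSHOTS_JSON = """
{"Snapshots": [{"SnapshotId": "snap-EXAMPLE-1", "VolumeSize": 4}]}
"""


def classify_volumes(volumes_doc, snapshots_doc):
    """Map each VolumeId to a verdict for the condition suspected in the thread."""
    snap_size = {s["SnapshotId"]: s["VolumeSize"] for s in snapshots_doc["Snapshots"]}
    verdicts = {}
    for vol in volumes_doc["Volumes"]:
        snap_id = vol.get("SnapshotId") or None  # blank volumes report ""
        if snap_id is None:
            verdict = "no-snapshot"
        elif snap_id not in snap_size:
            verdict = "snapshot-unknown"  # snapshot not in the supplied listing
        elif not vol.get("Encrypted", False):
            verdict = "unencrypted"
        elif vol["Size"] > snap_size[snap_id]:
            verdict = "encrypted-larger-than-snapshot"
        else:
            verdict = "encrypted-at-snapshot-size"
        verdicts[vol["VolumeId"]] = verdict
    return verdicts


def suspects(verdicts):
    """Volume IDs matching the suspected trigger, in sorted order."""
    return sorted(v for v, why in verdicts.items() if why == "encrypted-larger-than-snapshot")


if __name__ == "__main__":
    result = classify_volumes(json.loads(VOLUMES_JSON), json.loads(SNAPSHOTS_JSON))
    for vol_id, why in sorted(result.items()):
        print(f"{vol_id}: {why}")
    print("check first:", ", ".join(suspects(result)))
```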