From: Rafal Lukawiecki
To: Colin Percival
Cc: Connor Sheridan, freebsd-cloud@freebsd.org
Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
Date: Fri, 2 Apr 2021 08:45:03 +0100
Message-Id: <680DE2C3-E67A-4C76-9CED-848EB54E637D@rafal.net>
In-Reply-To: <0100017890e5a39d-464806cc-158c-4895-8a0d-bf7444ff4c77-000000@email.amazonses.com>
List-Id: "FreeBSD on cloud platforms (EC2, GCE, Azure, etc.)"

I may be missing a point, but I create a regular, non-encrypted snapshot using Colin’s AMI maker, which then gets copied across regions into an encrypted one. From that one, I can successfully boot a larger, encrypted EBS instance.

The main reasons for using encrypted EBS are two: compliance with “best effort” in case the discarded data storage fell into someone’s hands, and an onion-like approach to security, getting an extra (though thin) layer at pretty much no cost. I cannot see a reason why not to use that feature provided it works in the background without any visible performance issues.

Many thanks,
Rafal

--
Rafal Lukawiecki
Pardon errors, mobile device.

> On 2 Apr 2021, at 08:40, Colin Percival wrote:
>
> Oh, I should have clarified -- the default size is 10 GB but the snapshot itself is 4 GB; you can create a volume any size from 4 GB upwards. (That size varies from release to release, btw.)
>
> Colin Percival
>
>> On 4/1/21 4:17 PM, Connor Sheridan wrote:
>> Even trying to provision an encrypted volume at the default size results in the same behavior. I hesitate to assert that FreeBSD on encrypted EBS is broken, but it seems to be.
>>
>> -----Original Message-----
>> From: Colin Percival
>> Sent: Thursday, April 1, 2021 6:46 PM
>> To: Connor Sheridan; freebsd-cloud@freebsd.org
>> Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
>>
>> #2 certainly works. I think #1 would work, but honestly I don't use encrypted volumes; I've never been able to think up a plausible attack which they would protect against.
>>
>> If you try #1, please let me know how it goes, so I can relay that to the next person to ask.
>>
>> Colin Percival
>>
>>> On 4/1/21 3:30 PM, Connor Sheridan wrote:
>>> That's precisely the situation, yes. 32 GB EBS volume. So, would either of the following work?
>>>
>>> 1. Provisioning an encrypted volume at the snapshot size, then extending the size of the volume.
>>> 2. Provisioning an unencrypted volume at the desired size.
>>>
>>> Obviously #1 would be preferable.
>>>
>>> -----Original Message-----
>>> From: Colin Percival
>>> Sent: Thursday, April 1, 2021 6:29 PM
>>> To: Connor Sheridan; freebsd-cloud@freebsd.org
>>> Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
>>>
>>> On 4/1/21 2:57 PM, Connor Sheridan wrote:
>>>> I've attempted to provision x86_64 instances in AWS region us-east-2 from both the Marketplace AMIs and the specific AMI ID provided by the 12.2-RELEASE announcement, and they just get stuck in an endless boot loop. Appears to load the kernel, then reboot instantly. Are there any known gotchas about provisioning this release or anything I can do to get these running?
>>>
>>> There seems to be an issue related to encrypted disks -- possibly specifically related to creating an EBS encrypted volume which is larger than the backing snapshot.
>>>
>>> Are you using an encrypted disk?
>>>
>>> --
>>> Colin Percival
>>> Security Officer Emeritus, FreeBSD | The power to serve
>>> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>>>
>>
>> --
>> Colin Percival
>> Security Officer Emeritus, FreeBSD | The power to serve
>> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>> _______________________________________________
>> freebsd-cloud@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-cloud
>> To unsubscribe, send any mail to "freebsd-cloud-unsubscribe@freebsd.org"
>>
>
> --
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid