Date: Fri, 2 Apr 2021 08:45:03 +0100
From: Rafal Lukawiecki <raf@rafal.net>
To: Colin Percival <cperciva@tarsnap.com>
Cc: Connor Sheridan <cws@nullsec.sh>, freebsd-cloud@freebsd.org
Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
Message-ID: <680DE2C3-E67A-4C76-9CED-848EB54E637D@rafal.net>
In-Reply-To: <0100017890e5a39d-464806cc-158c-4895-8a0d-bf7444ff4c77-000000@email.amazonses.com>
References: <0100017890e5a39d-464806cc-158c-4895-8a0d-bf7444ff4c77-000000@email.amazonses.com>

I may be missing a point, but I create a regular, non-encrypted snapshot using Colin’s AMI maker, which then gets copied across regions into an encrypted one. From that one, I can successfully boot a larger, encrypted EBS instance.

The main reasons for using encrypted EBS are two: compliance with “best effort” in case the discarded data storage fell into someone’s hands, and an onion-like approach to security, getting an extra (though thin) layer at pretty much no cost. I cannot see a reason why not to use that feature provided it works in the background without any visible performance issues.

Many thanks,
Rafal
--
Rafal Lukawiecki
Pardon errors, mobile device.

> On 2 Apr 2021, at 08:40, Colin Percival <cperciva@tarsnap.com> wrote:
>
> Oh, I should have clarified -- the default size is 10 GB but the snapshot
> itself is 4 GB; you can create a volume any size from 4 GB upwards. (That
> size varies from release to release, btw.)
>
> Colin Percival
>
>> On 4/1/21 4:17 PM, Connor Sheridan wrote:
>> Even trying to provision an encrypted volume at the default size results in the same behavior. I hesitate to assert that FreeBSD on encrypted EBS is broken, but it seems to be.
>>
>> -----Original Message-----
>> From: Colin Percival <cperciva@tarsnap.com>
>> Sent: Thursday, April 1, 2021 6:46 PM
>> To: Connor Sheridan <cws@nullsec.sh>; freebsd-cloud@freebsd.org
>> Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
>>
>> #2 certainly works. I think #1 would work, but honestly I don't use encrypted volumes; I've never been able to think up a plausible attack which they would protect against.
>>
>> If you try #1, please let me know how it goes, so I can relay that to the next person to ask.
>>
>> Colin Percival
>>
>>> On 4/1/21 3:30 PM, Connor Sheridan wrote:
>>> That's precisely the situation, yes. 32GB EBS volume. So, would either of the following work?
>>>
>>> 1. Provisioning an encrypted volume at the snapshot size, then extending the size of the volume.
>>> 2. Provisioning an unencrypted volume at the desired size.
>>>
>>> Obviously #1 would be preferable.
>>>
>>> -----Original Message-----
>>> From: Colin Percival <cperciva@tarsnap.com>
>>> Sent: Thursday, April 1, 2021 6:29 PM
>>> To: Connor Sheridan <cws@nullsec.sh>; freebsd-cloud@freebsd.org
>>> Subject: Re: FreeBSD 12.2-RELEASE x86_64 EC2 AMIs in us-east-2 not booting
>>>
>>> On 4/1/21 2:57 PM, Connor Sheridan wrote:
>>>> I've attempted to provision x86_64 instances in AWS region us-east-2 from both the Marketplace AMIs and the specific AMI ID provided by the 12.2-RELEASE announcement, and they just get stuck in an endless boot loop. Appears to load the kernel, then reboot instantly. Are there any known gotchas about provisioning this release or anything I can do to get these running?
>>>
>>> There seems to be an issue related to encrypted disks -- possibly specifically related to creating an EBS encrypted volume which is larger than the backing snapshot.
>>>
>>> Are you using an encrypted disk?
>>>
>>> --
>>> Colin Percival
>>> Security Officer Emeritus, FreeBSD | The power to serve
>>> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>>>
>>
>> --
>> Colin Percival
>> Security Officer Emeritus, FreeBSD | The power to serve
>> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>> _______________________________________________
>> freebsd-cloud@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-cloud
>> To unsubscribe, send any mail to "freebsd-cloud-unsubscribe@freebsd.org"
>>
>
> --
> Colin Percival
> Security Officer Emeritus, FreeBSD | The power to serve
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
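
Added example, not part of the original thread and not code from any of its participants: a Python triage that sorts EBS volumes into the cases discussed above, so that a volume encrypted at creation from an unencrypted snapshot and larger than that snapshot (the condition Colin suspects) stands out; with a 4 GB snapshot, the 10 GB default size already falls into that case. Assumptions: the input has the JSON shape of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots`; the records, IDs and category names below are constructed for illustration.

```python
import json

# Constructed sample data (placeholder IDs), shaped like describe-snapshots /
# describe-volumes output. Sizes are in GiB as EC2 reports them.
SNAPSHOTS = json.loads("""{"Snapshots": [
  {"SnapshotId": "snap-0000000000000000a", "VolumeSize": 4, "Encrypted": false},
  {"SnapshotId": "snap-0000000000000000b", "VolumeSize": 4, "Encrypted": true}
]}""")
VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-01", "SnapshotId": "snap-0000000000000000a", "Size": 32, "Encrypted": true},
  {"VolumeId": "vol-02", "SnapshotId": "snap-0000000000000000a", "Size": 10, "Encrypted": true},
  {"VolumeId": "vol-03", "SnapshotId": "snap-0000000000000000a", "Size": 4, "Encrypted": true},
  {"VolumeId": "vol-04", "SnapshotId": "snap-0000000000000000a", "Size": 32, "Encrypted": false},
  {"VolumeId": "vol-05", "SnapshotId": "snap-0000000000000000b", "Size": 32, "Encrypted": true},
  {"VolumeId": "vol-06", "SnapshotId": "", "Size": 8, "Encrypted": true}
]}""")


def classify(volume, snapshots_by_id):
    """Map one volume record to a case from the thread (names are hypothetical)."""
    if not volume["Encrypted"]:
        return "unencrypted"                 # option #2: reported to work
    snap_id = volume.get("SnapshotId") or None
    if snap_id is None:
        return "no-snapshot"                 # blank volume, not AMI-backed
    snap = snapshots_by_id.get(snap_id)
    if snap is None:
        return "snapshot-unknown"            # deleted or not visible to this account
    if snap["Encrypted"]:
        return "encrypted-snapshot"          # Rafal's route: copy to encrypted first
    if volume["Size"] > snap["VolumeSize"]:
        return "encrypted-and-grown"         # the suspected boot-loop condition
    return "encrypted-at-snapshot-size"      # first step of option #1


def audit(volumes, snapshots):
    """Return {VolumeId: case} for every volume in a describe-volumes document."""
    by_id = {s["SnapshotId"]: s for s in snapshots["Snapshots"]}
    return {v["VolumeId"]: classify(v, by_id) for v in volumes["Volumes"]}


if __name__ == "__main__":
    for vol_id, case in audit(VOLUMES, SNAPSHOTS).items():
        print(f"{vol_id}: {case}")
```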