Debian Cloud - building the Debian AMIs

Debian-Cloud: EC2 AMIs
James Bromberger
<jeb@debian.org>

Agenda
• What is Debian
• What is AWS EC2
• A meander through block storage for EC2
instances
• Types of images
• Generating & distributing Debian’s AMIs
• Debuab Image lifecycle and security
• If there is time: Debian via Cloudfront CDN

What is Debian
• Computer Operating System
– 14 CPU/kernel architectures
– 37,500 packages of software
– Translated into a bunch of languages

What is Debian
• Primarily of free and open-source software
– GNU General Public License and many other
licenses

What is Debian
• Started 1993
– 21 years old now
• Democratic, volunteer organisation - ~1,000 people
(please join!)
– Zero payed employees

What is AWS and EC2
• AWS = Amazon Web Services
• EC2 = Elastic Compute Cloud
– Virtual servers running Linux, Windows, BSD
• Started 2006
• Now with 11 Regions and 52 Edge Locations
• Compute, storage, platform, infrastructure – as-a-service
– typically billed by the hour or by the month
Amazon EC2

What is EC2
• Compute requires:
– CPU, Memory (RAM)
– Block Storage (disk)
– Network
– Automation & bootstrapping
– Self-service
instance
Amazon EBS
Amazon VPC

What is EC2
• Amount of CPU & Memory is combined into
“instance type”:
– Small
– Medium
– Large
– ...
instance
instance
instance

What is EC2
• Several instance types are grouped into an
“instance family”:
– General Purpose (balanced memory:cpu)
– Memory Optimised (more memory:cpu)
– CPU Optimised (more cpu:memory)
– Storage Optimised (more ‘ephemerial’ storage)
– GPU (CUDA, OpenCL)
– Cluster Nodes (10 GB/sec networking and more)

What is EC2
• EC2 instance run on real servers!
instance instance instance instance
Total number of
(hyperthread)
CPU cores, each
dedicated* to an
instance
Disk inside the
physical server is
deemed
‘ephemeral’. Not
raid, but is local to
CPU and Memory.
Different amounts
of storage
depending on
instance type
RAM is dedicated
to each instance
Each instance can
send a certain
number of packets
per second

Ephemeral (instance) Storage

Persistent (EBS) Storage
Amazon EBS

Amazon EBS
Mechanical disk
General Purpose SSD (GP2)
Provisioned IOPS (SSD)
Amazon S3

Amazon EBS
Mechanical disk
General Purpose SSD (GP2)
Provisioned IOPS (SSD)
Amazon S3
AFR of a typical standard HDD
Designed for 99.999% availability
(5.26 min/yr)
Single instance attach only
(currently)
1GB..1TB (currently)
Your choice of file-system
Optional transparent encryption
by AWS
Network attached to your
instance back in the EC2
environment
99.999999999% durability
Replicated multiple times
within the same Region
Check-summed and re-check-
summed periodically
Designed for 99.99%
availability (SLA at 99.9%)
Can be shared with other
customers (specific, or all)
unless AWS-encrypted
Can be used to create a
new EBS volume
EBS snapshots cannot be
seen in your S3 buckets

Instance stop w/EBS
instance instance instance
Amazon EBS

Instance restart w/EBS
Amazon EBS
EBS volume(s) reattached, ephemeral volume(s) blank

Amazon Machine Images
• AMI is “golden master”
• Start as many instances as you like*
AMI
instance
instance
instance

Ephemeral and EBS
• Why is the Ephemeral and EBS storage options
important in AMIs?
Your root volume
/ -> persistent (EBS)
/ -> transitory (Ephemeral)

Ephemeral and EBS
important in AMIs?
Your root volume
1,000 systems for 24 hours,
8 GB EBS each in SYD: ~$30.85

Ephemeral and EBS
important in AMIs?
Your root volume
1,000 systems for 24 hours,
Ephemeral in SYD: $0

Ephemeral and EBS
important in AMIs?
Amazon S3 S3 backed AMI
snapshot
EBS backed AMI

CPU Architectures
• EC2 currently supports 2 architectures:
EBS backed AMI S3 backed AMI EBS backed AMI S3 backed AMI

Virtualisation Types
• EC2 uses (highly customised) Xen, and
supports two virtualisation types:
Para-
Virtualization
(threads)
Hardware
Virtualization
(emulation)
EBS backed AMI S3 backed AMIEBS backed AMI S3 backed AMI EBS backed AMI S3 backed AMIEBS backed AMI S3 backed AMI

Each Region is independent
Para-
Virtualization
(threads)
Hardware
Virtualization
(emulation)
AP... US West 1 US East 1

Now multiply that by:
• Wheezy
• Jessie
• Sarge
• ...

• 2 architectures
• 2 virtualisation types
• 2 root volume types
• 11 Regions
• 3 Debian releases
= 198 images
(Plus images currently being end-of-lifed,
experimented with, and used for other purposes)

Current Debian AMIs: Squeeze (6)
Architecture EBS Backed S3 Backed
32 bit PVM Yes
64 bit PVM Yes
32 bit HVM
64 bit HVM

Current Debian AMIs: Wheezy (7)
32 bit PVM Yes
64 bit PVM Yes Yes
32 bit HVM
64 bit HVM Yes (experimental)

Future Debian AMIs: Jessie (8)
32 bit PVM
64 bit PVM Yes
32 bit HVM
64 bit HVM Yes Yes*

Two ways of creating AMIs
Start from scratch
• Uses a fresh, blank volume,
install as a debootstrap
Update existing
• Start existing instance,
customise, create new
image

EBS Backed AMI overview
instance
volume
/
volume
/target
snapshot
EC2 API
Endpoint
AMI

Let’s create a Jessie image
• Fire up an existing instance (easiest is to use
an existing Debian AMI)
• Install git, debootstrap, python-boto, python-jsonschema,
and some other python bits
– Configure your AWS IAM credentials for boto
• Grab bootstrap-vz from Github

Distributing images globally
Each region has separate copies of AMIs

Distributing images
Three “groups” of Regions:
• GovCloud
• Beijing
• Everywhere else*

Debian AWS Accounts
Region AWS Account ID
Beijing 673060587306*
Gov Cloud 256493402735**
Standard Regions 379101102735

Community Shared AMIs
• Un-vetted by AWS
– Trojan horses
– Left over SSH keys in other accounts
– Cron jobs that go bump in the night
• Anyone can share any AMI under their control
(provided they have access within their AWS account to do so – IAM Policy)
– Caveat emptor

Pushing images to Marketplace
Vendor
AWS
Account ID
Vendor
Display
Name
Product ID Version ID ASIN SKU Software
by
Title Version
Title
Release
Notes
Short
Description
Description Highlight1

AMI Lifecycle
Our aim is to keep the final point release AMI
available for each Debian major release,
starting from Squeeze:
• 6.0.10
• 7.7

AMI Lifecycle
Wheezy 7.4
Wheezy 7.5
Try to keep a 2 – 5
week overlap for point
releases, then un-share
Wheezy 7.6
for a period,
Wheezy
7.6.aws.
1
Wheezy
7.6.aws.2
Wheezy 7.7
then delete
Time
Occasionally security
releases that are urgent
in BASE images (AMIs)
force additional version
numbers out of step with
Debian. This was
shellshock,

Security in base images
• EC2 instances may be deployed such that they
don’t have direct access to fetch updates
• Administrators may chose not to install
updates unattended

Workflow overview
1. Generate AMIs in US East 1
2. Tag AMIs and Snapshot
3. Test image in US East 1
4. Copy to all Standard Regions (python script)
5. Mark AMI and Snapshot as Public (python script)
6. Generate in Beijing and Gov Cloud, tag, mark public
7. Generate signed message to the Debian-cloud mailing list, update wiki
8. Wait a few days (for bugs to surface), then push to AWS Marketplace
9. Announce deprecation of previous versions (typically 3 – 5 weeks notice)
in signed email to Debian-cloud ML
10. After elapsed period, remove public sharing from AMI and Snapshots
(python script)
11. A day or so later, deregister the AMI and delete the snapshot (python
script)

What’s new in Jessie EC2 images
• Single Root IO Virtualisation (Enhanced
Networking)
• Multiple Network Interfaces (ENI)
• Multiple sub-interfaces
• AWS CLI and python-boto installed in base
image
• Cloud-init (since Wheezy 7.4)

Cloud-init
• Insert this as “User
Data”
• Can be embedded into
CloudFormation
templates
#cloud-config
package_update: true
package_upgrade: true
package_reboot_if_required: true
packages:
- pwgen
- less
locale: fr_FR.UTF-8
ssh_authorized_keys:
- ssh-rsa AAAAB3Nz....89dGp5 me@mykey1
- ssh-rsa AAAAB3Nz....89dGp5 me@mykey2
final_message: "The system is finally up,
after $UPTIME seconds"

Debian Archive via CDN
• Default apt sources.list
for EC2 images uses
cloudfront.debian.net
• Primarily for EC2
instances, but is active
in all 52 Cloudfront
locations world-wide
CloudFront

Cloudfront.debian.net
• Each edge location is
independent of all
others
edge location
edge location
edge location
traditional server

• However, Debian HTTP
servers don’t put any
cache advisory headers
on how long objects
(files) may be cached
for; some of these are
quite volatile, and some
are very stable
edge location
edge location
edge location
traditional server

• Luickly, Cloudfront
supports “Cache
behaviours”, mapping
different URL paths to
alternate origin servers
edge location
edge location
edge location
traditional server

• Default: => S3 bucket
• /debian/ => ftp.us.debian.org
• /debian/dists => my proxy server edge location
edge location
edge location
bucket
http://ftp.us.debian.org
Elastic Load instances
Balancing

Jessie on Ice
(ie, Jessie is frozen)

Debian 9:
Stretch
Debian 10: Buster
1.1 (‘96)
1.2
1.3
2
2.1
2.2
3 (2002)
3.1
4
5
6
7
8 (2015)

James Bromberger
E: jeb@debian.org
T: @JamesBromberger
L: https://www.linkedin.com/in/jamesbromberger
Perth, Australia
GPG: 4096R/9D85C53C 2011-11-29
Key fingerprint = 8591 20FE 0D9F A6A5 B054 C775 AEC8 2874 9D85 C53C
https://github.com/JamesBromberger/bootstrap-vz
https://wiki.debian.org/Cloud/AmazonEC2Image
https://aws.amazon.com/marketplace/pp/B00AA27RK4
https://lists.debian.org/debian-cloud/

Debian Cloud - building the Debian AMIs

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Debian Cloud - building the Debian AMIs

Similar to Debian Cloud - building the Debian AMIs (20)

More from James Bromberger

More from James Bromberger (6)

Recently uploaded

Recently uploaded (20)

Debian Cloud - building the Debian AMIs