
cloud-init-dev team mailing list archive

[Bug 1835114] Re: [MIR] ec2-instance-connect


@raharper I agree with the concern regarding the manipulation of sshd
config. To minimize the collision with cloud-init this package does not
change /etc/ssh/sshd_config like cloud-init does, but overrides the
configuration value with a systemd drop-in. The drop-in is placed at the
time the AMI is built, thus there is no race with cloud-init here, and if
an upgrade of ec2-instance-connect has a race with cloud-init, then there
is a race with the potential upgrade of sshd as well.

Regarding the potential user confusion when the user also sets ssh keys
using cloud-init, eic_run_authorized_keys is designed to _merge_ the keys
used by Instance Connect with the other keys in use, thus the users can
continue to use their keys deployed by cloud-init or the ones deployed
by other means.

I also agree that there is additional overhead for each ssh connection,
but while testing the package I have not found it excessive. We may
need further evaluation of the impact on the ssh service before adding
the package to the AMIs by default, but I think this can be done after
finishing the MIR process.

Upstream already answered @paelzer's caching proposal, and the package
is installed on Amazon Linux 2 by default already, thus I believe
upstream's attention is warranted regarding the overhead.
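As an added illustration of the two mechanisms discussed in the comment above (a systemd drop-in overriding sshd's options instead of editing /etc/ssh/sshd_config, and an AuthorizedKeysCommand that merges externally supplied keys with the user's existing ones), here is example code that is not part of the ec2-instance-connect package or of cloud-init. The drop-in path, the /usr/local/sbin/merge_keys path, the AuthorizedKeysCommandUser and the sample keys are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from ec2-instance-connect: a systemd drop-in that
# overrides sshd's AuthorizedKeysCommand without touching /etc/ssh/sshd_config,
# and a merging AuthorizedKeysCommand. Paths and sample keys are assumptions.

# Drop-in text for /etc/systemd/system/ssh.service.d/override.conf (assumed
# path). The empty ExecStart= clears the unit's original command first;
# Ubuntu's ssh.service starts sshd as "/usr/sbin/sshd -D $SSHD_OPTS".
render_dropin() {
    cat <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -o AuthorizedKeysCommand=/usr/local/sbin/merge_keys -o AuthorizedKeysCommandUser=nobody
EOF
}

# merge_keys LOCAL_FILE REMOTE_FILE: prints each key once. Duplicates are
# detected on "type base64" (the key type field is located so option-prefixed
# lines such as command="..." are handled). A missing or unreadable file is
# skipped, so the user's own keys still reach sshd when the external fetch fails.
merge_keys() {
    cat "$1" "$2" 2>/dev/null | awk '
        /^[ \t]*(#|$)/ { next }
        {
            k = $0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { k = $i " " $(i + 1); break }
        }
        !(k in seen) { seen[k] = 1; print }
    '
}

# demo_merge [fetch-failed]: runs merge_keys on constructed input; the key
# bodies are placeholders, not real public keys.
demo_merge() {
    tmp=$(mktemp -d)
    cat >"$tmp/local_keys" <<'EOF'
# keys deployed by cloud-init
ssh-ed25519 AAAAC3Nza_LOCAL_ONE user@laptop
command="/usr/bin/backup" ssh-rsa AAAAB3Nza_SHARED admin@corp
EOF
    cat >"$tmp/remote_keys" <<'EOF'
command="/usr/bin/backup" ssh-rsa AAAAB3Nza_SHARED pushed-by-instance-connect
ssh-ed25519 AAAAC3Nza_REMOTE_TWO eic
EOF
    remote="$tmp/remote_keys"
    [ "$1" = "fetch-failed" ] && remote="$tmp/missing"
    merge_keys "$tmp/local_keys" "$remote"
    rm -rf "$tmp"
}
```

`demo_merge` prints three keys (the shared key once, with its local comment), and `demo_merge fetch-failed` prints only the two local keys; after installing a real drop-in, `systemctl cat ssh` and `sshd -T` show the effective ExecStart and AuthorizedKeysCommand.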

You received this bug notification because you are a member of cloud-init Commiters, which is subscribed to the bug report.

  [MIR] ec2-instance-connect

Status in ec2-instance-connect package in Ubuntu:

Bug description:
  ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.

  This package is useful on Amazon EC2 instances to make use of a new feature, Instance Connect, which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.

  Installing the package enables the use of Instance Connect on an

  This is a new package, and as such has no security history to speak of.

  [Quality Assurance]
  The package consists of a few shell scripts that are difficult to test by
  themselves due to the high reliance on Amazon's Instance Connect service,
  which is online and limited to use on Amazon instances.

  Given that it's a new package, there are no long-term outstanding bugs in
  Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.

  This package deals with special "hardware"; it is only useful on Amazon
  instances, and its support is required as a default deployment on such
  instances when deployed with Ubuntu.

  [UI Standards]
  Not applicable. This service is command-line only and has no configuration options.

  There are no special dependencies to speak of.

  [Standards Compliance]
  This package has been thoroughly reviewed by a few Canonical engineers; there are no known standards violations.

  This package is to be owned by the Ubuntu Foundations team.

  [Background Information]
  This is Amazon-specific, as previously mentioned.
