cloud-init-dev team mailing list archive
Message #07304
[Bug 1835114] Re: [MIR] ec2-instance-connect
@raharper I agree with the concern regarding the manipulation of sshd
config. To minimize the collision with cloud-init this package does not
change /etc/ssh/sshd_config like cloud-init does, but overrides the
configuration value with a systemd drop-in. The drop-in is placed at the
time the AMI is built, thus there is no race with cloud-init here, and if
upgrade of ec2-instance-connect has a race with cloud-init then there is
a race with the potential upgrade of sshd as well.

Regarding the potential user confusion when the user also sets ssh keys
using cloud-init, eic_run_authorized_keys is designed to _merge_ the keys
used by Instance Connect with the other keys in use, thus the users can
continue to use their keys deployed by cloud-init or the ones deployed
by other means.

I also agree that there is additional overhead for each ssh connection,
but while testing the package I have not found that excessive. We may
need further evaluation of the impact on the ssh service before adding
the package to the AMIs by default, but I think this can be done after
finishing the MIR process.

Upstream already answered @paelzer's caching proposal, and the package
is installed on Amazon Linux 2 by default already, thus I believe
upstream's attention is warranted regarding the overhead.
--
You received this bug notification because you are a member of cloud-
init Commiters, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
Status in ec2-instance-connect package in Ubuntu:
Incomplete
Bug description:
[Availability]
ec2-instance-connect is in the Ubuntu archive, and available for all supported releases. It is available on all architectures despite only being useful on Amazon EC2 instances.
[Rationale]
This package is useful on Amazon EC2 instances to make use of a new feature,
Instance Connect, which allows storing SSH keys for access online in the Amazon systems. These SSH keys are then retrieved to be used by the system's SSH service, collated with pre-existing keys as deployed on the system.
Installing the package enables the use of Instance Connect on an
instance.
[Security]
This is a new package, and as such has no security history to speak of.
[Quality Assurance]
The package consists of a few shell scripts that are difficult to test by
themselves due to the high reliance on Amazon's Instance Connect service,
which is online and limited to use on Amazon instances.
Given that it's a new package, there are no long-term outstanding bugs in
Ubuntu or Debian. The package is only maintained in Ubuntu at the moment.
This package deals with special "hardware"; it is only useful on Amazon
instances, and its support is required as a default deployment on such
instances when deployed with Ubuntu.
[UI Standards]
Not applicable. This service is command-line only and has no configuration options.
[Dependencies]
There are no special dependencies to speak of.
[Standards Compliance]
This package has been thoroughly reviewed by a few Canonical engineers; there are no standards violations known.
[Maintenance]
This package is to be owned by the Ubuntu Foundations team.
[Background Information]
This is Amazon-specific, as previously mentioned.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions
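
Added example (not part of the original message or of the ec2-instance-connect package): the reply above says the package overrides an sshd setting through a systemd drop-in instead of editing /etc/ssh/sshd_config, so an audit that reads only sshd_config can report the wrong value. The sketch below resolves the effective value, assuming the drop-in passes the setting as an sshd `-o` option on `ExecStart`; the unit text, paths and user name are constructed placeholders.

```python
import re
import shlex

# Constructed sample inputs; paths and user name are placeholders, not the package's files.
MAIN_UNIT = "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n"
DROP_IN = ('[Service]\nExecStart=\n'
           'ExecStart=/usr/sbin/sshd -D '
           '-o "AuthorizedKeysCommand /opt/example/eic_run_authorized_keys %%u %%f" '
           '-o "AuthorizedKeysCommandUser example-user" $SSHD_OPTS\n')
SSHD_CONFIG = ("# AuthorizedKeysCommand none\nPasswordAuthentication no\n"
               "AuthorizedKeysCommand /usr/local/bin/site-keys %u\n")

def exec_start(unit_texts):
    """ExecStart list after applying the main unit, then each drop-in, in order."""
    cmds = []
    for text in unit_texts:
        for line in text.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and key.strip() == "ExecStart":
                # systemd: an empty assignment resets the list built so far
                cmds = (cmds + [value.strip()]) if value.strip() else []
    return cmds

def split_option(text):
    """Split 'Keyword value' or 'Keyword=value'; sshd keywords are case-insensitive."""
    m = re.match(r"\s*([^\s=]+)\s*=?\s*(.*)", text)
    return (m.group(1).lower(), m.group(2).strip()) if m else ("", "")

def effective(keyword, unit_texts, sshd_config):
    """Return (value, source) for a global sshd keyword."""
    keyword = keyword.lower()
    # Command-line -o options override the configuration file.
    # $SSHD_OPTS is not expanded here; options hidden in it are out of scope.
    for cmd in exec_start(unit_texts):
        args = iter(shlex.split(cmd.replace("%%", "%"))[1:])  # %% is a literal % in units
        for arg in args:
            if arg == "-o":
                opt = next(args, "")
            elif arg.startswith("-o"):
                opt = arg[2:]
            else:
                continue
            key, value = split_option(opt)
            if key == keyword:
                return value, "sshd command line (systemd unit)"
    # In sshd_config the first value obtained wins; stop at the first Match block.
    for line in sshd_config.splitlines():
        key, value = split_option(line)
        if key == "match":
            break
        if key == keyword and not line.lstrip().startswith("#"):
            return value, "sshd_config"
    return None, "not set"
```

On a live host, `sshd -T` run with the same arguments as the unit's `ExecStart` prints the configuration sshd itself resolves.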