Re: RFC: EC2 "pre-patched" AMIs
Date: Mon, 19 Jan 2026 19:16:02 UTC
On 1/5/26 15:45, Pete Wright wrote:
> On 1/5/26 10:09, Colin Percival wrote:
>> I'm doing some work, with Amazon sponsorship, to bring "pre-patched" EC2
>> AMIs to FreeBSD. The goal here is that soon after any security advisory
>> or errata notice there will be e.g. FreeBSD 15.0-RELEASE-p2 AMIs available
>> so that people can launch those and not need to launch the -RELEASE and
>> then apply updates after the instance boots.
>>
>> I have a couple design questions which I'd like input on:
>>
>> 1. AMI flavours: We publish four flavours, "base", "small", "cloud-init",
>> and "AMI Builder". The AMI Builder images (which are what I'll be using to
>> build updated AMIs) are designed to construct "base" images. How useful
>> would it be to have other flavours?

I changed my plans and am now building updates for all four flavours. These are now live for 15.0-RELEASE-p1.

>> 2. SSM paths: The plan is to publish the updated AMI Ids via the SSM Parameter
>> Store; instead of looking up
>> /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE
>> you would be able to look up something like
>> /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/p1
>> to get 15.0-RELEASE-p1, and something like
>> /aws/service/freebsd/amd64/base/ufs/15.0/RELEASE/latest
>> to get 15.0-RELEASE-p<whatever the latest patchlevel is>. I'd like feedback
>> on the "something like" paths -- are those good ones, or can someone suggest
>> better names for the SSM parameters?
>
> short answer the paths seem reasonable to me, although i tend to prefer
> explicit paths rather than "/latest" just to remove all doubt as to what
> version i should expect.

Right, I went with this plan, whereby you can launch .../latest to get the latest version, or .../p<number> to get that particular patchlevel.

> I am not a fan of how AWS implemented SSM, and the tooling is pretty awkward
> as well imho. it would be super handy to have a page listing all of the AMI's
> available in an easy to parse method.

Good idea. Which would be more useful, a single large page listing lots of AMIs, or a search form?

-- 
Colin Percival
FreeBSD Release Engineering Lead & EC2 platform maintainer
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
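
Resolving the parameter names discussed in this thread to an AMI ID, as an added example that is not part of the original message or of FreeBSD's own tooling. The function names are hypothetical, the parameter layout is assumed to be exactly the one quoted above, and `resolve_freebsd_ami` assumes the AWS CLI is installed with credentials and a region configured.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the parameter layout is the
# one quoted in the thread: .../RELEASE, .../RELEASE/p<number>, .../RELEASE/latest.

# Build the SSM parameter name.
# usage: freebsd_ami_param ARCH FLAVOUR FS RELEASE [latest|p<number>]
freebsd_ami_param() {
    [ "$#" -ge 4 ] || { echo "usage: freebsd_ami_param ARCH FLAVOUR FS RELEASE [PATCH]" >&2; return 2; }
    base="/aws/service/freebsd/$1/$2/$3/$4/RELEASE"
    patch=${5:-}
    case "$patch" in
        "")     printf '%s\n' "$base" ;;            # the original -RELEASE AMI
        latest) printf '%s\n' "$base/latest" ;;     # floating: changes with each new patchlevel
        p[0-9]*)
            case "${patch#p}" in
                *[!0-9]*) echo "bad patchlevel: $patch" >&2; return 1 ;;
            esac
            printf '%s\n' "$base/$patch" ;;         # fixed patchlevel
        *)  echo "bad patchlevel: $patch" >&2; return 1 ;;
    esac
}

# Succeed only if the parameter name ends in an explicit p<number>, so a
# deployment script can refuse a floating .../latest reference.
is_patchlevel_pinned() {
    last=${1##*/}
    case "$last" in
        p[0-9]*)
            case "${last#p}" in
                *[!0-9]*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# Look the parameter up and print the AMI ID it holds.
# Assumes the AWS CLI with credentials and a region configured.
resolve_freebsd_ami() {
    name=$(freebsd_ami_param "$@") || return 1
    aws ssm get-parameter --name "$name" --query 'Parameter.Value' --output text
}
```

For example, `resolve_freebsd_ami amd64 base ufs 15.0 p1` looks up the 15.0-RELEASE-p1 base image, and checking the name with `is_patchlevel_pinned` first gives the explicit-version behaviour preferred in the quoted reply.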