Hi,
Continuing the discussion from: http://lists.fedoraproject.org/pipermail/devel/2010-February/131318.html
I am looking at: http://github.com/huff/kickstart-stuff/blob/master/fedora-ec2-min.ks
In the big picture I think we need to tease apart a few different concepts:
* Stuff generic to fully automating creating a small-ish server skeleton accessible over ssh (target case: virt-install)
* Stuff specific to EC2
* "Minimization" - For example, removing localization
Let me reattach my proposed file here.
Also, I would really like to have this be an Official Fedora Spin, by which I mean, you guys can't keep disabling SELinux. And it should be hosted in spin-kickstarts.
Other random stuff:
* Why acpid explicitly? Kill it, kill it dead.
On Fri, Feb 26, 2010 at 1:49 PM, Colin Walters walters@verbum.org wrote:
In the big picture I think we need to tease apart a few different concepts:
Yep, agreed.
- Stuff generic to fully automating creating a small-ish server skeleton accessible over ssh (target case: virt-install)
The package set here seems almost reasonable (although removing SELinux is kind of a no no); it has its warts, but it's part of being "Fedora-y")
- Stuff specific to EC2
Yeah, this should definitely be split out.
- "Minimization" - For example, removing localization
And I'm going to go out on a limb and say that this has no place in any general purpose image. With AOS where you're going for the absolute smallest size that you can get, meh, I guess. More general purpose, the locale support keeps us from making the system inaccessible to other parts of the world.
Let me reattach my proposed file here.
Basically, I guess I'm saying I agree more with your config than huff's :-)
- Jeremy
On 02/26/2010 10:13 PM, Jeremy Katz wrote:
On Fri, Feb 26, 2010 at 1:49 PM, Colin Walters walters@verbum.org wrote:
In the big picture I think we need to tease apart a few different concepts:
Yep, agreed.
- Stuff generic to fully automating creating a small-ish server skeleton accessible over ssh (target case: virt-install)
The package set here seems almost reasonable (although removing SELinux is kind of a no no); it has its warts, but it's part of being "Fedora-y")
- Stuff specific to EC2
Yeah, this should definitely be split out.
- "Minimization" - For example, removing localization
And I'm going to go out on a limb and say that this has no place in any general purpose image. With AOS where you're going for the absolute smallest size that you can get, meh, I guess. More general purpose, the locale support keeps us from making the system inaccessible to other parts of the world.
Let me reattach my proposed file here.
Basically, I guess I'm saying I agree more with your config than huff's :-)
I never said mine was perfect, however a good starting point for this type of discussion, which I have been wanting to have for a long time.
When we started the AOS (like 2 years ago) the base requirements were basically: DHCP, sshd, yum, and selinux (which was disabled in EC2 due to issues w/ their infrastructure).
ACPI was explicitly added, as Garrett noted, for the VM's to restart correctly, remembered EC2 is Xen biased, however this may not be necessary any longer.
-D
On Mon, Mar 1, 2010 at 10:38 AM, David Huff dhuff@redhat.com wrote:
I never said mine was perfect, however a good starting point for this type of discussion, which I have been wanting to have for a long time.
Yep, it's good to be having the discussion
When we started the AOS (like 2 years ago) the base requirements were basically: DHCP, sshd, yum, and selinux (which was disabled in EC2 due to issues w/ their infrastructure).
Since we're going to be using our own kernels, we can definitely use SELinux now as our kernels have it enabled. And I don't think that going with @base (which we consider to be a "base" Fedora system) actually hurts things.
ACPI was explicitly added, as Garrett noted, for the VM's to restart correctly, remembered EC2 is Xen biased, however this may not be necessary any longer.
You need something to listen to the ACPI events, but that's something devicekit-y for any other Fedora system, not acpid. We should be doing the same here probably. And this is where the extremely minimal approach of the original AOS kickstart falls down. By trying to hand-pick every single component to get the smallest size rather than using the default groupings that are made available in Fedora, those hand-picked components have to be constantly updated to reflect changes in the OS.
Another area you see this, for example, is that the config still uses mkinitrd instead of dracut to build the initramfs.
- Jeremy
On Mon, Mar 01, 2010 at 10:38:25AM -0500, David Huff wrote:
I never said mine was perfect, however a good starting point for this type of discussion, which I have been wanting to have for a long time.
When we started the AOS (like 2 years ago) the base requirements were basically: DHCP, sshd, yum, and selinux (which was disabled in EC2 due to issues w/ their infrastructure).
Do we know what these issues were, and whether they still exist? Do the F12 updates kernels currently being tested allow a guest to run on EC2 with selinux enabled?
Ewan
On Mon, Mar 1, 2010 at 12:29 PM, Ewan Mac Mahon ewan@macmahon.me.uk wrote:
On Mon, Mar 01, 2010 at 10:38:25AM -0500, David Huff wrote:
I never said mine was perfect, however a good starting point for this type of discussion, which I have been wanting to have for a long time.
When we started the AOS (like 2 years ago) the base requirements were basically: DHCP, sshd, yum, and selinux (which was disabled in EC2 due to issues w/ their infrastructure).
Do we know what these issues were, and whether they still exist? Do the F12 updates kernels currently being tested allow a guest to run on EC2 with selinux enabled?
The Amazon provided kernels have SELinux disabled. When we're running newer kernels, it shouldn't be an issue/concern
- Jeremy
On Mon, 1 Mar 2010, Jeremy Katz wrote:
On Mon, Mar 1, 2010 at 12:29 PM, Ewan Mac Mahon ewan@macmahon.me.uk wrote:
On Mon, Mar 01, 2010 at 10:38:25AM -0500, David Huff wrote:
I never said mine was perfect, however a good starting point for this type of discussion, which I have been wanting to have for a long time.
When we started the AOS (like 2 years ago) the base requirements were basically: DHCP, sshd, yum, and selinux (which was disabled in EC2 due to issues w/ their infrastructure).
Do we know what these issues were, and whether they still exist? Do the F12 updates kernels currently being tested allow a guest to run on EC2 with selinux enabled?
The Amazon provided kernels have SELinux disabled. When we're running newer kernels, it shouldn't be an issue/concern
How does Amazon keep their images up to date? On a 0 day kernel exploit, the first place I'd turn is the amazon ip space.
-Mike
On 3/1/2010 19:14, Mike McGrath wrote:
How does Amazon keep their images up to date? On a 0 day kernel exploit, the first place I'd turn is the amazon ip space.
EC2 doesn't lend itself well to kernel updates. EBS-backed instances aren't really problematic because one only needs to update kernel packages, stop the instances, change kernels+initramfs images to newer ones that Fedora has presumably already made available, and then restart them.
Instances that don't have EBS-backed root filesystems can't be stopped, and termination destroys them utterly. So one has to either rebundle Fedora's image as one backed by EBS or start up a new instance with the new kernel+initramfs, move everything over, then terminate the old one.
Hi,
On Fri, Feb 26, 2010 at 6:49 PM, Colin Walters walters@verbum.org wrote:
Hi,
Continuing the discussion from: http://lists.fedoraproject.org/pipermail/devel/2010-February/131318.html
I am looking at: http://github.com/huff/kickstart-stuff/blob/master/fedora-ec2-min.ks
In the big picture I think we need to tease apart a few different concepts:
- Stuff generic to fully automating creating a small-ish server skeleton accessible over ssh (target case: virt-install)
- Stuff specific to EC2
- "Minimization" - For example, removing localization
Let me reattach my proposed file here.
Also, I would really like to have this be an Official Fedora Spin, by which I mean, you guys can't keep disabling SELinux. And it should be hosted in spin-kickstarts.
Other random stuff:
- Why acpid explicitly? Kill it, kill it dead
I agree with most of the above but I don't really see that this, AOS or a minimal (minimum?) install should be any different, and even the Amazon image should only add EC2 stuff on top of that so should be able to include this .ks and add a few packages and whatever scripting is needed for the ec2 images.
Peter
On Feb 27, 2010, at 1:21, Peter Robinson wrote:
Hi,
On Fri, Feb 26, 2010 at 6:49 PM, Colin Walters walters@verbum.org wrote:
Hi,
Continuing the discussion from: http://lists.fedoraproject.org/pipermail/devel/2010-February/131318.html
I am looking at: http://github.com/huff/kickstart-stuff/blob/master/fedora-ec2-min.ks
In the big picture I think we need to tease apart a few different concepts:
- Stuff generic to fully automating creating a small-ish server skeleton accessible over ssh (target case: virt-install)
- Stuff specific to EC2
- "Minimization" - For example, removing localization
Let me reattach my proposed file here.
Also, I would really like to have this be an Official Fedora Spin, by which I mean, you guys can't keep disabling SELinux. And it should be hosted in spin-kickstarts.
Other random stuff:
- Why acpid explicitly? Kill it, kill it dead
I agree with most of the above but I don't really see that this, AOS or a minimal (minimum?) install should be any different, and even the Amazon image should only add EC2 stuff on top of that so should be able to include this .ks and add a few packages and whatever scripting is needed for the ec2 images.
I agree - it's generally easier to install packages than to remove them and all their leftover dependencies.
Isn't acpid necessary to get VMs to reboot and shut off properly?
Maybe we could have a generic kickstart for all VM images and then %include it in all the vendor-specific (e.g., EC2) kickstarts, which contain the bits that aren't portable between environments.
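The layering proposed above (a generic VM kickstart pulled into a vendor kickstart with `%include`) means an SELinux setting can be changed in any layer. The following is an added example, not part of the thread or of spin-kickstarts: a small checker that expands `%include` and reports every `selinux` command that is not `--enforcing`. The file names and kickstart contents are constructed for illustration.

```python
# Constructed kickstart layers for illustration; not the files from the thread.
SAMPLE_FILES = {
    "fedora-vm-base.ks": (
        "# generic VM skeleton reachable over ssh\n"
        "selinux --enforcing\n"
        "services --enabled=sshd\n"
        "%packages\n"
        "@core\n"
        "%end\n"
    ),
    "fedora-ec2.ks": (
        "%include fedora-vm-base.ks\n"
        "# vendor layer overrides the base policy\n"
        "selinux --disabled\n"
        "%post\n"
        "echo 'EC2-specific fstab setup would go here'\n"
        "%end\n"
    ),
}

def tokens(line):
    """Split a kickstart line into words, ignoring a trailing comment."""
    return line.split("#", 1)[0].split()

def flatten(name, files, seen=()):
    """Yield (file, lineno, words) with %include expanded in place."""
    if name in seen:
        raise ValueError("include loop at " + name)
    for lineno, line in enumerate(files[name].splitlines(), 1):
        words = tokens(line)
        if len(words) == 2 and words[0] == "%include":
            yield from flatten(words[1], files, seen + (name,))
        elif words:
            yield name, lineno, words

def selinux_settings(top, files):
    """List (file, lineno, mode) for each selinux command outside %sections."""
    found, in_section = [], False
    for fname, lineno, words in flatten(top, files):
        if words[0] == "%end":
            in_section = False
        elif words[0].startswith("%"):
            in_section = True
        elif words[0] == "selinux" and not in_section:
            modes = [w[2:] for w in words[1:]
                     if w in ("--enforcing", "--permissive", "--disabled")]
            found.append((fname, lineno, modes[0] if modes else "unspecified"))
    return found

def non_enforcing(top, files):
    """Layers that would ship the image without SELinux enforcing."""
    return [f for f in selinux_settings(top, files) if f[2] != "enforcing"]

if __name__ == "__main__":
    for fname, lineno, mode in non_enforcing("fedora-ec2.ks", SAMPLE_FILES):
        print(f"{fname}:{lineno}: selinux --{mode}")
```

Run against the top-level vendor kickstart, it names the layer and line that weakens the base policy, which makes it usable as a pre-commit or CI gate on a kickstart repository.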
On Mon, Mar 1, 2010 at 12:50 AM, Garrett Holmstrom gholms@fedoraproject.org wrote:
Isn't acpid necessary to get VMs to reboot and shut off properly?
Meh; I think we should just stick this in init, but OK let's ignore this for now.
Maybe we could have a generic kickstart for all VM images and then %include it in all the vendor-specific (e.g., EC2) kickstarts, which contain the bits that aren't portable between environments.
Yes. Ok, so can we agree that this should live in spin-kickstarts? Does the current cloud SIG have commit access there, and if not, can you guys get it?
On Wed, Mar 3, 2010 at 12:06 PM, Colin Walters walters@verbum.org wrote:
Maybe we could have a generic kickstart for all VM images and then %include it in all the vendor-specific (e.g., EC2) kickstarts, which contain the bits that aren't portable between environments.
Yes. Ok, so can we agree that this should live in spin-kickstarts? Does the current cloud SIG have commit access there, and if not, can you guys get it?
I went ahead and Just Did It:
http://git.fedorahosted.org/git/?p=spin-kickstarts.git;a=commit;h=8500904f56...
Still hoping that we can get separate patches in spin-kickstarts for:
1) Truly EC2 specific stuff, like setting up the fstab
2) Generic minimization - removing localization, wireless networking
On Sat, Feb 27, 2010 at 2:21 AM, Peter Robinson pbrobinson@gmail.com wrote:
I agree with most of the above but I don't really see that this, AOS or a minimal (minimum?) install should be any different, and even the Amazon image should only add EC2 stuff on top of that so should be able to include this .ks and add a few packages and whatever scripting is needed for the ec2 images.
The problem with the whole AOS/jeos/minimal OS idea is that it's a race to the bottom. There's this whole sub-culture of "let's see just how tiny we can make it because *clearly* it's easier to add things than remove them" when the end result of that is just a kernel and a shell.
I don't know, I just don't find that interesting or useful[1]. I'd rather actually have utilities and the things I'd expect to find on a Fedora system and not have to play games downloading packages for ages and paying the bandwidth charges to do so as well.
- Jeremy
[1] I guess there is a small set of cases where resources really are constrained enough that it matters. But even in many of those cases, what becomes eventually apparent is that some push back instead on the constraint leads to a better end result for everyone.
On Sun, 28 Feb 2010, Jeremy Katz wrote:
On Sat, Feb 27, 2010 at 2:21 AM, Peter Robinson pbrobinson@gmail.com wrote:
I agree with most of the above but I don't really see that this, AOS or a minimal (minimum?) install should be any different, and even the Amazon image should only add EC2 stuff on top of that so should be able to include this .ks and add a few packages and whatever scripting is needed for the ec2 images.
The problem with the whole AOS/jeos/minimal OS idea is that it's a race to the bottom. There's this whole sub-culture of "let's see just how tiny we can make it because *clearly* it's easier to add things than remove them" when the end result of that is just a kernel and a shell.
I don't know, I just don't find that interesting or useful[1]. I'd rather actually have utilities and the things I'd expect to find on a Fedora system and not have to play games downloading packages for ages and paying the bandwidth charges to do so as well.
I'm kind of with you on that. I don't think the smallest / tiniest footprint is as important as a known starting point. The funny thing is that anything beyond that is more subjective. The example I'd give is what editor to include, vim/emacs or joe.
-Mike
On Mon, Mar 1, 2010 at 2:22 AM, Mike McGrath mmcgrath@redhat.com wrote:
On Sun, 28 Feb 2010, Jeremy Katz wrote:
On Sat, Feb 27, 2010 at 2:21 AM, Peter Robinson pbrobinson@gmail.com wrote:
I agree with most of the above but I don't really see that this, AOS or a minimal (minimum?) install should be any different, and even the Amazon image should only add EC2 stuff on top of that so should be able to include this .ks and add a few packages and whatever scripting is needed for the ec2 images.
The problem with the whole AOS/jeos/minimal OS idea is that it's a race to the bottom. There's this whole sub-culture of "let's see just how tiny we can make it because *clearly* it's easier to add things than remove them" when the end result of that is just a kernel and a shell.
I don't know, I just don't find that interesting or useful[1]. I'd rather actually have utilities and the things I'd expect to find on a Fedora system and not have to play games downloading packages for ages and paying the bandwidth charges to do so as well.
I'm kind of with you on that. I don't think the smallest / tiniest footprint is as important as a known starting point. The funny thing is that anything beyond that is more subjective. The example I'd give is what editor to include, vim/emacs or joe.
Definitely pico ..... just joking!
I agree that you don't want it too small. It needs to be usable. But I also don't see the point in installing say a 'http' service where it could easily be used as a db node or whatever. All the other base utils for IP, networking, editing, package management, NAS drives etc should be there but someone wanting to use it as a DB server shouldn't have to remove something. Once that bit is worked out the only difference between the base 'virtual server' image and say that of a EC2 image should be the tools that EC2 need.
Peter
On 2/28/2010 20:17, Jeremy Katz wrote:
The problem with the whole AOS/jeos/minimal OS idea is that it's a race to the bottom. There's this whole sub-culture of "let's see just how tiny we can make it because *clearly* it's easier to add things than remove them" when the end result of that is just a kernel and a shell.
I don't know, I just don't find that interesting or useful[1]. I'd rather actually have utilities and the things I'd expect to find on a Fedora system and not have to play games downloading packages for ages and paying the bandwidth charges to do so as well.
I can see where you're coming from; a VM should certainly be useful out of the box. But I view this not as a "how small can we make this" contest, though, but instead as a "why install stuff that won't likely be used" question. For example, I think it would be silly to assume that most Fedora VMs will be web servers and install httpd by default.
Last I heard, the plan was to host a Fedora mirror in every availability zone, hopefully making concerns about bandwidth charges for yum downloads baseless. What people do have to pay for, though, is S3 storage for images and EBS volumes that are based on public Fedora images. I would certainly appreciate having a base image that starts out a few hundred MB lighter on things I don't need if possible - multiple EBS volumes add up quickly.
So what starting point would make sense for most users, given that everyone just gets shell access to start with? @core is obviously not enough to yield useful EC2 images, but all of @base is too much since it includes a bunch of things that don't make sense on EC2 VMs, such as Bluetooth, VLAN, and wireless support.