[NB: CC'd to the Fedora cloud SIG mailing list]
On Tue, Oct 01, 2013 at 09:22:44AM -0400, Matthew Miller wrote:
> On Tue, Oct 01, 2013 at 02:20:11PM +0100, Richard W.M. Jones wrote:
> > Is there a reason to not use the official Fedora cloud images?
> That's part 2 of this exercise. Would like to talk to you
> about that separately at some point.
Okay. Any time. :)
So there are a few immediate problems (some of them in virt-builder
itself).
(1) Virt-builder really needs to be able to source images from
multiple places. At the moment there is only one source location
allowed, unless the user clumsily uses the --source option to point at
another one.
(2) Virt-builder currently assumes the image format is xz-compressed.
Actually I notice the raw.xz images are in the correct format already,
so we're good here.
(3) Virt-builder requires all images to be GPG-signed. It worries me
that these images are neither signed nor downloaded over https.
(4) Virt-builder requires a (signed) index file describing each cloud
image. I believe it would be a good thing for the cloud images to
include an index file, so that tools can automatically find out what's
there. The format of the index file is described here:
http://libguestfs.org/virt-builder.1.html#creating-and-signing-the-index-...
However having the index file will be less useful until (1) is fixed.
(5) Digital signatures: Currently virt-builder requires all indexes
and images to be signed by yours truly unless you go through an
involved process described here:
http://libguestfs.org/virt-builder.1.html#setting-up-a-gpg-key
We need to fix this, but key management is a non-trivial problem,
since we cannot host the public key in the same place as the index &
images (an attacker could replace both the images & key at the same
time). What's the strategy going to be for signing these cloud images?
----------------------------------------------------------------------
To test this out, I created an index file for the 64 bit Fedora 19
cloud image, which is attached. I also signed it (signature also
attached). You can test this if you want by putting all 3 files into
a directory anywhere and using commands such as:
virt-builder --source file:///path/to/index.asc -l
virt-builder --source file:///path/to/index.asc --notes fedora-cloud-19
virt-builder --source file:///path/to/index.asc \
    fedora-cloud-19 \
    --size 20G \
    --root-password password:123456 \
    --install @development-tools
And basically it works:
$ virt-builder --source file:///mnt/scratch/index.asc fedora-cloud-19 --size 20G \
    --root-password password:123456 --install @development-tools
[ 0.0] Downloading: file:///mnt/scratch/Fedora-x86_64-19-20130627-sda.raw.xz
[ 0.0] Creating disk image: fedora-cloud-19.img
[ 1.0] Uncompressing: file:///mnt/scratch/Fedora-x86_64-19-20130627-sda.raw.xz
[ 14.0] Running virt-resize to expand the disk to 20.0G
[ 44.0] Opening the new disk
[ 47.0] Setting a random seed
[ 47.0] Setting root password
[ 47.0] Installing packages: @development-tools
[ 156.0] Finishing off
Output: fedora-cloud-19.img
Total usable space: 19.7G
Free space: 18.6G (94%)
I didn't test this one to see if it boots.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
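The index file discussed in points (4) and (5) above lets a tool check what it downloaded before touching it. The following is an added example, not code from virt-builder or the libguestfs project: it parses an INI-style index of the kind virt-builder documents (one section per image, with keys such as file, checksum, size and compressed_size), then checks a downloaded blob's length and SHA-512 against the entry. It assumes the checksum field covers the file exactly as downloaded (the compressed .raw.xz); the sample index and image bytes are constructed for the demonstration. It does not verify the GPG signature over the index itself; as the mail notes, that only adds anything when the public key is obtained from somewhere other than the server hosting the index and images.

```python
"""Verify a virt-builder style index entry against a downloaded image.

Added example, not project code. Assumed index layout: INI-like, section
header = image name, keys file/checksum/size/compressed_size/... as in the
virt-builder index documentation. Assumed: `checksum` is the SHA-512 of the
file as downloaded (still xz-compressed).
"""
import configparser
import hashlib
import hmac

# Constructed stand-in for a downloaded, still-compressed image. The first
# six bytes are the xz container magic; the rest is filler.
SAMPLE_IMAGE = b"\xfd7zXZ\x00" + b"constructed fake raw.xz payload " * 4

# Constructed index entry. The checksum and compressed_size are derived from
# SAMPLE_IMAGE so the example is self-consistent; the other values are
# illustrative placeholders, not taken from a real Fedora index.
SAMPLE_INDEX = """\
[fedora-cloud-19]
name=Fedora 19 cloud image (x86_64)
osinfo=fedora19
arch=x86_64
file=Fedora-x86_64-19-20130627-sda.raw.xz
checksum={sha512}
format=raw
size=2147483648
compressed_size={csize}
expand=/dev/sda1
notes=Constructed sample entry for this example.
""".format(sha512=hashlib.sha512(SAMPLE_IMAGE).hexdigest(),
           csize=len(SAMPLE_IMAGE))


def parse_index(text):
    """Return {image_name: {key: value}} from an INI-style index string.

    interpolation=None so that '%' in a notes field is not treated specially.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def verify_image(entry, data):
    """Check downloaded bytes against one index entry.

    Returns (ok, reason). The byte length must equal compressed_size and the
    SHA-512 must equal the checksum field; the digest comparison uses
    hmac.compare_digest as a matter of habit for comparing secrets/digests.
    """
    expected_size = int(entry["compressed_size"])
    if len(data) != expected_size:
        return False, "size mismatch: got %d, index says %d" % (len(data), expected_size)
    actual = hashlib.sha512(data).hexdigest()
    if not hmac.compare_digest(actual, entry["checksum"].strip().lower()):
        return False, "sha512 mismatch"
    return True, "ok"


def demo():
    """Run the intact, byte-flipped and truncated cases; return the results."""
    entry = parse_index(SAMPLE_INDEX)["fedora-cloud-19"]
    flipped = bytearray(SAMPLE_IMAGE)
    flipped[10] ^= 0xFF            # same length, one byte changed
    return {
        "intact": verify_image(entry, SAMPLE_IMAGE),
        "flipped": verify_image(entry, bytes(flipped)),
        "truncated": verify_image(entry, SAMPLE_IMAGE[:-1]),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print("%-9s %s  %s" % (case, "PASS" if ok else "FAIL", reason))
```

The length check runs first because it is cheap and catches a truncated or partially served download without hashing; the digest check then catches any same-length modification. Both checks are only as trustworthy as the index they come from, which is why the index signature and its key distribution (point 5) matter.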