[Fedora-legal-list] Hosting Fedora cloud images

Richard W.M. Jones rjones at redhat.com
Mon Oct 28 09:48:52 UTC 2013


[NB: CC'd to the Fedora cloud SIG mailing list]

On Tue, Oct 01, 2013 at 09:22:44AM -0400, Matthew Miller wrote:
> On Tue, Oct 01, 2013 at 02:20:11PM +0100, Richard W.M. Jones wrote:
> > > Is there a reason to not use the official Fedora cloud images?
> > That's part 2 of this exercise.  Would like to talk to you
> > about that separately at some point.
> 
> Okay. Any time. :)

So there are a few immediate problems (some of them in virt-builder
itself).

(1) Virt-builder really needs to be able to source images from
multiple places.  At the moment there is only one source location
allowed, unless the user clumsily uses the --source option to point at
another one.

(2) Virt-builder currently assumes the image format is xz-compressed.
Actually I notice the raw.xz images are in the correct format already,
so we're good here.

(3) Virt-builder requires all images to be GPG-signed.  It worries me
that these images are neither signed nor downloaded over https.

(4) Virt-builder requires a (signed) index file describing each cloud
image.  I believe it would be a good thing for the cloud images to
include an index file, so that tools can automatically find out what's
there.  The format of the index file is described here:

http://libguestfs.org/virt-builder.1.html#creating-and-signing-the-index-file

However having the index file will be less useful until (1) is fixed.

(5) Digital signatures: Currently virt-builder requires all indexes
and images to be signed by yours truly unless you go through an
involved process described here:

http://libguestfs.org/virt-builder.1.html#setting-up-a-gpg-key

We need to fix this, but key management is a non-trivial problem,
since we cannot host the public key in the same place as the index &
images (an attacker could replace both the images & key at the same
time).  What's the strategy going to be for signing these cloud images?

----------------------------------------------------------------------

To test this out, I created an index file for the 64 bit Fedora 19
cloud image, which is attached.  I also signed it (signature also
attached).  You can test this if you want by putting all 3 files into
a directory anywhere and using commands such as:

  virt-builder --source file:///path/to/index.asc -l

  virt-builder --source file:///path/to/index.asc --notes fedora-cloud-19

  virt-builder --source file:///path/to/index.asc \
    fedora-cloud-19 \
    --size 20G \
    --root-password password:123456 \
    --install @development-tools

And basically it works:

  $ virt-builder --source file:///mnt/scratch/index.asc fedora-cloud-19 --size 20G --root-password password:123456 --install @development-tools
  [   0.0] Downloading: file:///mnt/scratch/Fedora-x86_64-19-20130627-sda.raw.xz
  [   0.0] Creating disk image: fedora-cloud-19.img
  [   1.0] Uncompressing: file:///mnt/scratch/Fedora-x86_64-19-20130627-sda.raw.xz
  [  14.0] Running virt-resize to expand the disk to 20.0G
  [  44.0] Opening the new disk
  [  47.0] Setting a random seed
  [  47.0] Setting root password
  [  47.0] Installing packages: @development-tools
  [ 156.0] Finishing off
  Output: fedora-cloud-19.img
  Total usable space: 19.7G
  Free space: 18.6G (94%)

I didn't test this one to see if it boots.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[fedora-cloud-19]
name=Fedora® 19 Cloud (x86-64)
osinfo=fedora19
file=Fedora-x86_64-19-20130627-sda.raw.xz
sig=Fedora-x86_64-19-20130627-sda.raw.xz.sig
format=raw
size=2147483648
compressed_size=135178796
expand=/dev/sda1
notes=Fedora® 19 Cloud (x86-64) image
 
 Fedora and the Infinity design logo are trademarks of Red Hat, Inc.
 Source and further information is available from http://fedoraproject.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
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=vS+q
-----END PGP SIGNATURE-----
-------------- next part --------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
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=VBMh
-----END PGP SIGNATURE-----
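The index format shown in the attachment, and the signature and key-management concerns raised in points (3) to (5), as an added example (my code, not part of the original message and not virt-builder's own code). It parses a clearsigned index into sections, runs the consistency checks a consumer would want before fetching an image, and verifies a detached image signature with gpg while insisting on a fingerprint pinned out of band rather than whatever key the mirror offers. Assumptions: the sample index is constructed from the one posted above with a dummy signature block; the "bare filename" rule for `file`/`sig` and the `raw`/`qcow2` format list are my own choices; the gpg `--status-fd` parsing relies on the `VALIDSIG` status line and is not exercised offline.

```python
"""Parse and sanity-check a virt-builder style index before trusting an image.

Added example, not virt-builder's own code. Format follows the index posted
above: [section] headers, key=value lines, continuation lines starting with
one space. Stripping the clearsign armour is only so the text can be parsed;
authenticity comes from gpg against a fingerprint pinned out of band.
"""
import re
import subprocess

# Constructed sample modelled on the posted index; the signature is a dummy.
SAMPLE_INDEX = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    "[fedora-cloud-19]",
    "name=Fedora 19 Cloud (x86-64)",
    "file=Fedora-x86_64-19-20130627-sda.raw.xz",
    "sig=Fedora-x86_64-19-20130627-sda.raw.xz.sig",
    "format=raw",
    "size=2147483648",
    "compressed_size=135178796",
    "notes=Fedora 19 Cloud (x86-64) image",
    " ",                      # a lone space: an empty line inside the value
    " Source and further information is available from http://fedoraproject.org/",
    "-----BEGIN PGP SIGNATURE-----",
    "(dummy signature data, not a real signature)",
    "-----END PGP SIGNATURE-----",
])

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
REQUIRED = ("name", "file", "sig", "format", "size", "compressed_size")
# My own rule: file/sig get joined onto the index URL, so no paths allowed.
BARE_NAME_RE = re.compile(r"^[A-Za-z0-9._+-]+$")


def strip_clearsign(text):
    """Return the signed text of a clearsigned message (or text unchanged if
    it is not clearsigned), undoing RFC 4880 dash-escaping."""
    lines = text.splitlines()
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in lines:
        return text
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    while start < end and lines[start].strip():   # skip "Hash: ..." headers
        start += 1
    body = lines[start + 1:end]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def parse_index(text):
    """Parse index text into {section: {key: value}}."""
    entries, cur, key = {}, None, None
    for lineno, line in enumerate(strip_clearsign(text).splitlines(), 1):
        if not line:                  # a truly blank line ends a multi-line value
            key = None
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = entries.setdefault(m.group(1), {})
            key = None
        elif line[0].isspace() and key is not None:
            cur[key] += "\n" + line[1:]   # continuation: drop the one leading space
        elif "=" in line and cur is not None and not line[0].isspace():
            k, v = line.split("=", 1)
            key = k.strip()
            cur[key] = v.strip()
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    return entries


def check_entry(entry):
    """Return a list of problems with one entry; empty means it passed."""
    problems = [f"missing field {k!r}" for k in REQUIRED if k not in entry]
    for k in ("file", "sig"):
        v = entry.get(k)
        if v is not None and (v in (".", "..") or not BARE_NAME_RE.match(v)):
            problems.append(f"{k}={v!r} is not a bare filename")
    fmt = entry.get("format")
    if fmt is not None and fmt not in ("raw", "qcow2"):   # formats I assume ok
        problems.append(f"format={fmt!r} is not raw or qcow2")
    for k in ("size", "compressed_size"):
        v = entry.get(k)
        if v is not None and not v.isdigit():
            problems.append(f"{k}={v!r} is not a byte count")
    return problems


def verify_detached_signature(sig_path, data_path, pinned_fpr, gpg="gpg"):
    """Accept only if gpg reports VALIDSIG for the pinned fingerprint; the key
    must already be in the local keyring, imported out of band. Needs gpg and
    real files, so the offline sample above does not exercise it."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    want = pinned_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2].upper() == want
    return False
```

For the clearsigned index itself gpg takes the single `.asc` file (`gpg --verify index.asc`); the function above covers the detached `.sig` next to the `.raw.xz`. The fingerprint comparison is the part that matters: a `GOODSIG` from any key in the keyring proves nothing if the attacker can also serve the key, which is exactly the hosting problem point (5) raises.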

