were these "Flatcar" images in GovCloud actually pushed by Flatcar? #257

Closed
weisjohn opened this issue May 24, 2020 · 4 comments

Comments

@weisjohn

Description

Flatcar has a list of AMIs https://docs.flatcar-linux.org/os/booting-on-ec2/#choosing-a-channel
and there appear to be images in GovCloud West and East, but those AMIs are not listed on the site.

Those AMI names are Flatcar-stable-2345.3.1-hvm which are listed as Stable on Flatcar's site: https://www.flatcar-linux.org/releases/#stable-release

...but how do I actually trust or validate that image?

Impact

I can't move forward with Flatcar.

Environment and steps to reproduce

There is a Flatcar image in us-gov-west-1:

images=$(aws ec2 describe-images --region us-gov-west-1 --output json \
  --owners "775307060209" \
  --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]")
ami=$(echo "$images" | jq -r '.[-1][2]')
echo $ami
# ami-07d8bb321f46b40dc

There is a Flatcar image in us-gov-east-1:

images=$(aws ec2 describe-images --region us-gov-east-1 --output json \
  --owners "775307060209" \
  --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]")
ami=$(echo "$images" | jq -r '.[-1][2]')
echo $ami
# ami-09c5b2a64dcabf07e

  • Is that Owner ID correct?
  • And is that AMI actually produced by the project?

Expected behavior

I believe the project would list the AMIs in GovCloud.

Additional information

@pothos
Member

pothos commented May 24, 2020

Hello,

good that you filed a ticket, thanks!
We don't have AMIs in the GovCloud yet and I don't know who published them there and if you can trust them.

We only publish the official AMIs listed in the docs and under https://stable.release.flatcar-linux.net/amd64-usr/FLATCAR_VERSION_HERE/flatcar_production_ami_all.json. Our Owner ID is 075585003325 on the non-Gov-Cloud.

In addition we included a section of unofficial AMIs where we linked the Giant Swarm China AMIs because even though we don't publish them ourselves, we think they are trustworthy. Maybe we could do this for GovCloud, too, depending on how published them there…?

In the meantime, create your own AMI
Here is how to create Flatcar AMIs yourself which you can use to provision instances. Since Flatcar updates itself, you don't need to create new AMIs when a new version is released.

Compile mantle/bin/ore yourself from https://github.com/flatcar-linux/mantle/ or download it from the mantle binary release: https://github.com/flatcar-linux/mantle/releases/tag/v0.14.0

wget https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_ami_vmdk_image.vmdk.bz2
bunzip2 flatcar_production_ami_vmdk_image.vmdk.bz2
./ore aws initialize --region=eu-central-1 --bucket my-flatcar
./ore aws upload --region=eu-central-1 --ami-name="my-flatcar-image" --ami-description="Custom Flatcar Image" --file="flatcar_production_ami_vmdk_image.vmdk" --bucket s3://my-flatcar/myprefix/

However, I can't test this because I don't have a GovCloud account. There may be something in mantle which has a wrong assumption for your case.

I guess you can also just create an AMI in the web interface since it's a one-time action.
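
The check the thread is circling, as an added example that is not part of the original comments or the Flatcar project's code: an image counts as official only when its owner is the publisher account named above and its AMI ID appears in the release's official list for that region, and the image Name is never evidence. The JSON layout of flatcar_production_ami_all.json is an assumption here, the sample data is constructed, and the all-zero AMI IDs are placeholders.

```python
import json

# Publisher account stated by the maintainer above (commercial AWS partition only).
OFFICIAL_OWNER_ID = "075585003325"

# Constructed sample; the {"amis": [{"name": region, "hvm": ami}]} layout is an
# assumption about flatcar_production_ami_all.json, and the AMI IDs are placeholders.
OFFICIAL_LIST = json.loads("""
{"amis": [{"name": "eu-central-1", "hvm": "ami-00000000000000001"},
          {"name": "us-east-1",    "hvm": "ami-00000000000000002"}]}
""")

# Constructed `aws ec2 describe-images --output json` results, keyed by region.
DESCRIBED = {
    "eu-central-1": json.loads("""{"Images": [
        {"ImageId": "ami-00000000000000001", "OwnerId": "075585003325",
         "Name": "Flatcar-stable-2345.3.1-hvm"},
        {"ImageId": "ami-00000000000000009", "OwnerId": "075585003325",
         "Name": "Flatcar-stable-2345.3.1-hvm"}]}"""),
    "us-gov-west-1": json.loads("""{"Images": [
        {"ImageId": "ami-07d8bb321f46b40dc", "OwnerId": "775307060209",
         "Name": "Flatcar-stable-2345.3.1-hvm"}]}"""),
}


def official_ami_by_region(ami_list):
    """Map region -> AMI ID published in the release's official list."""
    return {entry["name"]: entry["hvm"] for entry in ami_list.get("amis", [])}


def classify(image, region, official):
    """Return a verdict; the image Name is never used as evidence."""
    if image.get("OwnerId") != OFFICIAL_OWNER_ID:
        return "untrusted: owner is not the official publisher"
    if region not in official:
        return "untrusted: no official AMI published for this region"
    if image.get("ImageId") != official[region]:
        return "untrusted: AMI ID not in this release's official list"
    return "official"


def audit(described, ami_list):
    """Classify every described image, keyed by (region, ImageId)."""
    official = official_ami_by_region(ami_list)
    return {(region, img["ImageId"]): classify(img, region, official)
            for region, result in described.items()
            for img in result.get("Images", [])}


if __name__ == "__main__":
    for key, verdict in audit(DESCRIBED, OFFICIAL_LIST).items():
        print(*key, verdict)
```
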

@weisjohn
Author

@pothos thanks very much for the quick reply and helpful notes.

> In addition we included a section of unofficial AMIs where we linked the Giant Swarm China AMIs because even though we don't publish them ourselves, we think they are trustworthy. Maybe we could do this for GovCloud, too, depending on how published them there…?

From a potential user perspective, I would be fairly upset if those images were linked on that page without a very clear warning that those images were not published by the Flatcar project and are not trustworthy.

> Compile mantle/bin/ore yourself from https://github.com/flatcar-linux/mantle/ or download it from the mantle binary release: https://github.com/flatcar-linux/mantle/releases/tag/v0.14.0

I went to download the binary, but the assets on that release only specify a cork binary?
I cloned mantle and tried to build on that project, but had errors. Based on the travis.yaml in that file which specifies go1.12.x, I used gvm to install and use go1.12.17, but I still get the same error. (I realize that I'm on a Mac, and that might be unsupported.)

johnweis on weisjohn at 03:04:01 PM in ~/src/mantle on flatcar-master
λ uname -a
Darwin weisjohn 19.4.0 Darwin Kernel Version 19.4.0: Wed Mar  4 22:28:40 PST 2020; root:xnu-6153.101.6~15/RELEASE_X86_64 x86_64

johnweis on weisjohn at 03:04:28 PM in ~/src/mantle on flatcar-master
λ make build
./build
Building cork
# github.com/coreos/mantle/system/exec
system/exec/multicall.go:81:3: unknown field 'Pdeathsig' in struct literal of type syscall.SysProcAttr
system/exec/multicall.go:93:3: unknown field 'Pdeathsig' in struct literal of type syscall.SysProcAttr
make: *** [build] Error 2

(I could spin up a Linux VM to do the build but I'm out of time for now).

@pothos
Member

pothos commented May 25, 2020

Maybe it's easier to create your AMI by hand in the web UI or with the aws command line tool.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html
In summary, what mantle's ore does is to upload the vmdk to S3 and then create an EBS snapshot from it. The S3 bucket can now be deleted. Then the AMI is created to refer to this EBS snapshot.

Yes, I meant that depending on who ("how" was a typo) published them this can be considered. I think it would be nicer if we publish official AMIs there.

@vbatts vbatts transferred this issue from flatcar-archive/flatcar-docs Nov 12, 2020
@jepio
Member

jepio commented Jan 28, 2022

We don't publish images to GovCloud, if anyone wants them they'll need to upload them themselves.

@jepio jepio closed this as completed Jan 28, 2022