[ec2-beta] ec2-beta and upcoming Ubuntu 9.04
Eric Hammond
ehammond at thinksome.com
Wed Apr 1 20:52:33 BST 2009
Chuck:
As background, the AMI bundles which are uploaded and registered on EC2
are encrypted with two public keys: the user who created the bundle, and
a special Amazon EC2 cloud identity.
This lets the user decrypt the bundle if they want to get direct access
to the contents at a later date (which is rare) and it lets the EC2 data
center software decrypt the bundle when it is setting up a new instance
to run that AMI (for a user who has been authorized through other means).
In theory, the Amazon EC2 cloud private key would be kept very secret
even inside Amazon. Only the Amazon software needs to have access to it
to run images. I imagine the default EC2 public key is built in to
ec2-bundle-image.
If somebody is running their own EC2-like cloud using Eucalyptus, they
would need to have the same type of functionality, but would not have
access to Amazon's private key. So, they need to create and use their
own pk/cert.
[The above is just my general understanding of the process, not having
used Eucalyptus personally.]
François, I've submitted the following request against vmbuilder. Let
me know if I got anything wrong:
https://bugs.launchpad.net/vmbuilder/+bug/353401
--
Eric Hammond
ehammond at thinksome.com
Francois Deppierraz wrote:
> Chuck Short wrote:
>
> >> Ummm...no it doesn't.
>
> Ummm, well, yes it does.
>
> Eucalyptus requires a specific *cloud* certificate (--ec2cert) in
> addition to the *user* certificate (--cert).
>
> # ec2-bundle-image --help | grep ec2cert
> --ec2cert PATH The path to the EC2 X509 public key
> certificate bundled into the AMI.
>
> François
>
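
The two-recipient scheme described in the message above, as an added example that is not part of the original e-mail and is not ec2-bundle-image's own code or file format. It assumes OpenSSL is installed; the recipient names "user" and "cloud", the file names, and the choice of AES-256-CBC with RSA-OAEP key wrapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: one payload encrypted once, readable by two key holders.
# All names, files and contents below are constructed for this example.
set -eu

# Prints what each private key recovers, one line per recipient.
demo_two_recipient_bundle() (
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # Two key pairs: the bundling user and the cloud (hypothetical names).
    for who in user cloud; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$who.key" 2>/dev/null
        openssl pkey -in "$who.key" -pubout -out "$who.pub"
    done

    printf 'constructed image contents\n' > image.raw

    # A single random symmetric key and IV encrypt the payload once.
    # CBC alone gives no integrity; a real format would also sign or MAC.
    key=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in image.raw -out image.enc

    # The symmetric key is wrapped separately under each public key, so a
    # different cloud only needs its own certificate in place of "cloud".
    for who in user cloud; do
        printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$who.pub" \
            -pkeyopt rsa_padding_mode:oaep -out "key.$who.wrapped"
    done

    # Either private key alone unwraps its copy and decrypts the payload.
    for who in user cloud; do
        k=$(openssl pkeyutl -decrypt -inkey "$who.key" \
            -pkeyopt rsa_padding_mode:oaep -in "key.$who.wrapped")
        printf '%s: ' "$who"
        openssl enc -d -aes-256-cbc -K "$k" -iv "$iv" -in image.enc
    done
)

demo_two_recipient_bundle
```

Neither private key is needed at bundling time, only the two public keys, which is why a cloud other than Amazon's has to supply its own certificate.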