From Fedora Project Wiki


Revision as of 01:15, 1 September 2020

Introduction

The AWS Marketplace team has created an opportunity to deliver the official images to customers via a Sold by AWS account. This would provide full searchability and detail regarding the official Fedora images, and all published images could be listed for customers' use. This will automatically give customers the ability to leverage public parameters in SSM.


Motivation

Deploying images across partitions requires a significant amount of effort, including certifications and permissions for ITAR regions or opt-in-only regions, where AMI delivery best practices require a significant number of accounts to separate publications. To bypass these requirements, the Fedora images can be published using the existing scanning and certification systems that the AWS Marketplace team put in place to simplify the process for Amazon Partner Network participants. This makes it possible to build images the same way they are built today as community images, with the added benefit of making them available in regions where the Fedora team would otherwise need signed agreements or credentials on file, which would require project leadership to accept personal liability.

There are also Amazon EC2 users who have developed policies requiring every image they use to pass through AWS Marketplace security scanning, to avoid security issues such as the one outlined in CVE-2018-15869 (https://nvd.nist.gov/vuln/detail/CVE-2018-15869). While the Fedora community already does an excellent job of producing a curated list of current AMIs, this allows the images to be integrated more deeply into the ecosystem. Ultimately, this leads to increased participation and additional discovery for the Fedora cloud images.
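
The owner check that such policies enforce, as an added example that is not part of the wiki page or of Fedora's tooling: CVE-2018-15869 concerns AMI lookups that do not restrict the image owner, so a look-alike public image can be selected. The image records, account IDs, AMI IDs and trust list below are constructed assumptions.

```python
from datetime import datetime

# Assumption: the consumer's policy trusts only images published through AWS
# Marketplace. Account IDs and AMI IDs below are constructed placeholders.
TRUSTED_ALIASES = {"aws-marketplace"}
TRUSTED_OWNER_IDS = set()  # optionally pin explicit publisher account IDs here

# Constructed sample shaped like the "Images" list of an EC2 DescribeImages reply.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa0000000000001", "Name": "Fedora-Cloud-Base-32-1.5.x86_64",
     "OwnerId": "111111111111", "ImageOwnerAlias": "aws-marketplace",
     "CreationDate": "2020-04-20T10:00:00.000Z"},
    {"ImageId": "ami-0aaa0000000000002", "Name": "Fedora-Cloud-Base-32-1.6.x86_64",
     "OwnerId": "111111111111", "ImageOwnerAlias": "aws-marketplace",
     "CreationDate": "2020-04-28T10:00:00.000Z"},
    # Look-alike name from an unknown account, with the newest creation date.
    {"ImageId": "ami-0bbb0000000000003", "Name": "Fedora-Cloud-Base-32-9.9.x86_64",
     "OwnerId": "999999999999", "CreationDate": "2020-08-30T10:00:00.000Z"},
]

def _created(image):
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")

def _matches(images, name_prefix):
    return [i for i in images if i.get("Name", "").startswith(name_prefix)]

def naive_latest(images, name_prefix):
    """The pattern behind CVE-2018-15869: newest name match, owner never checked."""
    return max(_matches(images, name_prefix), key=_created)

def is_trusted(image):
    return (image.get("ImageOwnerAlias") in TRUSTED_ALIASES
            or image.get("OwnerId") in TRUSTED_OWNER_IDS)

def select_image(images, name_prefix):
    """Return (newest trusted match, rejected look-alikes); fail closed if none."""
    matches = _matches(images, name_prefix)
    trusted = [i for i in matches if is_trusted(i)]
    rejected = [i for i in matches if not is_trusted(i)]
    if not trusted:
        raise LookupError(f"no trusted image matches {name_prefix!r}")
    return max(trusted, key=_created), rejected

if __name__ == "__main__":
    chosen, rejected = select_image(SAMPLE_IMAGES, "Fedora-Cloud-Base-32")
    print("naive pick:  ", naive_latest(SAMPLE_IMAGES, "Fedora-Cloud-Base-32")["ImageId"])
    print("trusted pick:", chosen["ImageId"])
    print("rejected:    ", [(i["ImageId"], i["OwnerId"]) for i in rejected])
```

Logging the rejected list gives a detection signal for look-alike images appearing under the same name prefix.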

Process

Image Uploads

The official images will be mirrored to an internal AWS account, and the snapshots will be shared specifically with the AWS Marketplace production and security scanning accounts. Once the images are shared, a load form containing the marketing information and a release version identifier is submitted together with the AMI IDs of the images, which associates the version identifier with the marketing information and the AMI identifier. Image uploads will be initiated based on detail collected from the community project message bus.

Product Load Form

Each Fedora release is a product listing. The product load form defines the product listings for the AWS Marketplace products, with one product listing defined per line. The product definition includes the marketing material for the product listing, the regions in which the product is listed, the instance types supported by the listing, and the AMI IDs that will be consumed in making the product listings.