NixOS AWS - Public Room Timeline

	NixOS AWS	64 Members
		15 Servers

Load older messages

Sender	Message	Time
22 Oct 2024
Arian	https://github.com/boto/botocore/tree/develop/botocore/data/ec2	01:15:57
nh2	Alternatively, maybe I should just build my own AMI, and turn off the option there. Because I don't actually need any specific AMI. It's only needed to boot, the machine, in a reproducible fashion (and ideallly one that doesn't rename all devices after reboot when systemd decides that it's another year again where all network interfaces shall be renamed). After nixops has deployed and rebooted, the software specified by by nixpkgs pin runs anway.	01:16:04
Arian	Here are all the api versions!	01:16:05
nh2	In reply to @arianvp:matrix.org https://github.com/NixOS/amis/blob/main/upload-ami/src/upload_ami/upload_ami.py#L173 Version-pinning that here: https://github.com/NixOS/amis/blob/99b494036de3f1418c65b62c8a4197e76c10ad74/upload-ami/src/upload_ami/upload_ami.py#L173	01:17:04
Arian	Fwiw we ship udev rules that should give all network interfaces alt-names based on the AWS eni id	01:18:36
Arian	Which is stable even across instance types	01:18:50
Arian	(the systemd predictable interface names are not stable across instance types :( )	01:19:12
Arian	At least I think we ship those udev rules...	01:19:43
nh2	That is useful! I only had the problem on Hetzner dedicated so far. Upgrade to newer Nixops, be happy everything works. Next reboot, all machines disappear from the Internet	01:20:09
nh2	Since then I add an UDEV rule also to call the one network interface Hetzner gives `net0` not matter what	01:20:46
nh2	The version is defined here: https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L75 `APIVersion = boto.config.get('Boto', 'ec2_version', '2014-10-01')`	01:23:28
nh2	Now we just apply the nixpkgs wisdom a `sed` a day makes the failure go away and should be good lol	01:24:15
nh2	* Now we just apply the nixpkgs wisdom a `sed` a day makes the failure go away and should be good lol	01:24:21
Arian	Horror	01:27:04
Arian	I'm off to bed	01:29:05
nh2	Ah, the version can actually be overriden by the caller: `class EC2Connection(AWSQueryConnection): def __init__( ... api_version=None ...)` https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L86 So nixops can easily use it without having to modify `boto`.	01:29:21
nh2	* Ah, the version can actually be overriden by the caller: `class EC2Connection(AWSQueryConnection): def __init__( ... api_version=None ...)` https://github.com/boto/boto/blob/8fac1878734c5ac085b781f619c70ea4b6e913c3/boto/ec2/connection.py#L86 So nixops can easily use it without having to modify `boto`. It calls `boto.ec2.connect_to_region()` with just passes on all `kwargs` to the `EC2Connection` constructor.	01:29:54
nh2	Looking for `boto.config.get` in turn suggests that we may not need to change any code at all, as these versions can be controlled from the outside with a config file: http://boto.cloudhackers.com/en/latest/boto_config_tut.html#details Indeed this has the desired effect on that function: `BOTO_CONFIG=<(echo '[Boto]\nec2_version = 2016-11-15')`	01:44:12
nh2	* Looking for `boto.config.get` in turn suggests that we may not need to change any code at all, as these versions can be controlled from the outside with a config file: http://boto.cloudhackers.com/en/latest/boto_config_tut.html#details Indeed setting this environment variable this has the desired effect on that function: `BOTO_CONFIG=<(echo '[Boto]\nec2_version = 2016-11-15')`	01:44:31
nh2	Arian: It worked, the machine deployed. Thanks a lot for your help! https://github.com/benaco/nixops/commit/de0b958b37030c4b4b78e3e69908ad0700d6ae57 I answered the StackOverflow.	02:44:06
23 Oct 2024
commiterate	Met with EIC today, apparently they already have a Go re-implementation of the AuthorizedKeysCommand Bash scripts specifically for macOS. It's just closed source still and they haven't expanded it to cover Linux and Windows. They'll need to evaluate the differences between my implementation and theirs to figure out what to do next. No expected date though.	01:15:13
commiterate	Fixed the implementation to do the signature checking for EIC stuff. I'll leave it up to EIC's eval on whether they want to keep the EC2 Key Pair stuff (since that's vulnerable to MITM).	05:06:13
commiterate	That `openssl dgst` line was definitely what I was missing. Each public key block has a bunch of metadata comments (think of this as a header), the public key line, and a base64-encoded SHA-256 + RSA-PSS signature. This signature is for the metadata comments + public key line. Since that's signed by an EIC signer cert which rolls all the way up to an Amazon CA, it's protected from spoofing.	05:09:02
commiterate	* That `openssl dgst` line was definitely what I was missing. Each public key block has a bunch of metadata comments (think of this as a header), the public key line, and a base64-encoded SHA-256 + RSA-PSS signature. This signature is for the metadata comments + public key line. Since that's signed by an EIC signer cert which rolls all the way up to an Amazon root cert, it's protected from spoofing.	05:09:37
	@luna-null:matrix.org changed their display name from Autumn to luna-null.	09:49:18
25 Oct 2024
	lholh joined the room.	03:54:55
	shift joined the room.	12:51:26
	xenos76 joined the room.	13:58:52
	@niclasoverby:beeper.com joined the room.	13:59:32
26 Oct 2024
	dbalan joined the room.	09:49:21

Show newer messages

Back to Room ListRoom Version: 10