View Issue Details

ID: 0017789
Project: Cloud Instance SIG
Category: [All Projects] general
View Status: public
Last Update: 2020-10-28 01:17
Reporter: davdunc
Priority: low
Severity: minor
Reproducibility: N/A
Status: new
Resolution: open
Platform: Amazon EC2
OS: (blank)
OS Version: (blank)
Summary: 0017789: Add CentOS Version to AWS Marketplace as "Sold by AWS"
Description: The AWS Marketplace team has created an opportunity to deliver the official images to customers via a "provided by AWS" account. This would provide full searchability and detail regarding the official CentOS images, and all published images could be listed for AWS customer use. This will automatically provide customers the ability to leverage public parameters in SSM to associate "latest" to the most recent Fedora release as well as more consistent searchability in the AWS console.

Deploying images across partitions requires a significant amount of effort, including certifications and permissions for ITAR regions or opt-in only regions, where AMI delivery best practices require a significant number of accounts to separate publications. To bypass these requirements, the CentOS images can be published using the existing scanning and certification systems put in place by the AWS Marketplace team to simplify Amazon Partner Network participation. This makes it possible to clone images built today by the Red Hat CPE as community images, but then have the added benefit of making the images available in regions where the CPE would be required to have signed legal agreements and credentials on file. Moreover, personal liability would be necessary for the project leadership. Other options additionally require intermediate business agreements further derivative from the original project leadership.

There are also Amazon EC2 users who have developed policies requiring all images used to pass through AWS Marketplace security scanning to avoid concerns related to security issues, such as the one outlined at CVE-2018-15869 (https://nvd.nist.gov/vuln/detail/CVE-2018-15869). While the CentOS community already does an excellent job of producing a curated list of current AMIs, this allows the images to be integrated more deeply into the AWS ecosystem. Ultimately, this is expected to lead to increased adoption, community participation, and increased visibility for the CentOS cloud images.

This is intended to be consistent with the upstream details for handling this for the Fedora community approved here: https://pagure.io/Fedora-Council/tickets/issue/332
Tags: Amazon, AMI

Activities

davdunc (reporter)
2020-10-16 00:03   ~0037812

The AWS Marketplace team is now publishing base images mirrored from the official AMIs with updates across all regions, including the GovCloud regions, in this new profile: https://aws.amazon.com/marketplace/seller-profile?id=045847c6-6990-4bdb-b490-0b159744e3a4 Note: No modification or deviation from the updates provided by the CPE team is made to these images.

angelangeles (reporter)
2020-10-16 16:01   ~0037813

David, this is awesome! I'm glad to finally see unmodified AMIs properly available for CentOS 8 on the AWS Marketplace. A couple of questions/concerns:

1. Why are these images being loaded against a separate "Amazon Web Services" Marketplace profile instead of the existing "Amazon Web Services" profile that currently hosts all the other official AMIs: https://aws.amazon.com/marketplace/seller-profile?id=e6a5002c-6dd0-4d1e-8196-0a1d1857229b ?

This current implementation makes things confusing when searching for images; for instance, take a look at this search result:
https://aws.amazon.com/marketplace/search/results?page=1&filters=vendor_id&vendor_id=045847c6-6990-4bdb-b490-0b159744e3a4%2Ce6a5002c-6dd0-4d1e-8196-0a1d1857229b&searchTerms=linux+8

In the above-referenced search result if I'm filtering by "Vendors" I have to select two different "Amazon Web Services" to include all results.

2. Will these mirrored AMIs include the ARM (aarch64) images?

3. The current description of the CentOS 8 listing calls it a "default CentOS-7 image" instead of a "default CentOS 8 image".

4. Similar to other mirrored AMIs listed by "Amazon Web Services", can we ensure these listings show the proper CentOS Marks/Branding?

Another concern that warrants discussion is the countless CentOS images on the AWS Marketplace that illegitimately utilize the CentOS Marks/Branding and/or have a vendor profile name that purports/suggests it to be an official image when it is not. This search result highlights the issue: https://aws.amazon.com/marketplace/search/results?page=1&filters=VendorId&VendorId=cb14f0b8-1ca0-4485-bc79-a2cb2b9a4feb%2C79e4b2cd-a4a8-47b7-a0f2-db8b7a69f8fb&searchTerms=centos+8

Ultimately I want to avoid scenarios similar to CVE-2018-15869 (https://nvd.nist.gov/vuln/detail/CVE-2018-15869, which David referenced in the upstream Fedora Council ticket), wherein an AWS Marketplace user could believe they are deploying the official unmodified CentOS AMI but are instead deploying a potentially re-packaged version from a commercial vendor.

davdunc (reporter)
2020-10-27 01:52   ~0037826

Hi, angelangeles! Thanks for the encouragement!

1) The other Amazon Web Services Marketplace profile is used for commercial products built for APN partners, like Red Hat, SUSE, and Canonical. This second account distinguishes the community projects, like CentOS, as "Provided by AWS" because there is no associated software cost and the images are not modified in any way outside of running updates on the configuration and then using virt-sysprep to prepare them for customer use. The goal is to maintain consistency with the CPE and community work. It is as much to make the distinction internally as externally, as an extension of community participation and engagement. We want this to continue to grow in scope from efforts strictly handled in the context of the CentOS Cloud Instance SIG. Fedora instances will also be published from this account.
2) The ARM images are already in place, but have a couple of minor issues. I'll be filing a bug on the ARM instance after I reply to this ticket, as the partitions are created out of order and it is preventing growfs from working as expected. We'll fix that in the upstream!
3) OOPS! I caught that the other day and have a new update that has the description (on the image and the snapshot) corrected. It's in the analysis phase now and was produced after the updates were released and announced on the 20th. That's a copy-paste (I know how bad that sounds) artifact from my scripting. I'll be making the process and the scripts public. It's not rocket science, what I am doing here, and I look forward to having community transparency and help from people like you.
4) I have an update request in for the marketplace team to have the proper logo associated with the images themselves. I was rushing to make them available and I left that as a "fixme" for later.

The other concern: It's difficult to prevent, but we definitely don't encourage the practice. Now, if there is a serious trademark issue to which the AWS Marketplace team is alerted, they will take immediate action on notification, and you should report any known concerns at https://aws.amazon.com/contact-us/ for review; it will get immediate and serious attention.

These images we are providing will be used to keep projects like our FPGA instance with the Neuron SDK, AWS ParallelCluster, etc. ready for quick deployment and ready for use with the latest security updates, like IMDSv2 where there is support (like 7.9 and 8.2+). They will remain true to the principles and practices of the CPE so that others may deploy and modify them as they see fit, but they will begin . Our enthusiasm here is for getting pristine CentOS images with the latest updates into the hands of customers who are themselves enthusiastic in their use of CentOS across all regions, including GovCloud, and in support of all instance types.

With respect to the referenced CVE-2019-15869: That refers to the community AMI space, that is, images shared directly through AWS accounts without the additional security audits provided by the AWS Marketplace. Any of those illegitimately published listings that are listed in Marketplace are run through security auditing and validated to be free of known vulnerabilities and malware before publication. Clearly they missed my typo, but they take security very seriously. These images go through the same stringent review before publication, in addition to the already very stringent review they get before publication.
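The exposure the two comments above associate with CVE-2018-15869 is choosing an AMI by its name alone and ending up with a look-alike published by an unrelated account. The defensive check is to pin the owner account when selecting an image. The block below is an added example, not code from this ticket, from AWS or from the CentOS Cloud Instance SIG: it runs the same name filter with and without an owner constraint over a constructed set of records shaped like DescribeImages results. The account IDs, image IDs and image names are placeholders, and `describe_images_kwargs` is a hypothetical helper that only builds the arguments a boto3 `ec2.describe_images` call would take, so everything runs offline.

```python
"""Pin AMI selection to trusted owner accounts rather than trusting the image name.

Added example; not code from the ticket, from AWS or from the CentOS SIG.
All account IDs, image IDs and image names below are constructed placeholders.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional

# Constructed placeholder: the account(s) whose listings you have decided to trust.
TRUSTED_OWNERS = frozenset({"111111111111"})


@dataclass(frozen=True)
class Image:
    """Subset of one DescribeImages record that the selection logic needs."""
    image_id: str
    name: str
    owner_id: str
    creation_date: str  # ISO 8601 UTC, as EC2 returns it


# Constructed sample: two images from the trusted account and a newer look-alike
# matching the same name pattern but published by an unrelated account.
SAMPLE_IMAGES = [
    Image("ami-0aaaaaaaaaaaaaaa1", "CentOS 8.2 x86_64", "111111111111", "2020-09-01T00:00:00.000Z"),
    Image("ami-0aaaaaaaaaaaaaaa2", "CentOS 8.2 x86_64", "111111111111", "2020-10-20T00:00:00.000Z"),
    Image("ami-0bbbbbbbbbbbbbbb1", "CentOS 8.2 x86_64", "999999999999", "2020-10-25T00:00:00.000Z"),
]


def _newest(images: Iterable[Image]) -> Optional[Image]:
    # Same-format ISO 8601 UTC timestamps sort correctly as plain strings.
    return max(images, key=lambda img: img.creation_date, default=None)


def newest_by_name(images: Iterable[Image], name_pattern: str) -> Optional[Image]:
    """The fragile pattern: newest image whose name matches, owner ignored."""
    return _newest(img for img in images if fnmatchcase(img.name, name_pattern))


def newest_trusted(images: Iterable[Image], name_pattern: str,
                   trusted_owners: Iterable[str]) -> Optional[Image]:
    """The hardened pattern: same name filter, restricted to trusted owner accounts."""
    owners = set(trusted_owners)
    return _newest(
        img for img in images
        if img.owner_id in owners and fnmatchcase(img.name, name_pattern)
    )


def describe_images_kwargs(name_pattern: str, trusted_owners: Iterable[str]) -> dict:
    """Hypothetical helper: keyword arguments for boto3 ec2.describe_images that
    apply the owner restriction server-side instead of filtering by name alone."""
    return {
        "Owners": sorted(trusted_owners),
        "Filters": [{"Name": "name", "Values": [name_pattern]}],
    }


if __name__ == "__main__":
    pattern = "CentOS 8*"
    loose = newest_by_name(SAMPLE_IMAGES, pattern)
    pinned = newest_trusted(SAMPLE_IMAGES, pattern, TRUSTED_OWNERS)
    print("name-only pick   :", loose.image_id, "owner", loose.owner_id)
    print("owner-pinned pick:", pinned.image_id, "owner", pinned.owner_id)
    print("describe_images kwargs:", describe_images_kwargs(pattern, TRUSTED_OWNERS))
```

Run stand-alone, the name-only selection returns the newest look-alike from the untrusted account, while the owner-pinned selection returns the newest image from the trusted account; if no trusted image matches, it returns `None` rather than silently falling back. The same principle applies to resolving "latest" through a public SSM parameter, as the description above mentions: the parameter path itself is the trust anchor, and the ticket does not give one, so none is assumed here.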

Issue History

Date Modified Username Field Change
2020-10-09 17:39 davdunc New Issue
2020-10-09 17:39 davdunc Tag Attached: Amazon
2020-10-09 17:39 davdunc Tag Attached: AMI
2020-10-16 00:03 davdunc Note Added: 0037812
2020-10-16 16:01 angelangeles Note Added: 0037813
2020-10-27 01:52 davdunc Note Added: 0037826