From the Canyon Edge -- :-Dustin

Tuesday, March 30, 2010

UEC and Launchpad.net


Building on ssh-import-lp-id, you can now launch an instance in UEC (Ubuntu Enterprise Cloud) and have it seeded with one or more public keys securely retrieved from Launchpad.net!

Let's assume you have some registered Ubuntu 10.04 LTS (Lucid) $EMI ...

Normally, you would need to first have the Cloud Controller (or Amazon) generate a public/private keypair. And personally, I don't like it when anyone other than me has seen my private key. To do this in UEC, you could run:

# Create the key file with 0600 permissions before the private key is written to it
if [ ! -e ~/.euca/mykey.priv ]; then
    touch ~/.euca/mykey.priv
    chmod 0600 ~/.euca/mykey.priv
    euca-add-keypair mykey > ~/.euca/mykey.priv
fi

And then you'd start an instance like this:

euca-run-instances -k mykey $EMI

And to access the instance:

ssh -i ~/.euca/mykey.priv ubuntu@10.1.1.100

I find this clunky, as I don't use this generated mykey business for anything else, and I can't very easily share access to this VM. The private key has already been known by the Cloud Controller (though it discards it). It's not a real security concern, but it bothers me on principle.

So we (Mathias Gug, Scott Moser, and I) thought we'd make this a bit more fluid for Ubuntu users who have Launchpad.net accounts. Launchpad.net actually provides a free, authenticated, SSL-served Public SSH key-server. You can register and share your Public SSH keys there without compromising your private key. We created a wrapper script called uec-run-instances that takes a new option -l|--launchpad-id, which is a comma-separated list of Launchpad.net IDs. The tool will add a bit of logic in the user-data that will have the instance retrieve and install the public SSH keys of each of the specified users at boot. The syntax looks like this:

uec-run-instances -l kirkland,mathiaz,smoser $EMI

And then you can just:

ssh ubuntu@10.1.1.100
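
A sketch of the kind of user-data logic described above, added here as an example and not taken from uec-run-instances: it checks each Launchpad ID before writing it into the boot script, because that script runs as root inside the instance. The function names, the ID character rule and running the import as the ubuntu user are assumptions.

```shell
#!/bin/sh
# Added example, not the uec-run-instances source.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# Accept only lowercase letters, digits, '+', '.', '-', starting with a letter
# or digit (assumed Launchpad naming rule). Anything else is refused so no
# shell metacharacter can reach the script that runs as root at boot.
valid_lp_id() {
    case "$1" in
        ''|[!a-z0-9]*|*[!a-z0-9+.-]*) return 1 ;;
    esac
    return 0
}

# build_user_data "id1,id2,...": print a boot script for the instance.
build_user_data() {
    ids=
    old_ifs=$IFS
    IFS=,
    set -f                      # no filename globbing while splitting
    for id in $1; do
        if ! valid_lp_id "$id"; then
            IFS=$old_ifs; set +f
            echo "invalid Launchpad ID: '$id'" >&2
            return 1
        fi
        ids="${ids:+$ids }$id"
    done
    IFS=$old_ifs; set +f
    if [ -z "$ids" ]; then
        echo "no Launchpad IDs given" >&2
        return 1
    fi
    printf '#!/bin/sh\n'
    printf '# Import public keys only; no private key ever leaves the user.\n'
    printf 'sudo -Hu ubuntu ssh-import-lp-id %s\n' "$ids"
}

# Usage (assumes euca2ools' -f/--user-data-file option):
#   build_user_data kirkland,mathiaz,smoser > user-data.sh
#   euca-run-instances -f user-data.sh $EMI
```

Anyone who can add a key to one of the listed Launchpad accounts gets a login on the instance, so the ID list is the access-control list and is worth reviewing as one.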

How cool is that!?!

:-Dustin