Introduction
The AWS Marketplace team has created an opportunity to deliver the official images to customers via a ''provided by AWS'' account. This would provide full searchability and detail regarding the official Fedora images and all published images could be listed for customers' use. This will automatically provide customers the ability to leverage public parameters in SSM to associate "latest" to the most recent Fedora release as well as more consistent searchability in the AWS console.
Motivation
Deploying images across partitions requires a significant amount of effort, including certifications and permissions for ITAR regions or opt-in only regions where AMI delivery best practices require a significant number of accounts to separate publications. To bypass these requirements, the Fedora images can be published using the existing scanning and certification systems put in place by the AWS Marketplace team to simplify Amazon Partner Network participants. This makes it possible to build images in the same way they are built today as community images, but then have the added benefit of making the images available in regions where the Fedora team would need to have signed legal agreements or credentials on file. Moreover, personal liability would be necessary for the project leadership. Other options additionally require intermediate business agreements further derivative from the original project leadership.
There are also Amazon EC2 users who have developed policies requiring all images used to pass through AWS Marketplace Security scanning to avoid concerns related to security issues, such as the one outlined at [https://nvd.nist.gov/vuln/detail/CVE-2018-15869 CVE-2018-15869]. While the Fedora community already does an excellent job of producing a curated list of current AMIs, this allows the images to be integrated more deeply into the AWS ecosystem. Ultimately, this is expected to lead to increased adoption, community participation, and increased visibility for the Fedora cloud images.
Process
Responsible parties at AWS
Fedora team member and AWS Partner Solutions Architect for open source distribution partners [[User:Davdunc|David Duncan]] will lead the integration from inside of AWS and align that process with the community image publication. Alignment will be established with the CPE and Infrastructure teams to ensure that infrastructure requirements are correctly integrated. This alignment ensures that the internal configuration at AWS is sufficiently transparent to the community members to drive the support.
Internal to the AWS team, the [mailto:mbakeram@amazon.com Mark Baker] AWS Marketplace Sr. ''Category Manager'' for operating systems and open source software (''OS/OSS'') will be responsible for ensuring that the Marketplace accounts are provided and that the process workflow as outlined matches the requirements of the AWS Marketplace. The Category Manager will also provide guidance on the requirements of the Marketplace.
AWS contacts for the work, by title, are as follows:
- AWS Partner Solutions Architect, Linux - [mailto:davdunc@amazon.com David Duncan] (a Fedora project member)
- AWS Marketplace Category Manager for OS/OSS - [mailto:mbakeram@amazon.com Mark Baker]
Support
For matters of continuous support and any product user engagement request coming from the AWS Contacts, a GitHub or pagure[†] project similar to [https://pagure.io/fedora-commops fedora-commops] will track issues and code deployed on AWS internal accounts not managed by Fedora Infrastructure. This repository will contain the operations specific to the Amazon publishing related to the image deployment and the aspects of organizing the project for long-term support. All application development for the AWS integration will be handled using the policy and procedures in place as established by the [https://pagure.io/fedora-infrastructure fedora-infrastructure] team wherever possible. If that is not possible, a new policy will be created and stored in this new Marketplace project's files.
Image Cloning for the Marketplace
Official images will be mirrored to an internal AWS account and the snapshots will be shared specifically to the AWS Marketplace production and security scanning accounts. Once the images are shared to the account, a load form containing the marketing information and a release version identifier is submitted with the AMI-id of the images to associate the version identifier with the marketing information and the AMI identifier. Image uploads will be initiated based on detail collected from the community project message bus.
Product Load Form
Each Fedora release is a product listing and for each release there can be multiple revisions, called ''listings'' in the AWSMP. In order to track product versions, a spreadsheet of details called the ''product load form'' is submitted with each change set. The product load form defines the listings for all of the AWS Marketplace products submitted. There is one product listing defined per spreadsheet row. The product definition includes the marketing material for the product listing, the regions in which the product is listed, the instance types supported by the listing, and the AMI ids that will be consumed in making the product listings. Details on support and content are to be approved by Fedora Marketing by pagure ticket or other acceptable, referenceable approval before any AWSMP submission is published for use.
Example Listings
The [https://aws.amazon.com/marketplace/pp/Amazon-Web-Services-Red-Hat-Enterprise-Linux-8/B07T4SQ5RZ Red Hat Enterprise Linux marketplace listing] for RHEL 8 is an example of this kind of listing. Note that the Seller of Record is AWS, but the image is a duplicate of the Red Hat golden image provided for general customer use in the Red Hat account.
† Regardless of the project location, the managing organization for issues and related operations should be Fedora.
https://fedoraproject.org/wiki/Fedora_Project_Wiki:AWSMPAmiRelease
This is very interesting, and if we can do this, I think we could set up a fedora-cloud pagure project for handling this...
This sounds amazing David. Thank you for working on this. +1 from me, and I'm putting my champagne in the fridge to chill...
Excellent! Looking forward to this. I think there's a bunch of details to work out, but this is a good proposal/framework for doing that. :) look forward to getting this going!
Kevin, I am looking forward to working with you to iron out the kinks!
I discussed this with @davdunc on IRC, particularly with regard to Fedora CoreOS. I initially found the above writeup confusing, but here's my understanding after that discussion.
In this proposal, AWS would manage Fedora Marketplace listings on behalf of Fedora, inside a separate account controlled by AWS. The listings would have a Fedora-controlled listing description and point to Fedora-built bits, but would be marketed as "provided by AWS". To publish images, Fedora would simply build AMIs as usual. AWS internal CI infrastructure would listen on fedmsg for new AMI builds, clone the images, submit them for Marketplace security scans, then submit them to all AWS regions including GovCloud. Fedora would never need to fill out a Marketplace load form.
The Marketplace AMIs would behave similarly to the community AMIs: there'd be a distinct AMI ID for each region, and these could be launched directly by users without clicking through a Marketplace registration page first. Because of the Marketplace publication latency (measured in hours) and the indirection through Amazon's pipeline, Fedora should probably still recommend that users stick with the community AMIs where possible. But the Marketplace AMIs would be helpful for users in additional regions, or with additional compliance requirements, not covered by the community AMIs. When new Marketplace AMIs are published, AWS infrastructure could emit a fedmsg with the corresponding AMI IDs, allowing Fedora websites etc. to be automatically updated if desired.
For additional details specific to Fedora CoreOS, see coreos/fedora-coreos-tracker#635.
Metadata Update from @bcotton: - Issue priority set to: Next Meeting (was: Needs Review) - Issue tagged with: trademarks
As discussed in the meeting, this is essentially a trademark request. Please vote accordingly.
+1
I think this falls squarely under Virtual images or appliances with unmodified Fedora software, and therefore is usage which does not actually require explicit permission. However, I'm excited to see this happen, and see the value in affirmatively giving permission, so I'm +1 to this.
Since this is a trademark issue, this will go through the full consensus process as outlined in the council docs. We need three +1 votes and no negative votes by Monday to mark this approved.
I'm +1.
+1.
I appreciate @davdunc facilitating this in an upstream-first way. Happy to make unfakeable Linux / Fedora more accessible to more users in more environments. :tada:
Metadata Update from @mattdm: - Issue close_status updated to: approved - Issue status updated to: Closed (was: Open)
This is officially approved! Thanks @davdunc !
Metadata Update from @jflory7: - Issue priority set to: Waiting on Assignee (was: Next Meeting)