user-data Scripts
The Ubuntu and Debian EC2 images published on http://alestic.com allow you to send in a startup script using the EC2 user-data parameter when you run a new instance. This functionality is useful for automating the installation and configuration of software on EC2 instances.
The basic rule followed by the image is:
If the instance
user-datastarts with the two characters#!then the instance runs it as the root user on the first boot.
The “user-data script” is run late in the startup process, so you can assume that networking and other system services are functional.
If you start an EC2 instance with any user-data which does not start with #! the image simply ignores it and allows your own software to access and use the data as it sees fit.
This same user-data startup script functionality has been copied in the Ubuntu images published by Canonical, and your existing user-data script should be portable across images with little change. Read a comparison of the Alestic and Canonical EC2 images.
Example
Here is a sample user-data script which sets up an Ubuntu LAMP server on a new EC2 instance:
#!/bin/bash
set -e -x
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get upgrade -y
tasksel install lamp-server
echo "Please remember to set the MySQL root password!"
Save this to a file named, say, install-lamp and then pass it to a new EC2 instance, say, Ubuntu 9.04 Jaunty:
ec2-run-instances --key KEYPAIR --user-data-file install-lamp ami-bf5eb9d6
Please see http://alestic.com for the latest AMI ids for Ubuntu and Debian.
Note: This simplistic user-data script is for demonstration purposes only. Though it does set up a fully functional LAMP server which may be as good as some public LAMP AMIs, it does not take into account important design issues like database persistence. Read Running MySQL on Amazon EC2 with Elastic Block Store.
Debugging
Since you are passing code to the new EC2 instance, there is a very small chance that you may have made a mistake in writing the software. Well maybe not you, but somebody else out there might not be perfect, so I have to write this for them.
The stdout and stderr of your user-data script is output in /var/log/syslog and you can review this for any success and failure messages. It will contain both things you echo directly in the script as well as output from programs you run.
Tip: If you add set -x at the top of a bash script, then it will output every command executed. If you add set -e to the script, then the user-data script will exit on the first command which does not succeed. These help you quickly identify where problems might have started.
Limitations
Amazon EC2 limits the size of user-data to 16KB. If your startup instructions are larger than this limit, you can write a user-data script which downloads the full program(s) from somewhere else like S3 and runs them.
Though a shell is a handy tool for writing scripts to install and configure software, the user-data script can be written in any language which supports the shabang (#!) mechanism for running programs. This includes bash, Perl, Python, Ruby, tcl, awk, sed, vim, make, or any other language you can find pre-installed on the image.
If you want to use another language, a user-data script written in bash could install the language, install the program, and then run it.
Security
Setting up a new EC2 instance often requires installing private information like EC2 keys and certificates (e.g., to make AWS API calls). You should be aware that if you pass secrets in the user-data parameter, the complete input is available to any user or process running on the instance.
There is no way to change the instance user-data after instance startup, so anybody who has access to the instance can simply request http://169.254.169.254/latest/user-data
Depending on what software you install on your instance, even Internet users may be able to exploit holes to get at your user-data. For example, if your web server lets users specify a URL to upload a file, they might be able to enter the above URL and then read the contents.
Alternatives
Though user-data scripts are my favorite method to set up EC2 instances, it’s not always the appropriate approach. Alternatives include:
Manually ssh in to the instance and enter commands to install and configure software.
Automatically ssh in to the instance with automated commands to install and configure software.
Install and configure software using (1) or (2) and then rebundle the instance to create a new AMI. Use the new image when running instances.
The ssh options have the benefit of not putting any private information into the user-data accessible from the instance. They have the disadvantage of needing to monitor new instances waiting for the ssh server to accept connections; this complicates the startup process compared to user-data scripts.
The rebundled AMI approach and building your own AMI approach are useful when the installation and configuration of your required software take a very long time or can’t be done with automated processes (less common than you might think). A big drawback of creating your own AMIs is maintaining them, keeping up with security patches and other enhancements and fixes which might be applied by the base image maintainers.
Software
Note to AMI authors: If you wish to add to your EC2 images the same ability to run user-data scripts, feel free to include the following code and make it run on image startup:
Credits
Thanks to RightScale for the original idea of EC2 images with user-data startup hooks. RightScale has advanced startup plugins which include scripts, software packages, and attachments, all of which integrate with the RightScale service.
Thanks to Kim Scheibel and Jorge Oliveira who submitted code used in the original ec2-run-user-data script.
What do you use EC2 user-data for?
Extremely useful, thanks for the tip! And for the AMIs as well, of course.
Would it be possible for the script to somehow permanently disable or block the 169.254.169.254 server after it has grabbed the data?
tlrobinson: Interesting idea. Most of the startup use of the meta-data should be completed by the time the user-data script is run. However:
1. If you blocked 169.254.169.254 with, say, iptables, you'd need to make sure that it isn't blocked on reboot as the startup scripts would need to check meta-data on each reboot to see if they need to run certain procedures.
2. You'd need to make sure that access is blocked again, even though the user-data is not run on reboots.
3. There may be some other software you run on the instance which uses the meta-data and it may not be easy to identify it.
Another method is to pass some initial semi-private info to the instance via userdata, but to do a global change of passwords / credentials manually immediately after login (in one step).
I'm new to this, but...
Seems like if you were willing to burn your keys/certs into a private image (and, btw, how BAD is this?), you could write a script that took an url to a private s3 object and downloaded THAT and executed THAT as a script. This technique is mentioned above with regard to the 16K size limitation, but it could also be used to hide the script itself and any data in it. I think. Maybe. Ja?
Trying to run a user-script with Debian5.0 Lenny from Alestic get this error.
Aug 28 20:08:35 ip-10-245-215-80 S71ec2-run-user-data: Retrieving user-data
Aug 28 20:08:35 ip-10-245-215-80 S71ec2-run-user-data: curl: (22) The requested URL returned error: 404
Aug 28 20:08:35 ip-10-245-215-80 S71ec2-run-user-data: No user-data available
If i check the user-data with ec2-metadata is aviable.
Any ideas ?
Ian: You don't even need to put your access keys on the image to download a private S3 object. You can build S3 URLs which give access to a specific key for a specific amount of time. We use this in user-data scripts to pass in secret information which we don't want to be forever available to everybody on the instance.
neoecos: That's an odd one. If you can access the user-data, then the startup script should also be able to. If you can ever reliably reproduce this, please post to the ec2ubuntu Google group with the steps.
Eric: Thanks for this and many other great resources! Sorry if this is a silly question, but I'm rather new to EC2 and I can't seem to find *any* real details about the --user-data and --user-data-file options. Based on this article, I understand that I can do at least that much, but I'd like to know what's happening "under the hood." Where does the script "live" on the instance? You mention security concerns, but I don't fully understand, because I don't know how/where instance users might access my user data script. Is there a more detailed resource out there that I'm completely missing? Thanks again!
jamie: There isn't a whole lot of documentation available on user-data, but it is a fairly simple concept. Amazon talks about it a bit in the developer guide:
http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/index.html?AESDG-chapter-instancedata.html
The user-data is available to any user or process that can make a network connection from the instance.