Alestic.com - A Personal AWS Blog by Eric Hammond

Ubuntu 10.04 Lucid was released on Amazon EC2 right on schedule today along with the rest of the normal Ubuntu image download channels.

Congrats to all the Ubuntu folks who were involved in putting this together! Though I’ve enjoyed contributing to the cause over the years, I’m happy to say that I had very little involvement with this release on EC2, leaving me more time to focus on my startup and family. Though many individuals are involved, I’d like to acknowledge the hard work of Scott Moser who has taken the point for publishing official Ubuntu EC2 images these last couple releases.

This is also the first Ubuntu release on EC2 that includes officially supported EBS boot AMIs, taking yet another task off my plate and providing a trusted source for this useful image type.

I’ve listed all of the current Ubuntu and Debian AMI ids in the table at the top of Alestic.com. Simply click on the EC2 region where you want to run your instances to find the AMI ids.

If you’re running an older release of Ubuntu on EC2, see my recommended upgrade paths.

Ubuntu 10.04 Lucid is expected to be released this Thursday (April 29, 2010). This is the first LTS (long term support) release since Ubuntu 8.04 Hardy, which has itself been a stable and reliable server platform for years both inside and outside of Amazon EC2.

If you’re starting a new server project on EC2, Ubuntu 10.04 Lucid would be a great release to start with. It will be supported for five years with security patches and major bug fixes.

If you are already running a different Ubuntu release on EC2, you should consider planning an upgrade to Lucid. Here are my thoughts for each release you might currently be running on EC2:

• Ubuntu 8.04 Hardy should continue to be fairly stable for a while, though there does not appear to be a lot of EC2-specific development being applied to the AMIs, so you may want to upgrade to Lucid LTS at your leisure. You will probably want to start new instances, though with Scott’s comment below, it might be possible to upgrade in-place on EBS boot from Hardy to Lucid. If you happen to still be running the Alestic Hardy AMIs, you should at least consider upgrading to the Hardy AMIs published by Canonical and listed at the top of Alestic.com.

• Ubuntu 8.10 Intrepid has reached its end of life and should no longer be used on EC2. If you are still running Intrepid, you should immediately start upgrading to Karmic or Intrepid through starting new instances.

• Ubuntu 9.04 Jaunty on EC2 is still running on an old Fedora 8 kernel and is not supported by Ubuntu. I’ve been recommending an upgrade from Jaunty for a while. I continue to recommend upgrading to Karmic (if you want something that has been tested in production for a while) or Lucid (once you’re comfortable with the release).

• Ubuntu 9.10 Karmic still works great on EC2, though there are a couple bothersome bugs (like hostname reset on reboot) that should be fixed by upgrading to Lucid. If you are running an EBS boot Karmic instance, then it is possible to upgrade in place, but it’s also fine to simply start new instances.

• Ubuntu 10.04 Lucid pre-release instances should be upgraded to the released version. If you are running EBS boot Lucid, then it is possible to upgrade in place even if there are a newer kernel and ramdisk.

Scott Moser of Canonical has laid out the steps necessary to upgrade an EC2 instance in place without having to start a new EC2 instance. This only works for instances that are currently running an EBS boot pre-release Lucid AMI or an EBS boot 9.10 Karmic AMI. All other servers will need to be upgraded by starting new Lucid instances to replace the old instances. Fortunately, EC2 makes that easy.

In fact, EC2 makes starting new replacement instances so convenient, I would recommend following that procedure in most cases even if you think you can upgrade a server in place. If you encounter any troubles in getting your service to run on Lucid, running a new instance makes it straight forward to fall back to the old server. And, once you are happy with the new server, make it your production system, terminate the old one and don’t look back.

Welcome to the new world of cloud computing where you can instantly acquire and discard server hardware for mere dollars without worrying about large investments, complicated provisioning, and long term support costs.

I will add the new Lucid AMI ids to the table at the top of Alestic.com as soon as I get word that they are ready.

Note: I do not recommend that new users start with these AMIs. These AMIs run with older versions of Amazon’s Fedora 8 kernel which have some incompatibilities with Ubuntu and Debian (e.g., XFS is broken). My strong recommendation is for all users to convert to one of the Ubuntu 9.10 Karmic or Ubuntu 8.04 Hardy AMIs which run with a modern, compatible Ubuntu kernel.

I have released updates of the following legacy Ubuntu and Debian S3-based AMIs published in the “alestic” buckets:

• Ubuntu: 8.04 Hardy, 8.10 Intrepid, 9.04 Jaunty
• Debian: 4.0 Etch, 5.0 Lenny

I welcome testing and feedback from folks who are already using the older versions of these AMIs.

In addition to upgraded software packages, the following enhancements are in this release:

• Wait for meta-data before deciding whether to generate ssh host key (Thanks to Dmitry for catching)

• Patch from Tom White to support compressed user-data scripts

• Allow user-data script to remove the “been run” file so that it is run on every boot instead of just the first

• Upgrade EC2 AMI tools to 1.3-34544

• Debian: Add Alestic PPA to apt sources

• Debian: Install runurl from Alestic PPA

I would like to reiterate that these AMIs are not recommended for anybody except folks who are already using older versions of these AMIs and I would encourage you to upgrade to an Ubuntu 9.10 Karmic AMI or the upcoming Ubuntu 10.04 Lucid AMI which will be released in April. The base Ubuntu image building responsibilities have been transfered to Canonical and I don’t have any plans to release new AMIs in the older Ubuntu or Debian series beyond what I am announcing here.

I have not yet posted the AMI ids on https://alestic.com pending testing and feedback, but here are the ids for those who need to run them:

us-east-1

ami-1116f978 Ubuntu 9.04 Jaunty   server  32-bit
ami-e116f988 Ubuntu 9.04 Jaunty   server  64-bit
ami-cd16f9a4 Ubuntu 9.04 Jaunty   desktop 32-bit
ami-c316f9aa Ubuntu 9.04 Jaunty   desktop 64-bit

ami-1316f97a Ubuntu 8.10 Intrepid server  32-bit
ami-e316f98a Ubuntu 8.10 Intrepid server  64-bit
ami-cb16f9a2 Ubuntu 8.10 Intrepid desktop 32-bit
ami-c116f9a8 Ubuntu 8.10 Intrepid desktop 64-bit

ami-e916f980 Ubuntu 8.04 Hardy    server  32-bit
ami-e716f98e Ubuntu 8.04 Hardy    server  64-bit
ami-1716f97e Ubuntu 8.04 Hardy    desktop 32-bit
ami-e516f98c Ubuntu 8.04 Hardy    desktop 64-bit

ami-eb16f982 Ubuntu 6.06 Dapper   server  32-bit
ami-f916f990 Ubuntu 6.06 Dapper   server  64-bit

ami-ed16f984 Debian 5.0 Lenny     server  32-bit
ami-fb16f992 Debian 5.0 Lenny     server  64-bit
ami-cf16f9a6 Debian 5.0 Lenny     desktop 32-bit
ami-c516f9ac Debian 5.0 Lenny     desktop 64-bit

ami-ef16f986 Debian 4.0 Etch      server  32-bit
ami-fd16f994 Debian 4.0 Etch      server  64-bit

us-west-1

ami-197a2b5c Ubuntu 9.04 Jaunty   server  32-bit
ami-237a2b66 Ubuntu 9.04 Jaunty   server  64-bit
ami-357a2b70 Ubuntu 9.04 Jaunty   desktop 32-bit
ami-c97a2b8c Ubuntu 9.04 Jaunty   desktop 64-bit

ami-257a2b60 Ubuntu 8.10 Intrepid server  32-bit
ami-2d7a2b68 Ubuntu 8.10 Intrepid server  64-bit
ami-377a2b72 Ubuntu 8.10 Intrepid desktop 32-bit
ami-d57a2b90 Ubuntu 8.10 Intrepid desktop 64-bit

ami-277a2b62 Ubuntu 8.04 Hardy    server  32-bit
ami-2f7a2b6a Ubuntu 8.04 Hardy    server  64-bit
ami-cf7a2b8a Ubuntu 8.04 Hardy    desktop 32-bit
ami-d77a2b92 Ubuntu 8.04 Hardy    desktop 64-bit

ami-217a2b64 Ubuntu 6.06 Dapper   server  32-bit
ami-e77a2ba2 Ubuntu 6.06 Dapper   server  64-bit

ami-d37a2b96 Debian 5.0 Lenny     server  32-bit
ami-df7a2b9a Debian 5.0 Lenny     server  64-bit
ami-e37a2ba6 Debian 5.0 Lenny     desktop 32-bit
ami-db7a2b9e Debian 5.0 Lenny     desktop 64-bit

ami-d17a2b94 Debian 4.0 Etch      server  32-bit
ami-dd7a2b98 Debian 4.0 Etch      server  64-bit

eu-west-1

ami-a798b3d3 Ubuntu 9.04 Jaunty   server  32-bit
ami-af98b3db Ubuntu 9.04 Jaunty   server  64-bit
ami-9798b3e3 Ubuntu 9.04 Jaunty   desktop 32-bit
ami-9d98b3e9 Ubuntu 9.04 Jaunty   desktop 64-bit

ami-a198b3d5 Ubuntu 8.10 Intrepid server  32-bit
ami-a998b3dd Ubuntu 8.10 Intrepid server  64-bit
ami-9198b3e5 Ubuntu 8.10 Intrepid desktop 32-bit
ami-9998b3ed Ubuntu 8.10 Intrepid desktop 64-bit

ami-a398b3d7 Ubuntu 8.04 Hardy    server  32-bit
ami-ab98b3df Ubuntu 8.04 Hardy    server  64-bit
ami-9398b3e7 Ubuntu 8.04 Hardy    desktop 32-bit
ami-8798b3f3 Ubuntu 8.04 Hardy    desktop 64-bit

ami-ad98b3d9 Ubuntu 6.06 Dapper   server  32-bit
ami-9598b3e1 Ubuntu 6.06 Dapper   server  64-bit

ami-8398b3f7 Debian 5.0 Lenny     server  32-bit
ami-8f98b3fb Debian 5.0 Lenny     server  64-bit
ami-8998b3fd Debian 5.0 Lenny     desktop 32-bit
ami-8b98b3ff Debian 5.0 Lenny     desktop 64-bit

ami-8198b3f5 Debian 4.0 Etch      server  32-bit
ami-8d98b3f9 Debian 4.0 Etch      server  64-bit

Scott Moser (Canonical) built and released new Ubuntu 8.04.3 LTS Hardy images and AMIs for Amazon EC2. I also published new EBS boot AMIs using the same images. I’ve listed all of the AMI ids on https://alestic.com (pick your region at the top).

These AMIs should work better in the us-west-1 region (apt sources.list) and have updated software packages so upgrades on new instances should be faster.

If you’ve been following along, you probably know that I have been recommending that folks using EC2 switch to the official Ubuntu AMIs published by Canonical (Hardy or Karmic). I have been building and publishing Ubuntu AMIs since 2007 (including Dapper, Edgy, Feisty, Gutsy, Hardy, Intrepid, Karmic), but the last year my focus on this project has been to transition these responsibilities to Canonical who have more time and resources to support the initiative.

I’m happy to say that I’ve finally followed my own advice. For my personal Amazon EC2 servers (including for the Alestic.com web site) I am using Ubuntu 9.10 Karmic images published for EC2 by Canonical.

While I was making the transition, I also switched to EBS boot AMIs. However, since it sounds like Canonical is not planning to publish EBS boot AMIs until Lucid, I decided to continue in service to the community and make available EBS boot AMIs for running Ubuntu on EC2.

I have published EBS boot AMIs for Ubuntu 9.10 Karmic and Ubuntu 8.04 Hardy, both 32- and 64-bit architectures, in all current EC2 regions, for a total of a dozen new AMIs.

I chose to use the exact Ubuntu images which Canonical built for running Ubuntu on EC2. This means that these EBS boot AMIs work exactly the same as the official Canonical AMIs including ssh to the ubuntu user. Again, even though I’m publishing the EBS boot AMIs for Karmic and Hardy, the contents of the image were built by Canonical.

The EBS boot AMIs are listed on Alestic.com. I have restructured the table to better feature Canonical AMIs, and now you need to pick an EC2 region to see the IDs.

Give the EBS boot AMIs a spin and let me know if you run into any issues.

In the last article, I described how to use the vmbuilder software to build an EBS boot AMI from scratch for running Ubuntu on EC2 with a persistent root disk.

In the ec2ubuntu Google group, Scott Moser pointed out that users can take advantage of the Ubuntu images for EC2 that Canonical has already built with vmbuilder. This can simplify and speed up the process of building EBS boot AMIs for the rest of us.

Let’s walk through the steps, creating an EBS boot AMI for Ubuntu 9.10 Karmic.

1. Run an instance of the Ubuntu 9.10 Karmic AMI, either 32-bit or 64-bit depending on which architecture AMI you wish to build. Make a note of the resulting instance id:

    # 32-bit
    instanceid=$(ec2-run-instances   \
      --key YOURKEYPAIR              \
      --availability-zone us-east-1a \
      ami-1515f67c |
      egrep ^INSTANCE | cut -f2)
    echo "instanceid=$instanceid"
   
    # 64-bit
    instanceid=$(ec2-run-instances   \
      --key YOURKEYPAIR              \
      --availability-zone us-east-1a \
      --instance-type m1.large       \
      ami-ab15f6c2 |
      egrep ^INSTANCE | cut -f2)
    echo "instanceid=$instanceid"
   

   Wait for the instance to move to the “running” state, then note the public hostname:

    while host=$(ec2-describe-instances "$instanceid" | 
      egrep ^INSTANCE | cut -f4) && test -z $host; do echo -n .; sleep 1; done
    echo host=$host
   

   Copy your X.509 certificate and private key to the instance. Use the correct locations for your credential files:

    rsync                            \
      --rsh="ssh -i YOURKEYPAIR.pem" \
      --rsync-path="sudo rsync"      \
      ~/.ec2/{cert,pk}-*.pem         \
      ubuntu@$host:/mnt/
   

   Connect to the instance:

    ssh -i YOURKEYPAIR.pem ubuntu@$host
   

2. Install EC2 API tools from the Ubuntu on EC2 ec2-tools PPA because they are more up to date than the ones in Karmic, letting us register EBS boot AMIs:

    export DEBIAN_FRONTEND=noninteractive
    echo "deb http://ppa.launchpad.net/ubuntu-on-ec2/ec2-tools/ubuntu karmic main" |
      sudo tee /etc/apt/sources.list.d/ubuntu-on-ec2-ec2-tools.list &&
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9EE6D873 &&
    sudo apt-get update &&
    sudo -E apt-get dist-upgrade -y &&
    sudo -E apt-get install -y ec2-api-tools
   

3. Set up some parameters:

    codename=karmic
    release=9.10
    tag=server
    if [ $(uname -m) = 'x86_64' ]; then
      arch=x86_64
      arch2=amd64
      ebsopts="--kernel=aki-fd15f694 --ramdisk=ari-c515f6ac"
      ebsopts="$ebsopts --block-device-mapping /dev/sdb=ephemeral0"
    else
      arch=i386
      arch2=i386
      ebsopts="--kernel=aki-5f15f636 --ramdisk=ari-0915f660"
      ebsopts="$ebsopts --block-device-mapping /dev/sda2=ephemeral0"
    fi
   

4. Download and unpack the latest released Ubuntu server image file. This contains the output of vmbuilder as run by Canonical.

    imagesource=http://uec-images.ubuntu.com/releases/$codename/release/unpacked/ubuntu-$release-$tag-uec-$arch2.img.tar.gz
    image=/mnt/$codename-$tag-uec-$arch2.img
    imagedir=/mnt/$codename-uec-$arch2
    wget -O- $imagesource |
      sudo tar xzf - -C /mnt
    sudo mkdir -p $imagedir
    sudo mount -o loop $image $imagedir
   

5. [OPTIONAL] At this point /mnt/$image contains a mounted filesystem with the complete Ubuntu image as released by Canonical. You can skip this step if you just want an EBS boot AMI which is an exact copy of the released S3 based Ubuntu AMI from Canonical, or you can make any updates, installations, and customizations you’d like to have in your resulting AMI.

   In this example, we’ll perform similar steps as the previous tutorial and update the software packages to the latest releases from Ubuntu. Remember that the released EC2 image could be months old.

    # Allow network access from chroot environment
    sudo cp /etc/resolv.conf $imagedir/etc/
    # Fix what I consider to be a bug in vmbuilder
    sudo rm -f $imagedir/etc/hostname
    # Add multiverse
    sudo perl -pi -e 's%(universe)$%$1 multiverse%' \
      $imagedir/etc/ec2-init/templates/sources.list.tmpl
    # Add Alestic PPA for runurl package (handy in user-data scripts)
    echo "deb http://ppa.launchpad.net/alestic/ppa/ubuntu karmic main" |
      sudo tee $imagedir/etc/apt/sources.list.d/alestic-ppa.list
    sudo chroot $imagedir \
      apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BE09C571
    # Add ubuntu-on-ec2/ec2-tools PPA for updated ec2-ami-tools
    echo "deb http://ppa.launchpad.net/ubuntu-on-ec2/ec2-tools/ubuntu karmic main" |
      sudo tee $imagedir/etc/apt/sources.list.d/ubuntu-on-ec2-ec2-tools.list
    sudo chroot $imagedir \
      apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9EE6D873
    # Upgrade the system and install packages
    sudo chroot $imagedir mount -t proc none /proc
    sudo chroot $imagedir mount -t devpts none /dev/pts
    cat <<EOF > $imagedir/usr/sbin/policy-rc.d
    #!/bin/sh
    exit 101
    EOF
    chmod 755 $imagedir/usr/sbin/policy-rc.d
    DEBIAN_FRONTEND=noninteractive
    sudo chroot $imagedir apt-get update &&
    sudo -E chroot $imagedir apt-get dist-upgrade -y &&
    sudo -E chroot $imagedir apt-get install -y runurl ec2-ami-tools
    sudo chroot $imagedir umount /proc
    sudo chroot $imagedir umount /dev/pts
    rm -f $imagedir/usr/sbin/policy-rc.d
   

   Again, the above step is completely optional and can be skipped to create the EBS boot AMI that Canonical would have published.

6. Copy the image files to a new EBS volume, snapshot it, and register the snapshot as an EBS boot AMI. Make a note of the resulting AMI id:

    size=15 # root disk in GB
    now=$(date +%Y%m%d-%H%M)
    prefix=ubuntu-$release-$codename-$tag-$arch-$now
    description="Ubuntu $release $codename $tag $arch $now"
    export EC2_CERT=$(echo /mnt/cert-*.pem)
    export EC2_PRIVATE_KEY=$(echo /mnt/pk-*.pem)
    volumeid=$(ec2-create-volume --size $size --availability-zone us-east-1a |
      cut -f2)
    instanceid=$(wget -qO- http://instance-data/latest/meta-data/instance-id)
    ec2-attach-volume --device /dev/sdi --instance "$instanceid" "$volumeid"
    while [ ! -e /dev/sdi ]; do echo -n .; sleep 1; done
    sudo mkfs.ext3 -F /dev/sdi
    ebsimage=$imagedir-ebs
    sudo mkdir $ebsimage
    sudo mount /dev/sdi $ebsimage
    sudo tar -cSf - -C $imagedir . | sudo tar xvf - -C $ebsimage
    sudo umount $ebsimage
    ec2-detach-volume "$volumeid"
    snapshotid=$(ec2-create-snapshot "$volumeid" | cut -f2)
    ec2-delete-volume "$volumeid"
    while ec2-describe-snapshots "$snapshotid" | grep -q pending
      do echo -n .; sleep 1; done
    ec2-register                   \
      --architecture $arch         \
      --name "$prefix"             \
      --description "$description" \
      $ebsopts                     \
      --snapshot "$snapshotid"
   

7. Depending on what you want to keep from the above process, there are various things that you might want to clean up.

   If you no longer want to use an EBS boot AMI:

    ec2-deregister $amiid
    ec2-delete-snapshot $snapshotid
   

   When you’re done with the original instance:

    ec2-terminate-instance $instanceid
   

In this example, I set /mnt to the first ephemeral store on the instance even on EBS boot AMIs. This more closely matches the default on the S3 based AMIs, but means that /mnt will not be persistent across a stop/start of an EBS boot instance. If Canonical starts publishing EBS boot AMIs, they may or may not choose to make the same choice.

Community feedback, bug reports, and enhancements for these instructions are welcomed.

[Update 2009-01-14: Wrapped upgrade/installs inside of /usr/sbin/policy-rc.d setting to avoid starting daemons in chroot environment.]

[Update 2010-01-22: New location for downloadable Ubuntu images.]

[Update 2010-03-26: Path tweak, thanks to paul.]

Here’s my current recipe for how to build an Ubuntu 9.10 Karmic AMI, either the new EBS boot or the standard S3 based, using the Ubuntu vmbuilder software. The Ubuntu vmbuilder utility replaces ec2ubuntu-build-ami for building EC2 images and it can build images for a number of other virtual machine formats as well.

There is a lot of room for simplification and scripting in the following instructions, but I figured I’d publish what is working now so others can take advantage of the research to date. Happy New Year!

Some sections are marked [For EBS boot AMI] or [For S3 based AMI] and should only be followed when you are building that type of AMI. The rest of the sections apply to either type. It is possible to follow all instructions to build both types of AMIs at the same time.

1. Run an instance of Ubuntu 9.10 Karmic AMI, either 32-bit or 64-bit depending on which architecture AMI you wish to build. I prefer the c1.* instance types to speed up the builds, but you can get by cheaper with the m1.* instance types. Make a note of the resulting instance id:

    # 32-bit
    instanceid=$(ec2-run-instances   \
      --key YOURKEYPAIR              \
      --availability-zone us-east-1a \
      --instance-type c1.medium      \
      ami-1515f67c |
      egrep ^INSTANCE | cut -f2)
    echo "instanceid=$instanceid"
   
    # 64-bit
    instanceid=$(ec2-run-instances   \
      --key YOURKEYPAIR              \
      --availability-zone us-east-1a \
      --instance-type c1.xlarge      \
      ami-ab15f6c2 |
      egrep ^INSTANCE | cut -f2)
    echo "instanceid=$instanceid"
   

   Wait for the instance to move to the “running” state, then note the public hostname:

    while host=$(ec2-describe-instances "$instanceid" | 
      egrep ^INSTANCE | cut -f4) && test -z $host; do echo -n .; sleep 1; done
    echo host=$host
   

2. Copy your X.509 certificate and private key to the instance. Use the correct locations for your credential files:

    rsync                            \
      --rsh="ssh -i YOURKEYPAIR.pem" \
      --rsync-path="sudo rsync"      \
      ~/.ec2/{cert,pk}-*.pem         \
      ubuntu@$host:/mnt/
   

3. Connect to the instance:

    ssh -i YOURKEYPAIR.pem ubuntu@$host
   

4. Install the image building software. We install the python-vm-builder package from Karmic, but we’re going to be using the latest vmbuilder from the development branch in Launchpad because it has good bug fixes. We also use the EC2 API tools from the Ubuntu on EC2 ec2-tools PPA because they are more up to date than the ones in Karmic, letting us register EBS boot AMIs:

    export DEBIAN_FRONTEND=noninteractive
    echo "deb http://ppa.launchpad.net/ubuntu-on-ec2/ec2-tools/ubuntu karmic main" |
      sudo tee /etc/apt/sources.list.d/ubuntu-on-ec2-ec2-tools.list &&
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9EE6D873 &&
    sudo apt-get update &&
    sudo -E apt-get upgrade -y &&
    sudo -E apt-get install -y \
      python-vm-builder ec2-ami-tools ec2-api-tools bzr &&
    bzr branch lp:vmbuilder
   

   You can ignore the “Launchpad ID” warning from bzr.

5. Fill in your AWS credentials:

    export AWS_USER_ID=...
    export AWS_ACCESS_KEY_ID=...
    export AWS_SECRET_ACCESS_KEY=...
    export EC2_CERT=$(echo /mnt/cert-*.pem)
    export EC2_PRIVATE_KEY=$(echo /mnt/pk-*.pem)
   

   Set up parameters and create files to be used by the build process. The bucket value is only required for S3 based AMIs:

    bucket=...
    codename=karmic
    release=9.10
    tag=server
    if [ $(uname -m) = 'x86_64' ]; then
      arch=x86_64
      arch2=amd64
      pkgopts="--addpkg=libc6-i386"
      kernelopts="--ec2-kernel=aki-fd15f694 --ec2-ramdisk=ari-c515f6ac"
      ebsopts="--kernel=aki-fd15f694 --ramdisk=ari-c515f6ac"
      ebsopts="$ebsopts --block-device-mapping /dev/sdb=ephemeral0"
    else
      arch=i386
      arch2=i386
      pkgopts=
      kernelopts="--ec2-kernel=aki-5f15f636 --ec2-ramdisk=ari-0915f660"
      ebsopts="--kernel=aki-5f15f636 --ramdisk=ari-0915f660"
      ebsopts="$ebsopts --block-device-mapping /dev/sda2=ephemeral0"
    fi
    cat > part-i386.txt <<EOM
    root 10240 a1
    /mnt 1 a2
    swap 1024 a3
    EOM
    cat > part-x86_64.txt <<EOM
    root 10240 a1
    /mnt 1 b
    EOM
   

6. Create a script to perform local customizations to the image before it is bundled. This is passed to vmbuilder below using the --execscript option:

    cat > setup-server <<'EOM'
    #!/bin/bash -ex
    imagedir=$1
    # fix what I consider to be bugs in vmbuilder
    perl -pi -e "s%^127.0.1.1.*\n%%" $imagedir/etc/hosts
    rm -f $imagedir/etc/hostname
    # Use multiverse
    perl -pi -e 's%(universe)$%$1 multiverse%' \
      $imagedir/etc/ec2-init/templates/sources.list.tmpl
    # Add Alestic PPA for runurl package (handy in user-data scripts)
    echo "deb http://ppa.launchpad.net/alestic/ppa/ubuntu karmic main" |
      tee $imagedir/etc/apt/sources.list.d/alestic-ppa.list
    chroot $imagedir \
      apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BE09C571
    # Add ubuntu-on-ec2/ec2-tools PPA for updated ec2-ami-tools
    echo "deb http://ppa.launchpad.net/ubuntu-on-ec2/ec2-tools/ubuntu karmic main" |
      sudo tee $imagedir/etc/apt/sources.list.d/ubuntu-on-ec2-ec2-tools.list
    chroot $imagedir \
      sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9EE6D873
    # Install packages
    chroot $imagedir apt-get update
    chroot $imagedir apt-get install -y runurl
    chroot $imagedir apt-get install -y ec2-ami-tools
    EOM
    chmod 755 setup-server
   

7. Build the image:

    now=$(date +%Y%m%d-%H%M)
    dest=/mnt/dest-$codename-$now
    prefix=ubuntu-$release-$codename-$arch-$tag-$now
    description="Ubuntu $release $codename $arch $tag $now"
    sudo vmbuilder/vmbuilder xen ubuntu       \
      --suite=$codename                       \
      --arch=$arch2                           \
      --dest=$dest                            \
      --tmp=/mnt                              \
      --ec2                                   \
      --ec2-version="$description"            \
      --manifest=$prefix.manifest             \
      --lock-user                             \
      --part=part-$arch.txt                   \
      $kernelopts                             \
      $pkgopts                                \
      --execscript ./setup-server             \
      --debug
   

   [For S3 based AMI] include the following options in the vmbuilder command above. This does not preclude you from also building an EBS boot AMI with the same image. Make a note of the resulting AMI id output by vmbuilder:

      --ec2-bundle                            \
      --ec2-upload                            \
      --ec2-register                          \
      --ec2-bucket=$bucket                    \
      --ec2-prefix=$prefix                    \
      --ec2-user=$AWS_USER_ID                 \
      --ec2-cert=$EC2_CERT                    \
      --ec2-key=$EC2_PRIVATE_KEY              \
      --ec2-access-key=$AWS_ACCESS_KEY_ID     \
      --ec2-secret-key=$AWS_SECRET_ACCESS_KEY \
   

8. [For EBS boot AMI] Copy the image files to a new EBS volume, snapshot it, and register the snapshot as an EBS boot AMI. Make a note of the resulting AMI id:

    size=15 # root disk in GB
    volumeid=$(ec2-create-volume --size $size --availability-zone us-east-1a |
      cut -f2)
    instanceid=$(wget -qO- http://instance-data/latest/meta-data/instance-id)
    ec2-attach-volume --device /dev/sdi --instance "$instanceid" "$volumeid"
    while [ ! -e /dev/sdi ]; do echo -n .; sleep 1; done
    sudo mkfs.ext3 -F /dev/sdi
    ebsimage=$dest/ebs
    sudo mkdir $ebsimage
    sudo mount /dev/sdi $ebsimage
    imageroot=$dest/root
    sudo mkdir $imageroot
    sudo mount -oloop $dest/root.img $imageroot
    sudo tar -cSf - -C $imageroot . | sudo tar xvf - -C $ebsimage
    sudo umount $imageroot $ebsimage
    ec2-detach-volume "$volumeid"
    snapshotid=$(ec2-create-snapshot "$volumeid" | cut -f2)
    ec2-delete-volume "$volumeid"
    while ec2-describe-snapshots "$snapshotid" | grep -q pending
      do echo -n .; sleep 1; done
    ec2-register                   \
      --architecture $arch         \
      --name "$prefix"             \
      --description "$description" \
      $ebsopts                     \
      --snapshot "$snapshotid"
   

9. Depending on what you want to keep from the above process, there are various things that you might want to clean up.

   If you no longer want to use an S3 based AMI:

    ec2-deregister $amiid
    ec2-delete-bundle                     \
      --access-key $AWS_ACCESS_KEY_ID     \
      --secret-key $AWS_SECRET_ACCESS_KEY \
      --bucket $bucket                    \
      --prefix $prefix
   

   If you no longer want to use an EBS boot AMI:

    ec2-deregister $amiid
    ec2-delete-snapshot $snapshotid
   

   When you’re done with the original instance:

    ec2-terminate-instance $instanceid
   

In the above instructions I stray a bit from the defaults. For example, I add the runurl package from the Alestic PPA so that it is available for use in user-data scripts on first boot. I enable multiverse for easy access to more software, and I install ec2-ami-tools which works better for me than the current euca2ools.

I also set /mnt to the first ephemeral store on the instance even on EBS boot AMIs. This more closely matches the default on the S3 based AMIs, but means that /mnt will not be persistent across a stop/start of an EBS boot instance.

Explore and set options as you see fit for your applications. Go wild with the --execscript feature (similar to the ec2ubuntu-build-ami --script option) to customize your image.

The following vmbuilder options do not currently work with creating EC2 images: --mirror, --components, --ppa. I have submitted bug 502490 to track this.

As with much of my work here, I’m simply explaining how to use software that others have spent a lot of energy building. In this case a lot of thanks go to the Ubuntu server team for developing vmbuilder, the EC2 plugin, the ec2-init startup software, and the code which builds the official Ubuntu AMIs; especially Søren Hansen, Scott Moser, and Chuck Short. I also appreciate the folks who reviewed early copies of these instructions and provided feedback including Scott Moser, Art Zemon, Trifon Trifonov, Vaibhav Puranik, and Chris.

Community feedback, bug reports, and enhancements for these instructions are welcomed.

WARNING!

Though most Ubuntu 9.04 Jaunty systems can upgrade to 9.10 Karmic in place, this is not possible on EC2 and should not be attempted. If you do try this, your system will become unusable on reboot and there will be no recovery and no access to any of the data on the boot disk or ephemeral storage.

Here’s why:

• Ubuntu 9.10 Karmic has a version of udev which requires a newer kernel than you would be running for Ubuntu 9.04 Jaunty (especially on EC2).

• You cannot upgrade the kernel used by a running instance on Amazon EC2 (not even rebooting).

• When an EC2 instance cannot boot (as in the case of the udev/kernel mismatch) your only option is to terminate it, losing the local storage.

How To Upgrade

In order to upgrade to Karmic you will need to start a new EC2 instance running a fresh copy of the appropriate Karmic AMI. I post the latest AMI ids for Karmic in the second table on https://alestic.com/.

Keep your old instance(s) running while you configure and test the new Karmic instances. EC2 makes it easy to have multiple sets of servers running in parallel instead of upgrading in place. When you are confident your new servers are functioning properly, you can discard the old ones.

The Ubuntu 9.10 Karmic AMIs released by Canonical have a number of differences from the community Ubuntu AMIs which have been published on https://alestic.com.

One of the biggest differences is that you will ssh to ubuntu@ instead of to root@ on your instance. You can then sudo to perform commands as the root user. Back in April I wrote a guide about Using sudo, ssh, rsync on the Official Ubuntu Images for EC2.

The Ubuntu server team has put a lot of work into making Ubuntu 9.10 Karmic function beautifully on Amazon EC2 and it’s been a pleasure to have a small part in the process. I’m already using the Karmic AMIs on EC2 for one of my production processes. Please give these AMIs a spin and give feedback.

New updates have been released for the Ubuntu and Debian AMIs (EC2 images) published on:

https://alestic.com

The following notes apply to this release:

• The images have been upgraded to use the newest 2.6.21 kernel, ramdisk, and kernel modules from Amazon. This fixes a serious security hole in the previous 2.6.21 kernel.

• The Alestic PPA (personal package archive) has been added to the Ubuntu AMIs. This makes it easy to install software packages listed in this PPA, including ec2-consistent-snapshot.

• The runurl package from the Alestic PPA has been pre-installed on the Ubuntu AMIs. This can be a handy tool for setting up new instances with user-data scripts.

• The EC2 AMI tools have been upgraded to version 1.3-34544.

• The ec2-ami-tools package version has been pinned so it does not get downgraded if the official Ubuntu archives still have older versions.

• All packages have been upgraded to their respective latest versions.

• The Ubuntu Karmic images were not updated and have been removed from the listings at the top of https://alestic.com. If you would like to use Ubuntu Karmic Beta, please test with the AMIs published by Canonical listed a bit lower down on the page.

Please give these new images a spin and let us know if you run into any problems.

Enjoy

At the end of July, I gave a presentation at O’Reilly’s Open Source Convention (OSCON 2009) in San Jose. The slides from the presentation have been made available on the OSCON web site in ODP and PDF formats (look for links towards the top of the page):

Building Custom Linux Images for Amazon EC2

Bonus: For folks who live around Los Angeles (or who want to fly in?), I will be giving an extended version of this talk at the UUASC-LA (Unix Users Association of Southern California, Los Angeles Chapter) meeting on Thursday, September 3, 2009. The presentation is free and open to all. Please read the directions and instructions on the UUASC web site carefully.

New updates have been released for the Ubuntu and Debian AMIs (EC2 images) published on:

https://alestic.com

The following notes apply to this release:

• The EC2 AMI tools have been upgraded to version 1.3-34544. Note that an “apt-get upgrade” will downgrade the EC2 AMI tools because the versions of the ec2-ami-tools package currently in the Ubuntu Hardy, Intrepid, Jaunty archives are outdated. If you have an easy solution to this, please let us know.

• The ssh host key regeneration has been moved to run after the RNG is seeded. This improves security, especially for folks who are verifying the ssh host key on the first connect by comparing the fingerprint to the value in the instance console output. Thanks to Andrew Becherer for suggesting this improvement.

• The Ubuntu Karmic Alpha images were not updated. Due to a new kernel requirement, Karmic will no longer run on Amazon’s 2.6.21 kernel. Once Canonical releases an Ubuntu kernel with the appropriate features, the Karmic series may be resumed. Running “apt-get upgrade” on an existing Karmic AMI will cause it to be inaccessible after rebooting.

• The Debian Etch desktop images were not updated because apparently LaTeX refuses to build a format from a source file which is more than five years old. If there is anybody who wants Etch desktops and is willing to investigate, please contact me, otherwise I plan to discontinue support for this series. If you’re using Debian, I’d encourage you to upgrade to Lenny “stable” anyway.

Please give these new images a spin and let us know if you run into any problems.

Enjoy

I will be speaking at the O’Reilly Open Source Convention (OSCON 2009) next week, giving a presentation on building custom images for Amazon EC2.

Though the presentation is primarily about doing it yourself with the practical portion focusing on Ubuntu images, I wanted to mention some of the third party services which can be used to build images of any kind for EC2.

If you run, use, or are aware of one of these AMI building services, please send me a message or post a comment on this entry.

And, for folks who still haven’t yet signed up for OSCON, here’s a code that gets you 30% off of registration: os09sphoc

NOTE: This is an article from 2009, back before EBS boot instances were available on Amazon EC2. I recommend you use EBS boot instances which make it trivial to create new AMIs (single command/API call). Please stop reading this article now and convert to EBS boot AMIs!

When you start up an instance (server) on Amazon EC2, you need to pick the image or AMI (Amazon Machine Image) to run. This determines the Linux distribution and version as well as the initial software installed and how it is configured.

There are a number of public images to choose from with EC2 including the Ubuntu and Debian image published on https://alestic.com but sometimes it is appropriate to create your own private or public images. There are two primary ways to create an image for EC2:

1. Create an EC2 image from scratch. This process lets you control every detail of what goes into the image and is the easiest way to automate image creation.

2. Rebundle a running EC2 instance into a new image. This approach is the topic of the rest of this article.

After you rebundle a running instance to create a new image, you can then run new EC2 instances of that image. Each instance starts off looking exactly like the original instance as far as the files on the disk go (with a few exceptions).

This guide is primarily written in the context of running Ubuntu on EC2, but the concepts should apply without too much changing on Debian and other Linux distributions.

To use this rebundling approach, you start by running an instance of an image that (1) is as close as possible to the image you want to create, and (2) is published by a source you trust. You then proceed to install software and configure that instance so that it contains exactly what you want to be available on new instances right down to the startup scripts.

The next step is to bundle the instance’s disk image into a new AMI, but before we get to that, it is important to understand a few things about security.

Security

If you are creating a new EC2 image, you need to be very careful what pieces of information you inadvertently leave on the image, especially if you have the goal of publishing it as a public AMI. Anybody who runs an instance of that AMI will have access to the files you included in the bundle, and there is no way to modify an AMI after it has been created (though you can delete it).

For example, you don’t want to leave your AWS certificate or private key on the disk. You’ll even want to clear out the shell history file in case you had typed secret information in commands or in setting environment variables.

You also want to consider the security concerns from the perspective of the people who run the new image. For example, you don’t want to leave any passwords active on accounts. You should also make sure you don’t include your public ssh key in authorized_keys files. Leaving a back door into other people’s servers is in poor taste even if you have no intention of ever using it.

Here are some sample commands, but only you can decide if this wipes out too much or what other files you need to exclude depending on how you set up and used the instance you are bundling:

sudo rm -f /root/.*hist* $HOME/.*hist*
sudo rm -f /var/log/*.gz
sudo find /var/log -name mysql -prune -o -type f -print | 
  while read i; do sudo cp /dev/null $i; done

Whole directories can be excluded from the image using the --exclude option of the ec2-bundle-vol command (see below).

Rebundling

Now we’re ready to bundle the actual EC2 image (AMI). To start, you need to copy your certificate and key to the instance ephemeral storage. Adjust the sample command to use the appropriate keypair file for authentication and the appropriate location of your certification and private key files. If you are not running a modern Ubuntu image, then change remoteuser to “root”.

remotehost=<ec2-instance-hostname>
remoteuser=ubuntu

rsync \
  --rsh="ssh -i KEYPAIR.pem" \
  --rsync-path="sudo rsync" \
  PATHTOKEYS/{cert,pk}-*.pem \
  $remoteuser@$remotehost:/mnt/

Set up some environment variables for convenience in the following commands. A single S3 bucket can be used for multiple AMIs. The manifest prefix should be descriptive, especially if you plan to publish the AMI publicly, as it is the only piece of documentation many users will see when they look through AMI lists. At a minimum, I recommend including the Linux distribution (e.g, “ubuntu”), the architecture (e.g., “i386” or “32”), and the date (e.g., “20090621”), as well as some tag that indicates the special nature of the image (e.g., “desktop” or “lamp”).

bucket=<your-bucket-name>
prefix=<descriptive-image-title>

On the EC2 instance itself, you also set up some environment variables to help the bundle and upload commands. You can find these values in your EC2 account.

export AWS_USER_ID=<your-value>
export AWS_ACCESS_KEY_ID=<your-value>
export AWS_SECRET_ACCESS_KEY=<your-value>

if [ $(uname -m) = 'x86_64' ]; then
  arch=x86_64
else
  arch=i386
fi

Bundle the files on the current instance into a copy of the image under /mnt:

sudo -E ec2-bundle-vol \
  -r $arch \
  -d /mnt \
  -p $prefix \
  -u $AWS_USER_ID \
  -k /mnt/pk-*.pem \
  -c /mnt/cert-*.pem \
  -s 10240 \
  -e /mnt,/root/.ssh,/home/ubuntu/.ssh

Upload the bundle to a bucket on S3:

ec2-upload-bundle \
   -b $bucket \
   -m /mnt/$prefix.manifest.xml \
   -a $AWS_ACCESS_KEY_ID \
   -s $AWS_SECRET_ACCESS_KEY

Now that the AMI files have been uploaded to S3, you register the image as a new AMI. This is done back on your local system (with the API tools installed):

ec2-register \
  --name "$bucket/$prefix" \
  $bucket/$prefix.manifest.xml

The output of this command is the new AMI id which is used to run new instances of that image.

It is important to use the same account access information for the ec2-bundle-vol and ec2-register commands even though they are run on different systems. If you don’t you’ll get an error indicating you don’t have the rights to register the image.

Public Images

By default, the new EC2 image is private, which means it can only be seen and run by the user who created it. You can share access with another individual account or with the public.

To let another EC2 user run the image without giving access to the world:

ec2-modify-image-attribute -l -a <other-user-id> <ami-id>

To let all other EC2 users run instances of your image:

ec2-modify-image-attribute -l -a all <ami-id>

Cost

AWS will charge you standard S3 charges for the stored AMI files which comes out to $0.15 per GB per month. Note, however, that the bundling process uses sparse files and compression, so the final storage size is generally very small and your resulting cost may only be pennies per month.

The AMI owner incurs no charge when users run the image in new instances. The users who run the AMI are responsible for the standard hourly instance charges.

Cleanup

Before removing any public image, please consider the impact this might have on people who depend on that image to run their business. Once you publish an AMI, there is no way to tell how many users are regularly creating instances of that AMI and expecting it to stay available. There is also no way to communicate with these users to let them know that the image is going away.

If you decide you want to remove an image anyway, here are the steps to take.

Deregister the AMI

ec2-deregister ami-XXX

Delete the AMI bundle in S3:

ec2-delete-bundle \
  --access-key $AWS_ACCESS_KEY_ID \
  --secret-key $AWS_SECRET_ACCESS_KEY \
  --bucket $bucket \
  --prefix $prefix

[Update 2009-09-12: Security tweak for running under non-root.] [Update 2010-02-01: Update to use latest API/AMI tools and work for Ubuntu 9.10 Karmic.]

Ubuntu Karmic Koala Alpha is being developed and will be released as Ubuntu 9.10 in October. If you want to play around with Karmic Alpha on Amazon EC2, I have published new AMIs in the US and EU regions for 32- and 64-bit:

https://alestic.com

A Karmic desktop image for EC2 is also available if you wish to monitor progress in that area.

Warning! Karmic is an unstable alpha developer version and is not intended for use in anything resembling a production environment.

Please note that we are still defaulting to Amazon’s 2.6.21fc8 kernel which, though functional and stable, is getting older and older for each new release of Ubuntu. One effect of this is that AppArmor will not be enabled, though this should not affect the functionality of any software.

Enjoy!

New updates have been released for the Ubuntu and Debian AMIs (EC2 images) published on:

https://alestic.com

The following improvements are included in this release:

• Ubuntu 9.04 Jaunty now uses an Ubuntu mirror inside of EC2 hosted by RightScale. This dramatically improves the performance of updates and upgrades. Hardy and Intrepid were already using the mirrors inside EC2.

• The Hardy, Intrepid, and Jaunty images have been enhanced to add failover for Ubuntu archive mirror hosts across availability zones (data centers). This change lets an Ubuntu instance perform package updates and upgrades even if one or two of the EC2 availability zones are completely unavailable.

• The denyhosts package is now installed on desktop images for improved security. The Amazon abuse team has identified the Ubuntu desktop images as a source of compromised systems. The cause for this is believed to be unsecure passwords set by users, since the desktop images have PasswordAuthentication enabled by default so that the NX client can connect. The denyhosts package blocks ssh attacks by adding remote systems to /etc/hosts.deny if they keep failing password logins.

  The published Ubuntu and Debian server images continue to have PasswordAuthentication turned off by default for improved security. If you choose to turn this on, I recommend installing a package like denyhosts and using software like the following to generate secure passwords:

    sudo apt-get install pwgen
    pwgen -s 10 1
  

• The EC2 AMI tools have been upgraded to version 1.3-31780.

• All software packages have been updated to versions current as of 2009-06-14.

Community support for Ubuntu on EC2 is available in this group:

http://groups.google.com/group/ec2ubuntu

Community support for Debian on EC2 is available in this group:

http://groups.google.com/group/ec2debian

The 32-bit Debian squeeze images and the 32-bit Debian etch desktop image have not been updated yet due to problems with initial package installation. Images will be released when these issues are resolved.

The following enhancements have been made to the ec2ubuntu-build-ami software which is used to build Ubuntu and Debian images for EC2.

• New --kernel and --ramdisk options have been added to specify AKI and ARI. If you specify a different kernel, you should also specify kernel modules with --package or install them with the --script option.

• Support has been removed for Ubuntu Edgy, Feisty, and Gutsy. These releases have reached their end of life. To improve the clarity of the code this software no longer supports building these images.

• There has been a typo fix for $originaldir for folks who were using the --script option.

• There has been a typo fix for /dev/ptmx though it apparently had no effect given how these images are built.

Thanks to Stephen Parkes and Paul Dowman for submitting patches.

Enjoy!