Alestic.com - A Personal AWS Blog by Eric Hammond

user-data Scripts

The Ubuntu and Debian EC2 images published on https://alestic.com allow you to send in a startup script using the EC2 user-data parameter when you run a new instance. This functionality is useful for automating the installation and configuration of software on EC2 instances.

The basic rule followed by the image is:

If the instance user-data starts with the two characters #! then the instance runs it as the root user on the first boot.

The “user-data script” is run late in the startup process, so you can assume that networking and other system services are functional.

If you start an EC2 instance with any user-data which does not start with #! the image simply ignores it and allows your own software to access and use the data as it sees fit.

This same user-data startup script functionality has been copied in the Ubuntu images published by Canonical, and your existing user-data script should be portable across images with little change. Read a comparison of the Alestic and Canonical EC2 images.

Example

Here is a sample user-data script which sets up an Ubuntu LAMP server on a new EC2 instance:

#!/bin/bash
set -e -x
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get upgrade -y
tasksel install lamp-server
echo "Please remember to set the MySQL root password!"

Save this to a file named, say, install-lamp and then pass it to a new EC2 instance, say, Ubuntu 9.04 Jaunty:

ec2-run-instances --key KEYPAIR --user-data-file install-lamp ami-bf5eb9d6

Please see https://alestic.com for the latest AMI ids for Ubuntu and Debian.

Note: This simplistic user-data script is for demonstration purposes only. Though it does set up a fully functional LAMP server which may be as good as some public LAMP AMIs, it does not take into account important design issues like database persistence. Read Running MySQL on Amazon EC2 with Elastic Block Store.

Debugging

Since you are passing code to the new EC2 instance, there is a very small chance that you may have made a mistake in writing the software. Well maybe not you, but somebody else out there might not be perfect, so I have to write this for them.

The stdout and stderr of your user-data script is output in /var/log/syslog and you can review this for any success and failure messages. It will contain both things you echo directly in the script as well as output from programs you run.

Tip: If you add set -x at the top of a bash script, then it will output every command executed. If you add set -e to the script, then the user-data script will exit on the first command which does not succeed. These help you quickly identify where problems might have started.

Limitations

Amazon EC2 limits the size of user-data to 16KB. If your startup instructions are larger than this limit, you can write a user-data script which downloads the full program(s) from somewhere else like S3 and runs them.

Though a shell is a handy tool for writing scripts to install and configure software, the user-data script can be written in any language which supports the shabang (#!) mechanism for running programs. This includes bash, Perl, Python, Ruby, tcl, awk, sed, vim, make, or any other language you can find pre-installed on the image.

If you want to use another language, a user-data script written in bash could install the language, install the program, and then run it.

Security

Setting up a new EC2 instance often requires installing private information like EC2 keys and certificates (e.g., to make AWS API calls). You should be aware that if you pass secrets in the user-data parameter, the complete input is available to any user or process running on the instance.

There is no way to change the instance user-data after instance startup, so anybody who has access to the instance can simply request http://169.254.169.254/latest/user-data

Depending on what software you install on your instance, even Internet users may be able to exploit holes to get at your user-data. For example, if your web server lets users specify a URL to upload a file, they might be able to enter the above URL and then read the contents.

Alternatives

Though user-data scripts are my favorite method to set up EC2 instances, it’s not always the appropriate approach. Alternatives include:

1. Manually ssh in to the instance and enter commands to install and configure software.

2. Automatically ssh in to the instance with automated commands to install and configure software.

3. Install and configure software using (1) or (2) and then rebundle the instance to create a new AMI. Use the new image when running instances.

4. Build your own EC2 images from scratch.

The ssh options have the benefit of not putting any private information into the user-data accessible from the instance. They have the disadvantage of needing to monitor new instances waiting for the ssh server to accept connections; this complicates the startup process compared to user-data scripts.

The rebundled AMI approach and building your own AMI approach are useful when the installation and configuration of your required software take a very long time or can’t be done with automated processes (less common than you might think). A big drawback of creating your own AMIs is maintaining them, keeping up with security patches and other enhancements and fixes which might be applied by the base image maintainers.

Software

Note to AMI authors: If you wish to add to your EC2 images the same ability to run user-data scripts, feel free to include the following code and make it run on image startup:

http://ec2-run-user-data.notlong.com

Credits

Thanks to RightScale for the original idea of EC2 images with user-data startup hooks. RightScale has advanced startup plugins which include scripts, software packages, and attachments, all of which integrate with the RightScale service.

Thanks to Kim Scheibel and Jorge Oliveira who submitted code used in the original ec2-run-user-data script.

What do you use EC2 user-data for?

Canonical has released official Ubuntu images for EC2 for Ubuntu 9.10 Karmic.

The primary technical benefit brought by Canonical's involvement in building official Ubuntu images is that custom kernels can be built for EC2 through a relationship with Amazon. This means that the Ubuntu images can now run on more modern Ubuntu kernels instead of on Amazon's older, Fedora kernels.

Other differences are listed below:

Items listed are likely to change as images are enhanced. This table may or may not be updated to match. Please leave comments if you notice or question other differences.

Note: There are some older (2009-04) Canonical AMIs floating around for Hardy and Intrepid. These have not been maintained and are not recommended at this point.

Updated 2009-06-15: Alestic.com Jaunty is using an Ubuntu mirror inside EC2. Alestic.com images using load balanced mirror with failover between EC2 availability zones.

Updated 2009-06-25: Alestic.com published Karmic (Alpha) but later withdrew.

Updated 2009-10-29: Canonical released Karmic. None of the image currently have RightScale support built in, but RightScale has their own Ubuntu AMIs.

As you may have heard, Ubuntu 9.04 Jaunty has been officially released by Ubuntu today, right on schedule:

http://ubuntu.com

Matching updates have been released for the Ubuntu 9.04 Jaunty AMIs listed on:

https://alestic.com

Please note that we are still defaulting to Amazon’s 2.6.21fc8 kernel which is getting older and older for each new release of Ubuntu. Please do let the group know if you find incompatibilities with Ubuntu Jaunty other than the known problem that AppArmor is not enabled.

You might be able to run the 9.04 Jaunty image with the official Ubuntu 2.6.27 kernel (for Intrepid) which is currently in release candidate state from Canonical.

For what it’s worth, I still run Ubuntu 8.04 LTS Hardy on Amazon EC2 personally and for my company.

New updates have been released for all* of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancements in this release are:

• The images which were experiencing problems with XFS and the Amazon 2.6.21fc8 kernel have been fixed by installing an XFS kernel module which matches Amazon’s kernel. This includes Ubuntu Intrepid, Ubuntu Jaunty, Debian Lenny, and Debian Squeeze.

• The Ubuntu 9.04 Jaunty image is using release candidate software. The official Jaunty release is expected April 23.

• At the request of the Amazon security folks, ssh PasswordAuthentication has been disabled by default on the server images. Even though the base images have passwords disabled on the root account, some folks may be creating accounts with poor passwords susceptible to attacks. The desktop images require password authentication for NX (as far as I know) so please use secure passwords.

• The desktop images have been upgraded to a recent version of NX Free Edition software.

• This is the last published image for Ubuntu 7.10 Gutsy. This version has reached its end of life on April 18 and should not be used any more unless you really need to test something on Gutsy and you aren’t going to leave it running long (no security patches available).

All of the AMIs are available in both the US and European regions.

Notes:

• The Ubuntu 6.10 Edgy, 7.04 Feisty, and 7.10 Gutsy AMIs are obsolete and unsupported. Running these images introduces a security risk as no security patches are being produced any more by Ubuntu.

New updates have been released for the Ubuntu Jaunty AMIs on

https://alestic.com

Jaunty recently moved from “alpha” to “beta” in preparation for its official release as Ubuntu 9.04 next month.

For details on what is new in Jaunty, see:

http://www.ubuntu.com/testing/jaunty/beta

This is beta software and is not suitable for production use.

All of the AMIs are available in both the US and European regions.

New updates have been released for all* of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancements in this release are:

• Ubuntu Hardy and Intrepid have new apt sources.list pointing to the local EC2 mirrors provided by RightScale. Please let me know if you have any problems with updates.

• Debian “lenny” has been released as the new “stable”. Debian “squeeze” is the new “testing”, so the latest Debian mapping is as follows:

  squeeze - “testing” lenny - “stable” etch - “oldstable”

As always, “sid” is “unstable” and I can’t imagine why you would want to run this on EC2 unless you’re a Debian developer in which case you should probably built your own AMIs.

When I run “squeeze” it thinks that it is “lenny” (lsb_release -a). I assume that this is because it has just been branched from lenny but it’s possible that I didn’t build it correctly. Let me know if you have further information on this.

Notes:

• The Ubuntu 6.10 Edgy and 7.04 Feisty AMIs are obsolete, unsupported, and are not updated.

• The AMIs are in the process of being copied to eu-west-1 (Europe). Documentation will be updated soon.

New updates have been released for all* of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancements in this release are:

• The EC2 AMI tools have been upgraded to 1.3-30748. This adds support for EC2 regions including the new eu-west-1 European region.

• AMIs have been created for Ubuntu Jaunty Jackelope alpha (planned for release 2009-04). This is alpha software and is not suitable for production use.

All of the AMIs are available in both the US and European regions.

• The Ubuntu 6.10 Edgy and 7.04 Feisty AMIs are obsolete and unsupported.

The Ubuntu and Debian images listed on https://alestic.com are now available in both the US (us-east-1) and Europe (eu-west-1) EC2 regions.

Click on the “Europe” tab at the top of the table to see the new AMI ids for Europe.

Only the most recent images have been copied over to the Europe region. Let me know if you have specific older images which you would like to run in Europe.

New updates have been released for all* of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancements in this release are:

• The kernel modules for Amazon’s old 2.6.16 kernel are no longer included in the AMI. The images have been running for a while on Amazon’s 2.6.21 kernel by default and kernel modules are included for this version. If you need the 2.6.16 kernel modules they are available for download or you can build a new AMI with the kernel modules using the ec2-ubuntu-build-ami script on the above site.

• The EC2 AMI tools have been upgraded to 1.3-26357. This has reduced the number of required patches down to one as Amazon continues to improve support for Ubuntu and Debian in these tools.

• A new –arch option has been added based on a patch submitted by Don Spaulding II. This may help in building images for both 32- and 64-bit on the same system.

• Note that the Ubuntu 6.10 Edgy release is marked as obsolete and is no longer being maintained or updated. The Ubuntu 7.04 Feisty AMI was able to be updated it is also past its end of life.

There have been no volunteers for building an automated AMI testing framework so not all of these 24 images have been tested. Please report quickly any problems you encounter and hold off a bit on upgrading to these in production environments.

The big news in the Ubuntu community today is that Ubuntu 8.10 Intrepid Ibex has been released right on schedule:

http://ubuntu.com

If you’d like to take it for a spin on EC2, brand new AMIs are available for 32-bit and 64-bit instances in both base install and desktop flavors.

You can find the latest AMIs for all Ubuntu releases on the following site with links to the public AMI documents on Amazon:

https://alestic.com

Ubuntu 8.10 is not an LTS (long term support release). It will be supported for 18 months. If you would like a bit more longevity, Ubuntu 8.04 LTS (Hardy) still has 4.5 years of life left in the server edition and is available from the same sites above.

A new and final update has been released today for the Ubuntu 7.04 Feisty AMI on

https://alestic.com

Since Ubuntu 7.04 has reached its end-of-life (see forwarded attachment) there will be no further updates to the Ubuntu 7.04 Feisty base install AMI.

Anybody who might have been using the Feisty AMI series should have moved on by now to either the Ubuntu 7.10 Gutsy or 8.04 Hardy AMIs.

Please note: Ubuntu 7.10 Gutsy will reach its end-of-life in 6 months during which time everybody using that release should be upgrading to 8.04 Hardy.

Ubuntu 8.04 Hardy is LTS. The LTS versions of Ubuntu receive long- term support: 3 years for desktop versions and 5 years for server versions.

New updates have been released for all of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancement in this release is an emergency correction for a defect in the previous AMIs, to wit: The /etc/fstab file was missing and /mnt was not mounted as ephemeral storage.

Thanks to Garrett Smith and Ken Lim for identifying and reporting this problem. I had apparently missed the notice that the latest ec2- bundle-vol from Amazon requires –generate-fstab if you want to have an /etc/fstab when creating an AMI from scratch :-\

The defective AMIs are hereby deprecated and may eventually be withdrawn.

New updates have been released for all* of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancements in this release are:

• A defect has been corrected in a boot script so that the ssh host keys are only re-generated on the first boot of an instance. They were being re-generated on reboot, but nobody seemed to notice.

• There have been enough bugs reported in Amazon’s old 2.6.16 kernel that I have upgraded the Ubuntu 6.06 Dapper AMI to Amazon’s 2.6.21 kernel. This means that all of the Ubuntu and Debian AMIs now run Amazon’s 2.6.21 kernel by default (though you can select another at runtime). Please let me know if you run this and experience problems.

• Since we have at least one company using the Hardy 64-bit desktop AMI, I’ve updated it and added it to the list on https://alestic.com

• Hans Omli found a way to add libc6-xen on Hardy and Intrepid without causing problems (by removing libc6-i686). These releases now include libc6-xen which according to some may give a performance boost in some types of applications.

• I have been working with the good folks at RightScale to build Ubuntu AMIs which integrate with the RightScale service (server templates, startup scripts, runtime scripts, automatic EBS volume attachments, one button rebundling, and more). I’ve been using it a bit and think that the basic functionality is stable enough to release an early version now listed on https://alestic.com Please let me know if you experience problems. There is still some work to be done including in the performance monitoring integration.

If you haven’t been following the ec2ubuntu group, some progress has been made recently on getting the ec2ubuntu-build-ami script to run better on Ubuntu and on non-EC2 systems. Thanks to the community members who have contributed to this including yourabi and Terry Jones.

I don’t have the resources right now to test all two dozen public AMIs. Please take care when trying out AMIs which have just been built and please report any problems you run into.

If you are interested in helping to build an automated QA framework, please drop me a line.

Notes:

• Please note that the Ubuntu 6.10 Edgy release is marked as obsolete and is no longer being maintained or updated. This release has passed its end of life and attempts to build new AMIs fail because debootstrap can no longer find a repository for Ubuntu Edgy.

New updates have been released for all of the Ubuntu and Debian AMIs listed on:

https://alestic.com

The primary enhancements in this release are:

• Build using latest debootstrap v1.0.10

• Output new ssh host key fingerprints to console log for security.

• Use newly built kernel modules where fuse supports NFS export.

• All Ubuntu packages upgraded to latest versions

How to get the ssh host key fingerprint from the console output and compare it when using ssh to connect to the instance is described in the “Connecting to your instance” section of the EC2 Getting Started Guide:

http://ec2gsg-running.notlong.com

This is not necessary, but does add a bit of extra security if you are worried about folks intercepting and modifying your ssh connections to EC2 instances.

The NFS support in fuse should let you share an S3-based fuse file system (like PersistentFS) with other hosts over NFS.

Enjoy

New updates have been released for all of the Ubuntu AMIs listed on:

https://alestic.com

Though this release is only 3 days after the previous one it is surprisingly not to fix bugs, but rather to add one of the most demanded features: startup hooks.

Thanks to code submitted by Kim Scheibel and Jorge Oliveira (with a little mangling from me) it is now easy to type a single command (or push a button in Elasticfox) and have an Ubuntu instance start up and immediately install, configure, and run software without any additional manual intervention.

Simply pass a script (starting with #!) as the instance user-data and it will be run automatically on the first boot. If you want it to be run on every boot, see the comments at the top of this file:

http://ec2-run-user-data.notlong.com

For example, to start a Hardy LAMP server, you could create a script named “install-lamp-server” with the contents:

#!/bin/bash
export DEBIAN_PRIORITY=critical
apt-get update
apt-get upgrade -y
apt-get install -y lamp-server^
echo "Please remember to set the MySQL root password!"

Then using the latest Ubuntu 8.04 Hardy base install AMIID (from https://alestic.com) run a command like:

ec2-run-instances \
  --user-data-file install-lamp-server \
  --key IDENTITY \
  AMIID

A couple minutes later, you should be able to connect to the server’s external hostname with a web browser. To see the progress of your user-data script on the instance:

tail -f /var/log/syslog

Output from the user-data script is also available in the EC2 instance console output for convenient remote debugging.

You can write the user-data script in any language that happens to be on the base AMI (bash, perl, python, ruby, awk, …) as long as the program file starts with: #!

Note that there is a size limit on user-data in EC2, but the user-data script may download additional files from S3 or other locations, so this shouldn’t be too constraining.

Now let the competition begin for coolest and most useful instance user-data scripts!

Enjoy