author | Jake Buchholz <tomalok@gmail.com> | 2018-07-28 18:28:29 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2018-07-30 07:59:39 -0700 |
commit | 836d9a3e7ef0b664f2b33fc65bb5315b901dfe2e (patch) | |
tree | 07d0cb926f0b4932370e08f0c15eb52e6f6836f3 | |
parent | 27bcd4a05e0ce1bc28886452355121501310df8f (diff) | |
download | alpine-ec2-ami-836d9a3e7ef0b664f2b33fc65bb5315b901dfe2e.tar.bz2 alpine-ec2-ami-836d9a3e7ef0b664f2b33fc65bb5315b901dfe2e.tar.xz alpine-ec2-ami-836d9a3e7ef0b664f2b33fc65bb5315b901dfe2e.zip |
* switch to alpine v3.8
* add public_ip variable, setting to 'true' allows packer to build from outside AWS
* use smallest instance_type (t2.nano) and volume_size (1 GiB)
* eu-west-3 region is live; ap-northeast-3 requires subscription
* no longer need setup_staging_repos function...
+ tiny-ec2-bootstrap is available in main since v3.8
+ aws-ena-driver-vanilla is only available in edge/testing
* switched to linux-vanilla since linux-hardened is no longer available and linux-virt does not have NVME available
+ TODO? make kernel choice selectable (significant memory/disk savings if linux-virt can be used)
-rw-r--r-- | README.md | 8
-rw-r--r-- | alpine-ami.yaml | 19
-rwxr-xr-x | make_ami.sh | 47
3 files changed, 25 insertions, 49 deletions
@@ -50,11 +50,9 @@ its development and thus there are some sharp edges. | |||
50 | hardware so it seems unlikely that they will be supported going forward. Thus | 50 | hardware so it seems unlikely that they will be supported going forward. Thus |
51 | this project does not support them. | 51 | this project does not support them. |
52 | 52 | ||
53 | - Not all packages required have been merged into the upstream aports tree. | 53 | - The aws-ena-driver-vanilla package is still in edge/testing. When it is |
54 | When they are they will still only be available on edge. Until then the image | 54 | available in a release, the edge/testing repository can be removed from |
55 | sources a few packages from a testing repo managed by the owner of this | 55 | /etc/apk/repositories. |
56 | repository. The builds in this repository should be identical to what is | ||
57 | eventually merged into the official tree. | ||
58 | 56 | ||
59 | - [cloud-init](https://cloudinit.readthedocs.io/en/latest/) is not currently | 57 | - [cloud-init](https://cloudinit.readthedocs.io/en/latest/) is not currently |
60 | supported on Alpine Linux. Instead this image uses | 58 | supported on Alpine Linux. Instead this image uses |
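Review bot: the new text at lines 53-55 tells readers the edge/testing repository "can be removed from /etc/apk/repositories", but the repository is added with the `@testing` tag and the driver is installed as `aws-ena-driver-vanilla@testing`, so a plain removal of the repository line would also stop that package from upgrading. Suggest the README state that the tagged repository only serves explicitly tagged packages, and that both the `@testing` repository line and the `@testing` suffix on the package name go away once the driver is in a v3.8 repository.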
diff --git a/alpine-ami.yaml b/alpine-ami.yaml index 9cf221e..af97e49 100644 --- a/alpine-ami.yaml +++ b/alpine-ami.yaml | |||
@@ -1,17 +1,18 @@ | |||
1 | variables: | 1 | variables: |
2 | security_group: "" | 2 | security_group: "" |
3 | subnet: "" | 3 | subnet: "" |
4 | public_ip: "false" | ||
4 | 5 | ||
5 | # Treat this similar to a ABUILD pkgrel variable and increment with every | 6 | # Treat this similar to a ABUILD pkgrel variable and increment with every |
6 | # release. Packer will notice an exiting AMI at build start and fail unless | 7 | # release. Packer will notice an exiting AMI at build start and fail unless |
7 | # it is rmoved. To prevent a period of time where no Alpine AMI exists, | 8 | # it is rmoved. To prevent a period of time where no Alpine AMI exists, |
8 | # create a new variant. Old AMIs should be pruned at some point. | 9 | # create a new variant. Old AMIs should be pruned at some point. |
9 | ami_release: "2" | 10 | ami_release: "0" |
10 | 11 | ||
11 | # Overriding this requires validating that the installation script still | 12 | # Overriding this requires validating that the installation script still |
12 | # works as expected. It probably does but stuff changes between major | 13 | # works as expected. It probably does but stuff changes between major |
13 | # version. | 14 | # version. |
14 | alpine_release: "3.7" | 15 | alpine_release: "3.8" |
15 | 16 | ||
16 | # Don't override this without a good reason and if you do just make sure it | 17 | # Don't override this without a good reason and if you do just make sure it |
17 | # gets passed all the way through to the make_ami script | 18 | # gets passed all the way through to the make_ami script |
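Review bot: `public_ip: "false"` at line 4 is a string variable that the builder consumes as a boolean through `{{user `public_ip`}}`, so only the literal strings "true" and "false" are valid; a comment saying so would prevent values like "yes" or "1". The same comment should say that "true" exposes the build instance on a public address for the duration of the build, so it belongs together with a restrictive `security_group` rather than the empty default above it. Separately, `ami_release` is reset from "2" to "0" while the comment only says to increment it with every release; document that it restarts at 0 whenever `alpine_release` changes. (Pre-existing typos in the unchanged comment: "exiting" and "rmoved".)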
@@ -26,17 +27,18 @@ builders: | |||
26 | subnet_id: "{{user `subnet`}}" | 27 | subnet_id: "{{user `subnet`}}" |
27 | 28 | ||
28 | # Input Instance Setting | 29 | # Input Instance Setting |
29 | instance_type: "t2.micro" | 30 | instance_type: "t2.nano" |
30 | launch_block_device_mappings: | 31 | launch_block_device_mappings: |
31 | - volume_type: "gp2" | 32 | - volume_type: "gp2" |
32 | device_name: "{{user `volume_name`}}" | 33 | device_name: "{{user `volume_name`}}" |
33 | delete_on_termination: true | 34 | delete_on_termination: true |
34 | volume_size: 5 | 35 | volume_size: 1 |
36 | associate_public_ip_address: "{{user `public_ip`}}" | ||
35 | 37 | ||
36 | # Output AMI Settings | 38 | # Output AMI Settings |
37 | ena_support: true | 39 | ena_support: true |
38 | ami_name: "Alpine-{{user `alpine_release`}}-r{{user `ami_release`}}-Hardened-EC2" | 40 | ami_name: "Alpine-{{user `alpine_release`}}-r{{user `ami_release`}}-EC2" |
39 | ami_description: "Alpine Linux {{user `alpine_release`}}-r{{user `ami_release`}} Release with Hardened Kernel and EC2 Optimizations" | 41 | ami_description: "Alpine Linux {{user `alpine_release`}}-r{{user `ami_release`}} Release with EC2 Optimizations" |
40 | ami_groups: | 42 | ami_groups: |
41 | - "all" | 43 | - "all" |
42 | ami_virtualization_type: "hvm" | 44 | ami_virtualization_type: "hvm" |
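Review bot: `associate_public_ip_address` (line 36) is inserted directly after the `launch_block_device_mappings` list, and its indentation cannot be checked in this view; if it is indented as part of the `- volume_type` item it becomes an invalid block-device key rather than a builder setting. Suggest moving it next to `subnet_id` under "# Input Instance Setting", where the other instance-level options live. Also, with `ami_groups: - "all"` unchanged the published AMI is public, so the rename from "...-Hardened-EC2" to "...-EC2" should be checked against anything that selects the image by name (README, consumers filtering on `ami_name`).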
@@ -49,9 +51,10 @@ builders: | |||
49 | - eu-central-1 | 51 | - eu-central-1 |
50 | - eu-west-1 | 52 | - eu-west-1 |
51 | - eu-west-2 | 53 | - eu-west-2 |
52 | # - eu-west-3 | 54 | - eu-west-3 |
53 | - ap-northeast-1 | 55 | - ap-northeast-1 |
54 | - ap-northeast-2 | 56 | - ap-northeast-2 |
57 | # - ap-northeast-3 | ||
55 | - ap-southeast-1 | 58 | - ap-southeast-1 |
56 | - ap-southeast-2 | 59 | - ap-southeast-2 |
57 | - ap-south-1 | 60 | - ap-south-1 |
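Review bot: `# - ap-northeast-3` at line 57 is commented out with no reason given in the file; the commit message explains that the region requires a subscription, so add that as a trailing comment (e.g. `# - ap-northeast-3  # requires opt-in subscription`) so the next person does not simply uncomment it and hit a copy failure.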
@@ -60,7 +63,7 @@ builders: | |||
60 | source_device_name: "{{user `volume_name`}}" | 63 | source_device_name: "{{user `volume_name`}}" |
61 | device_name: "/dev/xvda" | 64 | device_name: "/dev/xvda" |
62 | delete_on_termination: true | 65 | delete_on_termination: true |
63 | volume_size: 5 | 66 | volume_size: 1 |
64 | volume_type: "gp2" | 67 | volume_type: "gp2" |
65 | 68 | ||
66 | # Use the most recent Amazon Linux AMI as our base | 69 | # Use the most recent Amazon Linux AMI as our base |
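Review bot: `volume_size: 1` now appears as a literal both here (line 66) and in `launch_block_device_mappings` (line 35 of the earlier hunk); a single `volume_size` user variable would keep the two values in step, the same way `volume_name` is already shared. Since this mapping defines the AMI, 1 GiB is also the root volume every instance launched from the image gets unless the launcher overrides it; with the previous default being 5, that change is worth a sentence in the README.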
diff --git a/make_ami.sh b/make_ami.sh index ec89fb7..c85c160 100755 --- a/make_ami.sh +++ b/make_ami.sh | |||
@@ -3,11 +3,11 @@ | |||
3 | 3 | ||
4 | set -eu | 4 | set -eu |
5 | 5 | ||
6 | : ${ALPINE_RELEASE:="3.7"} # not tested against edge | 6 | : ${ALPINE_RELEASE:="3.8"} # not tested against edge |
7 | : ${APK_TOOLS_URI:="https://github.com/alpinelinux/apk-tools/releases/download/v2.8.0/apk-tools-2.8.0-x86_64-linux.tar.gz"} | 7 | : ${APK_TOOLS_URI:="https://github.com/alpinelinux/apk-tools/releases/download/v2.10.0/apk-tools-2.10.0-x86_64-linux.tar.gz"} |
8 | : ${APK_TOOLS_SHA256:="da21cefd2121e3a6cd4e8742b38118b2a1132aad7f707646ee946a6b32ee6df9"} | 8 | : ${APK_TOOLS_SHA256:="77f2d256fcd5d6fdafadf43bb6a9c85c3da7bb471ee842dcd729175235cb9fed"} |
9 | : ${ALPINE_KEYS:="http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/alpine-keys-2.1-r1.apk"} | 9 | : ${ALPINE_KEYS:="http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/alpine-keys-2.1-r1.apk"} |
10 | : ${ALPINE_KEYS_SHA256:="7b2d1e9a00324c8eee49785dc22355be02534201e77473ba9762027e1a475cc7"} | 10 | : ${ALPINE_KEYS_SHA256:="f7832b848cedca482b145011cf516e82392f02a10713875cb09f39c7221c6f17"} |
11 | 11 | ||
12 | die() { | 12 | die() { |
13 | printf '\033[1;31mERROR:\033[0m %s\n' "$@" >&2 # bold red | 13 | printf '\033[1;31mERROR:\033[0m %s\n' "$@" >&2 # bold red |
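Review bot: `ALPINE_KEYS` (line 9) still fetches the trust root over plain `http://` while `APK_TOOLS_URI` uses https; the pinned `ALPINE_KEYS_SHA256` is what protects that download, so the pin must stay, but switching the URL to `https://dl-cdn.alpinelinux.org/...` costs nothing and removes a plaintext fetch from the bootstrap path. Since all five values are `: ${VAR:=...}` defaults that can be overridden from the environment, add a comment that the two SHA256 pins must be updated together with their URIs (this bump changes all four) so a future release does not override one without the other.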
@@ -73,34 +73,12 @@ make_filesystem() { | |||
73 | setup_repositories() { | 73 | setup_repositories() { |
74 | local target="$1" # target directory | 74 | local target="$1" # target directory |
75 | 75 | ||
76 | # NOTE: we only need @testing for aws-ena-driver-vanilla, this can be removed if/when released | ||
76 | mkdir -p "$target"/etc/apk/keys | 77 | mkdir -p "$target"/etc/apk/keys |
77 | cat > "$target"/etc/apk/repositories <<-EOF | 78 | cat > "$target"/etc/apk/repositories <<-EOF |
78 | http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/main | 79 | http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/main |
79 | http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/community | 80 | http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/community |
80 | EOF | 81 | @testing http://dl-cdn.alpinelinux.org/alpine/edge/testing |
81 | } | ||
82 | |||
83 | # This is mostly a temporary measure because some required packages have not | ||
84 | # yet been accepted upstream. This can be removed when the following pull | ||
85 | # requests are merged: | ||
86 | # | ||
87 | # - https://github.com/alpinelinux/aports/pull/2962 | ||
88 | # - https://github.com/alpinelinux/aports/pull/2961 | ||
89 | setup_staging_repos() { | ||
90 | local target="$1" # target directory | ||
91 | |||
92 | echo "https://mcrute-build-artifacts.s3.us-west-2.amazonaws.com/alpine-packages/$ALPINE_RELEASE/testing" >> "$target"/etc/apk/repositories | ||
93 | |||
94 | cat > "$target"/etc/apk/keys/mcrute-5a3eecec.rsa.pub <<-EOF | ||
95 | -----BEGIN PUBLIC KEY----- | ||
96 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fW5dyTqgs9Yf93xKn5U | ||
97 | cYzY9t//M3TAaiDWH7rFxqBqTGnVGkP9QAGqsbXyoo/JpIalazkOfm/1L+XaK7NI | ||
98 | IUD/8KxfrnBW53cc/KOkPcGAga36aTBz/HmLQQvjWcizPxWepjdfvAnRTMV69Oud | ||
99 | zaRPGKx8nCRqLy1YFAEXn+zpHRh+OHCzzQFlkJop+2PCXqDFaMWC7+oWwrqFs1i0 | ||
100 | CXc4pq5oT6vAQyt6pUwN85sLVxtxXSt5G5ALYzQtaIj7IAR3jGlwU26wOAv5YP7z | ||
101 | xn/Z1ebQsPbAl3rw48v2T2ohPEX2TUtUq4OuwOG+z1pi3woIGOlOFVAP3k6lm8Z9 | ||
102 | 9QIDAQAB | ||
103 | -----END PUBLIC KEY----- | ||
104 | EOF | 82 | EOF |
105 | } | 83 | } |
106 | 84 | ||
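Review bot: the `@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing` line (line 81) is written into the image's persistent /etc/apk/repositories, so the tagged edge repository ships in every AMI built, not only in the build chroot; that is what lets `aws-ena-driver-vanilla@testing` upgrade later, but it deserves a note in the README. Dropping `setup_staging_repos`, its out-of-tree S3 repository and the embedded `mcrute-5a3eecec.rsa.pub` key is a clear improvement, since package trust now rests on Alpine's own keys alone. Please also confirm that the edge/testing build of aws-ena-driver-vanilla matches the v3.8 linux-vanilla kernel it is installed beside: a kernel module package built against a different kernel version will not load, and apk may instead try to satisfy the dependency with a kernel from edge.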
@@ -131,19 +109,19 @@ install_core_packages() { | |||
131 | # Most from: https://git.alpinelinux.org/cgit/alpine-iso/tree/alpine-virt.packages | 109 | # Most from: https://git.alpinelinux.org/cgit/alpine-iso/tree/alpine-virt.packages |
132 | # | 110 | # |
133 | # acct - installed by some configurations, so added here | 111 | # acct - installed by some configurations, so added here |
134 | # aws-ena-driver-hardened - required for ENA enabled instances | 112 | # aws-ena-driver-vanilla - required for ENA enabled instances (still in edge/testing) |
135 | # e2fsprogs - required by init scripts to maintain ext4 volumes | 113 | # e2fsprogs - required by init scripts to maintain ext4 volumes |
136 | # linux-hardened - can't use virthardened because it's missing NVME support | 114 | # linux-vanilla - can't use virt because it's missing NVME support |
137 | # mkinitfs - required to build custom initfs | 115 | # mkinitfs - required to build custom initfs |
138 | # sudo - to allow alpine user to become root, disallow root SSH logins | 116 | # sudo - to allow alpine user to become root, disallow root SSH logins |
139 | # tiny-ec2-bootstrap - to bootstrap system from EC2 metadata | 117 | # tiny-ec2-bootstrap - to bootstrap system from EC2 metadata |
140 | chroot "$target" apk --no-cache add \ | 118 | chroot "$target" apk --no-cache add \ |
141 | acct \ | 119 | acct \ |
142 | alpine-mirrors \ | 120 | alpine-mirrors \ |
143 | aws-ena-driver-hardened \ | 121 | aws-ena-driver-vanilla@testing \ |
144 | chrony \ | 122 | chrony \ |
145 | e2fsprogs \ | 123 | e2fsprogs \ |
146 | linux-hardened \ | 124 | linux-vanilla \ |
147 | mkinitfs \ | 125 | mkinitfs \ |
148 | openssh \ | 126 | openssh \ |
149 | sudo \ | 127 | sudo \ |
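Review bot: the comment at line 114 gives only the NVMe argument for linux-vanilla, while the commit message also records that linux-hardened is no longer available; put both reasons in the comment, and carry the commit message's TODO about a selectable kernel into the file as well. linux-vanilla ships far more modules than linux-virt (larger image and more exposed kernel surface), so a reader of the script should be able to see why the heavier kernel was chosen and that a leaner option is still intended.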
@@ -166,7 +144,6 @@ create_initfs() { | |||
166 | local target="$1" | 144 | local target="$1" |
167 | 145 | ||
168 | # Create ENA feature for mkinitfs | 146 | # Create ENA feature for mkinitfs |
169 | # Submitted upstream: https://github.com/alpinelinux/mkinitfs/pull/19 | ||
170 | echo "kernel/drivers/net/ethernet/amazon" > \ | 147 | echo "kernel/drivers/net/ethernet/amazon" > \ |
171 | "$target"/etc/mkinitfs/features.d/ena.modules | 148 | "$target"/etc/mkinitfs/features.d/ena.modules |
172 | 149 | ||
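Review bot: the "Submitted upstream" link (line 169) is removed but the local `ena.modules` feature file is still written. If the referenced mkinitfs pull request landed in the mkinitfs shipped with v3.8, this file duplicates an upstream feature and can be dropped along with the comment; if it did not, the link should stay so the TODO remains visible. The change should say which of the two applies.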
@@ -310,8 +287,6 @@ main() { | |||
310 | einfo "Fetching Alpine signing keys" | 287 | einfo "Fetching Alpine signing keys" |
311 | fetch_keys "$target" | 288 | fetch_keys "$target" |
312 | 289 | ||
313 | setup_staging_repos "$target" | ||
314 | |||
315 | einfo "Installing base system" | 290 | einfo "Installing base system" |
316 | $apk add --root "$target" --update-cache --initdb alpine-base | 291 | $apk add --root "$target" --update-cache --initdb alpine-base |
317 | 292 | ||
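Review bot: removing the `setup_staging_repos "$target"` call matches the deleted function, but `apk add --root "$target" --update-cache --initdb alpine-base` at line 291 now relies on `setup_repositories` having already written the `@testing` line, and that call is not visible in this hunk; confirm it still runs before "Installing base system", and consider an `einfo "Configuring repositories"` line so the step shows up in the build log like its neighbours.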