From 836d9a3e7ef0b664f2b33fc65bb5315b901dfe2e Mon Sep 17 00:00:00 2001
From: Jake Buchholz
Date: Sat, 28 Jul 2018 18:28:29 -0700
Subject: * switch to alpine v3.8
* add public_ip variable, setting to 'true' allows packer to build from outside AWS
* use smallest instance_type (t2.nano) and volume_size (1 GiB)
* eu-west-3 region is live; ap-northeast-3 requires subscription
* no longer need setup_staging_repos function...
+ tiny-ec2-bootstrap is available in main since v3.8
+ aws-ena-driver-vanilla is only available in edge/testing
* switched to linux-vanilla since linux-hardened is no longer available and linux-virt does not have NVME available
+ TODO? make kernel choice selectable (significant memory/disk savings linux-virt can be used)
---
 README.md | 8 +++-----
 alpine-ami.yaml | 19 +++++++++++--------
 make_ami.sh | 47 +++++++++++------------------------------------
 3 files changed, 25 insertions(+), 49 deletions(-)
diff --git a/README.md b/README.md
index e00891b..5740f5c 100644
--- a/README.md
+++ b/README.md
@@ -50,11 +50,9 @@ its development and thus there are some sharp edges.
 hardware so it seems unlikely that they will be supported going forward.
 Thus this project does not support them.
-- Not all packages required have been merged into the upstream aports tree.
- When they are they will still only be available on edge. Until then the image
- sources a few packages from a testing repo managed by the owner of this
- repository. The builds in this repository should be identical to what is
- eventually merged into the official tree.
+- The aws-ena-driver-vanilla package is still in edge/testing. When it is
+ available in a release, the edge/testing repository can be removed from
+ /etc/apk/repositories.
 - [cloud-init](https://cloudinit.readthedocs.io/en/latest/) is not currently
 supported on Alpine Linux. Instead this image uses
diff --git a/alpine-ami.yaml b/alpine-ami.yaml
index 9cf221e..af97e49 100644
--- a/alpine-ami.yaml
+++ b/alpine-ami.yaml
@@ -1,17 +1,18 @@
 variables:
 security_group: ""
 subnet: ""
+ public_ip: "false"
 # Treat this similar to a ABUILD pkgrel variable and increment with every
 # release. Packer will notice an exiting AMI at build start and fail unless
 # it is rmoved. To prevent a period of time where no Alpine AMI exists,
 # create a new variant. Old AMIs should be pruned at some point.
- ami_release: "2"
+ ami_release: "0"
 # Overriding this requires validating that the installation script still
 # works as expected. It probably does but stuff changes between major
 # version.
- alpine_release: "3.7"
+ alpine_release: "3.8"
 # Don't override this without a good reason and if you do just make sure it
 # gets passed all the way through to the make_ami script
@@ -26,17 +27,18 @@ builders:
 subnet_id: "{{user `subnet`}}"
 # Input Instance Setting
- instance_type: "t2.micro"
+ instance_type: "t2.nano"
 launch_block_device_mappings:
 - volume_type: "gp2"
 device_name: "{{user `volume_name`}}"
 delete_on_termination: true
- volume_size: 5
+ volume_size: 1
+ associate_public_ip_address: "{{user `public_ip`}}"
 # Output AMI Settings
 ena_support: true
- ami_name: "Alpine-{{user `alpine_release`}}-r{{user `ami_release`}}-Hardened-EC2"
- ami_description: "Alpine Linux {{user `alpine_release`}}-r{{user `ami_release`}} Release with Hardened Kernel and EC2 Optimizations"
+ ami_name: "Alpine-{{user `alpine_release`}}-r{{user `ami_release`}}-EC2"
+ ami_description: "Alpine Linux {{user `alpine_release`}}-r{{user `ami_release`}} Release with EC2 Optimizations"
 ami_groups:
 - "all"
 ami_virtualization_type: "hvm"
@@ -49,9 +51,10 @@ builders:
 - eu-central-1
 - eu-west-1
 - eu-west-2
-# - eu-west-3
+ - eu-west-3
 - ap-northeast-1
 - ap-northeast-2
+# - ap-northeast-3
 - ap-southeast-1
 - ap-southeast-2
 - ap-south-1
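Review bot: The new `public_ip` variable is the only entry in the `variables:` block without a comment, although its neighbours each explain when they may be overridden, and this one widens the build instance's exposure: with `"true"` the Packer builder gets a public address and its SSH port becomes reachable from wherever `security_group` allows. A comment above it such as `# Set to "true" to build from outside AWS. The build instance then gets a public IP, so make sure security_group limits SSH ingress to your source address.` would record that trade-off next to the knob. Note also that `associate_public_ip_address` is a boolean builder setting while the variable is the string `"false"`; Packer appears to coerce user-variable strings for such fields, but it is worth confirming that `"false"` is not read as a non-empty, truthy value.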
@@ -60,7 +63,7 @@ builders:
 source_device_name: "{{user `volume_name`}}"
 device_name: "/dev/xvda"
 delete_on_termination: true
- volume_size: 5
+ volume_size: 1
 volume_type: "gp2"
 # Use the most recent Amazon Linux AMI as our base
diff --git a/make_ami.sh b/make_ami.sh
index ec89fb7..c85c160 100755
--- a/make_ami.sh
+++ b/make_ami.sh
@@ -3,11 +3,11 @@ set -eu
-: ${ALPINE_RELEASE:="3.7"} # not tested against edge
-: ${APK_TOOLS_URI:="https://github.com/alpinelinux/apk-tools/releases/download/v2.8.0/apk-tools-2.8.0-x86_64-linux.tar.gz"}
-: ${APK_TOOLS_SHA256:="da21cefd2121e3a6cd4e8742b38118b2a1132aad7f707646ee946a6b32ee6df9"}
-: ${ALPINE_KEYS:="http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/alpine-keys-2.1-r1.apk"}
-: ${ALPINE_KEYS_SHA256:="7b2d1e9a00324c8eee49785dc22355be02534201e77473ba9762027e1a475cc7"}
+: ${ALPINE_RELEASE:="3.8"} # not tested against edge
+: ${APK_TOOLS_URI:="https://github.com/alpinelinux/apk-tools/releases/download/v2.10.0/apk-tools-2.10.0-x86_64-linux.tar.gz"}
+: ${APK_TOOLS_SHA256:="77f2d256fcd5d6fdafadf43bb6a9c85c3da7bb471ee842dcd729175235cb9fed"}
+: ${ALPINE_KEYS:="http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/alpine-keys-2.1-r1.apk"}
+: ${ALPINE_KEYS_SHA256:="f7832b848cedca482b145011cf516e82392f02a10713875cb09f39c7221c6f17"}
 die() {
 printf '\033[1;31mERROR:\033[0m %s\n' "$@" >&2 # bold red
@@ -73,34 +73,12 @@ make_filesystem() {
 setup_repositories() {
 local target="$1" # target directory
+ # NOTE: we only need @testing for aws-ena-driver-vanilla, this can be removed if/when released
 mkdir -p "$target"/etc/apk/keys
 cat > "$target"/etc/apk/repositories <<-EOF
 http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/main
 http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/community
- EOF
-}
-
-# This is mostly a temporary measure because some required packages have not
-# yet been accepted upstream. This can be removed when the following pull
-# requests are merged:
-#
-# - https://github.com/alpinelinux/aports/pull/2962
-# - https://github.com/alpinelinux/aports/pull/2961
-setup_staging_repos() {
- local target="$1" # target directory
-
- echo "https://mcrute-build-artifacts.s3.us-west-2.amazonaws.com/alpine-packages/$ALPINE_RELEASE/testing" >> "$target"/etc/apk/repositories
-
- cat > "$target"/etc/apk/keys/mcrute-5a3eecec.rsa.pub <<-EOF
- -----BEGIN PUBLIC KEY-----
- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fW5dyTqgs9Yf93xKn5U
- cYzY9t//M3TAaiDWH7rFxqBqTGnVGkP9QAGqsbXyoo/JpIalazkOfm/1L+XaK7NI
- IUD/8KxfrnBW53cc/KOkPcGAga36aTBz/HmLQQvjWcizPxWepjdfvAnRTMV69Oud
- zaRPGKx8nCRqLy1YFAEXn+zpHRh+OHCzzQFlkJop+2PCXqDFaMWC7+oWwrqFs1i0
- CXc4pq5oT6vAQyt6pUwN85sLVxtxXSt5G5ALYzQtaIj7IAR3jGlwU26wOAv5YP7z
- xn/Z1ebQsPbAl3rw48v2T2ohPEX2TUtUq4OuwOG+z1pi3woIGOlOFVAP3k6lm8Z9
- 9QIDAQAB
- -----END PUBLIC KEY-----
+ @testing http://dl-cdn.alpinelinux.org/alpine/edge/testing
 EOF
 }
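Review bot: The `@testing` line is written into the image's persistent `/etc/apk/repositories`, so it is not just a build-time source: every instance launched from the AMI keeps edge/testing enabled, and because the driver is installed as `aws-ena-driver-vanilla@testing`, later `apk upgrade` runs on those instances will presumably keep pulling that package from edge rather than from v3.8. The tag does confine the repository to explicitly tagged packages, which is the right mitigation, but the NOTE should say so and name the instance-side effect, e.g. `# NOTE: @testing is only needed for aws-ena-driver-vanilla. The tag keeps every other package on v$ALPINE_RELEASE, but the line persists in the AMI and is consulted by apk upgrade; drop it once the driver is in a release.` If the intent is instead to ship a clean repositories file, the line would have to be removed after install_core_packages has run, which is a decision for main() rather than this function.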
@@ -131,19 +109,19 @@ install_core_packages() {
 # Most from: https://git.alpinelinux.org/cgit/alpine-iso/tree/alpine-virt.packages
 #
 # acct - installed by some configurations, so added here
- # aws-ena-driver-hardened - required for ENA enabled instances
+ # aws-ena-driver-vanilla - required for ENA enabled instances (still in edge/testing)
 # e2fsprogs - required by init scripts to maintain ext4 volumes
- # linux-hardened - can't use virthardened because it's missing NVME support
+ # linux-vanilla - can't use virt because it's missing NVME support
 # mkinitfs - required to build custom initfs
 # sudo - to allow alpine user to become root, disallow root SSH logins
 # tiny-ec2-bootstrap - to bootstrap system from EC2 metadata
 chroot "$target" apk --no-cache add \
 acct \
 alpine-mirrors \
- aws-ena-driver-hardened \
+ aws-ena-driver-vanilla@testing \
 chrony \
 e2fsprogs \
- linux-hardened \
+ linux-vanilla \
 mkinitfs \
 openssh \
 sudo \
@@ -166,7 +144,6 @@ create_initfs() {
 local target="$1"
 # Create ENA feature for mkinitfs
- # Submitted upstream: https://github.com/alpinelinux/mkinitfs/pull/19
 echo "kernel/drivers/net/ethernet/amazon" > \
 "$target"/etc/mkinitfs/features.d/ena.modules
@@ -310,8 +287,6 @@ main() {
 einfo "Fetching Alpine signing keys"
 fetch_keys "$target"
- setup_staging_repos "$target"
-
 einfo "Installing base system"
 $apk add --root "$target" --update-cache --initdb alpine-base
--
cgit v1.2.3
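Review bot: The kernel and ENA driver are hard-coded as a matched pair (`linux-vanilla` and `aws-ena-driver-vanilla@testing`) even though the commit message lists making the flavour selectable as a TODO, and the `# linux-vanilla` comment records only why virt was rejected, not that the hardened kernel the image previously shipped is gone. A `: ${KERNEL_FLAVOR:="vanilla"}` default next to the other overridable variables at the top of the script, with `linux-$KERNEL_FLAVOR \` and `aws-ena-driver-$KERNEL_FLAVOR@testing \` here, would make that switch a one-variable change — subject to an ENA driver package existing for the chosen flavour, which this hunk does not show. The driver comment should also explain the tag so a reader does not take it for a typo, e.g. `# aws-ena-driver-vanilla - required for ENA enabled instances; @testing pins it to edge/testing until it lands in a release`. install_core_packages() opens in the hunk header and its package list continues past the hunk.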