From nobody Thu Oct 5 15:54:35 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S1bj80St4z4vs8d; Thu, 5 Oct 2023 15:54:36 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S1bj75xb2z3Lp7; Thu, 5 Oct 2023 15:54:35 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696521275; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/OF5BaPu4oFkow2QfULCArUCMuJO6YTes5KZaF+A9ZQ=; b=ECna4/I/Sasp0ncU7IN77tUZ7GOnAl/4KkFtGW5T+azfk0HQWbwg66LuMbvKELUIDXuKLW TrtCDBi3a/wyBpD0p9kWFM97W87LmH0ehSJ+qcHKkOf9TTj3M/nH8yk/dq/14UjxdcriDj 2d0XRDlMcblEFLFEh09mp/UvAPDoZ7KFLE3eofQBuQw7HfcRBCkhlb2ZS2klpj1euEraU8 5aY5H6/5JJpHESoYGxf/Z/d392amCc3vOAqoMWSsmiSCzszGsa488b+q1tYwcHzqvUHT+t kQb5ZvopFLs8DrcSOdZmuIzlUq6fMClEjQed20M/JWNf/VFM3d8oI/Jjmyweog== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696521275; a=rsa-sha256; cv=none; b=r2Q+5qVR/JNIkA5q1UKzkP54M685DPuQBib7h05I+MtjulZ8RiD2toHbl0vFD5bREkPWgs SKoo/j/G6hKsr0GkgrD/02Mq/+g24an9OpUIECxl6fbop0ZGmL/xge8k5qADmi/MW+YCIk BQ44L+JGyJQGc85gqnI9AwjKZ0oN/lqR/nc+NLF258O4BVVI/BWJI78FgsLXSzfEwJVJtz vH7/kwKFt6xHuE0zJTi2cko71tGlaSGzclU8e2gTdqaSdNyhqUB28J2udQUBqEy6e4fb5n zPDHBLytsdK2HPqPgtF/H/LhdBsgs4W0yqkNDO4sV+CGY55z5sLQgyKrgVOogw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696521275; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/OF5BaPu4oFkow2QfULCArUCMuJO6YTes5KZaF+A9ZQ=; b=M8euVWdXoISraeitMkROju6XSr01Okfl3WRH85f/F00GCXSQrrI9Ybaj6OpvRtFXXIMXXA 4Pu/G60PrvbhTlC9ivLD6Muh9RVpak6z/WF85uQLSkoi527R0jkKH2KoGX14eXAuAhXk/1 GZ1gghI0hSQZ1pmol/4C0KTEhgoAqqs59LSdzh1mJdpr0rWJs3aLTGgtBWkbSTefl1kfUj uAMC1jJMG7e0Xelam8m7h7dPOD/gd5ZcTNKPIbKYE+dAF8aOZXMBs6TDDz92c8hbSnaUWi VjfZ0i7r1O9qhzS2VdwSLLiowty5Vf8+tlElRAgkNoWwh4/04Q9w9OVoJnRg+w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S1bj752ZZz1QrK; Thu, 5 Oct 2023 15:54:35 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 395FsZ8O046763; Thu, 5 Oct 2023 15:54:35 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 395FsZMR046760; Thu, 5 Oct 2023 15:54:35 GMT (envelope-from git) Date: Thu, 5 Oct 2023 15:54:35 GMT Message-Id: <202310051554.395FsZMR046760@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Colin Percival Subject: git: a02a57f65b20 - releng/14.0 - EC2: Split off reusable configuration bits List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cperciva X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.0 X-Git-Reftype: branch X-Git-Commit: a02a57f65b200aa4a4cb6474d6f389e5d918d8f2 Auto-Submitted: auto-generated The branch releng/14.0 has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=a02a57f65b200aa4a4cb6474d6f389e5d918d8f2 commit a02a57f65b200aa4a4cb6474d6f389e5d918d8f2 Author: Colin Percival AuthorDate: 2023-09-09 00:54:11 +0000 Commit: Colin Percival CommitDate: 2023-10-05 15:54:04 +0000 EC2: Split off reusable configuration bits Split ec2-base.conf into ec2-base.conf and a reusable ec2.conf, similar to how Vagrant flavours share a common vagrant.conf. Approved by: re (gjb) Sponsored by: https://www.patreon.com/cperciva Differential Revision: https://reviews.freebsd.org/D41792 (cherry picked from commit fada6e2389fb62ff621a98fab7319e426da58b0b) (cherry picked from commit f4576ea0d5bcc26d8ffdf033cab36c651a5f0885) --- release/tools/ec2-base.conf | 161 ++++++-------------------------------------- release/tools/ec2.conf | 111 ++++++++++++++++++++++++++++++ 2 files changed, 130 insertions(+), 142 deletions(-) diff --git a/release/tools/ec2-base.conf b/release/tools/ec2-base.conf index d033739adc26..f4c46fe285cd 100644 --- a/release/tools/ec2-base.conf +++ b/release/tools/ec2-base.conf @@ -1,78 +1,36 @@ #!/bin/sh -# -# -# Packages to install into the image we're creating. This is a deliberately -# minimalist set, providing only the packages necessary to bootstrap further -# package installation as specified via EC2 user-data. -export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ec2-scripts \ - firstboot-freebsd-update firstboot-pkgs isc-dhcp44-client \ - ebsnvme-id" - -# Include the amazon-ssm-agent package in amd64 images, since some users want -# to be able to use it on systems which are not connected to the Internet. -# (It is not enabled by default, however.) This package does not exist for -# aarch64, so we have to be selective about when we install it. -if [ "${TARGET_ARCH}" = "amd64" ]; then - export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} amazon-ssm-agent" -fi - -# Set to a list of third-party software to enable in rc.conf(5). -export VM_RC_LIST="ec2_configinit ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs ntpd dev_aws_disk ec2_ephemeral_swap" +. ${WORLDDIR}/release/tools/ec2.conf -# Build with a 4.9 GB partition; the growfs rc.d script will expand -# the partition to fill the root disk after the EC2 instance is launched. -# Note that if this is set to G, we will end up with an GB disk -# image since VMSIZE is the size of the filesystem partition, not the disk -# which it resides within. -export VMSIZE=5000m +# Packages to install into the image we're creating. In addition to packages +# present on all EC2 AMIs, we install: +# * ec2-scripts, which provides a range of EC2ification startup scripts, +# * firstboot-freebsd-update, to install security updates at first boot, +# * firstboot-pkgs, to install packages at first boot, and +# * isc-dhcp44-client, used for IPv6 network setup. +export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ec2-scripts \ + firstboot-freebsd-update firstboot-pkgs isc-dhcp44-client" -# No swap space; the ec2_ephemeralswap rc.d script will allocate swap -# space on EC2 ephemeral disks. (If they exist -- the T2 low-cost instances -# and the C4 compute-optimized instances don't have ephemeral disks. But -# it would be silly to bloat the image and increase costs for every instance -# just for those two families, especially since instances ranging in size -# from 1 GB of RAM to 60 GB of RAM would need different sizes of swap space -# anyway.) -export NOSWAP=YES +# Services to enable in rc.conf(5). +export VM_RC_LIST="${VM_RC_LIST} ec2_configinit ec2_ephemeral_swap \ + ec2_fetchkey ec2_loghostkey firstboot_freebsd_update firstboot_pkgs \ + growfs sshd" vm_extra_pre_umount() { - # The firstboot_pkgs rc.d script will download the repository - # catalogue and install or update pkg when the instance first - # launches, so these files would just be replaced anyway; removing - # them from the image allows it to boot faster. - mount -t devfs devfs ${DESTDIR}/dev - chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \ - /usr/sbin/pkg delete -f -y pkg - umount ${DESTDIR}/dev - rm ${DESTDIR}/var/db/pkg/repo-*.sqlite - - # The size of the EC2 root disk can be configured at instance launch - # time; expand our filesystem to fill the disk. - echo 'growfs_enable="YES"' >> ${DESTDIR}/etc/rc.conf - - # EC2 instances use DHCP to get their network configuration. IPv6 - # requires accept_rtadv. - echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf - - # Unless the system has been configured via EC2 user-data, the user - # will need to SSH in to do anything. - echo 'sshd_enable="YES"' >> ${DESTDIR}/etc/rc.conf - # The AWS CLI tools are generally useful, and small enough that they # will download quickly; but users will often override this setting # via EC2 user-data. echo 'firstboot_pkgs_list="devel/py-awscli"' >> ${DESTDIR}/etc/rc.conf + # EC2 instances use DHCP to get their network configuration. IPv6 + # requires accept_rtadv. + echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf + # Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf echo 'rtsold_enable="YES"' >> ${DESTDIR}/etc/rc.conf echo 'rtsold_flags="-M /usr/local/libexec/rtsold-M -a"' >> ${DESTDIR}/etc/rc.conf - # Turn off IPv6 Duplicate Address Detection; the EC2 networking - # configuration makes it unnecessary. - echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf - # Provide a script which rtsold can use to launch DHCPv6 mkdir -p ${DESTDIR}/usr/local/libexec cat > ${DESTDIR}/usr/local/libexec/rtsold-M <<'EOF' @@ -82,94 +40,13 @@ vm_extra_pre_umount() { EOF chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M - # The EC2 console is output-only, so while printing a backtrace can - # be useful, there's no point dropping into a debugger or waiting - # for a keypress. - echo 'debug.trace_on_panic=1' >> ${DESTDIR}/boot/loader.conf - echo 'debug.debugger_on_panic=0' >> ${DESTDIR}/boot/loader.conf - echo 'kern.panic_reboot_wait_time=0' >> ${DESTDIR}/boot/loader.conf - - # The console is not interactive, so we might as well boot quickly. - echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf - echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf - - # Tell gptboot not to wait 3 seconds for a keypress which won't - # arrive either. - printf -- "-n\n" > ${DESTDIR}/boot.config - - # The emulated keyboard attached to EC2 instances is inaccessible to - # users, and there is no mouse attached at all; disable to keyboard - # and the keyboard controller (to which the mouse would attach, if - # one existed) in order to save time in device probing. - echo 'hint.atkbd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf - echo 'hint.atkbdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf - - # EC2 has two consoles: An emulated serial port ("system log"), - # which has been present since 2006; and a VGA console ("instance - # screenshot") which was introduced in 2016. - echo 'boot_multicons="YES"' >> ${DESTDIR}/boot/loader.conf - - # Some older EC2 hardware used a version of Xen with a bug in its - # emulated serial port. It is not clear if EC2 still has any such - # nodes, but apply the workaround just in case. - echo 'hw.broken_txfifo="1"' >> ${DESTDIR}/boot/loader.conf - - # Load the kernel module for the Amazon "Elastic Network Adapter" - echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf - - # Use the "nda" driver for accessing NVMe disks rather than the - # historical "nvd" driver. - echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf - - # Disable KbdInteractiveAuthentication according to EC2 requirements. - sed -i '' -e \ - 's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \ - ${DESTDIR}/etc/ssh/sshd_config - - # Use FreeBSD Update mirrors hosted in AWS - sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \ - ${DESTDIR}/etc/freebsd-update.conf - - # Use the NTP service provided by Amazon - sed -i '' -e 's/^pool/#pool/' \ - -e '1,/^#server/s/^#server.*/server 169.254.169.123 iburst/' \ - ${DESTDIR}/etc/ntp.conf - - # Provide a map for accessing Elastic File System mounts - cat > ${DESTDIR}/etc/autofs/special_efs <<'EOF' -#!/bin/sh - -if [ $# -eq 0 ]; then - # No way to know which EFS filesystems exist and are - # accessible to this EC2 instance. - exit 0 -fi - -# Provide instructions on how to mount the requested filesystem. -FS=$1 -REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 's/[a-z]$//'` -echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/" -EOF - chmod 755 ${DESTDIR}/etc/autofs/special_efs - - # The first time the AMI boots, the installed "first boot" scripts - # should be allowed to run: - # * ec2_configinit (download and process EC2 user-data) - # * ec2_fetchkey (arrange for SSH using the EC2-provided public key) - # * growfs (expand the filesystem to fill the provided disk) - # * firstboot_freebsd_update (install critical updates) - # * firstboot_pkgs (install packages) - touch ${DESTDIR}/firstboot - # Any EC2 ephemeral disks seen when the system first boots will # be "new" disks; there is no "previous boot" when they might have # been seen and used already. touch ${DESTDIR}/var/db/ec2_ephemeral_diskseen - if ! [ -z "${QEMUSTATIC}" ]; then - rm -f ${DESTDIR}/${EMULATOR} - fi - rm -f ${DESTDIR}/etc/resolv.conf + # Configuration common to all EC2 AMIs + ec2_common return 0 } diff --git a/release/tools/ec2.conf b/release/tools/ec2.conf new file mode 100644 index 000000000000..a233bf5981c1 --- /dev/null +++ b/release/tools/ec2.conf @@ -0,0 +1,111 @@ +#!/bin/sh + +# Packages which should be installed onto all EC2 AMIs: +# * ebsnvme-id, which is very minimal and provides important EBS-specific +# functionality, +# * amazon-ssm-agent (not enabled by default, but some users need to use +# it on systems not connected to the internet). +export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ebsnvme-id amazon-ssm-agent" + +# Services which should be enabled by default in rc.conf(5). +export VM_RC_LIST="dev_aws_disk ntpd" + +# Build with a 4.9 GB partition; the growfs rc.d script will expand +# the partition to fill the root disk after the EC2 instance is launched. +# Note that if this is set to G, we will end up with an GB disk +# image since VMSIZE is the size of the filesystem partition, not the disk +# which it resides within. +export VMSIZE=5000m + +# No swap space; it doesn't make sense to provision any as part of the disk +# image when we could be launching onto a system with anywhere between 0.5 +# and 4096 GB of RAM. +export NOSWAP=YES + +ec2_common() { + # Delete the pkg package and the repo database; they will likely be + # long out of date before the EC2 instance is launched. + mount -t devfs devfs ${DESTDIR}/dev + chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \ + /usr/sbin/pkg delete -f -y pkg + umount ${DESTDIR}/dev + rm ${DESTDIR}/var/db/pkg/repo-*.sqlite + + # Turn off IPv6 Duplicate Address Detection; the EC2 networking + # configuration makes it unnecessary. + echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf + + # Booting quickly is more important than giving users a chance to + # access the boot loader via the serial port. + echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf + echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf + + # Tell gptboot not to wait 3 seconds for a keypress which will + # never arrive. + printf -- "-n\n" > ${DESTDIR}/boot.config + + # The emulated keyboard attached to EC2 instances is inaccessible to + # users, and there is no mouse attached at all; disable to keyboard + # and the keyboard controller (to which the mouse would attach, if + # one existed) in order to save time in device probing. + echo 'hint.atkbd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf + echo 'hint.atkbdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf + + # EC2 has two consoles: An emulated serial port ("system log"), + # which has been present since 2006; and a VGA console ("instance + # screenshot") which was introduced in 2016. + echo 'boot_multicons="YES"' >> ${DESTDIR}/boot/loader.conf + + # Some older EC2 hardware used a version of Xen with a bug in its + # emulated serial port. It is not clear if EC2 still has any such + # nodes, but apply the workaround just in case. + echo 'hw.broken_txfifo="1"' >> ${DESTDIR}/boot/loader.conf + + # Load the kernel module for the Amazon "Elastic Network Adapter" + echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf + + # Use the "nda" driver for accessing NVMe disks rather than the + # historical "nvd" driver. + echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf + + # Disable KbdInteractiveAuthentication according to EC2 requirements. + sed -i '' -e \ + 's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \ + ${DESTDIR}/etc/ssh/sshd_config + + # Use FreeBSD Update mirrors hosted in AWS + sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \ + ${DESTDIR}/etc/freebsd-update.conf + + # Use the NTP service provided by Amazon + sed -i '' -e 's/^pool/#pool/' \ + -e '1,/^#server/s/^#server.*/server 169.254.169.123 iburst/' \ + ${DESTDIR}/etc/ntp.conf + + # Provide a map for accessing Elastic File System mounts + cat > ${DESTDIR}/etc/autofs/special_efs <<'EOF' +#!/bin/sh + +if [ $# -eq 0 ]; then + # No way to know which EFS filesystems exist and are + # accessible to this EC2 instance. + exit 0 +fi + +# Provide instructions on how to mount the requested filesystem. +FS=$1 +REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 's/[a-z]$//'` +echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/" +EOF + chmod 755 ${DESTDIR}/etc/autofs/special_efs + + # The first time the AMI boots, run "first boot" scripts. + touch ${DESTDIR}/firstboot + + if ! [ -z "${QEMUSTATIC}" ]; then + rm -f ${DESTDIR}/${EMULATOR} + fi + rm -f ${DESTDIR}/etc/resolv.conf + + return 0 +}