* switch to alpine v3.8
* add public_ip variable, setting to 'true' allows packer to build from outside AWS * use smallest instance_type (t2.nano) and volume_size (1 GiB) * eu-west-3 region is live; ap-northeast-3 requires subscription * no longer need setup_staging_repos function... + tiny-ec2-bootstrap is available in main since v3.8 + aws-ena-driver-vanilla is only available in edge/testing * switched to linux-vanilla since linux-hardened is no longer available and linux-virt does not have NVME available + TODO? make kernel choice selectable (significant memory/disk savings linux-virt can be used)
This commit is contained in:
parent
27bcd4a05e
commit
836d9a3e7e
@ -50,11 +50,9 @@ its development and thus there are some sharp edges.
|
|||
hardware so it seems unlikely that they will be supported going forward. Thus
|
||||
this project does not support them.
|
||||
|
||||
- Not all packages required have been merged into the upstream aports tree.
|
||||
When they are they will still only be available on edge. Until then the image
|
||||
sources a few packages from a testing repo managed by the owner of this
|
||||
repository. The builds in this repository should be identical to what is
|
||||
eventually merged into the official tree.
|
||||
- The aws-ena-driver-vanilla package is still in edge/testing. When it is
|
||||
available in a release, the edge/testing repository can be removed from
|
||||
/etc/apk/repositories.
|
||||
|
||||
- [cloud-init](https://cloudinit.readthedocs.io/en/latest/) is not currently
|
||||
supported on Alpine Linux. Instead this image uses
|
||||
|
|
|
@ -1,17 +1,18 @@
|
|||
variables:
|
||||
security_group: ""
|
||||
subnet: ""
|
||||
public_ip: "false"
|
||||
|
||||
# Treat this similar to a ABUILD pkgrel variable and increment with every
|
||||
# release. Packer will notice an exiting AMI at build start and fail unless
|
||||
# it is rmoved. To prevent a period of time where no Alpine AMI exists,
|
||||
# create a new variant. Old AMIs should be pruned at some point.
|
||||
ami_release: "2"
|
||||
ami_release: "0"
|
||||
|
||||
# Overriding this requires validating that the installation script still
|
||||
# works as expected. It probably does but stuff changes between major
|
||||
# version.
|
||||
alpine_release: "3.7"
|
||||
alpine_release: "3.8"
|
||||
|
||||
# Don't override this without a good reason and if you do just make sure it
|
||||
# gets passed all the way through to the make_ami script
|
||||
|
@ -26,17 +27,18 @@ builders:
|
|||
subnet_id: "{{user `subnet`}}"
|
||||
|
||||
# Input Instance Setting
|
||||
instance_type: "t2.micro"
|
||||
instance_type: "t2.nano"
|
||||
launch_block_device_mappings:
|
||||
- volume_type: "gp2"
|
||||
device_name: "{{user `volume_name`}}"
|
||||
delete_on_termination: true
|
||||
volume_size: 5
|
||||
volume_size: 1
|
||||
associate_public_ip_address: "{{user `public_ip`}}"
|
||||
|
||||
# Output AMI Settings
|
||||
ena_support: true
|
||||
ami_name: "Alpine-{{user `alpine_release`}}-r{{user `ami_release`}}-Hardened-EC2"
|
||||
ami_description: "Alpine Linux {{user `alpine_release`}}-r{{user `ami_release`}} Release with Hardened Kernel and EC2 Optimizations"
|
||||
ami_name: "Alpine-{{user `alpine_release`}}-r{{user `ami_release`}}-EC2"
|
||||
ami_description: "Alpine Linux {{user `alpine_release`}}-r{{user `ami_release`}} Release with EC2 Optimizations"
|
||||
ami_groups:
|
||||
- "all"
|
||||
ami_virtualization_type: "hvm"
|
||||
|
@ -49,9 +51,10 @@ builders:
|
|||
- eu-central-1
|
||||
- eu-west-1
|
||||
- eu-west-2
|
||||
# - eu-west-3
|
||||
- eu-west-3
|
||||
- ap-northeast-1
|
||||
- ap-northeast-2
|
||||
# - ap-northeast-3
|
||||
- ap-southeast-1
|
||||
- ap-southeast-2
|
||||
- ap-south-1
|
||||
|
@ -60,7 +63,7 @@ builders:
|
|||
source_device_name: "{{user `volume_name`}}"
|
||||
device_name: "/dev/xvda"
|
||||
delete_on_termination: true
|
||||
volume_size: 5
|
||||
volume_size: 1
|
||||
volume_type: "gp2"
|
||||
|
||||
# Use the most recent Amazon Linux AMI as our base
|
||||
|
|
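Review bot: The new `public_ip` variable is declared without any comment, yet setting it to "true" gives the build instance a public address, so whatever the `security_group` variable permits on the SSH port — or, when it is left empty, Packer's own temporary security group, which as far as I recall admits SSH from any source — is reachable from the internet for the whole build. A comment above `public_ip: "false"` such as `# "true" only when running packer from outside the build VPC; the instance then gets a public address, so pair it with a restrictive security_group` would make that trade-off visible to whoever flips it. The reset of `ami_release` to "0" is tied to the `alpine_release` bump only by the commit message; the existing comment above `ami_release` could add one line saying it restarts at 0 for each new `alpine_release`. That comment also reads "exiting" and "rmoved" where "existing" and "removed" are meant, though those lines are unchanged by this commit.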
47
make_ami.sh
47
make_ami.sh
|
@ -3,11 +3,11 @@
|
|||
|
||||
set -eu
|
||||
|
||||
: ${ALPINE_RELEASE:="3.7"} # not tested against edge
|
||||
: ${APK_TOOLS_URI:="https://github.com/alpinelinux/apk-tools/releases/download/v2.8.0/apk-tools-2.8.0-x86_64-linux.tar.gz"}
|
||||
: ${APK_TOOLS_SHA256:="da21cefd2121e3a6cd4e8742b38118b2a1132aad7f707646ee946a6b32ee6df9"}
|
||||
: ${ALPINE_KEYS:="http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/alpine-keys-2.1-r1.apk"}
|
||||
: ${ALPINE_KEYS_SHA256:="7b2d1e9a00324c8eee49785dc22355be02534201e77473ba9762027e1a475cc7"}
|
||||
: ${ALPINE_RELEASE:="3.8"} # not tested against edge
|
||||
: ${APK_TOOLS_URI:="https://github.com/alpinelinux/apk-tools/releases/download/v2.10.0/apk-tools-2.10.0-x86_64-linux.tar.gz"}
|
||||
: ${APK_TOOLS_SHA256:="77f2d256fcd5d6fdafadf43bb6a9c85c3da7bb471ee842dcd729175235cb9fed"}
|
||||
: ${ALPINE_KEYS:="http://dl-cdn.alpinelinux.org/alpine/v3.8/main/x86_64/alpine-keys-2.1-r1.apk"}
|
||||
: ${ALPINE_KEYS_SHA256:="f7832b848cedca482b145011cf516e82392f02a10713875cb09f39c7221c6f17"}
|
||||
|
||||
die() {
|
||||
printf '\033[1;31mERROR:\033[0m %s\n' "$@" >&2 # bold red
|
||||
|
@ -73,34 +73,12 @@ make_filesystem() {
|
|||
setup_repositories() {
|
||||
local target="$1" # target directory
|
||||
|
||||
# NOTE: we only need @testing for aws-ena-driver-vanilla, this can be removed if/when released
|
||||
mkdir -p "$target"/etc/apk/keys
|
||||
cat > "$target"/etc/apk/repositories <<-EOF
|
||||
http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/main
|
||||
http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/community
|
||||
EOF
|
||||
}
|
||||
|
||||
# This is mostly a temporary measure because some required packages have not
|
||||
# yet been accepted upstream. This can be removed when the following pull
|
||||
# requests are merged:
|
||||
#
|
||||
# - https://github.com/alpinelinux/aports/pull/2962
|
||||
# - https://github.com/alpinelinux/aports/pull/2961
|
||||
setup_staging_repos() {
|
||||
local target="$1" # target directory
|
||||
|
||||
echo "https://mcrute-build-artifacts.s3.us-west-2.amazonaws.com/alpine-packages/$ALPINE_RELEASE/testing" >> "$target"/etc/apk/repositories
|
||||
|
||||
cat > "$target"/etc/apk/keys/mcrute-5a3eecec.rsa.pub <<-EOF
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fW5dyTqgs9Yf93xKn5U
|
||||
cYzY9t//M3TAaiDWH7rFxqBqTGnVGkP9QAGqsbXyoo/JpIalazkOfm/1L+XaK7NI
|
||||
IUD/8KxfrnBW53cc/KOkPcGAga36aTBz/HmLQQvjWcizPxWepjdfvAnRTMV69Oud
|
||||
zaRPGKx8nCRqLy1YFAEXn+zpHRh+OHCzzQFlkJop+2PCXqDFaMWC7+oWwrqFs1i0
|
||||
CXc4pq5oT6vAQyt6pUwN85sLVxtxXSt5G5ALYzQtaIj7IAR3jGlwU26wOAv5YP7z
|
||||
xn/Z1ebQsPbAl3rw48v2T2ohPEX2TUtUq4OuwOG+z1pi3woIGOlOFVAP3k6lm8Z9
|
||||
9QIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing
|
||||
EOF
|
||||
}
|
||||
|
||||
|
@ -131,19 +109,19 @@ install_core_packages() {
|
|||
# Most from: https://git.alpinelinux.org/cgit/alpine-iso/tree/alpine-virt.packages
|
||||
#
|
||||
# acct - installed by some configurations, so added here
|
||||
# aws-ena-driver-hardened - required for ENA enabled instances
|
||||
# aws-ena-driver-vanilla - required for ENA enabled instances (still in edge/testing)
|
||||
# e2fsprogs - required by init scripts to maintain ext4 volumes
|
||||
# linux-hardened - can't use virthardened because it's missing NVME support
|
||||
# linux-vanilla - can't use virt because it's missing NVME support
|
||||
# mkinitfs - required to build custom initfs
|
||||
# sudo - to allow alpine user to become root, disallow root SSH logins
|
||||
# tiny-ec2-bootstrap - to bootstrap system from EC2 metadata
|
||||
chroot "$target" apk --no-cache add \
|
||||
acct \
|
||||
alpine-mirrors \
|
||||
aws-ena-driver-hardened \
|
||||
aws-ena-driver-vanilla@testing \
|
||||
chrony \
|
||||
e2fsprogs \
|
||||
linux-hardened \
|
||||
linux-vanilla \
|
||||
mkinitfs \
|
||||
openssh \
|
||||
sudo \
|
||||
|
@ -166,7 +144,6 @@ create_initfs() {
|
|||
local target="$1"
|
||||
|
||||
# Create ENA feature for mkinitfs
|
||||
# Submitted upstream: https://github.com/alpinelinux/mkinitfs/pull/19
|
||||
echo "kernel/drivers/net/ethernet/amazon" > \
|
||||
"$target"/etc/mkinitfs/features.d/ena.modules
|
||||
|
||||
|
@ -310,8 +287,6 @@ main() {
|
|||
einfo "Fetching Alpine signing keys"
|
||||
fetch_keys "$target"
|
||||
|
||||
setup_staging_repos "$target"
|
||||
|
||||
einfo "Installing base system"
|
||||
$apk add --root "$target" --update-cache --initdb alpine-base
|
||||
|
||||
|
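Review bot: `setup_repositories` now writes `@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing` next to the v3.8 main/community lines, and since `$target` is the root that becomes the AMI, that repositories file ships with every instance rather than being used only at build time. The tag keeps the repo out of untagged `apk add`/`apk upgrade`, so the remaining concern is the one-off `aws-ena-driver-vanilla@testing` install in `install_core_packages`: an out-of-tree kernel module built on edge is presumably built against edge's `linux-vanilla`, so it is worth confirming apk resolves it against the 3.8 kernel installed here rather than pulling edge's kernel alongside. The NOTE line added above `mkdir -p` could record both facts, e.g. `# NOTE: @testing is only for aws-ena-driver-vanilla; the line ends up in the AMI's /etc/apk/repositories and should be dropped (with the @testing suffix in install_core_packages) once the driver reaches a release`. The `ALPINE_KEYS` bump in the first hunk still fetches over plain http, which is acceptable only because `ALPINE_KEYS_SHA256` is pinned next to it; a short comment saying so, e.g. `# http is fine here: the download is verified against ALPINE_KEYS_SHA256 below`, would stop someone from dropping the pin later.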