PR updates

* README.md
  + update list of modern instance types
  + add caveat regarding linux-vanilla vs. linux-virt
* alpine-ami.yaml
  + build instance type is always t3.nano
  + block device where we build is always /dev/xvdf
  + add optional AMI encryption
  + always enable AMI SR-IOV flag (vanilla & virt both have the necessary driver)
  + no need to pass volume_name to make_ami.sh
* make_ami.sh
  + replace hard tabs with 4 spaces
  + always set up edge repositories
  + no need to add mkinitfs package, it's a dependency of linux-*
  + fix update of /etc/inittab
  + fix configuration of NTP
  + declare local vars in main()
  + device is always /dev/xvdf
* variables.json-default/example
  + improve comment for kernel_flavor
  + default add_repos is now empty
  + remove acct & e2fsprogs-extra from add_pkgs
  + add optional AMI encryption
  + remove sriov_enable, build_instance_type, and volume_name vars

README.md

@@ -8,8 +8,8 @@ containing Alpine Linux. The AMI is designed to work with most EC2 features
 such as Elastic Network Adapters and NVME EBS volumes by default. If anything
 is missing please report a bug.
 
-This image can be launched on any modern instance type. Including T2, M5, C5,
+This image can be launched on any modern instance type, including T3, M5, C5,
-I3, R4, P2, P3, X1, X1e, D2. Other instances may also work but have not been
+I3, R5, P3, X1, X1e, D2, Z1d. Other instances may also work but have not been
 tested. If you find an issue with instance support for any current generation
 instance please file a bug against this project.
 
@@ -50,10 +50,15 @@ its development and thus there are some sharp edges.
   hardware so it seems unlikely that they will be supported going forward. Thus
   this project does not support them.
 
+- The linux-vanilla kernel all the linux-firmware packages it installs is much
+  larger than is necessary for an AMI designed to run on EC2.  Unfortunately,
+  the linux-virt kernel is currently missing NVMe support, which is required for
+  the newest generation of instance families.
+
 - The aws-ena-driver-vanilla package is still in edge/testing, and requires the
   matching linux-vanilla package from edge/main.  When ENA is available in an
-  alpine version release, edge/testing and edge/main should no longer be
+  alpine version release (ideally with a 'virt' kernel flavor), edge/testing
-  necessary.
+  and edge/main should no longer be necessary.
 
 - [cloud-init](https://cloudinit.readthedocs.io/en/latest/) is not currently
   supported on Alpine Linux. Instead this image uses

alpine-ami.yaml

@@ -1,6 +1,6 @@
 variables:
 
-  # NOTE:  Additional configuration is set via the `variables.json` file.
+  # NOTE:  Configuration is done with a `variables.json` file.
   # To use default values, simply `cp variables.json-default variables.json`.
   # See `variables.json-example` for full configuration variable descriptions.
 
@@ -17,11 +17,11 @@ builders:
     vpc_id: "{{user `vpc`}}"
     subnet_id: "{{user `subnet`}}"
     security_group_id: "{{user `security_group`}}"
-    instance_type: "{{user `build_instance_type`}}"
+    instance_type: "t3.nano"
     associate_public_ip_address: "{{user `public_ip`}}"
     launch_block_device_mappings:
       - volume_type: "gp2"
-        device_name: "{{user `volume_name`}}"
+        device_name: "/dev/xvdf"
         delete_on_termination: "true"
         volume_size: "{{user `volume_size`}}"
     ssh_username: "ec2-user"
@@ -42,13 +42,14 @@ builders:
     ami_description: "{{user `ami_desc_prefix`}}{{user `alpine_release`}}-r{{user `ami_release`}}{{user `ami_desc_suffix`}}"
     ami_virtualization_type: "hvm"
     ami_root_device:
-      source_device_name: "{{user `volume_name`}}"
+      source_device_name: "/dev/xvdf"
       device_name: "/dev/xvda"
       delete_on_termination: "true"
       volume_size: "{{user `volume_size`}}"
       volume_type: "gp2"
+    encrypt_boot: "{{user `encrypt_ami`}}"
     ena_support: "{{user `ena_enable`}}"
-    sriov_support: "{{user `sriov_enable`}}"
+    sriov_support: "true"
     ami_groups: "{{user `ami_access`}}"
     ami_regions: "{{user `deploy_regions`}}"
 
@@ -56,4 +57,4 @@ builders:
 provisioners:
   - type: "shell"
     script: "make_ami.sh"
-    execute_command: 'sudo sh -c "{{ .Vars }} {{ .Path }} {{user `volume_name`}} {{user `kernel_flavor`}} ''{{user `add_repos`}}'' ''{{user `add_pkgs`}}''"'
+    execute_command: 'sudo sh -c "{{ .Vars }} {{ .Path }} {{user `kernel_flavor`}} ''{{user `add_repos`}}'' ''{{user `add_pkgs`}}''"'

make_ami.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# vim: set ts=4 noet:
+# vim: set ts=4 et:
 
 set -eu
 
@@ -75,9 +75,12 @@ setup_repositories() {
     local add_repos="$2"  # extra repo lines, comma separated
 
     mkdir -p "$target"/etc/apk/keys
-	cat > "$target"/etc/apk/repositories <<-EOF
+    cat > "$target"/etc/apk/repositories <<EOF
 http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/main
 http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/community
+@edge-main http://dl-cdn.alpinelinux.org/alpine/edge/main
+@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community
+@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing
 EOF
     echo "$add_repos" | tr , "\012" >> "$target"/etc/apk/repositories
 }
@@ -110,17 +113,14 @@ install_core_packages() {
 
     # Most from: https://git.alpinelinux.org/cgit/alpine-iso/tree/alpine-virt.packages
     #
-	# linux-$flavor - linux kernel flavor to install
-	# e2fsprogs - required by init scripts to maintain ext4 volumes
-	# mkinitfs - required to build custom initfs
     # sudo - to allow alpine user to become root, disallow root SSH logins
     # tiny-ec2-bootstrap - to bootstrap system from EC2 metadata
+    #
     chroot "$target" apk --no-cache add \
         linux-"$flavor" \
         alpine-mirrors \
         chrony \
         e2fsprogs \
-		mkinitfs \
         openssh \
         sudo \
         tiny-ec2-bootstrap \
@@ -132,7 +132,8 @@ install_core_packages() {
     # Disable starting getty for physical ttys because they're all inaccessible
     # anyhow. With this configuration boot messages will still display in the
     # EC2 console.
-	sed -Ei '/^tty\d/s/^/#/' "$target"/etc/inittab
+    sed -Ei '/^tty[0-9]/s/^/#/' \
+        "$target"/etc/inittab
 
     # Make it a little more obvious who is logged in by adding username to the
     # prompt
@@ -187,7 +188,7 @@ install_extlinux() {
 setup_fstab() {
     local target="$1"
 
-	cat > "$target"/etc/fstab <<-EOF
+    cat > "$target"/etc/fstab <<EOF
 # <fs>      <mountpoint>   <type>   <opts>              <dump/pass>
 LABEL=/     /              ext4     defaults,noatime    1 1
 EOF
@@ -196,7 +197,7 @@ setup_fstab() {
 setup_networking() {
     local target="$1"
 
-	cat > "$target"/etc/network/interfaces <<-EOF
+    cat > "$target"/etc/network/interfaces <<EOF
 auto lo
 iface lo inet loopback
 
@@ -243,7 +244,7 @@ configure_ntp() {
     # in EC2.
     #
     # See: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
-	sed -i 's/^server .*/server 169.254.169.123/' "$target"/etc/chrony/chrony.conf
+    sed -i 's/^pool .*/server 169.254.169.123 iburst/' "$target"/etc/chrony/chrony.conf
 }
 
 cleanup() {
@@ -266,14 +267,14 @@ cleanup() {
 }
 
 main() {
-	[ "$#" -ne 4 ] && { echo "usage: $0 <block-device> <kernel-flavor> '<repo>[,<repo>]' '<pkg>[ <pkg>]'"; exit 1; }
+    [ "$#" -ne 3 ] && { echo "usage: $0 <kernel-flavor> '<repo>[,<repo>]' '<pkg>[ <pkg>]'"; exit 1; }
 
-	device="$1"
+    local flavor="$1"
-	flavor="$2"
+    local add_repos="$2"
-	add_repos="$3"
+    local add_pkgs="$3"
-	add_pkgs="$4"
 
-	target="/mnt/target"
+    local device="/dev/xvdf"
+    local target="/mnt/target"
 
     validate_block_device "$device"
 

variables.json-default

@@ -5,18 +5,16 @@
   "ami_desc_prefix": "Alpine Linux ",
   "ami_desc_suffix": " Release with EC2 Optimizations",
   "kernel_flavor": "vanilla@edge-main",
-  "add_repos": "@edge-main http://dl-cdn.alpinelinux.org/alpine/edge/main,@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing",
+  "add_repos": "",
-  "add_pkgs": "acct aws-ena-driver-vanilla@edge-testing e2fsprogs-extra",
+  "add_pkgs": "aws-ena-driver-vanilla@edge-testing",
   "ena_enable": "true",
-  "sriov_enable": "false",
   "volume_size": "1",
+  "encrypt_ami": "false",
   "ami_access": "all",
   "deploy_regions": "us-east-1,us-east-2,us-west-1,us-west-2,ca-central-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3,ap-northeast-1,ap-northeast-2,ap-southeast-1,ap-southeast-2,ap-south-1,sa-east-1",
 
   "vpc": "",
   "subnet": "",
   "security_group": "",
-  "public_ip": "false",
+  "public_ip": "false"
-  "build_instance_type": "t2.nano",
-  "volume_name": "/dev/xvdf"
 }

variables.json-example

@@ -1,4 +1,5 @@
-# NOTE: This is file not valid JSON.
+# *** NOTE: This is file not valid JSON! ***
+
 {
   ### Build Options ###
 
@@ -13,31 +14,37 @@
   "ami_desc_prefix": "Alpine Linux ",
   "ami_desc_suffix": " Release with EC2 Optimizations",
 
-  # Kernel "flavor" to install.  'virt' is a slim choice, but doesn't currently
+  # Kernel "flavor" to install.
-  # include NVME support and there is no matching 'aws-ena-driver' package.
+  #
+  # 'virt' is the slim choice, but doesn't currently include NVMe support and
+  # there is no matching 'aws-ena-driver' package.  When these features are
+  # available, this kernel flavor will be the default (if not hardcoded).
+  #
   # 'vanilla' installs a lot of unneeded stuff (for an AMI), but does support
-  # NVME; however, there is no matching ENA driver in the main repo.  In order
+  # NVMe; however, there is no matching ENA driver in the main repo.  In order
-  # to support NVME and ENA, we need to use 'vanilla@edge-main', which matches
+  # to support NVMe and ENA, we need to use 'vanilla@edge-main', which matches
   # the 'aws-ena-driver@edge-testing' package.
+  #
   "kernel_flavor": "vanilla@edge-main",
 
-  # Comma separated list of lines to add to /etc/apk/repositories.  We need
+  # Comma separated list of custom lines to add to /etc/apk/repositories.
-  # edge/main and edge/testing for simultaneous NVME and ENA support.
+  # @edge-main, @edge-community, and @edge-testing repos have been predefined.
-  "add_repos": "@edge-main http://dl-cdn.alpinelinux.org/alpine/edge/main,@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing",
+  "add_repos": "",
 
   # Space separated list of additional packages to add to the AMI.
-  # acct - system accounting utilities (sa, etc.)
+  # aws-ena-driver-vanilla - ENA driver (until we have a 'virt' flavor)
-  # aws-ena-driver-vanilla - Enhanced Network Adapter kernel module
+  "add_pkgs": "aws-ena-driver-vanilla@edge-testing",
-  # e2fsprogs-extra - ec2-tiny-bootstrap's currently undeclared dependency (resize2fs)
-  "add_pkgs": "acct aws-ena-driver-vanilla@edge-testing e2fsprogs-extra",
 
-  # Enable ENA/SRIOV support on the AMI.
+  # Enable ENA support on the AMI.
+  # When ENA is available for the 'virt' kernel, this will always be on.
   "ena_enable": "true",
-  "sriov_enable": "false",
 
   # Size of the AMI image (in GiB).
   "volume_size": "1",
 
+  # Encrypt the AMI?
+  "encrypt_ami": "false",
+
   # Comma separated list of groups that should have access to the AMI.  However,
   # only two values are currently supported: 'all' for public, '' for private.
   "ami_access": "all",
@@ -62,12 +69,6 @@
   # Assign a public IP to the builder instance.  Set to 'true' for if you need
   # to initiate the build from somewhere that wouldn't normally be able to
   # access the builder instance's private network.
-  "public_ip": "false",
+  "public_ip": "false"
 
-  # Instance type to use for building.
-  "build_instance_type": "t2.nano",
-
-  # Don't override this without a good reason, and if you do just make sure it
-  # gets passed all the way through to the make_ami script.
-  "volume_name": "/dev/xvdf"
 }