Thursday, May 7, 2009

Minimal i386 CentOS5 AMI

Here is a quick cheat-sheet to help you create a minimal CentOS 5.x image for use as a custom Amazon Machine Image (AMI).

My target instance type is small (see pages 49 and 57 of the EC2 Developers Guide), so adjust fstab accordingly if you target a different type. To create the image you will need a custom fstab file and a yum config file. Additionally, the following cheat-sheet assumes you are using a Red Hat based distribution to create the image (CentOS 5 in my case); otherwise some of the tool parameters will not work, not to mention that yum might not be available.

/etc/fstab

/dev/sda1 / ext3 defaults 1 1
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
/dev/sda2 /mnt ext3 defaults 0 0
/dev/sda3 swap swap defaults 0 0


yum-aws.conf

[main]
exclude=authd lha libsdp iptstate emacs-common emacs-nox bluez-utils aspell-en rdist libmthca NetworkManager dhcpv6_client lksctp-tools autofs finger bluez-libs vconfig libibverbs ash jpackage-utils rdate aspell irda-utils rp-pppoe pcmcia-cs bluez-bluefw udapl jwhois rsh wireless-tools ipsec-tools bluez-hcidump krb5-workstation fbset apmd dosfstools dump ed eject ethereal-gnome ethereal mkbootdisk redhat-lsb gtk2 fonts-xorg-base fonts-xorg-truetype freetype fontconfig xorg-x11-libs pango ttmkfdir xorg-x11-font-utils xorg-x11-xfs xorg-x11-Mesa-libGL xorg-x11-xauth chkfontpath rmt sysreport stunnel talk wvdial yp-tools ypbind xine xinetd td statserial cups cups-libs minicom bc isdn4k-utils lrzsz mtr mt-st nfs-utils portmap nc nano crash up2date netdump oddjob oddjob-libs ccid coolkey conman cpuspeed Deployment_Guide-en-US firstboot-tui pcsc-lite ifd-egate mdadm postfix cyrus-sasl sendmail numactl pcmciautils pscs-lite-libs quota usbutils logwatch iptables-ipv6 system-config-securitylevel-tui dhcpv6-client ibmasm ksh tcsh mtools rhpl system-config-lvm system-config-network-tui at smartmontools mailcap acpid cyrus-sasl-plain cryptsetup-luks hal pm-utils desktop-file-utils redhat-menus htmlview pinfo anacron sos setuptool pciutils pkinit-nss pax pam_krb5 pam_smb amtu


#Base distro
[base]
name=CentOS-5 - Base
baseurl=http://destiny/centos5-i386-prepatched-latest-install/
gpgcheck=1
gpgkey=http://destiny/centos/RPM-GPG-KEY-CentOS-5

#released updates
[updates]
name=CentOS-5 - Updates
baseurl=http://destiny/centos/5/updates/i386/stable/
gpgcheck=1
gpgkey=http://destiny/centos/RPM-GPG-KEY-CentOS-5

#packages by vendors
[vendor]
name=CentOS-5 - Vendor
baseurl=http://destiny/centos/5/vendor/i386/
gpgcheck=0
enabled=1

#custom built packages
[custom]
name=CentOS-5 - Custom
baseurl=http://destiny/centos/5/custom/i386/
gpgcheck=0
enabled=0


Build Image
As root, run the following:

# dd if=/dev/zero of=centos5_i386_minimal.img bs=1M count=1024
# mkfs.ext3 -F ~/centos5_i386_minimal.img
# mount -o loop centos5_i386_minimal.img /mnt
# mkdir /mnt/dev
# mkdir /mnt/proc
# mkdir /mnt/etc
# /sbin/MAKEDEV -d /mnt/dev -x console
# /sbin/MAKEDEV -d /mnt/dev -x null
# /sbin/MAKEDEV -d /mnt/dev -x zero
# cp ~/fstab /mnt/etc/
# mount -t proc none /mnt/proc

# yum -c yum-aws.conf --installroot=/mnt -y groupinstall Base

Next, I install a few hand-picked packages:

# yum -c yum-aws.conf --installroot=/mnt -y install dhclient dmidecode file iptables openssh openssh-clients openssh-server prelink rootfiles sysfsutils sysklogd tar mkinitrd nash lvm2 cpio ntp net-snmp net-snmp-utils net-snmp-libs vim-enhanced screen strace setools selinux-policy selinux-policy-targeted libvolume_id mailx gcc cpp gcc-c++ libtool pkgconfig gettext autoconf automake bison flex dos2unix unix2dos elinks procinfo

Customization
Create the eth0 network script (/mnt/etc/sysconfig/network-scripts/ifcfg-eth0) so the interface is configured via DHCP:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no


Enable networking (/mnt/etc/sysconfig/network):

NETWORKING=yes

Chroot
At this point you might consider spending some time customizing your build (chroot /mnt /bin/bash). Pay special attention to the permissions of the files you create (/etc/shadow, authorized_keys, etc.). Here is a short checklist:
  1. Set up user accounts and SSH authorized_keys for password-less login. Don't forget to create the home directories, unless you have pam_mkhomedir enabled.
  2. Set up the various daemons such as NTP, syslog, SSH and cron, and make sure they are enabled for the appropriate run-level.
  3. Set up policies for passwords, the firewall, etc.
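As an added example (not from the original post), here is a small audit script to run from the host, before the Clean-up step, against the image root at /mnt. It checks for the pitfalls the checklist names (shadow readable by non-root, accounts with no password, loose modes on .ssh and authorized_keys) and also flags any repo in yum-aws.conf that is enabled with gpgcheck=0, such as [vendor] above. It assumes GNU stat and the CentOS 5 layout, checks file modes only, and returns the number of findings.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-bundle audit of the
# image root against the checklist above. It flags /etc/shadow readable by
# non-root, accounts with an empty password field, group/world-writable
# ~/.ssh directories or authorized_keys files (sshd's StrictModes refuses
# those), and enabled yum repos with gpgcheck=0. Only modes are checked, so
# run it from the host as root:  audit_image /mnt yum-aws.conf  (returns #findings)

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# Octal mode of a path as printed by GNU stat (no leading zero, e.g. 644).
mode_of() { stat -c '%a' "$1"; }

audit_image() {
  root=$1; yumconf=$2; findings=0

  # 1. /etc/shadow: CentOS 5 ships it 0400; any group/other read bit is a finding.
  if [ -f "$root/etc/shadow" ]; then
    m=$(mode_of "$root/etc/shadow")
    [ $((0$m & 077)) -eq 0 ] || finding "/etc/shadow mode $m is readable by non-root"
    # 2. An empty second field means the account has no password at all.
    for u in $(awk -F: '$2 == "" { print $1 }' "$root/etc/shadow"); do
      finding "account '$u' has an empty password field in /etc/shadow"
    done
  fi

  # 3. Key files created in the chroot step: no group/world write bits on
  #    the .ssh directory or the authorized_keys file itself.
  for keys in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$keys" ] || continue
    for p in "$(dirname "$keys")" "$keys"; do
      m=$(mode_of "$p")
      [ $((0$m & 022)) -eq 0 ] || finding "${p#$root} mode $m is group/world writable"
    done
  done

  # 4. Repo sections that are enabled (yum's default) but skip GPG checks,
  #    like [vendor] in yum-aws.conf above.
  for sec in $(awk -F= '
      function flush() { if (sec != "" && sec != "main" && gpg == "0" && en != "0") print sec }
      /^\[/            { flush(); sec = substr($0, 2, length($0) - 2); gpg = ""; en = "1" }
      $1 == "gpgcheck" { gpg = $2 }
      $1 == "enabled"  { en = $2 }
      END              { flush() }' "$yumconf"); do
    finding "yum repo [$sec] is enabled with gpgcheck=0"
  done

  return $findings
}
```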

Clean-up
To reduce the image size, clear yum's cached data (inside the chroot):

yum clean all

Exit the chroot environment, leave the /mnt directory, and run the following:

# umount /mnt/proc
# umount /mnt

Bundling

That's it! Now you can proceed with bundling your AMI as per the EC2 Developers Guide (page 28).


# ec2-bundle-image -i centos5_i386_minimal.img -k .ec2/pk-.pem -c .ec2/cert-.pem -u -r i386

# ec2-upload-bundle -b osc-ami -m /tmp/centos5_i386_minimal.img.manifest.xml -s -a --location US


Register AMI

See the EC2 Developers Guide (page 311).


# ec2-register my-ami/centos5_i386_minimal.img.manifest.xml


You should see output containing your AMI ID, which you can use to launch new instances.

Notes
  1. Carefully audit the exclude parameter in the main section of the yum-aws.conf file. I chose to remove a lot of core packages to trim the install base from 350+ packages down to 139, but you might need some of the excluded packages.
  2. I am using a pre-patched local yum repository for the install, and maybe some day I'll blog about how to set it up. In the meantime you might need to point the baseurl entries in yum-aws.conf at a public yum repo, or a private one if available.
  3. The error "rpmdb: unable to lock mutex: Invalid argument" is caused by Bug 463921.

Cheers,
VVK
