Creating a CentOS 5.3 Amazon AMI

Posted in May 24th, 2009

This post is more for my own notes so I dont forget how I created this AMI. It took me a while because the main thing that was missing was the fact that you need to add in a way for the OS to grab your public key info OR to have /etc/passwd set up in the image. I decided to do the former (grabbing the public key). Also the other thing people seem to have left off is the fact that you need to install wget or curl in order to run the setup. Also, a quick thing to note is that to do this tutorial YOU NEED A CENTOS 5 machine to run it on. Just start one through Amazon and use that. If you dont have one (if you can’t do that, then this tutorial is probably outta your league anyway).

These are the links that I used to figure this stuff out:

http://www.how-to-linux.com/2009/02/how-to-create-a-centos-52-ec2-amazon-machine-image-ami/

http://www.ioncannon.net/system-administration/115/creating-your-own-fc6-instance-for-ec2/

https://developer.amazonwebservices.com/connect/message.jspa?messageID=76866

Using the first tut. I created my image:

dd if=/dev/zero of=my-image.fs bs=1M count=1024

Then I created my filesystem on the space:

mke2fs -F -j my-image.fs

Create a mount point

mkdir /mnt/ec2-fs

Mount it using a loopback

mount -o loop my-image.fs /mnt/ec2-fs

mkdir /mnt/ec2-fs/dev

Populate /dev some minimal devices

/sbin/MAKEDEV -d /mnt/ec2-fs/dev/ -x console

/sbin/MAKEDEV -d /mnt/ec2-fs/dev/ -x null

/sbin/MAKEDEV -d /mnt/ec2-fs/dev/ -x zero

Create /etc

mkdir /mnt/ec2-fs/etc

Create the yum-xen.conf file. I modified the ones into the tut to use CentOS5.3 i386 and x86_64. I listed both below. For the x86_64 you’ll need to create it on a CentOS 64bit image.

i386

[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
exclude=*-debuginfo
gpgcheck=0
obsoletes=1
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
reposdir=/dev/null
metadata_expire=1800
[base]
name=CentOS-5.3 – Base
baseurl=http://mirror.centos.org/centos/5.3/os/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
protect=1
#released updates
[update]
name=CentOS-5.3 – Updates
baseurl=http://mirror.centos.org/centos/5.3/updates/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
protect=1
#packages used/produced in the build but not released
[addons]
name=CentOS-5.3 – Addons
baseurl=http://mirror.centos.org/centos/5.3/addons/i386/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
[extras]
name=CentOS 5.3 Extras $releasever – $basearch
baseurl=http://mirror.centos.org/centos/5.3/extras/i386/
enabled=1

x86_64

[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
exclude=*-debuginfo
gpgcheck=0
obsoletes=1
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
reposdir=/dev/null
metadata_expire=1800
[base]
name=CentOS-5.3 – Base
baseurl=http://mirror.centos.org/centos/5.3/os/x86_64/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
protect=1
#released updates
[update]
name=CentOS-5.3 – Updates
baseurl=http://mirror.centos.org/centos/5.3/updates/x86_64/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
protect=1
#packages used/produced in the build but not released
[addons]
name=CentOS-5.3 – Addons
baseurl=http://mirror.centos.org/centos/5.3/addons/x86_64/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
priority=1
[extras]
name=CentOS 5.3 Extras $releasever – $basearch
baseurl=http://mirror.centos.org/centos/5.3/extras/x86_64/
enabled=1

Create a proc point for the image and mount it:

mkdir /mnt/ec2-fs/proc

mount -t proc none /mnt/ec2-fs/proc

Run the yum installer and install the Core:

yum -c yum-xen.conf –installroot=/mnt/ec2-fs -y groupinstall Core

Create a network config script for your new image:

vi /mnt/ec2-fs/etc/sysconfig/network-scripts/ifcfg-eth0

Enter this for file:

DEVICE=eth0

BOOTPROTO=dhcp

ONBOOT=yes

TYPE=Ethernet

USERCTL=yes

PEERDNS=yes

IPV6INIT=no

Turn on networking for your image:

vi /mnt/ec2-fs/etc/sysconfig/network

Enter the following:

NETWORKING=yes

Set up the hard drives:

vi /mnt/ec2-fs/etc/fstab

Enter

/dev/sda2 /mnt ext3 defaults 1 2

/dev/sda3 swap swap defaults 0 0

Copy the centos resolv.conf over (if you’re using an Amazon Centos image, if not create one):

cp /etc/resolv.conf /mnt/ec2-fs/etc/resolv.conf

Chroot and start services like sshd:

chroot /mnt/ec2-fs /bin/sh

chkconfig –level 345 sshd on

Install wget or curl

yum install curl (or yum install wget for the bash script below)

Create a startup script to get your private key:

vi /usr/local/sbin/get-credentials.sh

Fill it with this:

#!/bin/bash

# Retreive the credentials from relevant sources.

# Fetch any credentials presented at launch time and add them to
# root’s public keys

PUB_KEY_URI=http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
PUB_KEY_FROM_HTTP=/tmp/openssh_id.pub
PUB_KEY_FROM_EPHEMERAL=/mnt/openssh_id.pub
ROOT_AUTHORIZED_KEYS=/root/.ssh/authorized_keys

# We need somewhere to put the keys.
if [ ! -d /root/.ssh ] ; then
mkdir -p /root/.ssh
chmod 700 /root/.ssh
fi

# Fetch credentials…

# First try http
curl –retry 3 –retry-delay 0 –silent –fail -o $PUB_KEY_FROM_HTTP $PUB_KEY_URI
if [ $? -eq 0 -a -e $PUB_KEY_FROM_HTTP ] ; then
if ! grep -q -f $PUB_KEY_FROM_HTTP $ROOT_AUTHORIZED_KEYS
then
cat $PUB_KEY_FROM_HTTP >> $ROOT_AUTHORIZED_KEYS
echo “New key added to authrozied keys file from parameters”|logger -t “ec2″
fi
chmod 600 $ROOT_AUTHORIZED_KEYS
rm -f $PUB_KEY_FROM_HTTP

elif [ -e $PUB_KEY_FROM_EPHEMERAL ] ; then
# Try back to ephemeral store if http failed.
# NOTE: This usage is deprecated and will be removed in the future
if ! grep -q -f $PUB_KEY_FROM_EPHEMERAL $ROOT_AUTHORIZED_KEYS
then
cat $PUB_KEY_FROM_EPHEMERAL >> $ROOT_AUTHORIZED_KEYS
echo “New key added to authrozied keys file from ephemeral store”|logger -t “ec2″

fi
chmod 600 $ROOT_AUTHORIZED_KEYS
chmod 600 $PUB_KEY_FROM_EPHEMERAL

fi

if [ -e /mnt/openssh_id.pub ] ; then
if ! grep -q -f /mnt/openssh_id.pub /root/.ssh/authorized_keys
then
cat /mnt/openssh_id.pub >> /root/.ssh/authorized_keys
echo “New key added to authrozied keys file from ephemeral store”|logger -t “ec2″

fi
chmod 600 /root/.ssh/authorized_keys
fi

Edit your rc.local:

vi /etc/rc.local

Add this:

/usr/local/sbin/get-credentials.sh

Exit out of your chroot:

exit

Unmount the image

umount /mnt/ec2-fs/proc

umount -d /mnt/ec2-fs

Time to upload your image and get it registered. For this, its easiest to just install the ruby scripts that they have to create the image and upload it. If you dont have ruby, install it:

yum install ruby

Download the EC2 AMI Tools:

wget http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.noarch.rpm

Install the EC2 AMI Tools

rpm -Uvh ec2-ami-tools.noarch.rpm

Put both your private key and cert in the same folder as my-image.fs. This is available in your Amazon account under the X.509 Certificate section.

Use the AMI tools to bundle the your image:

ec2-bundle-image -i my-image.fs -c my-cert.pem -k my-private-key.pem -u 1234-5678-9101 (amazon account id)

This create the bundles the image to an AMI and puts it in /tmp. Now upload the ec2-bundle to S3. FYI, you’ll need an S3 account and bucket for this. (Quick hint: I use s3Fox plugin in firefox to setup my buckets.) Much easier this way.

ec2-upload-bundle -b my-bucket -m image.manifest -a my-aws-access-key-id -s my-secret-key-id

After this is done, you need to register the ami before you can use it. I was using the AWS Management Console to do this. It’s located under EC2 Console -> Instances -> Register.

Now you’re done! Im sure I left some stuff out. If you have questions, feel free to leave them below.

Update: Greg pointed out some stuff that I missed (oops!)

I replaced my /etc/fstab with:/dev/sda1 / ext3 user_xattr 0 1
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

..which made things work better.

Also, I did have to chmod +x /usr/local/sbin/get-credentials.sh

After doing that I could ping and connect to the server, but as soon as I did, ssh told me that I didn’t have access to /bin/bash.

I had created the vm image on a machine with selinux disabled, so I had to do the same on the image by setting SELINUX=disabled in /etc/selinux/config

UPDATE: missed the /etc/resolv.conf

here is a sample resolv.conf:
search z-2.compute-1.internal
nameserver 172.16.0.23

Usdating

I've made it to the end. Thanks for putting it together. Lots of things I didn't know. BOOKMARKED!

weoyt

maybe is a better idea to set username/password on the image....

but how?

David Wang

if you wanted to add a username pwd, you could copy an existing /etc/passwd and /etc/shadow into your /etc dir

weoyt

Linux version 2.6.16-xenU (builder@xenbat.amazonsa) (gcc version 4.0.1 20050727 (Red Hat 4.0.1-5)) #1 SMP Mon May 28 03:41:49 SAST 2007
BIOS-provided physical RAM map:
Xen: 0000000000000000 - 000000006a400000 (usable)
980MB HIGHMEM available.
727MB LOWMEM available.
NX (Execute Disable) protection: active
IRQ lockup detection disabled
Built 1 zonelists
Kernel command line: root=/dev/sda1 ro 4
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
PID hash table entries: 4096 (order: 12, 65536 bytes)
Xen reported: 2600.000 MHz processor.
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Software IO TLB disabled
vmalloc area: ee000000-f53fe000, maxmem 2d7fe000
Memory: 1718700k/1748992k available (1958k kernel code, 20948k reserved, 620k data, 144k init, 1003528k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 5201.58 BogoMIPS (lpj=26007900)
Mount-cache hash table entries: 512
CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)
CPU: L2 Cache: 1024K (64 bytes/line)
Checking 'hlt' instruction... OK.
Brought up 1 CPUs
migration_cost=0
Grant table initialized
NET: Registered protocol family 16
Brought up 1 CPUs
xen_mem: Initialising balloon driver.
highmem bounce pool size: 64 pages
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
i8042.c: No controller found.
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Xen virtual console successfully installed as tty1
Event-channel device installed.
netfront: Initialising virtual ethernet driver.
mice: PS/2 mouse device common for all mice
md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
md: bitmap version 4.39
NET: Registered protocol family 2
Registering block device major 8
IP route cache hash table entries: 65536 (order: 6, 262144 bytes)
TCP established hash table entries: 262144 (order: 9, 2097152 bytes)
TCP bind hash table entries: 65536 (order: 7, 524288 bytes)
TCP: Hash tables configured (established 262144 bind 65536)
TCP reno registered
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Using IPI No-Shortcut mode
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 144k freed

***************************************************************
***************************************************************
** WARNING: Currently emulating unsupported memory accesses **
** in /lib/tls glibc libraries. The emulation is **
** slow. To ensure full performance you should **
** install a 'xen-friendly' (nosegneg) version of **
** the library, or disable tls support by executing **
** the following as root: **
** mv /lib/tls /lib/tls.disabled **
** Offending process: init (pid=1) **
***************************************************************
***************************************************************

Pausing... 5Pausing... 4Pausing... 3Pausing... 2Pausing... 1Continuing...
modprobe: FATAL: Could not load /lib/modules/2.6.16-xenU/modules.dep: No such file or directory
INIT: version 2.86 booting
Welcome to CentOS release 5.3 (Final)
Press 'I' to enter interactive startup.
modprobe: FATAL: Could not load /lib/modules/2.6.16-xenU/modules.dep: No such file or directory
Setting clock : Thu Jul 23 17:20:51 EDT 2009 [ OK ]
Starting udev: [ OK ]
Setting hostname localhost: [ OK ]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext3 (1) -- /mnt] fsck.ext3 -a /dev/sda2
ext2fs_check_if_mount: No such file or directory while determining whether /dev/sda2 is mounted.
/dev/sda2 has gone 279 days without being checked, check forced.
/dev/sda2: 11/19546112 files (9.1% non-contiguous), 661385/39088128 blocks
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
mount: can't find / in /etc/fstab or /etc/mtab
Mounting local filesystems: [ OK ]
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 4
Entering non-interactive startup
Checking for hardware changes [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining IP information for eth0... done.
[ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Starting system message bus: [ OK ]
Mounting other filesystems: [ OK ]
Generating SSH1 RSA host key: [ OK ]
Generating SSH2 RSA host key: [ OK ]
Generating SSH2 DSA host key: [ OK ]
Starting sshd: [ OK ]
Starting HAL daemon: [ OK ]
curl: (6) Couldn't resolve host 'âretry'
curl: (7) Failed to connect to 0.0.0.3: Invalid argument
curl: (6) Couldn't resolve host 'âretry-delay'
curl: (7) couldn't connect to host
curl: (6) Couldn't resolve host 'âsilent'
curl: (6) Couldn't resolve host 'âfail'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSzU2K4Xv91mn0NA/S4MaFIYXQcchTnyEdXutc4EMth1CDWZjLxAAHYAXNM2nbiwKtG/pueg/FkYLIzW9D6FdxuXwh9XTu5kPWINm3thp2eC1PR77wqxoKGFhH84VcD++qAcers1YsWT/acknOEVlllpLKtyAnWNc4hwsypRzYzPms2r10UmkUj+4W/fotau64UsfZxVK2Kd4ZIBhLIEj82yIV4Bh4syJiAhanm2WEFyYqTfaExlywMC2P103cnwG8mg4So6hiy/T8XhqJfBGwxSpxbIy4vEYsaadEs+k+Z37gsTpoXVu7cVKXyoNzF2TvC4SGHFWykqHoRGbSpQeV id-jlguard
c
CentOS release 5.3 (Final)
Kernel 2.6.16-xenU on an i686
domU-12-31-39-02-F1-08 login: INIT: Id "2" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes

David Wang

your dns isn't resolving properly:

here is a sample resolv.conf:
search z-2.compute-1.internal
nameserver 172.16.0.23

weoyt

ok i'm kidna lost...

i followed the procedure... and cerate a new keypair for this instance

ec2-add-keypair jlguard ...

then; when launched i did

ec2-run-instances ami-ID -k id-jlguard

still asks me for the pasword

David Wang

Make sure to read the comments above! Greg tweaked some of it. the chmod +x is important.

Also, take a look at the terminal output in aws console to figure out what's going on.

greg

Ah thanks for the tip about checking the console. I had looked at it the first time but it was blank. It tTurns out that I just had to wait a little longer after startup for it to be populated.

From the console, I saw that it was going down to single user mode because the partitions in /etc/fstab weren't found. I replaced my /etc/fstab with:

/dev/sda1 / ext3 user_xattr 0 1
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0

..which made things work better.

Also, I did have to chmod +x /usr/local/sbin/get-credentials.sh

After doing that I could ping and connect to the server, but as soon as I did, ssh told me that I didn't have access to /bin/bash.

I had created the vm image on a machine with selinux disabled, so I had to do the same on the image by setting SELINUX=disabled in /etc/selinux/config

Once I did that I was able to login successfully.

Thanks for the help and the great article.

greg

I can’t ping the instance created by following the directions here.

David Wang

it sounds like you may have some issues with your security settings. These are my current awsconsole security settings for my default group:
All icmp -1 -1 default group
All tcp 0 65535 default group
All udp 0 65535 default group
SSH tcp 22 22 0.0.0.0/0
HTTP tcp 80 80 0.0.0.0/0

Also check the console output. If you had a typo or something else that went wrong the console may shed more light on what the issue is.

greg

That's the command I'm using. SSH doesn't even tell me that it doesn't know the key for the host though.

Also, while I can ping other instances in the same security group, I can' ping the instance created by following the directions here.

Thanks

greg

Also, you might need a:
chmod +x /usr/local/sbin/get-credentials.sh

while in the chroot. I'm not sure of course because it still doesn't work for me..

David Wang

your command to login would be something like ssh -i my_default.pem root@externaladdress.amazon.com

greg

heh

It looks like the blog automatically replaced my two hyphens with a single bigger hyphen.

That same problem is in the article itself. Where there should be two hyphens, a single big hyphen appears instead.

greg

First a quick note: in the article, the character –, which isn't -, should be --

Second, here is a sample resolv.conf:
search z-2.compute-1.internal
nameserver 172.16.0.23

Third, after following the directions the image had only 683M in use. A smaller initial image size could be used by those really looking to trim costs.

Finally, while I was able to follow these directions without any problems, I wasn't able to connect to the instance. SSH just timed out. I checked the security group settings, which allowed ssh, but beyond that I don't know how to troubleshoot this sort of problem. Any tips would be appreciated. Thanks.

reviewazon

Thank you so much for this post. I use the reviewazon plugin. Reviewazon is the easy and simple way to add amazon affiliate product to your website.

Creating a CentOS 5.3 Amazon AMI

Similar Posts

Recent Posts

Categories

Archives

Recent Comments

UDFI Projects

Follow me on Twitter!

del.icio.us links

Blogroll