Devuan + Runit for Amazon EC2
"Do one thing, do it well." - Doug McIlroy
"Do everything, do it in PID1" - systemd
This project aims to provide a viable alternative to the systemd-monotheistic AWS offering. The goal is to track progress and maintain documentation for a fast, stable and secure general-purpose operating system for Amazon EC2.
Devuan seems to be the practical and stable choice for administrators running servers in datacenters. Devuan Ascii, which runs SysVinit by default, was modified to use Runit instead. All relevant changes are in this repository. Most of the code is directly applicable to other standalone Devuan-based distributions outside the cloud environment.
Because of systemd and its real world performance: http://cloux.org/init/#systemd
systemd became the single most widespread Linux init system. And it doesn't just do init, it also does login, pam, getty, syslog, udev, cryptsetup, cron, at, dbus, acpi, gnome-session, autofs, tcpwrappers, audit, chroot, mount(1), network management, DNS, Firewall, UEFI(2), su(3), HTTP server(4) ... and on Saturdays it also does your laundry. Adopted by all major distributions, there seems to be no real alternative. systemd is not just a default software choice. Many packages depend directly on it, which makes it IMPOSSIBLE to remove or switch to something else later on. Even if you use systemd on a daily basis and everything goes well, you might want to have some alternative. So, what alternatives are available?
EC2 Linux AMI Comparison
Free-Tier Eligible general purpose GNU/Linux systems on AWS, as of 2018-03:
| AMI Name | Init System | Category | Packages | EBS Size*1 | Boot Time*2 (±SD) | License |
|---|---|---|---|---|---|---|
| Amazon Linux AMI 2017.09.1 | upstart | Quick Start | rpm | 8 GB | 7.2 s (±1.1) | EULA |
| Amazon Linux 2 LTS Candidate AMI 2017.12.0 | systemd | Quick Start | rpm | 8 GB | 26.6 s (±0.2) | EULA |
| Red Hat Enterprise Linux 7.4 | systemd | Quick Start | rpm | 10 GB | 13.0 s (±0.5) | EULA |
| SUSE Linux Enterprise Server 12 SP3 | systemd | Quick Start | rpm | 10 GB | 44.2 s (±1.3) | EULA, Terms |
| Ubuntu Server 16.04 LTS | systemd | Quick Start | apt | 8 GB | 10.5 s (±1.6) | EULA |
| CentOS 7 | systemd | Marketplace | rpm | 8 GB | 15.0 s (±0.8) | Free |
| Debian GNU/Linux 9.3 Stretch | systemd | Marketplace | apt | 8 GB | 7.0 s (±0.9) | Free |
| Devuan Ascii 2018-02-14 | Runit | Community | apt | 4 GB | 5.1 s (±0.8) | Free |
*1) Smallest possible storage size for a new instance
*2) Determined by ec2-benchmark-osboot.sh, on t2.micro in us-east-1a, averaged 5 consecutive runs
This is not a comprehensive comparison. Some AMIs might not qualify as general-purpose on EC2: while Gentoo uses OpenRC and not systemd, it is limited to very few instance types. However, if it works for your use case, Gentoo is definitely worth a try.
Amazon Linux 2017.09 looks like it's running SysVinit, but PID1 uses obsolete upstart v0.6.5. Either way, this OS is considered end-of-life and should not be used for any new projects.
All major Linux distributions already transitioned to systemd. If you want to use something else on Amazon EC2, you are pretty much out of luck. This is where the Devuan Ascii + Runit distribution comes in:
Currently available Devuan AMI offers:
- Runit as init and service supervisor
- Small footprint with only 4 GB minimal EBS volume size
- Fast direct boot without Initrd
- Custom compiled stable kernel from https://www.kernel.org
- Included network drivers Amazon ENA v1.3.0K (25Gb) + Intel ixgbevf 4.1.0-k (10Gb)
- Fully automated AMI release cycle, always with the latest kernel
- Easily configurable logging, with all logs being text files in /var/log
- Preinstalled cloud-init v0.7.9
- Preinstalled amazon-ssm-agent v2.2
- Preinstalled Hiawatha, advanced and secure webserver
- Fully automated domain TLS certificate management, requests and renewals
NOTE: not everybody wants to run a webserver or amazon-ssm-agent. For convenience, these services are preinstalled and activated, since they are not directly available from the repository. If you don't need them, use the svdeactivate command; see service management.
The setup differences compared to a clean Devuan installation mainly address runit compatibility with Devuan and AWS EC2 environment integration:
# apt-get install acpid apache2-utils aptitude bison certbot cpulimit curl dnsutils ethtool eudev flex fuse gawk htop incron iptraf kexec-tools lsof lynx mc multitail ncdu ncftp nfs-common nfs-kernel-server nfswatch nfstrace ntp p7zip-full pciutils pigz php php-cgi procmail pwgen rename rsync runit screen sntop ssmtp sysv-rc-conf telnet whois
Compiled from source
- Linux stable kernel (https://www.kernel.org), see kernel-update.sh
- Hiawatha webserver (http://www.hiawatha-webserver.org), see hiawatha-update.sh
- Socklog (http://smarden.org/socklog/install.html)
- amazon-ssm-agent and ec2-metadata
- more tools in /usr/local/bin
Sources are placed in /usr/src and /root/inst inside the AMI.
"Devuan Ascii YYYY-MM-DD (Unofficial)" AMIs are available in the Amazon EC2 us-east-1 (N. Virginia) region in the Community AMIs category. This git repository serves as documentation and development base for Devuan AMIs inside AWS EC2, and cannot be directly used for AWS management, installation, or upgrades.
Why 'Unofficial': This project is not affiliated with the official Devuan GNU/Linux distribution in any way.
A few useful commands to get you up and running. These Runit scripts are universal, and work well outside the cloud environment.
- The default SSH user is admin
- For easy access, use ssh-login.sh, or use the command:
ssh -i INSTANCE-KEY.pem admin@INSTANCE-IP
Shutdown and reboot
- shutdown - simple immediate halt and power off. Does not accept any parameters.
- reboot - immediate system reboot
- reboot soft - reboot quickly without waiting for BIOS, see kexec
Runit service management
In addition to standard Runit service control, these commands were added for convenience:
- svactivate - include and start services in Runit supervisor
- svdeactivate - stop service and disable supervision
- runit-core-install - integrate Runit into the system. Useful after an OS upgrade to keep commands like reboot and shutdown working properly.
- kernel-update.sh - download, compile and install new Linux kernel from kernel.org
- kernel-pull-binary.sh - get latest kernel from a server which compiled it with kernel-update.sh
- hiawatha-update.sh - download, compile and install new Hiawatha webserver
- hiawatha-certbot.sh - request new, or refresh existing letsencrypt certificates using certbot
- php-update.sh - download, compile and install latest stable PHP-FPM from php.net
NOTE: these scripts are included in /usr/local/bin inside the AMI
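Since the webserver and amazon-ssm-agent are preinstalled and activated, it helps to see what the supervisor will actually start before choosing what to pass to svdeactivate. The script below is an added example, not part of this repository: it lists runit services that are active but not on an allowlist. It assumes the standard runit layout (a service directory of symlinks, where a `down` file keeps a service stopped); the service names and the temporary tree are constructed for the demo.

```shell
#!/bin/sh
# Added example: list runit services that are supervised and set to start
# but are not on an allowlist of services this host is meant to run.

# active_services DIR: names of entries in DIR that runsv would start, i.e.
# a (possibly symlinked) directory with an executable ./run and no ./down.
active_services() {
    dir=$1
    for entry in "$dir"/*; do
        if [ -d "$entry" ] && [ -x "$entry/run" ] && [ ! -e "$entry/down" ]; then
            basename "$entry"
        fi
    done
    return 0
}

# unexpected_services DIR ALLOWED...: active services not named in ALLOWED.
unexpected_services() {
    dir=$1
    shift
    active_services "$dir" | while IFS= read -r name; do
        allowed=no
        for ok in "$@"; do
            if [ "$name" = "$ok" ]; then allowed=yes; fi
        done
        if [ "$allowed" = no ]; then printf '%s\n' "$name"; fi
    done
}

# make_sample_tree ROOT: constructed layout for the demo (service names and
# paths are assumptions, not read from the AMI).
make_sample_tree() {
    root=$1
    mkdir -p "$root/service"
    for name in sshd hiawatha amazon-ssm-agent ntpd; do
        mkdir -p "$root/sv/$name"
        printf '#!/bin/sh\nexec sleep 60\n' > "$root/sv/$name/run"
        chmod +x "$root/sv/$name/run"
        ln -s "$root/sv/$name" "$root/service/$name"
    done
    touch "$root/sv/ntpd/down"    # supervised, but runsv will not start it
}

demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "Active but not on the allowlist (allowlist: sshd):"
unexpected_services "$demo_root/service" sshd
rm -rf "$demo_root"
```

On a real instance, call `unexpected_services` with the live service directory (for example /etc/service, if that is where the supervisor scans) and confirm each hit with `sv status` before deactivating it.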
This work is free. You can redistribute it and/or modify it under the terms of the Do What The Fuck You Want To Public License, Version 2, as published by Sam Hocevar. See http://www.wtfpl.net for more details. If you feel that releasing this work under WTFPL is not appropriate, since some of the code might be derivative and thus possibly breaking some other license... just do WTF you want to.
"AWS" and "Amazon EC2" are registered trademarks of Amazon.com Inc., "Devuan" is a registered trademark of the Dyne.org foundation, "Debian" is a registered trademark of Software in the Public Interest Inc., "Ubuntu" is a registered Trademark of Canonical Inc., "SuSE" is a registered trademark of SUSE IP Development Ltd., Red Hat is a trademark or registered trademark of Red Hat Inc. or its subsidiaries, Linux is a registered trademark of Linus Torvalds. All other possibly and impossibly mentioned trademarks are the property of their respective owners.
This repository is maintained by email@example.com
I am not involved or in any way affiliated with the development of any particular init system. I do not participate in any public discussion or flamewar about init. I am not a fanboy, nor a hater. I do not have any personal feelings towards any init, or any other software, or its developers. As a sysadmin I could not care less which init system is in use, as long as it works. Also, I do not claim fitness of this project for any particular purpose and do not take any responsibility for its use. You should always choose your system and all of its components very carefully; if something breaks, it's on you. See license.
NOTE: Much of the Runit base structure is "borrowed" from void-runit, and modified to integrate with Devuan inside a cloud environment.
I will keep this project alive as long as I can, and as long as there is some interest. This is however a private project, so my support is fairly limited. Any help with further development, testing, and bugfixing will be appreciated. If you want to report a bug, please either raise an issue, or fork the project and send me a pull request.
- Devuan Project: https://devuan.org
- Void Linux: https://www.voidlinux.eu
- Runit and Socklog author Gerrit Pape: https://smarden.org/pape
- Hiawatha author Hugo Leisink: https://www.hiawatha-webserver.org
- Flussence: https://gitlab.com/flussence/runit-scripts