Devuan + Runit for Amazon EC2
"Do one thing, do it well." - Doug McIlroy
"Do everything, do it in PID1" - systemd
This project aims to provide a viable alternative to the systemd-monotheistic AWS offering. The goal is to track progress and maintain documentation for a fast, stable and secure general-purpose operating system for Amazon EC2.
Devuan seems to be the practical and stable choice for administrators running servers in datacenters. Devuan, which runs SysVinit by default, was modified to use Runit as init and PID1 process. The AWS EC2 specific code is in this repository, the runit-init infrastructure is in the runit-base repository, and the installation/update scripts are implemented as modules of Simple Installer.
Because of systemd and its real world performance: http://cloux.org/init/#systemd
systemd became the single most widespread Linux init system. And it doesn't just do init, it also does login, pam, getty, syslog, udev, cryptsetup, cron, at, dbus, acpi, gnome-session, autofs, tcpwrappers, audit, chroot, mount(1), network management, DNS, Firewall, UEFI(2), su(3), HTTP server(4) ... and on Saturdays it also does your laundry. Adopted by all major distributions, there seems to be no real alternative. systemd is not just a default software choice. Many packages depend directly on it, which makes it IMPOSSIBLE to remove or switch to something else later on. Even if you use systemd on a daily basis and everything goes well, you might want to have some alternative. So, what alternatives are available?
EC2 Linux AMI Comparison
Free-Tier Eligible general purpose GNU/Linux systems on AWS, as of 2018-03:
| AMI Name | Init System | Category | Packages | EBS Size *1 | Boot Time *2 (±SD) | License |
|---|---|---|---|---|---|---|
| Amazon Linux AMI 2017.09.1 | upstart | Quick Start | rpm | 8 GB | 7.2 s (±1.1) | EULA |
| Amazon Linux 2 LTS Candidate AMI 2017.12.0 | systemd | Quick Start | rpm | 8 GB | 26.6 s (±0.2) | EULA |
| Red Hat Enterprise Linux 7.4 | systemd | Quick Start | rpm | 10 GB | 13.0 s (±0.5) | EULA |
| SUSE Linux Enterprise Server 12 SP3 | systemd | Quick Start | rpm | 10 GB | 44.2 s (±1.3) | EULA, Terms |
| Ubuntu Server 16.04 LTS | systemd | Quick Start | apt | 8 GB | 10.5 s (±1.6) | EULA |
| CentOS 7 | systemd | Marketplace | rpm | 8 GB | 15.0 s (±0.8) | Free |
| Debian GNU/Linux 9.3 Stretch | systemd | Marketplace | apt | 8 GB | 7.0 s (±0.9) | Free |
| Devuan Runit 2018-12-06 | Runit | Community | apt | 4 GB | 3.6 s (±0.9) | Free |
*1) Smallest possible storage size for a new instance
*2) Determined by ec2-benchmark-osboot.sh, on t2.micro in us-east-1a, averaged over 5 consecutive runs
This is not a comprehensive comparison. Some AMIs might not qualify as general-purpose on EC2: while Gentoo uses OpenRC and not systemd, it is limited to very few instance types. However, if it works for your use case, Gentoo is definitely worth a try.
Amazon Linux 2017.09 looks like it's running SysVinit, but PID1 uses obsolete upstart v0.6.5. Either way, this OS is considered end-of-life and should not be used for any new projects.
All major Linux distributions already transitioned to systemd. If you want to use something else on Amazon EC2, you are pretty much out of luck. This is where the Devuan + Runit distribution comes in:
The currently available Devuan AMI offers:
- Runit as init and service supervisor
- Small footprint with only 4 GB minimal EBS volume size
- Fast direct boot without Initrd
- Custom compiled stable kernel from https://www.kernel.org
- Included network drivers Amazon ENA v1.3.0K (25Gb) + Intel ixgbevf 4.1.0-k (10Gb)
- Fully automated AMI release cycle, always with the latest kernel
- Easily configurable logging, with all logs being text files in /var/log
- Preinstalled cloud-init
- Preinstalled oomd - efficient Out-Of-Memory userspace killer based on PSI
- Preinstalled amazon-ssm-agent
- Preinstalled Hiawatha, advanced and secure webserver
- Fully automated domain TLS certificate management, requests and renewals
- Docker support: apt-get install docker.io and it's up and running!
NOTE: not everybody wants to run a webserver or amazon-ssm-agent. For convenience, these services are preinstalled and activated, since they are not directly available from the repository. If you don't need them, simply use the svdeactivate command, see service management.
The setup differences compared to a clean Devuan installation mainly address runit compatibility with Devuan and AWS EC2 environment integration:
# apt-get install acpid apache2-utils aptitude bison certbot cpulimit curl dnsutils ethtool eudev flex fuse gawk htop incron iptraf jq kexec-tools lsof lynx mc multitail ncdu ncftp nfs-common nfswatch nfstrace ntp p7zip-full pciutils pigz php php-cgi procmail pwgen rename rsync screen sntop telnet whois zip
Compiled from source
- Linux stable kernel (https://www.kernel.org), see sin - kernel module
- Hiawatha webserver (http://www.hiawatha-webserver.org), see sin - hiawatha module
- Socklog (http://smarden.org/socklog/install.html), see sin - socklog module
- amazon-ssm-agent, ec2-metadata and other tools
Sources are placed in /usr/src and /root/inst inside the AMI.
"Devuan Runit YYYY-MM-DD (Unofficial)" AMIs are available in the Amazon EC2 us-east-1 (N. Virginia) region in the Community AMIs category. This git repository serves as documentation and development base for Devuan AMIs inside AWS EC2, and cannot be directly used for AWS management, installation, or upgrades.
Why 'Unofficial': This project is not affiliated with the official Devuan GNU/Linux distribution in any way.
How to find the freshest AMI ID with awscli and jq:
aws ec2 describe-images --region us-east-1 --owners 771240843992 --filters 'Name=name,Values=Devuan Runit *' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'
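Community AMI names are not unique per publisher, so a deployment script should re-check the owner ID on the response before trusting the newest match. The following is an added example, not part of this project's code: it applies the same selection to a constructed `describe-images` response, and the sample image IDs, the second owner ID and the name pattern are assumptions.

```python
import json
import re

TRUSTED_OWNER = "771240843992"  # owner ID taken from the command on this page
# Assumed name shape, based on the "Devuan Runit YYYY-MM-DD" naming on this page.
NAME_RE = re.compile(r"^Devuan Runit \d{4}-\d{2}-\d{2}\b")

# Constructed sample shaped like `aws ec2 describe-images --output json`.
# Image IDs and the owner ID 111111111111 are made up.
SAMPLE = json.loads("""
{"Images": [
  {"ImageId": "ami-00000000000000001", "OwnerId": "771240843992",
   "State": "available", "Name": "Devuan Runit 2018-11-20 (Unofficial)",
   "CreationDate": "2018-11-20T04:10:11.000Z"},
  {"ImageId": "ami-00000000000000002", "OwnerId": "771240843992",
   "State": "available", "Name": "Devuan Runit 2018-12-06 (Unofficial)",
   "CreationDate": "2018-12-06T04:12:40.000Z"},
  {"ImageId": "ami-00000000000000003", "OwnerId": "111111111111",
   "State": "available", "Name": "Devuan Runit 2018-12-20 (Unofficial)",
   "CreationDate": "2018-12-20T09:00:00.000Z"},
  {"ImageId": "ami-00000000000000004", "OwnerId": "771240843992",
   "State": "pending", "Name": "Devuan Runit 2018-12-21 (Unofficial)",
   "CreationDate": "2018-12-21T04:11:02.000Z"}
]}
""")


def newest_trusted_ami(response, owner=TRUSTED_OWNER):
    """Return the ImageId of the newest available image published by `owner`."""
    candidates = [
        img for img in response.get("Images", [])
        if img.get("OwnerId") == owner        # re-check the publisher, not just the name
        and img.get("State") == "available"   # skip images still pending or failed
        and NAME_RE.match(img.get("Name", ""))
    ]
    if not candidates:
        # Fail closed: never fall back to an image from another account.
        raise LookupError("no available image from owner " + owner)
    # CreationDate values are fixed-format UTC ISO 8601 strings,
    # so lexicographic order is chronological order.
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


if __name__ == "__main__":
    print(newest_trusted_ami(SAMPLE))
```
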
The Vagrant base box is available for download at https://app.vagrantup.com/cloux/boxes/ColibriOS
This image is built by the same principles as the AWS EC2, featuring:
- Rebranding to ColibriOS
- Small image size ~200 MB
- Direct boot without initrd
- Kernel optimized for VirtualBox
- Many tools including oomd, wireguard and sin
NOTE: Unlike AWS EC2, the Vagrant images are not released automatically with each new kernel. New releases are available ad-hoc, depending on the amount of accumulated fixes.
A few useful commands to get you up and running quickly.
- The default SSH user is admin
- For easy access, use ssh-login, or use the command:
ssh -i INSTANCE-KEY.pem admin@INSTANCE-IP
Runit service management
In addition to standard Runit service control, these commands were added for convenience:
- svactivate - include and start services in Runit supervisor
- svdeactivate - stop services and disable supervision
- svstat - show status of a service, or all supervised services when run without parameter
Updates and additional installations outside of the repository are available through the Simple Installer:
- sin kernel - compile and update the kernel from the latest source on kernel.org
- sin install oomd amazon-ssm-agent - update the oomd and ssm-agent from source
This work is free. You can redistribute it and/or modify it under the terms of the Do What The Fuck You Want To Public License, Version 2, as published by Sam Hocevar. See http://www.wtfpl.net for more details. If you feel that releasing this work under WTFPL is not appropriate, since some of the code might be derivative and thus possibly breaking some other license... just do WTF you want to.
"AWS" and "Amazon EC2" are registered trademarks of Amazon.com Inc., "Devuan" is a registered trademark of the Dyne.org foundation, "Debian" is a registered trademark of Software in the Public Interest Inc., "Ubuntu" is a registered trademark of Canonical Inc., "SuSE" is a registered trademark of SUSE IP Development Ltd., Red Hat is a trademark or registered trademark of Red Hat Inc. or its subsidiaries, Linux is a registered trademark of Linus Torvalds. All other possibly and impossibly mentioned trademarks are the property of their respective owners.
This repository is maintained by email@example.com
I am not involved or in any way affiliated with the development of any particular init system. I do not participate in any public discussion or flamewar about init. I am not a fanboy, nor a hater. I do not have any personal feelings towards any init, or any other software, or its developers. As a sysadmin I could not care less which init system is in use, as long as it works. Also, I do not claim fitness of this project for any particular purpose and do not take any responsibility for its use. You should always choose your system and all of its components very carefully, if something breaks it's on you. See license.
NOTE: Much of the Runit base structure is "borrowed" from the void-runit, and modified to integrate with Devuan inside cloud environment.
I will keep this project alive as long as I can, and as long as there is some interest. This is however a private project, so my support is fairly limited. Any help with further development, testing, and bugfixing will be appreciated. If you want to report a bug, please either raise an issue, or fork the project and send me a pull request.
- Devuan Project: https://devuan.org
- Void Linux: https://www.voidlinux.org
- Runit and Socklog author Gerrit Pape: https://smarden.org/pape
- Hiawatha author Hugo Leisink: https://www.hiawatha-webserver.org
- Flussence: https://gitlab.com/flussence/runit-scripts