Looking for maintainers
I'm no longer maintaining this project. If you're interested in maintaining it, please post a comment on this issue.
Create custom Ubuntu AMIs the hard (secure) way
build-ubuntu-ami is a simple tool for making secure, custom Ubuntu images for Amazon EC2 from your local computer.
Why the hard way?
Booting and logging in to a system offers many opportunities to leak secret credentials (even if you delete them). Creating an AMI from a pristine image rather than a running root volume obviates the need to remove leaked credentials.
For convenience, this script does not need an AWS EC2 private key & cert for credentials. It uses the AWS Access Key ID and Secret Access Key instead.
# Using rubygems gem install build-ubuntu-ami
build-ubuntu-ami relies on Fog. You will need to configure a
~/.fog file, like so:
:default: :aws_access_key_id: A..your key here...Z :aws_secret_access_key: A..........your key here...............Z
if you have not registered an SSH keypair named 'default' with AWS, you will need to supply a
See examples of custom build scripts.
# Create a custom AMI from my_script.sh build-ubuntu-ami my_script.sh # Show options build-ubuntu-ami -h # Example output $ build-ubuntu-ami -k aaron-rsa -g aaron-test -b demoami custom.sh Configuration: region: us-east-1 flavor: m1.small brand: demoami size: 20 codename: lucid key_name: aaron-rsa group: aaron-test arch: amd64 canonical ami: ami-0baf7662 kernel: aki-427d952b description: demoami-lucid-amd64-20120609-0938 Launching server... Launched i-dcf145a5; ec2-23-20-92-209.compute-1.amazonaws.com; waiting for it to be available. Attaching volume vol-597aef37 waiting for user_data to complete and server to shut down... Follow along by running: ssh -l ubuntu ec2-23-20-92-209.compute-1.amazonaws.com 'tail -f /var/log/user.log' Detaching volume Waiting for volume to detach... Taking snapshot demoami-lucid-amd64-20120609-0938 root volume from vol-597aef37 Creating snapshot snap-a4b6e8db Registered imageId ami-abcdef01 Deleting vol-597aef37 Terminating i-dcf145a5
How it works
build-ubuntu-ami uses the ruby fog library to:
- Boot an EC2 instance from the Canonical Ubuntu AMI
- Download and mount a copy of the Canonical Ubuntu root volume image
- Run your custom script in a chrooted environment on that image
- Attach an new EBS volume
- Copy the customized boot image to the EBS volume
- Register an AMI using the customized EBS volume as the root volume.
Since you never booted or logged in to the customized EBS volume, there is reduced risk of leaking confidential information.
If you're running into an issue where you need to run CLI commands, its helpful to ssh to the instance and enter into the chroot environment. Do the following:
$ cd /mnt/$IMAGE_NAME $ sudo chroot . /bin/bash