aboutsummaryrefslogtreecommitdiff
path: root/release/tools/ec2.conf
Commit message (Collapse)AuthorAgeFilesLines
* release: Remove references to ChallengeResponseAuthenticationMark Johnston2022-03-011-3/+2
| | | | | | | | | | | | | This sshd_config keyword was replaced by KbdInteractiveAuthentication in openssh 8.7, though ChallengeResponseAuthentication is silently accepted as an alias. However, this means that the code in ec2.conf which modifies a commented-out line no longer does anything. Apply a minimal fix. Reviewed by: cperciva, emaste MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34400
* EC2: Turn off IPv6 DADColin Percival2021-11-261-0/+4
| | | | | | | | | | | | | Disable Duplicate Address Detection in EC2 instances. The networking configuration in EC2, with IPv6 addresses assigned by DHCPv6 and host egress filtering, makes "duplicate addresses" impossible. This speeds up the boot process in EC2 by 2 seconds. Reviewed by: kp, imp, bz MFC after: 2 weeks Sponsored by: https://www.patreon.com/cperciva Differential Revision: https://reviews.freebsd.org/D33091
* release: allow VM_EXTRA_PACKAGES to be specified in the environmentBrad Davis2021-08-091-1/+3
| | | | | | | | | | This is useful for adding extra packages to the build of an AMI. For example: env VM_EXTRA_PACKAGES="zsh" make -C release ec2ami Approved by: gjb MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate")
* EC2: Tell gptboot to skip its 3 second waitColin Percival2021-06-211-0/+4
| | | | | Nobody is going to hit a key to tell gptboot to select another disk, so there's no point waiting.
* release: fix VMSIZE following 1ca8842f3ad9Glen Barber2021-03-041-1/+1
| | | | | | | | | | | | truncate(1) is not case-sensitive with regard to setting the size of a file. makefs(8), however, does not honor upper-case values. Update release-specific files and the release(7) manual page to reflect this. MFC with: 1ca8842f3ad9 Submitted by: ehem_freebsd_m5p.com (original) Differential Review: https://reviews.freebsd.org/D28979 Sponsored by: Rubicon Communications, LLC ("Netgate")
* Spawn the DHCPv6 client in EC2 instances via rtsold.Colin Percival2020-09-131-3/+13
| | | | | | | | | | | | | | | | | | Prior to this commit, EC2 AMIs used a "dual-dhclient" tool which was launched in place of dhclient and spawned both the base system dhclient for IPv4 and the ISC dhclient from ports for IPv6. Now that rtsold supports the "M bit" (managed configuration), we can go back to having the base system dhclient spawned normally, and provide a script to rtsold which spawns the ISC dhclient from ports when rtsold decides that it is appropriate. Thanks to: bz MFC after: 1 week Sponsored by: https://www.patreon.com/cperciva Notes: svn path=/head/; revision=365696
* Bump the size of EC2 AMIs up to 5 GB.Colin Percival2020-09-131-2/+2
| | | | | | | | | | | | | The FreeBSD base system continues to expand. 4GB is now insufficient; we passed 3 GB in May 2019; we passed 2 GB in August 2017. Over half of the disk space used is in /usr/lib/debug/. Without this change, instances boot but are unusable, since the first thing which breaks when VM filesystems are too small is the "pkg install" in the VM building process. Notes: svn path=/head/; revision=365695
* Make EC2 AMIs use portsnap and freebsd-update mirrors hosted in AWSColin Percival2020-06-301-0/+6
| | | | | | | | | | | | This adjusts freebsd-update.conf and portsnap.conf files in EC2 AMIs to point at the new AWS-hosted mirror network. Approved by: re (delphij) MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D25498 Notes: svn path=/head/; revision=362791
* Add ebsnvme-id to EC2 AMIs and enable /dev/aws/diskColin Percival2020-05-181-2/+2
| | | | | | | | | | | | | | | | | | | | The ebsnvme-id utility exposes information about EC2 disks -- for Elastic Block Store volumes, their volume IDs and "linux device names", and for Instance Store (aka "Ephemeral") disks, their serial numbers. The dev_aws_disk rc.d script and associated devd.conf rule maintains a tree under /dev/aws/disk: /dev/aws/disk/ebs/<volume ID> /dev/aws/disk/linuxname/<linux device name> /dev/aws/disk/ephemeral/<serial number> which are symlinks to the corresponding nda or nvd devices. MFC after: 1 week Sponsored by: https://www.patreon.com/cperciva Notes: svn path=/head/; revision=361150
* Add /etc/autofs/special_efs to EC2 AMIsColin Percival2020-05-171-0/+17
| | | | | | | | | | | | | | | | Since Amazon Elastic File System is only available within AWS, it seems more appropriate to have this added only in EC2 AMIs rather than "polluting" non-EC2 images with it. Reviewed by: gjb MFC after: 7 days Relnotes: Amazon EFS filesystems can be automounted by enabling autofs and placing "/efs -efs" into /etc/auto_master. Sponsored by: https://www.patreon.com/cperciva Differential Revision: https://reviews.freebsd.org/D24791 Notes: svn path=/head/; revision=361143
* Set use_nvd=0 in EC2 AMIs.Colin Percival2020-04-271-0/+4
| | | | | | | | | | | | | | | | | | | | | FreeBSD is in the process of switching from nvd(4) to nda(4) as the disk device front-end to NVMe. Changing the default in the kernel is tricky since existing systems may have /dev/nvd* hard-coded e.g. in /etc/fstab; however, there's no reason to not change the default in HEAD for *new* systems. At present I have no intention of MFCing this to stable branches, since someone might reasonably expect scripts they use for launching and configuring FreeBSD 12.1 instances to work with FreeBSD 12.2 AMIs, for example. Reviewed by: gjb, imp Relnotes: NVMe disks in EC2 instances launched from 13.0 and later now show up as nda(4) devices. Differential Revision: https://reviews.freebsd.org/D24583 Notes: svn path=/head/; revision=360396
* Mount /dev while deinstalling pkg inside EC2 AMIs.Colin Percival2020-02-111-0/+2
| | | | | | | | | | This gets rid of (harmless) warnings: "pkg: Cannot open /dev/null:No such file or directory". MFC after: 2 weeks Notes: svn path=/head/; revision=357750
* Remove /qemu from EC2 ARM AMIsColin Percival2020-02-111-0/+3
| | | | | | | | | | | I forgot to do this as part of r345858 -- I added it to the vm_extra_pre_umount in vmimage.subr but forgot that function was overridden in the EC2 build. MFC after: 2 weeks Notes: svn path=/head/; revision=357749
* Switch EC2 AMIs from using the dual-dhclient script to using the newColin Percival2019-10-021-1/+1
| | | | | | | | | | dual-dhclient-daemon daemon. This makes it possible to stop/restart the dhclients. MFC after: 1 month Notes: svn path=/head/; revision=353022
* Bump EC2 AMI filesystem size up to 4000 MB.Colin Percival2019-05-081-2/+2
| | | | | | | | | | | | AMIs have been breaking for the past month due to insufficient disk space. Due to the small amount of overhead in the disk image, the EC2 AMIs end up with the same (4GB) minimum disk size. Reported by: Michal Krawczyk Notes: svn path=/head/; revision=347370
* Add support for cross-building cloudware images.Colin Percival2019-04-031-1/+1
| | | | | | | | | | | | | | If MACHINE_ARCH doesn't match TARGET_ARCH, and we're not in the special case of building i386 images on an amd64 host, we need to pull in the qemu-user-static package; this allows us to run some commands inside the VM disk image chroot, most notably to install packages. Reviewed by: gjb MFC after: 2 weeks Sponsored by: FreeBSD/EC2 patreon (https://www.patreon.com/cperciva) Notes: svn path=/head/; revision=345858
* Only install amazon-ssm-agent into amd64 AMIs.Colin Percival2019-03-201-1/+9
| | | | | | | This package does not exist on aarch64 at present. Notes: svn path=/head/; revision=345317
* Fix sed script to insert Amazon NTP server into ntp.conf once ratherColin Percival2019-02-191-1/+1
| | | | | | | | | | than twice. Reported by: Rafal Lukawiecki MFC after: 1 week Notes: svn path=/head/; revision=344315
* Turn off ec2_ephemeralswap for nowColin Percival2019-01-091-1/+1
| | | | | | | | | | | | | | | | This script broke around FreeBSD 11.0 as a result of SWAPMETA no longer being reported by vmstat -z; but it also needs to be reworked due to the arrival in EC2 of nvme ephemeral disks. I'll turn this option back on after I've found time to rewrite the script in question. PR: 234686 Reported by: meta@ MFC after: 1 week Notes: svn path=/head/; revision=342875
* Disable atkbd0 and atkdbc0 in EC2 AMIs. This has the effect of skippingColin Percival2018-08-261-0/+7
| | | | | | | | | | | | | | | | | the probing and attaching of the PS/2 mouse (not present on EC2) and keyboard (emulated, but not accessible via EC2). Note that we disable atkbd0 separately even though during device probing it shows up as a child of atkbdc0; this is necessary because the device is also initialized during the early console setup from hammer_time. This change cuts the kernel boot time on an EC2 c5.4xlarge instance from 7259ms down to 4727 ms. Approved by: re (marius) Notes: svn path=/head/; revision=338321
* Move debug.{trace,debugger}_on_panic and kern.panic_reboot_wait_time inColin Percival2018-04-181-3/+3
| | | | | | | | | | | | EC2 instances from sysctl.conf to loader.conf; these can all be set as loader tunables, and setting them in loader.conf gives us the right behaviour in the event of a kernel panic taking place prior to when sysctl.conf is processed. MFC after: 1 week Notes: svn path=/head/; revision=332663
* Make EC2 instances use Amazon's NTP service for time synchronization.Colin Percival2017-12-051-1/+6
| | | | | | | | | | | | | | | | Since Amazon provides NTP servers within their network, this should be far superior to using the default NTP pools; and since the service is provided by Amazon there's very little risk in enabling it by default. (If someone is able to compromise Amazon's NTP servers and exploit them to attack EC2 instances, they would almost certainly be able to compromise EC2 instances even without ntpd running...) MFC after: 1 week Relnotes: EC2 instances now keep their clocks synchronized using the Amazon Time Sync Service (aka. NTP). Notes: svn path=/head/; revision=326565
* Resurrect r321659: Turn off ChallengeResponseAuthentication for EC2 AMIs.Colin Percival2017-12-051-0/+6
| | | | | | | | | | | | | | | | | | | | | | | EC2 instances are normally launched with an SSH public key specified, which is then used for logging in (by default, as 'ec2-user'). Having ChallengeResponseAuthentication enabled (as FreeBSD's default sshd_config does) has no functional effect in a new EC2 instance, since you can't log in using a password until a password has been set -- but having this enabled results in alerts from automated scanning tools which can detect that sshd advertises support for keyboard-interactive logins (since they can't detect that accounts have no password set). EC2 users who want to use passwords to log in to their instances will need to set 'ChallengeResponseAuthentication yes' in FreeBSD 12.0 and later. Discussed with: gjb, gtetlow, emaste, des Requested by: Amazon X-MFC: No Relnotes: ChallengeResponseAuthentication is turned off by default in Amazon EC2 AMIs. Notes: svn path=/head/; revision=326564
* Remove /etc/resolv.conf from virtual machine images, which isGlen Barber2017-11-211-0/+2
| | | | | | | | | | | | copied from the build host. It is renamed to /etc/resolv.conf.bak on boot, so never used anyway. Noticed by: peter MFC after: 3 days Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=326068
* Add the amazon-ssm-agent package to EC2 AMI builds. This makes itColin Percival2017-11-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | immediately available on instances which are running without internet access (or which can't rely on firstboot_pkgs to install it for some other reason). Note that this agent is not enabled by default; to enable it, add amazon_ssm_agent_enable="YES" to /etc/rc.conf, e.g., by placing the lines >>/etc/rc.conf amazon_ssm_agent_enable="YES" into the EC2 user-data. In addition to being enabled, the agent requires keys to be provided via IAM Roles; users are encouraged to be very careful in using this functionality due to the inherent vulnerability in the idea of providing credentials via a service accessible to any process which can open an HTTP connection. Requested by: Amazon No objection from: re@ Relnotes: FreeBSD/EC2 AMIs now include the Amazon EC2 Systems Manager (SSM) Agent. Notes: svn path=/head/; revision=325254
* Increase the Amazon EC2 AMI image size from 2GB to 3GB to preventGlen Barber2017-08-281-2/+2
| | | | | | | | | image build failures due to a full md(4)-backed filesystem. Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=322968
* Revert r321659, re-enabling ChallengeResponseAuthentication, which wasGlen Barber2017-07-281-6/+0
| | | | | | | | | | discussed a while back between cperciva@ and so@, and I forgot. Reported by: cperciva Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=321661
* Turn off ChallengeResponseAuthentication for EC2 AMIs, one of EC2'sGlen Barber2017-07-281-0/+6
| | | | | | | | | | requirements. MFC after: 3 days Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=321659
* Turn on support for the Amazon "Elastic Network Adapter" in EC2 AMIs.Colin Percival2017-05-251-0/+3
| | | | | | | X-MFC-after: 318647 + fixes for some lock ordering warnings Notes: svn path=/head/; revision=318894
* ec2.conf and vmimage.subr can be used from the installation livecd afterAndrew Thompson2017-03-091-1/+2
| | | | | | | | | | | | | install to prepare an AMI image. This can be used to create a ZFS AMI disk image using a virtual machine. Change ec2.conf to use the pkg tool from a chroot rather than trying to bootstrap it and fail from the livecd readonly filesystem. Reviewed by: gjb Notes: svn path=/head/; revision=314935
* Increase the EC2 image size for 12-CURRENT. The recent snapshotGlen Barber2017-03-021-2/+2
| | | | | | | | | | builds of EC2 images for 12-CURRENT failed due to a full filesystem on the md(4) device during creation. Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=314561
* Enable IPv6 networking on Amazon EC2.Colin Percival2017-01-151-3/+8
| | | | | | | MFC after: 1 week Notes: svn path=/head/; revision=312214
* Now that potentially buggy versions of Xen are automatically detectedColin Percival2016-07-161-6/+0
| | | | | | | | | | | (see r302635), there is no need to force msix interrupt migration off via loader.conf. Reverts: r302184 MFC after: 3 days Notes: svn path=/head/; revision=302929
* Enable indirect segment I/Os by default in the Xen blkfront driver whenColin Percival2016-06-291-5/+0
| | | | | | | | | | | | | | | running on EC2. Due to improvements in EC2, the performance penalty which was present on some EC2 instances no longer exists, and enabling this feature now consistently yields ~20% higher throughput with equal or lower latency. Reverts: r286063 Approved by: re (gjb) MFC after: 2 weeks Relnotes: Improved disk throughput on EC2 Notes: svn path=/head/; revision=302288
* Turn off MSI-X interrupt migration by default in EC2 instances; this worksColin Percival2016-06-241-0/+6
| | | | | | | | | | | around a bug in older versions of Xen and unbreaks SR-IOV (aka. "EC2 Enhanced Networking"). Approved by: re (gjb) Thanks to: jhb, Jeremiah Lott Notes: svn path=/head/; revision=302184
* Switch from console="comconsole" to boot_multicons="YES" in EC2.Colin Percival2016-06-091-2/+4
| | | | | | | | | | Amazon recently introduced an API for capturing screenshots of an emulated VGA device; this commit makes that (somewhat) useful. MFC after: 3 weeks Notes: svn path=/head/; revision=301732
* Disable blkif indirect segment I/Os in EC2 by default due to performanceColin Percival2015-07-301-0/+5
| | | | | | | | | issues on some EC2 instance types. Users may want to experiment with removing this from loader.conf and measuring the performance impact on the EC2 instances they are using. Notes: svn path=/head/; revision=286063
* Ensure ASSUME_ALWAYS_YES is set when deleting pkg(8) from theGlen Barber2015-06-241-1/+1
| | | | | | | | | | | | DESTDIR, otherwise it can get stuck in ttyin. This means no 10-STABLE EC2 images this week. MFC after: 3 days Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=284780
* It would help if I committed the right patch...Colin Percival2015-03-311-1/+1
| | | | Notes: svn path=/head/; revision=280884
* Add bits for building EC2 disk images. Make logic for uploading theseColin Percival2015-03-311-0/+83
to create EC2 AMIs will come in a later commit. Notes: svn path=/head/; revision=280879