
Creating AMIs For AWS

This document provides instructions for creating a VirtualBox VM, installing CentOS 7 or Oracle Linux, configuring the OS, and exporting the VM as an AMI. Key steps include: 1. Creating a VM with 4GB RAM and a 32GB virtual disk. 2. Installing CentOS 7 or Oracle Linux, configuring networking, time zone and partitioning, and beginning the installation. 3. Configuring the OS, adding packages, and configuring networking and firewall settings. 4. Exporting the cleaned-up VM as an OVA file to create an AMI for AWS.


AMI for AWS

Milind Nirgun
[email protected]

22 June 2018

Creating Virtualbox VM

Prerequisite for installing a 64-bit OS

● Hyper-V must be turned off on Windows 10 before a 64-bit guest can be installed. To do this, go to Windows 10 Settings -> Turn Windows Features On or Off, uncheck the Hyper-V checkbox, and restart the computer.

● Create a new virtual machine with 4GB RAM and a 32GB virtual disk, keeping the default parameters. The 32GB is to support a larger “/” root partition of 30GB.

● Attach the installation ISO to the VM's storage.

Installing the OS

CentOS 7

● Download the minimal ISO from

● Start the machine and, on the installation screen, press TAB to edit the boot parameters, append net.ifnames=0, and press Enter to boot.

● Click on “Network & Host Name” and flip the switch for eth0 to ON.

  ○ Leave the hostname as localhost.localdomain; it gets changed by the cloud provider.
  ○ Click the “Configure” button.
  ○ On the General tab, check the “Automatically connect to this network when it is available” box.
  ○ Keep the default settings on the Ethernet, 802.1X, and DCB tabs.
  ○ On the IPv4 tab, leave “Method” on “Automatic (DHCP)” and check the “Require IPv4 addressing for this connection to complete” box. In the “Additional DNS Servers” field add “8.8.8.8 8.8.4.4”.
  ○ On the IPv6 tab, change “Method” to “Ignore”, click Save, and then press Done.

● Click on the “Date & Time” and select the right Timezone. Make sure “Network Time” is ON. If there is a

yellow warning bar at the bottom stating “you have no network time server setup”, click the gears icon

next to the Network Time button to make sure NTP servers are configured.

● Click on “Installation Destination”.

  ○ Choose “I will configure partitioning” and click Done to proceed.
  ○ Choose Standard Partitioning.
  ○ Click the “Click here to create them automatically” link to create the 3 default partitions: /dev/sda1 -> /boot, /dev/sda3 -> / and /dev/sda2 -> swap.
  ○ Change the filesystem to ext4 if desired.
  ○ Click the Done button to close this dialog.

● Click on Begin Installation and set the root password. If the password is weak, ignore the warning by clicking Done twice.

● After installation is complete, reboot into the machine. For Oracle Linux, boot into the standard kernel and not the UEK kernel.

Configuring OS & Adding extra packages

● Go to Machine in the VirtualBox console and under Network -> NAT -> Port Forwarding add a rule with Protocol: TCP, Host Port: 6036 (any available port on the host), Guest IP: 10.0.2.15 (or whatever IP address is assigned to eth0), Guest Port: 22 (for SSH).

● Verify that /etc/default/grub contains net.ifnames=0 in the GRUB_CMDLINE_LINUX variable.

● Any change to /etc/default/grub requires regenerating the grub configuration with the command:
    grub2-mkconfig -o /boot/grub2/grub.cfg

● Change the network interface settings in /etc/sysconfig/network-scripts/ifcfg-eth0 to look like the following (the UUID value will differ on each machine):

    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=dhcp
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=yes
    NAME=eth0
    UUID=1973fb53-0b3d-4811-8359-fcc6cec29120
    DEVICE=eth0
    ONBOOT=yes
    PEERDNS=yes
    PEERROUTES=yes

● Change /etc/dracut.conf to add the XEN drivers to the initramfs image; they are not included by default in a VirtualBox install. This step has to be done or else the AMI will not boot in AWS. Uncomment the following line and edit it as below:

    # additional kernel modules to the default
    add_drivers+="xen-blkfront xen-netfront"

● For Oracle Linux 7.3:

  ○ Remove the UEK kernels from the boot options and uninstall them, as AWS VM Import has problems when UEK kernels are present.
  ○ Edit /etc/sysconfig/kernel and change DEFAULTKERNEL=kernel-uek to DEFAULTKERNEL=kernel.
  ○ Remove the UEK kernel using yum:
        yum erase -y kernel-uek kernel-uek-firmware
  ○ Check the grub environment to make sure it has been removed:
        cat /boot/grub2/grubenv

● Rebuild the initramfs to add the XEN drivers for all installed kernels with the command:
    rpm -qa kernel | sed 's/^kernel-//' | xargs -I {} dracut -f /boot/initramfs-{}.img {}
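The grub, dracut and initramfs steps above, as an added example that is not part of the original document: a POSIX shell script with idempotent helpers that make the two file edits (re-running them never duplicates a setting), regenerate grub.cfg and the initramfs of every installed kernel, and then confirm with lsinitrd that the xen modules really landed in each image. That last check is the one worth doing before exporting, because a missing driver only shows up later as an instance that never boots. The file-path defaults and the APPLY environment variable are this example's own conventions; grub2-mkconfig, dracut, lsinitrd and rpm are the standard tools on CentOS 7 and Oracle Linux 7.

```shell
#!/bin/sh
# Added example (not from the original document): idempotent helpers for the
# grub / dracut / initramfs steps. Run as root on the VM with APPLY=1; without
# it only the functions are defined, so the file can be sourced for testing.

# ensure_grub_netifnames [FILE]: put net.ifnames=0 into GRUB_CMDLINE_LINUX in
# FILE (default /etc/default/grub) unless it is already there.
ensure_grub_netifnames() {
    f="${1:-/etc/default/grub}"
    grep -q '^GRUB_CMDLINE_LINUX=.*net\.ifnames=0' "$f" && return 0
    # first expression handles an empty value (""); `t` ends the script once it
    # has fired, otherwise the second expression appends to the existing value
    sed -e 's/^\(GRUB_CMDLINE_LINUX="\)"/\1net.ifnames=0"/' -e t \
        -e 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 net.ifnames=0"/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# ensure_dracut_xen [FILE]: append the add_drivers line to FILE (default
# /etc/dracut.conf) unless both xen modules are already listed there.
ensure_dracut_xen() {
    f="${1:-/etc/dracut.conf}"
    grep -q '^add_drivers+=.*xen-blkfront' "$f" \
        && grep -q '^add_drivers+=.*xen-netfront' "$f" && return 0
    printf '%s\n%s\n' '# additional kernel modules to the default' \
        'add_drivers+="xen-blkfront xen-netfront"' >> "$f"
}

# rebuild_boot_images: regenerate grub.cfg and the initramfs of every installed
# kernel (the same pipeline as the document, written out as a loop).
rebuild_boot_images() {
    grub2-mkconfig -o /boot/grub2/grub.cfg
    for v in $(rpm -q kernel | sed 's/^kernel-//'); do
        dracut -f "/boot/initramfs-$v.img" "$v"
    done
}

# verify_xen_in_initramfs: returns non-zero and names every installed kernel
# whose initramfs lacks a xen driver, the exact case in which the AMI will not
# boot on AWS.
verify_xen_in_initramfs() {
    rc=0
    for v in $(rpm -q kernel | sed 's/^kernel-//'); do
        for m in xen-blkfront xen-netfront; do
            if ! lsinitrd "/boot/initramfs-$v.img" | grep -q "$m"; then
                echo "missing $m in initramfs for kernel $v" >&2
                rc=1
            fi
        done
    done
    return $rc
}

if [ "${APPLY:-0}" = 1 ]; then
    ensure_grub_netifnames
    ensure_dracut_xen
    rebuild_boot_images
    verify_xen_in_initramfs && echo "xen drivers present in every initramfs image"
fi
```

Because the edit helpers take the file path as an argument, they can be exercised against copies of the configuration files before being pointed at the real ones; APPLY=1 runs the whole sequence on the VM itself.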

● For Oracle Linux 7.3 - cleaning up yum repositories:

  ○ Disable ol7_UEKR3 and ol7_UEKR4 to prevent the UEK kernel from being reinstalled by a yum update:
        vi /etc/yum.repos.d/public-yum-ol7.repo
    and in the [ol7_UEKR3] and [ol7_UEKR4] sections set enabled=0.
  ○ Also enable [ol7_optional_latest] and [ol7_addons].

● Optional - install deltarpm, system-storage-manager and wget:
    yum install -y deltarpm system-storage-manager wget

● For Oracle Linux 7.3 - installing the EPEL repository:

  ○ Install the EPEL repository by downloading it from fedoraproject.org as below:
        wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
        rpm -Uvh epel-release-latest-7.noarch.rpm

● Install the necessary cloud tools, cloud-init and cloud-utils-growpart (rlwrap is also useful):
    yum install -y rlwrap cloud-init cloud-utils-growpart

Note: after this step, booting into this VM is no longer possible. Therefore complete the rest of the steps and then export this VM as an OVA.

● Check the firewall settings to make sure SSH is enabled:
    firewall-cmd --get-default-zone
    firewall-cmd --zone=public --list-all

This should display:
    Interfaces: eth0
    Services: dhcpv6-client ssh

● Change SELinux to permissive:
    vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=permissive.

● Change cloud.cfg for the following settings:
    vi /etc/cloud/cloud.cfg

Set ssh_deletekeys to 1 (the file is YAML, so the line reads ssh_deletekeys: 1), and under system_info: change name: cloud_user to name: ec2_user.

With these changes, when a new instance is deployed, new SSH host keys are generated for the server, a new ec2_user with passwordless sudo to root is created, SSH login as root is disabled, and so is password authentication for SSH.

● Lastly, check for updated packages and update the installation:
    yum check-update
    yum update -y

● Clean up the VM for the AMI: delete log files, command history, etc.
    rm -rf /var/lib/cloud/
    yum -y clean packages
    rm -rf /var/cache/yum
    rm -rf /var/lib/yum

    cd /var/log
    rm -rf cloud-init.log cloud-init-output.log messages boot.log dmesg dmesg.old yum.log wtmp lastlog

    find / -name .bash_history -exec rm -rf {} +
    find / -name .Xauthority -exec rm -rf {} +
    find / -name authorized_keys -exec rm -rf {} +

    history -c
    shutdown -h now
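Before the final shutdown -h now it is worth confirming that the image really is in the state the steps above describe, since anything missed here is baked into every instance launched from the AMI. The audit below is an added example, not part of the original document. audit_image takes an optional root prefix (default: the running system) so it can also be pointed at a mounted or staged copy of the filesystem; it verifies the grub and dracut edits, the SELinux and cloud.cfg settings exactly as the document sets them (permissive is what the document prescribes; enforcing remains the stronger posture where the workload tolerates it), that the cloud-init state directory is gone, and that no authorized_keys, shell history or .Xauthority files survived the cleanup. The function names and the ok/FAIL output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): pre-export audit of the VM.
# Usage: audit_image [ROOT]   (ROOT = filesystem prefix, default: live system)

# no_files_named ROOT NAME: succeeds only if no file called NAME exists under ROOT
no_files_named() {
    [ -z "$(find "$1" -xdev -name "$2" -print 2>/dev/null | head -n 1)" ]
}

# audit_image [ROOT]: print one ok/FAIL line per check and return the number of
# failed checks, so a return value of 0 means the image is ready to export.
audit_image() {
    root="${1:-}"
    fails=0
    check() {            # check DESCRIPTION COMMAND [ARGS...]
        desc="$1"; shift
        if "$@" >/dev/null 2>&1; then
            echo "ok    $desc"
        else
            echo "FAIL  $desc"
            fails=$((fails + 1))
        fi
    }
    check "net.ifnames=0 in GRUB_CMDLINE_LINUX" \
        grep -q '^GRUB_CMDLINE_LINUX=.*net\.ifnames=0' "$root/etc/default/grub"
    check "xen drivers listed in dracut.conf" \
        grep -q '^add_drivers+=.*xen-blkfront xen-netfront' "$root/etc/dracut.conf"
    check "SELinux set to permissive as the document prescribes" \
        grep -q '^SELINUX=permissive' "$root/etc/selinux/config"
    check "cloud-init regenerates host keys (ssh_deletekeys)" \
        grep -Eq '^ssh_deletekeys:[[:space:]]*(1|true)' "$root/etc/cloud/cloud.cfg"
    check "cloud-init default user is ec2_user" \
        grep -q 'name: ec2_user' "$root/etc/cloud/cloud.cfg"
    check "cloud-init state (/var/lib/cloud) removed" \
        test ! -e "$root/var/lib/cloud"
    # leftover keys or history would be copied into every instance of the AMI
    for name in authorized_keys .bash_history .Xauthority; do
        check "no $name files left behind" no_files_named "${root:-/}" "$name"
    done
    return "$fails"
}
```

Run audit_image as root on the VM just before the shutdown; a non-zero return value means at least one FAIL line was printed and that item should be fixed before the export.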

● Export the VM as an OVA: go to File -> Export Appliance, choose the VM, and continue through the dialog box to export it as an OVA file to a directory.

Notes for resolving error while importing image into AMI

I've been struggling with this as well and finally got it to work. Here's something that may help
understanding what's happening, and what may go wrong:

Apparently the import/export task is run by some sort of AWS-owned agent ("service"). This agent is called vmie.amazonaws.com. As soon as that agent starts running, it assumes a role that you have to define yourself. If you don't supply a role name (aws ec2 import-image --role-name something) the role "vmimport" will be used by default.

This role, "vmimport" or otherwise, needs two important properties. First, there needs to be a trust
relationship so that the Amazon agent vmie.amazonaws.com can assume this role. Second, there
needs to be a policy that gives access to both the S3 bucket and EC2 to perform the import.

The first, the trust relationship, is achieved as follows: Within IAM, go to "Roles" and select the role
you want to use for this (or create a role "vmimport"). Go to Trust Relationships; Edit Trust
Relationships. The policy document should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Second, the policy. Easiest is to attach the following policies to this role:
● AmazonEC2FullAccess

● AmazonS3FullAccess

Obviously you can define custom policies as well that only allow access to the S3 bucket where your to-be-imported images are stored, and limit access to EC2 as well.

Next Steps

AWS client configuration

● Install the AWS command line client and configure it using the following steps:

  ○ See the link under References for installation.

● Create a new S3 bucket for the AMI.

● Copy the exported OVA file to the bucket, using the console upload from the S3 bucket.

● Configure the role vmimport and assign the trust policy. Files: trust-policy.json, role-policy.json and a container.json. Create a new role, add the policies AmazonEC2FullAccess and AmazonS3FullAccess, and edit the Trust Relationships to look like above.

● Import the OVA VM as an image using vmimport.

● Launch an instance with this AMI.

● Enable the firewall.
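The vmimport setup that the note above and the Next Steps list describe (trust-policy.json, role-policy.json, container.json, then the import), as an added example that is not part of the original document. Instead of attaching AmazonEC2FullAccess and AmazonS3FullAccess, it writes the bucket-scoped role policy and the ExternalId-conditioned trust policy that the AWS VM Import/Export user guide documents for the vmimport role, which is the custom least-privilege option the note alludes to: the role can read only the import bucket and make only the snapshot and image-registration calls the import needs. The bucket name, OVA key and the APPLY variable are this example's own placeholders, and the aws commands only run when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original document): generate the vmimport role
# documents with least privilege and start the import.
set -e

# write_vmimport_files DIR BUCKET KEY: write trust-policy.json, role-policy.json
# and containers.json into DIR for an OVA stored at s3://BUCKET/KEY.
write_vmimport_files() {
    dir="$1"; bucket="$2"; key="$3"
    mkdir -p "$dir"
    # Trust only the VM Import service, and only when it presents the
    # "vmimport" external id (trust policy from the AWS VM Import user guide).
    cat > "$dir/trust-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:Externalid": "vmimport" } }
    }
  ]
}
EOF
    # Read access to this one bucket plus the EC2 calls the import needs;
    # no FullAccess managed policies (role policy from the same AWS guide).
    cat > "$dir/role-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::$bucket", "arn:aws:s3:::$bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                 "ec2:RegisterImage", "ec2:Describe*"],
      "Resource": "*"
    }
  ]
}
EOF
    # Disk container pointing at the uploaded OVA.
    cat > "$dir/containers.json" <<EOF
[
  {
    "Description": "OVA exported from VirtualBox",
    "Format": "ova",
    "UserBucket": { "S3Bucket": "$bucket", "S3Key": "$key" }
  }
]
EOF
}

# import_ova DIR: create the role, attach the inline policy and start the import.
import_ova() {
    dir="$1"
    aws iam create-role --role-name vmimport \
        --assume-role-policy-document "file://$dir/trust-policy.json"
    aws iam put-role-policy --role-name vmimport --policy-name vmimport \
        --policy-document "file://$dir/role-policy.json"
    # Prints an ImportTaskId; follow progress with
    #   aws ec2 describe-import-image-tasks --import-task-ids <ImportTaskId>
    aws ec2 import-image --description "VirtualBox OVA import" \
        --disk-containers "file://$dir/containers.json"
}

if [ "${APPLY:-0}" = 1 ]; then
    # bucket name and key are placeholders for this example
    write_vmimport_files ./vmimport my-ami-import-bucket centos7.ova
    import_ova ./vmimport
fi
```

If the role already exists with the FullAccess policies attached, put-role-policy only adds the inline policy; detach the managed policies afterwards so the role ends up with the narrow permissions only.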

References:

Steps to build a VM and exporting an OVA
https://technology.amis.nl/2017/07/14/aws-build-oracle-linux-7-ami-cloud/

Installation of the AWS command line interface
https://docs.aws.amazon.com/cli/latest/userguide/installing.html

For importing the OVA in AWS
https://forums.aws.amazon.com/thread.jspa?threadID=179090

Using vmimport to import a VM as an image
https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#import-vm-image
