To quickly and easily get a new working AMI, start with an existing public AMI or one of your own. You can then modify it and create a new AMI.
Before You Get Started
| Step | Prerequisite |
|---|---|
| 1 | Before you select an AMI, determine whether the instance types you plan to launch are 32-bit or 64-bit. For more information, see Instance Families and Types. |
| 2 | Make sure you are using GNU Tar 1.15 or later. |
| 3 | Install the Amazon EC2 API tools. Go to Amazon EC2 API Tools for more information and to download the tools from Amazon S3. Note: To ensure you have the latest and most reliable version, we recommend that you install the Amazon EC2 API tools only from Amazon S3. |
Customizing an instance involves the following series of steps:
Selecting an AMI from available AMIs.
Launching an instance from the AMI you selected.
Making changes to (thus, customizing) the instance, such as altering the Linux configuration, adding software, and configuring web applications.
For more information, see Launching EC2 Instances.
After you've launched an instance according to your specifications, proceed to the next steps to create a new AMI using the customized instance.
Your new AMI must be encrypted and signed to ensure that only you and Amazon EC2 can access it. To accomplish this, you must upload your Amazon EC2 private key and X.509 certificate to an instance store directory on your running instance. The private key and the certificate will be used in the AMI bundling process.
The private key and certificate files must not be bundled with the image. To prevent this, create a separate directory for these files. This directory will be specifically excluded from the bundle. In these examples, the private key and certificate files will be stored in the /tmp/cert directory. Before you can upload the private key and certificate files, you must grant write permissions to the directory where these files will be uploaded. The following command grants write permission to /tmp/cert.

```shell
$ sudo chmod 777 /tmp/cert
```

Copy your Amazon EC2 private key and X.509 certificate to the instance using a secure copy function such as scp. The following shows the syntax to use with the scp command.

```shell
$ scp -i <keypair_name> <private_keyfile> <certificate_file> <username>@<dns_location>:<instance_store_directory>
```
Where:

| Parameter | Description |
|---|---|
| <keypair_name> | The name of your key pair. |
| <private_keyfile> | The file that contains the private key. |
| <certificate_file> | The file that contains the certificate. |
| <username> | The login name you use to log in to your instance. |
| <dns_location> | The DNS location of the instance within Amazon EC2. |
| <instance_store_directory> | The directory where your instance store is mounted. |
scp displays the names of the files copied and some performance statistics.
The following is an example of a fully specified scp command using the Amazon Linux AMI.
```shell
$ scp -i gsg-keypair pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem ec2-user@ec2-67-202-51-223.compute-1.amazonaws.com:/tmp/cert
pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem    100%  717   0.7KB/s   00:00
cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem  100%  685   0.7KB/s   00:00
```
When you have the image that meets your specifications, you need to bundle it for uploading to Amazon S3. The bundling process requires root privileges. You can obtain these privileges with the sudo su command.
Use the ec2-bundle-vol command. Make sure to exclude the directory where the private key and certificate files are stored with the -e option. This option excludes files that may contain sensitive information, such as your AWS credentials.
```shell
# ec2-bundle-vol -k <private_keyfile> -c <certificate_file> -u <user_id> -e <cert_location>
```

<private_keyfile> is the file that contains the private key.

<certificate_file> is the file that contains the certificate.

<user_id> is the ID associated with your AWS account. This is your AWS account ID without dashes. It consists of 12 to 15 characters, and it's not the same as your access key ID.

<cert_location> is the directory that contains the private key and certificate files, which must be excluded from the bundle.
Note
Be sure to disable SELinux when running ec2-bundle-vol.
The following command bundles the local machine root file system.
```shell
# ec2-bundle-vol -e /tmp/cert -k pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -c cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem -u 111122223333
Please specify a value for arch [x86_64]:
Copying / into the image file /tmp/image...
Excluding:
     /sys
     ...
     /tmp/cert
     ...
1+0 records in
1+0 records out
1048576 bytes (1.0 MB) copied, 0.00172 s, 610 MB/s
mke2fs 1.42.3 (14-May-2012)
Bundling image file...
Splitting /tmp/image.tar.gz.enc...
Created image.part.00
Created image.part.01
...
Created image.part.NN
Generating digests for each part...
Digests generated.
Creating bundle manifest...
ec2-bundle-vol complete.
```
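A pre-flight check for the bundling step above, added here as an example and not part of the AMI tools: it confirms that the private key and certificate both sit inside the directory that will be passed with -e (so ec2-bundle-vol cannot copy them into the image) and that the account ID is in the dash-free form the command expects. The function names and the sample .pem contents used in testing are assumptions.

```shell
#!/bin/sh
# Pre-flight check before ec2-bundle-vol (added example, not part of the AMI tools).
# Verifies that the private key and certificate both live inside the directory
# that will be passed with -e, so the bundle cannot contain them, and that the
# AWS account ID is digits only with no dashes (12 to 15 characters, as the
# documentation above describes). Returns 0 when it is safe to bundle.

# path_is_under FILE DIR: 0 if FILE resolves to a path inside DIR, 1 otherwise
path_is_under() {
    file_dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    dir=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$file_dir/$(basename "$1")" in
        "$dir"/*) return 0 ;;
        *)        return 1 ;;
    esac
}

# bundle_preflight PRIVATE_KEYFILE CERTIFICATE_FILE CERT_LOCATION USER_ID
bundle_preflight() {
    key=$1; cert=$2; excl=$3; acct=$4
    [ -f "$key" ]  || { echo "missing private key: $key" >&2; return 1; }
    [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" \
        || { echo "$key does not look like a PEM private key" >&2; return 1; }
    path_is_under "$key" "$excl" \
        || { echo "$key is outside the excluded directory $excl" >&2; return 1; }
    path_is_under "$cert" "$excl" \
        || { echo "$cert is outside the excluded directory $excl" >&2; return 1; }
    case "$acct" in
        *-*) echo "account ID must be given without dashes" >&2; return 1 ;;
    esac
    printf '%s\n' "$acct" | grep -Eq '^[0-9]{12,15}$' \
        || { echo "account ID must be 12 to 15 digits" >&2; return 1; }
    # Print the command that would be run; replace echo with the real call to execute it.
    echo "ec2-bundle-vol -k $key -c $cert -u $acct -e $excl"
}
```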
You must upload the bundled AMI to Amazon S3 before Amazon EC2 can access it. This task is necessary when you create Amazon EC2 instance store-backed AMIs from an existing instance or from a loopback. Use the ec2-upload-bundle command to upload the bundled AMI that you created earlier. Amazon S3 stores data objects in buckets, which are similar to directories. All buckets must have globally unique names. The ec2-upload-bundle command uploads the bundled AMI to a specified bucket. If the specified bucket exists and belongs to another AWS account, the ec2-upload-bundle command will fail.
Important
The specified Amazon S3 bucket must exist, and it must have been created in the same region as the instance being uploaded.
Use the ec2-upload-bundle command as follows:
```shell
$ ec2-upload-bundle -b <your-s3-bucket> -m <manifest_path> -a <access_key> -s <secret_key>
```

<your-s3-bucket> is the Amazon S3 bucket that the bundle will be uploaded to. You can also upload the bundle to a subfolder of the bucket, such as my-awsbucket/uploaded-images/image-1. If the subfolder does not exist, it will be created.

<manifest_path> is the full path to the manifest file (for example, /tmp/image.manifest.xml). The manifest file will reside in the destination directory that was specified in the ec2-bundle-vol command.

<access_key> is your AWS access key ID.

<secret_key> is your AWS secret key.
The AMI manifest file and all image parts are uploaded to Amazon S3. The manifest file is encrypted with the Amazon EC2 public key before being uploaded.
You must register your image with Amazon EC2, so that Amazon EC2 can locate it and run instances based on it. This task is necessary when you create Amazon EC2 instance store-backed AMIs from an existing file or from a loopback. If you make any changes to the source image stored in Amazon S3, you must reregister the image.
Use the ec2-register command (which is part of the EC2 CLI tools, not the AMI tools) as follows:
```shell
$ ec2-register <your-s3-bucket>/<path>/image.manifest.xml -n <image_name> -O <your_access_key> -W <your_secret_key>
```
Important
The capitalization of the bucket name and path in <your-s3-bucket>/<path> must match exactly what was passed in the ec2-upload-bundle command.
This command registers the AMI in the default region. To specify a different region, set the EC2_URL environment variable, or use the --region option with the ec2-register command.
Amazon EC2 returns an AMI identifier, the value next to the IMAGE tag
(ami-2bb65342 in the example), that you can use to run instances.