Patches to support EC2 AMI building in base system

Colin Percival cperciva at
Mon Nov 24 09:43:14 UTC 2014

Hi everyone,

I have some patches to support building EC2 AMIs from the FreeBSD base
system.  I hope that these will be merged soon, but in the meantime
you can apply them to your tree.

My patches are based off gjb's release-vmimage branch, but they build
images which take advantage of the 'growfs' rc.d script in HEAD (which
hasn't been merged to gjb's branch) so you'll want to check out HEAD and
then get gjb's release bits on top of that:

svnlite co /usr/src
svnlite co \ \

Then download and apply my patches to the release-vmimage bits:

cd /usr/src/release-vmimage
patch < 0-pkg-infrastructure.patch
patch < 1-ec2-conf.patch
patch < 2-ec2-ami.patch

You'll also need my bsdec2-image-upload code:

make -C /usr/ports/net/bsdec2-image-upload install clean

Next you'll need to set up your AWS account to support importing a disk
image and creating an AMI from it:
1. Create an S3 bucket in the region you want to use (in my case, us-west-2
aka. Oregon).  I called mine "freebsd-release-staging".
2. Create a Lifecycle Rule on the bucket to Permanently Delete objects 1 day
after the object's creation date.
3. Create an IAM user named "freebsd-release-upload".
4. Attach a Policy to the IAM user granting permission for:
 * s3:DeleteObject, s3:GetObject, and s3:PutObject
   on resource arn:aws:s3:::YOURBUCKETNAME/*
 * ec2:CopyImage, ec2:CreateSnapshot, ec2:DeleteVolume,
   ec2:DescribeConversionTasks, ec2:DescribeImages, ec2:DescribeSnapshots,
   ec2:ImportVolume, ec2:ModifyImageAttribute and ec2:RegisterImage
   on resource *
5. Create AWS Access Keys for the IAM user, and create a file in the format

Finally, build world and kernel, and then the "ec2ami" target (with the
appropriate parameters based on your AWS setup above):

cd /usr/src && make buildkernel buildworld
cd /usr/src/release-vmimage && make WITH_CLOUDWARE=YES \
    AWSKEYFILE=/root/aws.key AWSREGION=us-west-2 \
    AWSBUCKET=freebsd-release-staging EC2PUBLIC=YES \

This will construct a disk image, import it into EC2, create a snapshot
from it, register an AMI from that, copy the AMI to all the (publicly
available) regions, and mark the AMIs as public.  To skip the copying
and marking of the AMIs as public, remove the "EC2PUBLIC=YES" part of
the ec2ami make command.

Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | Online backups for the truly paranoid
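Added example (not part of the original post, and not code from bsdec2-image-upload): the grants listed in step 4 written out as an IAM policy document, plus a check that reports any Allow grant in a policy that goes beyond that list, which is useful for confirming the upload user's long-lived access key stays narrowly scoped. The helper names build_policy and audit_policy are hypothetical; the bucket name is whatever you chose in step 1.

```python
import json

# Actions from step 4 of the post, grouped by the resource they are granted on.
S3_ACTIONS = ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"]
EC2_ACTIONS = [
    "ec2:CopyImage", "ec2:CreateSnapshot", "ec2:DeleteVolume",
    "ec2:DescribeConversionTasks", "ec2:DescribeImages",
    "ec2:DescribeSnapshots", "ec2:ImportVolume",
    "ec2:ModifyImageAttribute", "ec2:RegisterImage",
]

def build_policy(bucket):
    """Return the step-4 grants as an IAM policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": S3_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Effect": "Allow", "Action": EC2_ACTIONS, "Resource": "*"},
        ],
    }

def _listify(value):
    # IAM accepts either a single value or a list in these positions.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """List every Allow grant that goes beyond what step 4 describes."""
    s3_ok = {a.lower() for a in S3_ACTIONS}    # action names are case-insensitive
    ec2_ok = {a.lower() for a in EC2_ACTIONS}
    objects = f"arn:aws:s3:::{bucket}/*"
    findings = []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants an open-ended set")
            continue
        for action in _listify(stmt["Action"]):
            for resource in _listify(stmt["Resource"]):
                if action.lower() in s3_ok and resource == objects:
                    continue  # S3 object access, scoped to the staging bucket
                if action.lower() in ec2_ok:
                    continue  # EC2 actions are granted on * in the post
                findings.append(f"{action} on {resource}")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_policy("YOURBUCKETNAME"), indent=2))
```

Running the file prints the policy JSON for attaching to the IAM user; audit_policy returns an empty list when a policy grants nothing beyond step 4.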
