
Create custom Ubuntu AMIs the hard (secure) way

build-ubuntu-ami is a simple tool for making secure, custom Ubuntu images for Amazon EC2 from your local computer.

Why the hard way?

Booting and logging in to a system offers many opportunities to leak secret credentials (even if you delete them). Creating an AMI from a pristine image rather than a running root volume obviates the need to remove leaked credentials.

This program is based on Eric Hammond's blog post Creating Public AMIs Securely for EC2, and his shell script alestic-git-build-ami.

For convenience, this script does not need an AWS EC2 private key & cert for credentials. It uses the AWS Access Key ID and Secret Access Key instead.

Install

# Using rubygems
gem install build-ubuntu-ami

Basic Usage

See examples of custom build scripts.

# Create a custom AMI from my_script.sh
build-ubuntu-ami my_script.sh

# Show options
build-ubuntu-ami -h

# Example output
$ build-ubuntu-ami -k aaron-rsa -g aaron-test -b demoami custom.sh
Configuration:
  region: us-east-1
  flavor: m1.small
  brand: demoami
  size: 20
  codename: lucid
  key_name: aaron-rsa
  group: aaron-test
  arch: amd64
  canonical ami: ami-0baf7662
  kernel: aki-427d952b
  description: demoami-lucid-amd64-20120609-0938
Launching server...
Launched i-dcf145a5; ec2-23-20-92-209.compute-1.amazonaws.com; waiting for it to be available.
Attaching volume vol-597aef37
waiting for user_data to complete and server to shut down...
Follow along by running:
  ssh -l ubuntu ec2-23-20-92-209.compute-1.amazonaws.com 'tail -f /var/log/user.log'
Detaching volume
Waiting for volume to detach...
Taking snapshot demoami-lucid-amd64-20120609-0938 root volume from vol-597aef37
Creating snapshot snap-a4b6e8db
Registered imageId ami-abcdef01
Deleting vol-597aef37
Terminating i-dcf145a5

How it works

build-ubuntu-ami uses the ruby fog library to:

  1. Boot an EC2 instance from the Canonical Ubuntu AMI
  2. Download and mount a copy of the Canonical Ubuntu root volume image
  3. Run your custom script in a chrooted environment on that image
  4. Attach a new EBS volume
  5. Copy the customized boot image to the EBS volume
  6. Register an AMI using the customized EBS volume as the root volume

Since you never booted or logged in to the customized EBS volume, there is reduced risk of leaking confidential information.
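The reduced-leak argument above (and in "Why the hard way?") rests on the customized volume never having been booted or logged in to. The following Ruby script is an added example, not part of build-ubuntu-ami or Eric Hammond's script: it audits a root filesystem mounted at a given path for the residue a booted, logged-in system leaves behind (SSH host keys, authorized_keys, shell history, cloud-init instance state) and greps a few directories for obvious secrets, so it could run against the loop-mounted image right before step 5 copies it onto the EBS volume. The file list and secret patterns are assumptions about a typical Ubuntu image, not anything the project ships; the fixture tree it builds is constructed for demonstration.

```ruby
# Added example: pre-registration audit of a mounted root filesystem.
# Not part of build-ubuntu-ami; the paths and patterns below are assumptions
# about a typical Ubuntu cloud image.
require 'find'
require 'fileutils'
require 'tmpdir'

# Globs, relative to the image root, that a never-booted image should not contain.
RESIDUE_GLOBS = [
  'etc/ssh/ssh_host_*_key',        # host keys baked in would be shared by every instance
  'etc/ssh/ssh_host_*_key.pub',
  'root/.ssh/authorized_keys',     # whoever logged in during the build keeps access
  'home/*/.ssh/authorized_keys',
  'root/.bash_history',            # history often carries exported credentials
  'home/*/.bash_history',
  'root/.aws/credentials',
  'home/*/.aws/credentials',
  'var/lib/cloud/instance',        # cloud-init per-instance state, including user-data
  'var/lib/cloud/instances/*',
  'var/log/cloud-init*.log'
].freeze

# Content patterns that betray secrets inside text files.
SECRET_PATTERNS = [
  /AKIA[0-9A-Z]{16}/,                              # AWS access key id shape
  /aws_secret_access_key\s*=\s*\S+/i,
  /-----BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY-----/
].freeze

# Directories (relative to the image root) worth grepping; /usr and /var are skipped for speed.
SCAN_DIRS = %w[etc root home].freeze

# Turns an absolute path under the image root into an image-relative path like "/etc/hostname".
def rel(path, root)
  path.delete_prefix(root.chomp('/'))
end

# Returns image-relative paths of files matching RESIDUE_GLOBS.
def residue_files(root)
  root = root.chomp('/')
  RESIDUE_GLOBS.flat_map { |g| Dir.glob(File.join(root, g)) }
               .map { |p| rel(p, root) }
               .sort
end

# Returns [image_relative_path, pattern_source] pairs for files whose content matches
# a SECRET_PATTERNS entry. Symlinks and files above max_bytes are skipped.
def secret_hits(root, max_bytes: 1_000_000)
  root = root.chomp('/')
  hits = []
  SCAN_DIRS.each do |d|
    dir = File.join(root, d)
    next unless File.directory?(dir)

    Find.find(dir) do |path|
      next if File.symlink?(path) || !File.file?(path) || File.size(path) > max_bytes

      content = File.binread(path)
      SECRET_PATTERNS.each do |re|
        hits << [rel(path, root), re.source] if content.match?(re)
      end
    end
  end
  hits.uniq.sort
end

def audit_image(root)
  { residue: residue_files(root), secrets: secret_hits(root) }
end

# True only when nothing was found; the build should refuse to register the AMI otherwise.
def clean?(root)
  report = audit_image(root)
  report[:residue].empty? && report[:secrets].empty?
end

# Constructed fixture: a throw-away tree that mimics a root volume which was booted
# and logged in to (dirty: true) or left pristine (dirty: false).
def build_fixture(dirty: true)
  root = Dir.mktmpdir('ami-root')
  FileUtils.mkdir_p(File.join(root, 'etc/ssh'))
  FileUtils.mkdir_p(File.join(root, 'home/ubuntu/.ssh'))
  File.write(File.join(root, 'etc/hostname'), "demoami\n")
  if dirty
    File.write(File.join(root, 'etc/ssh/ssh_host_rsa_key'),
               "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    File.write(File.join(root, 'home/ubuntu/.ssh/authorized_keys'), "ssh-rsa AAAA constructed\n")
    File.write(File.join(root, 'home/ubuntu/.bash_history'),
               "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n")  # constructed, not a real key
  end
  root
end

if __FILE__ == $PROGRAM_NAME
  root = ARGV[0] || build_fixture                   # pass the mount point of the image root
  report = audit_image(root)
  puts "residue files: #{report[:residue].inspect}"
  puts "secret hits:   #{report[:secrets].inspect}"
  puts(clean?(root) ? 'image looks pristine' : 'REFUSE to register: leak residue found')
end
```

Run it as `ruby audit.rb /mnt/image-root` against the loop-mounted image; with no argument it audits the constructed fixture. The check is deliberately conservative: the presence of any listed file is treated as a failure rather than trying to decide whether its contents are harmless, because a pristine image built the way this README describes should contain none of them.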
