1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
#!/bin/sh
# Package which should be installed onto all EC2 AMIs:
# * ebsnvme-id, which is very minimal and provides important EBS-specific
# functionality,
export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ebsnvme-id"
# Services which should be enabled by default in rc.conf(5).
export VM_RC_LIST="dev_aws_disk ntpd"
# Build with a 7.9 GB partition; the growfs rc.d script will expand
# the partition to fill the root disk after the EC2 instance is launched.
# Note that if this is set to <N>G, we will end up with an <N+1> GB disk
# image since VMSIZE is the size of the filesystem partition, not the disk
# which it resides within.
export VMSIZE=8000m
# No swap space; it doesn't make sense to provision any as part of the disk
# image when we could be launching onto a system with anywhere between 0.5
# and 4096 GB of RAM.
export NOSWAP=YES
ec2_common() {
# Delete the pkg package and the repo database; they will likely be
# long out of date before the EC2 instance is launched. In
# unprivileged builds this is unnecessary as pkg will not be
# installed to begin with.
if [ -z "${NO_ROOT}" ]; then
mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg delete -f -y pkg
umount ${DESTDIR}/dev
rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports
rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports-kmods
fi
# Turn off IPv6 Duplicate Address Detection; the EC2 networking
# configuration makes it unnecessary.
echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf
metalog_add_data ./etc/sysctl.conf
# Tell gptboot not to wait 3 seconds for a keypress which will
# never arrive.
printf -- "-n\n" > ${DESTDIR}/boot.config
metalog_add_data ./boot.config
# Booting quickly is more important than giving users a chance to
# access the boot loader via the serial port.
echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf
echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf
# The EFI RNG on Graviton 2 is particularly slow if we ask for the
# default 2048 bytes of entropy; ask for 64 bytes instead.
echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf
# The emulated keyboard attached to EC2 instances is inaccessible to
# users, and there is no mouse attached at all; disable to keyboard
# and the keyboard controller (to which the mouse would attach, if
# one existed) in order to save time in device probing.
echo 'hint.atkbd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
echo 'hint.atkbdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
# There is no floppy drive on EC2 instances so disable the driver.
echo 'hint.fd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
echo 'hint.fdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
# There is no parallel port on EC2 instances so disable driver.
echo 'hint.ppc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
# EC2 has two consoles: An emulated serial port ("system log"),
# which has been present since 2006; and a VGA console ("instance
# screenshot") which was introduced in 2016.
echo 'boot_multicons="YES"' >> ${DESTDIR}/boot/loader.conf
# Graviton 1 through Graviton 4 have a bug in their ACPI where they
# mark the PL061's pins as needing to be configured in PullUp mode
# (in fact the PL061 has no pullup/pulldown resistors). Graviton 1
# through Graviton 3 have non-functional PCI _EJ0 and need a value
# written to the PCI power status register in order to eject a
# device. EC2 instances with PCI (not PCIe) buses need a short
# delay before rescanning upon device detach.
echo 'debug.acpi.quirks="56"' >> ${DESTDIR}/boot/loader.conf
# The default behaviour of re-routing INTx interrupts causes a
# resource leak on INTRng (aka on Graviton systems). Repeated
# hotplug/unplug on PCI (not PCIe) Graviton systems ends up with
# a kernel panic unless we disable this.
echo 'hw.pci.intx_reroute=0' >> ${DESTDIR}/boot/loader.conf
# Load the kernel module for the Amazon "Elastic Network Adapter"
echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf
# Use the "nda" driver for accessing NVMe disks rather than the
# historical "nvd" driver.
echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf
# Reduce the timeout for PCIe Eject ("hotunplug") requests. PCIe
# mandates a 5 second timeout to allow someone to cancel the eject
# by pressing the "Attention button" a second time, but in the EC2
# environment this delay serves no purpose.
echo 'hw.pci.pcie_hp_detach_timeout="0"' >> ${DESTDIR}/boot/loader.conf
metalog_add_data ./boot/loader.conf
# Disable KbdInteractiveAuthentication according to EC2 requirements.
sed -i '' -e \
's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \
${DESTDIR}/etc/ssh/sshd_config
# RSA host keys are obsolete and also very slow to generate
echo 'sshd_rsa_enable="NO"' >> ${DESTDIR}/etc/rc.conf
# Use FreeBSD Update mirrors hosted in AWS
sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \
${DESTDIR}/etc/freebsd-update.conf
# Use the NTP service provided by Amazon
sed -i '' -e 's/^pool/#pool/' \
-e '1,/^#server/s/^#server.*/server 169.254.169.123 iburst/' \
${DESTDIR}/etc/ntp.conf
# Provide a map for accessing Elastic File System mounts
cat > ${DESTDIR}/etc/autofs/special_efs <<'EOF'
#!/bin/sh
if [ $# -eq 0 ]; then
# No way to know which EFS filesystems exist and are
# accessible to this EC2 instance.
exit 0
fi
# Provide instructions on how to mount the requested filesystem.
FS=$1
REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 's/[a-z]$//'`
echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/"
EOF
chmod 755 ${DESTDIR}/etc/autofs/special_efs
metalog_add_data ./etc/autofs/special_efs 0755
return 0
}
ec2_base_networking () {
# EC2 instances use DHCP to get their network configuration. IPv6
# requires accept_rtadv.
echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf
# The EC2 DHCP server can be trusted to know whether an IP address is
# assigned to us; we don't need to ARP to check if anyone else is using
# the address before we start using it.
echo 'dhclient_arpwait="NO"' >> ${DESTDIR}/etc/rc.conf
# Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold
echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf
echo 'rtsold_enable="YES"' >> ${DESTDIR}/etc/rc.conf
echo 'rtsold_flags="-M /usr/local/libexec/rtsold-M -a"' >> ${DESTDIR}/etc/rc.conf
# Provide a script which rtsold can use to launch DHCPv6
mkdir -p ${DESTDIR}/usr/local/libexec
cat > ${DESTDIR}/usr/local/libexec/rtsold-M <<'EOF'
#!/bin/sh
/usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1
EOF
chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M
metalog_add_data ./usr/local/libexec/rtsold-M 0755
return 0
}
|
