How to create an Amazon Elastic Compute Cloud EC2 Machine Image (AMI)

February 14, 2009

(UPDATED: 05/31/2010)

This how to article will go over creating a Amazon Elastic Compute Cloud (EC2) Machine Image (AMI) from scratch. In this particular example we are creating a Centos 5.3 64bit AMI from beginning to end. For those that are interested in taking advantage of cloud computing, hopefully you find this blog article helpful. Note this blog also can be generalized for Centos 5, 5.1, 5.2 most versions of Redhat, and Fedora 64bit and 32bit.

First thing is first you are going to need to sign up for an Amazon Web Services account specifically S3 Storage and EC2 Elastic Compute Cloud here. You will need a credit card and some basic info, and will immediately get the following info:

AWS Account Number
S3 KEY "yourkeynumber"
S3 SECRET KEY "yoursecretkey"
EC2 PRIVATE KEY "pk-yourprivatekey.pem"
EC2 CERTIFICATE "cert-yourcertificate.pem"

You will need to work off of a server with the same distro you would like your image to be in my case that would be Centos 5 also note you will want to work on a server with enough disk space to create and image on.

Time to login become root and go to town:

Put your two .pem files the cert and pk in the directory ~/.ec2

[root@server]$ mkdir ~/.ec2

Create some directories to work from and put your working files in make sure its on your largest partition in my case its /opt.

[root@server]$ mkdir /opt/EC2AMIFILES
[root@server]$ mkdir /opt/EC2TOOLS
[root@server]$ mkdir /opt/EC2AMIIMAGE
[root@server]$ mkdir /opt/EC2YUM

Download and extract the Amazon AMI tools into the /opt/EC2TOOLS you should have subdirectories that look like /opt/EC2TOOLS/bin etc…

[root@server]$ cd /opt/EC2TOOLS
[root@server]$ wget http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
[root@server]$ unzip ec2-ami-tools.zip
[root@server]$ cd ec2-ami-tools-1.3-31780
[root@server]$ mv * ../
[root@server]$ cd ../
[root@server]$ rmdir ec2-ami-tools-1.3-31780/

Setup your .bashrc file to have proper pathing to EC2 resources

[root@server]$ vi ~/.bashrc
 
export PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/opt/EC2TOOLS/bin
export EC2_HOME=/opt/EC2TOOLS
export EC2_PRIVATE_KEY=~/.ec2/pk-yourprivatekey.pem
export EC2_CERT=~/.ec2/cert-yourcert.pem

Enable your .bashrc settings

[root@server]$ source ~/.bashrc

Create an empty file that is about 10GB where the OS files will be worked.

[root@server]$ dd if=/dev/zero of=/opt/EC2AMIIMAGE/ami-centos5.3-64bit-base.img bs=1M count=10240

Create an ext3 filesystem inside the image file.

[root@server]$ /sbin/mke2fs -F -j /opt/EC2AMIIMAGE/ami-centos5.3-64bit-base.img

Mount the image file using the loop-back option, allowing you to treat the image file as if it was a standard disk drive.

[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base
 
[root@server]$ mount -o loop /opt/EC2AMIIMAGE/ami-centos5.3-64bit-base.img /mnt/ami-centos5.3-64bit-base

Prepare the empty image filesystem with paths for system devices and configuration files.

[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/proc
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/etc
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/dev
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/var
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/var/cache
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/var/log
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/var/lock
 
[root@server]$ mkdir /mnt/ami-centos5.3-64bit-base/var/lock/rpm
 
[root@server]$ /sbin/MAKEDEV -d /mnt/ami-centos5.3-64bit-base/dev -x console
 
[root@server]$ /sbin/MAKEDEV -d /mnt/ami-centos5.3-64bit-base/dev -x null
 
[root@server]$ /sbin/MAKEDEV -d /mnt/ami-centos5.3-64bit-base/dev -x zero

Create the file fstab to store the filesystem configuration.

[root@server]$ vi /mnt/ami-centos5.3-64bit-base/etc/fstab
 
If you are using 64BIT use these fstab entries below
 
/dev/sda1       /      ext3   defaults  1  1
/dev/sdb        /mnt   ext3   defaults  0  0
none            /proc  proc   defaults  0  0
none            /sys   sysfs  defaults  0  0
 
If you are using 32BIT use these fstab entries below
 
/dev/sda1	/		ext3		defaults	1	1
none		/dev/pts	devpts	        gid=5,mode=620	0	0
none		/dev/shm	tmpfs	        defaults	0	0
none		/proc		proc		defaults	0	0
none		/sys		sysfs		defaults	0	0
/dev/sda2	/mnt		ext3		defaults	0	0
/dev/sda3	swap		swap		defaults	0	0

Mount the image’s proc device in advance to avoid problems with using yum.

[root@server]$ mount -t proc none /mnt/ami-centos5.3-64bit-base/proc

Create a YUM config file, note please adjust version and architecture according to which version you are using.
For Centos 5.3 64bit use the following:

[root@server]$ vi /opt/EC2YUM/yum-ami.conf
 
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800
 
[base]
name=CentOS-5 - Base
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=os
#baseurl=http://mirror.centos.org/centos/5/os/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#released updates 
[updates]
name=CentOS-5 - Updates
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=updates
#baseurl=http://mirror.centos.org/centos/5/updates/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#packages used/produced in the build but not released
[addons]
name=CentOS-5 - Addons
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=addons
#baseurl=http://mirror.centos.org/centos/5/addons/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#additional packages that may be useful
[extras]
name=CentOS-5 - Extras
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=extras
#baseurl=http://mirror.centos.org/centos/5/extras/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-5 - Plus
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=centosplus
#baseurl=http://mirror.centos.org/centos/5/centosplus/x86_64/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#contrib - packages by Centos Users
[contrib]
name=CentOS-5 - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=x86_64&repo=contrib
#baseurl=http://mirror.centos.org/centos/5/contrib/x86_64/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

If you are creating a 32bit Centos 5 create the following YUM config file instead:

[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800
 
[base]
name=CentOS-5 - Base
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=os
#baseurl=http://mirror.centos.org/centos/5/os/i386/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#released updates 
[updates]
name=CentOS-5 - Updates
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=updates
#baseurl=http://mirror.centos.org/centos/5/updates/i386/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#packages used/produced in the build but not released
[addons]
name=CentOS-5 - Addons
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=addons
#baseurl=http://mirror.centos.org/centos/5/addons/i386/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#additional packages that may be useful
[extras]
name=CentOS-5 - Extras
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=extras
#baseurl=http://mirror.centos.org/centos/5/extras/i386/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-5 - Plus
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=centosplus
#baseurl=http://mirror.centos.org/centos/5/centosplus/i386/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
 
#contrib - packages by Centos Users
[contrib]
name=CentOS-5 - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=contrib
#baseurl=http://mirror.centos.org/centos/5/contrib/i386/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Perform the operating system installation via yum, installing base OS.

[root@server opt]$ cd /opt/EC2YUM
 
[root@server EC2YUM]$ yum -c yum-ami.conf --installroot=/mnt/ami-centos5.3-64bit-base -y groupinstall Base
 
[root@server EC2YUM]$ cp yum-ami.conf /mnt/ami-centos5.3-64bit-base/etc/yum.conf

Install openssh dependencies to allow you to connect via SSH

[root@server EC2YUM]$ yum -c /opt/EC2YUM/yum-ami.conf --installroot=/mnt/ami-centos5.3-64bit-base install *openssh*
[root@server EC2YUM]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/chkconfig sshd --add
[root@server EC2YUM]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/chkconfig --level 12345 sshd on

Install precompiled modules supplied by Amazon, since the kernel modules installed by yum are not appropriate for the EC2 environment.

[root@server]$ wget http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules-261633-xenu.tgz
[root@server]$ gunzip -c kernel-modules261633-xenu.tgz | tar -xvf -
[root@server]$ mv 2.6.16.33-xenU /mnt/ami-centos5.3-64bit-base/lib/modules
[root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/depmod -ae 2.6.16.33-xenU

If you are installing 32bit use the following download instead

[root@server]$ wget http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules2616-xenu.tgz
[root@server]$ gunzip -c kernel-modules2616-xenu.tgz | tar -xvf -
[root@server]$ cd lib/modules
[root@server]$ mv 2.6.16-xenU /mnt/ami-centos5.3-32bit-base/lib/modules
[root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-32bit-base /sbin/depmod -ae 2.6.16-xenU

Delete Kudzu from startup since for some reason it messes up your network settings on first startup of the image.

[root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/chkconfig --del kudzu

Configure SSH to allow Root login only via key.

[root@server]$ vi /mnt/ami-centos5.3-64bit-base/etc/ssh/sshd_config
 
UseDNS no
PermitRootLogin without-password

Configure the images network settings

[root@server]$ cd /mnt/ami-centos5.3-64bit-base/etc/sysconfig/
 
[root@server sysconfig]$ vi network
 
NETWORKING=yes
HOSTNAME=localhost.localdomain
 
[root@server sysconfig]$ vi /mnt/ami-centos5.3-64bit-base/etc/sysconfig/network-scripts/ifcfg-eth0
 
ONBOOT=yes
DEVICE=eth0
BOOTPROTO=dhcp

This script grabs the public key credentials for your root login.

[root@server]$ vi /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh
 
#!/bin/bash
# chkconfig: 2345 95 20
# description: getssh
# processname: getssh
#
export PATH=:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
# Source function library.
. /etc/rc.d/init.d/functions
 
# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
 
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 1
 
start() {
  if [ ! -d /root/.ssh ] ; then
          mkdir -p /root/.ssh
          chmod 700 /root/.ssh
  fi
  # Fetch public key using HTTP
/usr/bin/curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > /tmp/my-key
  if [ $? -eq 0 ] ; then
          cat /tmp/my-key >> /root/.ssh/authorized_keys
          chmod 600 /root/.ssh/authorized_keys
          rm /tmp/my-key
  fi
  # or fetch public key using the file in the ephemeral store:
  if [ -e /mnt/openssh_id.pub ] ; then
          cat /mnt/openssh_id.pub >> /root/.ssh/authorized_keys
          chmod 600 /root/.ssh/authorized_keys
  fi
}
 
stop() {
  echo "Nothing to do here"
}
 
restart() {
  stop
  start
}
 
# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop}"
    exit 1
esac
 
exit $?
###END OF SCRIPT

Give the getssh proper permissions

#Fixed typo 07/09
[root@server]$ /bin/chmod +x /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh

Configure your init script to be launched in run level 3 and 4

[root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/chkconfig --level 34 getssh on

Yum install Ruby and CURL to the image

[root@server EC2YUM]$ cd /opt/EC2YUM/
 
[root@server EC2YUM]$ yum -c yum-ami.conf --installroot=/mnt/ami-centos5.3-64bit-base install ruby
 
[root@server EC2YUM]$ yum -c yum-ami.conf --installroot=/mnt/ami-centos5.3-64bit-base install curl

Install Java to the image, get Java file for your distro jre-6u12-linux-x64.bin and put it in the /mnt/ami-centos5.3-64bit-base

[root@server]$ cd /mnt/ami-centos5.3-64bit-base/
 
[root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base ./jre-6u12-linux-x64.bin

Here is the part where you can install other software you wish or remove it simply by using the chroot command

[root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base (put your commands here to do installs for the image)

Clean up after yourself lowering image size

[root@server ami-centos5.3-64bit-base]$ cd /opt/EC2YUM/
 
[root@server EC2YUM]$ yum -c yum-ami.conf --installroot=/mnt/ami-centos5.3-64bit-base clean all
 
[root@server EC2YUM]$ sync
[root@server EC2YUM]$ umount /mnt/ami-centos5.3-64bit-base/proc
[root@server EC2YUM]$ umount /mnt/ami-centos5.3-64bit-base

Bundle your image

[root@server]$ cd /opt/EC2TOOLS/bin/
 
[root@server bin]$ ./ec2-bundle-image --image /opt/EC2AMIIMAGE/ami-centos5.3-64bit-base.img --prefix ami-centos5.3-64bit-base --cert ~/.ec2/cert-yourcert.pem --privatekey ~/.ec2/pk-yourprivatekey.pem --user youramazonaccountnumber --destination /opt/EC2AMIFILES --arch x86_64

The next step is to ensure you have a target bucket for your EC2 instance with the correct ACL’s you may want to use the FireFox plugin S3 Fox to do this but their are great libraries out their for your desired language. I created a bucket called phils-amis

Give the ACL permission to the bucket you create for your AMI:
6aa5a366c34c1cbe25dc49211496e913e0351eb0e8c37aa3477e40942ec6b97c

Next you will upload your files to the bucket you just designated in my case phils-amis

[root@server]$ cd /opt/EC2TOOLS/bin/
 
[root@server bin]$ ./ec2-upload-bundle --manifest /opt/EC2AMIFILES/ami-centos5.3-64bit-base.manifest.xml --bucket phils-amis --access-key accesskeyhere --secret-key secretkeyhere --location (US, UK, us-west-1, ap-southeast-1)
 
[root@server bin]$ history -c

Now you are just about done all you need to do is register your AMI. I did this part from my Macbook Pro since I had my Amazon Web Services Tools there. You can get these from Amazon keep in mind these tools are different then the AMI tools you have been using. I put mine in /Users/phil/EC2 also I created a .ec2 directory with my cerificate and private key at /Users/phil/.ec2 Also know that you can use the AWS console from their site to register AMI’s add security groups and launch them as well.

My .bashrc file looks like this on my laptop

# .bashrc
 
# User specific aliases and functions
 
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
 
# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
 
export PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/Users/phil/EC2/bin
export EC2_HOME=/Users/phil/EC2
 
export EC2_PRIVATE_KEY=~/.ec2/pk-yourprivatekey.pem
export EC2_CERT=~/.ec2/cert-yourcertificate.pem
 
export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Home/

You now can register our new AMI and get your AMI code

[phil@desktop]$ cd /Users/phil/EC2/bin
[phil@desktop]$ ./ec2-register phils-amis/ami-centos5.3-64bit-base.manifest.xml
IMAGE	ami-youramicode

You will want to create a keypair to launch your AMI

[phil@desktop]$ ./ec2-add-keypair phils-keypair-raw
 
KEYPAIR phil-keypair  1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQBuLFg5ujHrtm1jnutSuoO8Xe56LlT+HM8v/xkaa39EstM3/aFxTHgElQiJLChp
HungXQ29VTc8rc1bW0lkdi23OH5eqkMHGhvEwqa0HWASUMll4o3o/IX+0f2UcPoKCOVUR+jx71Sg
5AU52EQfanIn3ZQ8lFW7Edp5a3q4DhjGlUKToHVbicL5E+g45zfB95wIyywWZfeW/UUF3LpGZyq/
ebIUlq1qTbHkLbCC2r7RTn8vpQWp47BGVYGtGSBMpTRP5hnbzzuqj3itkiLHjU39S2sJCJ0TrJx5
i8BygR4s3mHKBj8l+ePQxG1kGbF6R4yg6sECmXn17MRQVXODNHZbAgMBAAECggEAY1tsiUsIwDl5
91CXirkYGuVfLyLflXenxfI50mDFms/mumTqloHO7tr0oriHDR5K7wMcY/YY5YkcXNo7mvUVD1pM
ZNUJs7rw9gZRTrf7LylaJ58kOcyajw8TsC4e4LPbFaHwS1d6K8rXh64o6WgW4SrsB6ICmr1kGQI7
3wcfgt5ecIu4TZf0OE9IHjn+2eRlsrjBdeORi7KiUNC/pAG23I6MdDOFEQRcCSigCj+4/mciFUSA
SWS4dMbrpb9FNSIcf9dcLxVM7/6KxgJNfZc9XWzUw77Jg8x92Zd0fVhHOux5IZC+UvSKWB4dyfcI
tE8C3p9bbU9VGyY5vLCAiIb4qQKBgQDLiO24GXrIkswF32YtBBMuVgLGCwU9h9HlO9mKAc2m8Cm1
jUE5IpzRjTedc9I2qiIMUTwtgnw42auSCzbUeYMURPtDqyQ7p6AjMujp9EPemcSVOK9vXYL0Ptco
xW9MC0dtV6iPkCN7gOqiZXPRKaFbWADp16p8UAIvS/a5XXk5jwKBgQCKkpHi2EISh1uRkhxljyWC
iDCiK6JBRsMvpLbc0v5dKwP5alo1fmdR5PJaV2qvZSj5CYNpMAy1/EDNTY5OSIJU+0KFmQbyhsbm
rdLNLDL4+TcnT7c62/aH01ohYaf/VCbRhtLlBfqGoQc7+sAc8vmKkesnF7CqCEKDyF/dhrxYdQKB
gC0iZzzNAapayz1+JcVTwwEid6j9JqNXbBc+Z2YwMi+T0Fv/P/hwkX/ypeOXnIUcw0Ih/YtGBVAC
-----END RSA PRIVATE KEY-----

Now create the key basically cut and paste —–BEGIN RSA PRIVATE KEY—– to —–END RSA PRIVATE KEY—– including the two lines into a your keypair file.

[phil@desktop]$ vi phil-key-pair
 
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQBuLFg5ujHrtm1jnutSuoO8Xe56LlT+HM8v/xkaa39EstM3/aFxTHgElQiJLChp
HungXQ29VTc8rc1bW0lkdi23OH5eqkMHGhvEwqa0HWASUMll4o3o/IX+0f2UcPoKCOVUR+jx71Sg
5AU52EQfanIn3ZQ8lFW7Edp5a3q4DhjGlUKToHVbicL5E+g45zfB95wIyywWZfeW/UUF3LpGZyq/
ebIUlq1qTbHkLbCC2r7RTn8vpQWp47BGVYGtGSBMpTRP5hnbzzuqj3itkiLHjU39S2sJCJ0TrJx5
i8BygR4s3mHKBj8l+ePQxG1kGbF6R4yg6sECmXn17MRQVXODNHZbAgMBAAECggEAY1tsiUsIwDl5
91CXirkYGuVfLyLflXenxfI50mDFms/mumTqloHO7tr0oriHDR5K7wMcY/YY5YkcXNo7mvUVD1pM
ZNUJs7rw9gZRTrf7LylaJ58kOcyajw8TsC4e4LPbFaHwS1d6K8rXh64o6WgW4SrsB6ICmr1kGQI7
3wcfgt5ecIu4TZf0OE9IHjn+2eRlsrjBdeORi7KiUNC/pAG23I6MdDOFEQRcCSigCj+4/mciFUSA
SWS4dMbrpb9FNSIcf9dcLxVM7/6KxgJNfZc9XWzUw77Jg8x92Zd0fVhHOux5IZC+UvSKWB4dyfcI
tE8C3p9bbU9VGyY5vLCAiIb4qQKBgQDLiO24GXrIkswF32YtBBMuVgLGCwU9h9HlO9mKAc2m8Cm1
jUE5IpzRjTedc9I2qiIMUTwtgnw42auSCzbUeYMURPtDqyQ7p6AjMujp9EPemcSVOK9vXYL0Ptco
xW9MC0dtV6iPkCN7gOqiZXPRKaFbWADp16p8UAIvS/a5XXk5jwKBgQCKkpHi2EISh1uRkhxljyWC
iDCiK6JBRsMvpLbc0v5dKwP5alo1fmdR5PJaV2qvZSj5CYNpMAy1/EDNTY5OSIJU+0KFmQbyhsbm
rdLNLDL4+TcnT7c62/aH01ohYaf/VCbRhtLlBfqGoQc7+sAc8vmKkesnF7CqCEKDyF/dhrxYdQKB
gC0iZzzNAapayz1+JcVTwwEid6j9JqNXbBc+Z2YwMi+T0Fv/P/hwkX/ypeOXnIUcw0Ih/YtGBVAC
-----END RSA PRIVATE KEY-----

Time to start your AMI! Note that if you have a 64bit AMI it needs to be started as a large instance.

[phil@desktop]$ /Users/phil/EC2/bin/ec2-run-instances ami-youramiid --instance-type m1.large -k phil-key-pair --region (US, UK, us-west-1, ap-southeast-1)

Time to check the status

[phil@desktop]$ /Users/phil/EC2/bin/ec2-describe-instances
 
RESERVATION	r-0dc52965	027409037432	default
INSTANCE	i-yourinstance	ami-youramiid			pending	phil-key-pair	0		m1.large	2009-02-13T23:51:11+0000	us-east-1c

When it running it will look like this

[phil@desktop]$ /Users/phil/EC2/bin/ec2-describe-instances
 
RESERVATION	r-0dc57965	024439027432	default
INSTANCE	i-yourinstance	ami-youramiid	ec2-176-122-149-109.compute-1.amazonaws.com	domU-12-31-39-00-12-C1.compute-1.internal	running	phil-key-pair	0		m1.large	2009-02-13T23:51:11+0000	us-east-1c

Open the AWS Firewall ingress port 22

[phil@desktop]$ /Users/phil/EC2/bin/ec2-authorize default -p 22

Now you can ssh using your keypair as root!

[phil@desktop]$ ssh -i phil-key-pair root@ec2-176-122-149-109.compute-1.amazonaws.com
 
The authenticity of host 'ec2-176-122-149-109.compute-1.amazonaws.com (174.129.149.109)' can't be established.
RSA key fingerprint is cb:77:33:4f:a0:62:c0:a6:c8:40:99:09:25:4f:5d:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-174-129-149-109.compute-1.amazonaws.com,174.129.149.109' (RSA) to the list of known hosts.
 
[root@domU-11-33-39-00-12-C1 ~]$

To terminate the instance you can do the following use the describe instance command to find the i-id then do the below

[phil@desktop]$ /Users/phil/EC2/bin/ec2-terminate-instances i-yourinstance
INSTANCE	i-yourinstance	running	shutting-down

If you ever need to stop deregister and delete your AMI you can do the following

[phil@desktop]$ /Users/phil/EC2/bin/ec2-deregister ami-youramiid
 
[root@server bin]$ /Users/phil/EC2/bin/ec2-delete-bundle -b phils-amis -a yourkey -s yoursecretkey -m /opt/EC2/ami-centos5.3-64bit-base.manifest.xml
 
[phil@desktop]$ :>~/.bash_history

If you need to modify your image do the above two steps of deregistering and deleting your bundle in S3 as well as delete the files in /opt/EC2AMIFILES then you can remount the image to make your changes using the same commands you did before

 
[root@server]$ mount -o loop /opt/EC2AMIIMAGE/ami-centos5.3-64bit-base.img /mnt/ami-centos5.3-64bit-base
 
[root@server]$ mount -t proc none /mnt/ami-centos5.3-64bit-base/proc

After you remount the image you can modify your software and then re-bundle, re-upload, re-register your ami.

For help setting up your environment or things I may have left out please refer to the documentation at Amazon or write me a comment.

One last note make sure you turn your EC2 Instances off if your not using them they do cost money $ 😛

Happy AMI building!

Also a great resource for free Realtime AWS uptime data is Systems Watch

Comments for “How to create an Amazon Elastic Compute Cloud EC2 Machine Image (AMI)”

  1. Brian commented on March 9, 2009

    This is a good instruction thanks

  2. Glad you found it useful.

  3. Sandeep Dubey commented on March 17, 2009

    Awsome, I tried to followed the Amazones doc to create AMI from scratch but no luck. So i created my AMI by using public AMI but this tutor is realy very useful for me.
    Thanks

  4. Vince Allen commented on April 29, 2009

    Mr. Chen….. YOU ROCK!

  5. Thanks Vince glad you like 😛

  6. John Smith commented on May 19, 2009

    http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules2616-xenu.tgz

    This link seems to be broken, any chance you’d re-host it?

    I’ve tried recompiling the correct kernel modules (patched) with what’s listed on the ec2 repository, but there are a lot of conflicts. If you’ve already done this using CentOS 5.3, I’d love to give those files a whirl as I’m banging my head up against the wall at the moment.

  7. Phil Chen commented on May 19, 2009

    Hello John,

    Sorry about that I just updated those and typo’d it, the below two links should work now:

    64bit http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules-261633-xenu.tgz
    32bit http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules2616-xenu.tgz

    Both have worked for me using CentOS 5.3 32bit and 64bit

  8. Barrow commented on June 3, 2009

    Hi Phil,
    This is a very good post. By the way, did you compile the kernel modules yourself? In your blogs, you said “Install precompiled modules supplied by Amazon”, but I can’t find anywhere we can download that from Amazon. Can you post the link where you download that from Amazon? if you compile the kernel module, do you mind share the info? ( I got lot of conflict like other people said when I compile the kernel and modules. ) thanks in advance!

  9. Phil Chen commented on June 3, 2009

    Hello Barrow,

    I didn’t compile the modules I used Amazons for compatability reasons with Xen, but I did download them from them and provide them from the below urls:

    64bit http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules-261633-xenu.tgz
    32bit http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules2616-xenu.tgz

    Let me know if I am missing your point, this is included in the post.

    See below for the instructions after you retrieve them also in my post:

    64bit:
    [root@server]$ wget http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules-261633-xenu.tgz
    [root@server]$ gunzip -c kernel-modules261633-xenu.tgz | tar -xvf –
    [root@server]$ mv 2.6.16.33-xenU /lib/modules
    [root@server]$ depmod -ae 2.6.16.33-xenU

    32bit:
    [root@server]$ wget http://3.84.23.23/wp-content/uploads/2009/05/kernel-modules2616-xenu.tgz
    [root@server]$ gunzip -c kernel-modules2616-xenu.tgz | tar -xvf –
    [root@server]$ cd lib/modules
    [root@server]$ mv 2.6.16-xenU /lib/modules
    [root@server]$ depmod -ae 2.6.16-xenU

  10. Barrow commented on June 4, 2009

    Thanks Phil, I got the files from the link you provided ( http://www.philchen.com.. ) but I was wondering where you got this file from Amazon ( ie the URL where you download this file ). This is just in case your site is not available :).

    another question:
    should this

    [root@server]$ mv 2.6.16.33-xenU /lib/modules

    be

    [root@server]$ mv 2.6.16.33-xenU /mnt/ami-centos5.3-64bit-base/lib/modules

  11. Barrow commented on June 4, 2009

    I also found lot of warning “group xxxxxx does not exist use root” how can we fix that?

  12. Phil Chen commented on June 5, 2009

    Hello Barrow,

    I updated the blog entry with the correct path for /lib/modules in this example which is /mnt/ami-centos5.2-64bit-base/lib/modules and also added the chroot for depmod.

    As for where I got the modules from it looks like Amazon doesn’t have them anymore linked publicly so I guess your safer with me providing them 😉
    You could look at the following article: http://developer.amazonwebservices.com/connect/thread.jspa?messageID=96651&#96651 however to make your own.

    Regarding your warnings you have been receiving.
    Sounds like your using rpms and not yum? I can’t really tell you why your getting those errors with the above info?

    Phil

  13. Ashwin commented on June 30, 2009

    Hi Phil,

    We have a web application running at Client place, for which we are planning to use AmazonEC2.
    For creating AMI for that, do I need to create it on the Server machine on which the app is running or can I use any machine at my disposal?

  14. Hi Ashwin,

    The method I have outlined requires you to create your AMI on the architecture and OS in question. For this particular article it was CentOS 5.3 on a 64bit and 32bit architecture. The method I use is to build a base AMI using this blog post then launch it, ssh in adding your unique application and take snapshots as needed, which essentially creates separate AMI’s for different application servers off the base one. I have another blog post on snapshots.

  15. srinivas antarvedi commented on July 14, 2009

    Hello Phil,

    One of my software during the ./configure,make,make install process needs compatible
    kernel-devel package for the kernel that is running ..

    if i do the yum install kernel it will give me the present kernel and kernel-devel packages but
    to make it as present kernel, the only way i know is edit /boot/grub/grub.conf to the new kernel

    so how should i handle incase of ec2 architecutre to deploy my application ..

    please reply to me

  16. Ross commented on July 20, 2009

    Thanks for creating this great How-To Phil!! I’m able to get the AMI instance stored into S3 & running under EC2. However, when I try to SSH to my instance, I get the following (where is the public IP of the amazon instance):

    ssh -i ross-key-pair root@ec2-.compute-1.amazonaws.com
    The authenticity of host ‘ec2-.compute-1.amazonaws.com ()’ can’t be established.
    RSA key fingerprint is 74:db:……
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘ec2-.compute-1.amazonaws.com,’ (RSA) to the list of known hosts.
    Connection closed by

    I’m not able to ssh to my instance as it always gives the “Connection closed by ” message. I have already opened up the ACL (firewall) for port TCP:22 & nmap shows it is open. Have you encountered anything similar to this? Any ideas? Thanks

  17. Ross commented on July 20, 2009

    I apologize for the double posting, the FORM stripped out my "<IP>" tags ….. I’ve changed it to [IP].

    Thanks for creating this great How-To Phil!! I’m able to get the AMI instance stored into S3 & running under EC2. However, when I try to SSH to my instance, I get the following (where [IP] is the public IP of the amazon instance):

    ssh -i ross-key-pair root@ec2-[IP].compute-1.amazonaws.com
    The authenticity of host ‘ec2-[IP].compute-1.amazonaws.com ([IP])’ can’t be established.
    RSA key fingerprint is 74:db:……
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘ec2-[IP].compute-1.amazonaws.com,’ (RSA) to the list of known hosts.
    Connection closed by [IP]

    I’m not able to ssh to my instance as it always gives the “Connection closed by ” message. I have already opened up the ACL (firewall) for port TCP:22 & nmap shows it is open. Have you encountered anything similar to this? Any ideas? Thanks

  18. Srinivas, sounds like your answering your own question, unless I am missing the point. I have two articles one is to create a default AMI using a plain YUM install process for 5.3 CentOS, and one is to snapshot a existing instance into a new modified AMI. You could create a default AMI then make your kernel modifications and snapshot them which might be easier. Again I am a bit unclear on your question.

  19. Hi Ross,

    Glad the ariticle is helping you. Is it possible for you to post the ssh -v output for verbose ssh debugging purposes.

    Also did you make sure to have the below in your sshd_config file in your AMI

    UseDNS no
    PermitRootLogin without-password

    Also double check your:

    /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh

    script and make sure the syntax is correct like the post, also make sure you:

    [root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /bin/chmod +x /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh

    ^^
    (Looks like my post had a typo and didn’t include the /usr/bin/chroot /mnt/ami-centos5.3-64bit-base before the command) I fixed the post. This could have made it so you couldn’t chkconfig getssh on for run level 3 and 4)

    [root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/chkconfig –level 34 getssh on

    Let me know if that helps after the above commands I would make sure you check to see that getssh is turned on for runlevel 3 and 4 by doing:

    [root@server]$ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /sbin/chkconfig –list

    sorry for the typo its hard remembering to chroot your build, when working on a existing machine sometimes.

  20. Ross commented on July 22, 2009

    Thanks for the response Phil.

    1. I’ve doubled checked my “/etc/ssh/sshd_config” in the mounted image & it contains the proper directives you mentioned.

    UseDNS no
    PermitRootLogin without-password

    2. Double checked “getssh” & it was properly set to startup in run-levels 3&4 and was executable. I even went as far as to put debug code in the script, which then prints out the RSA public cert during boot. I then copy-n-pasted the same key to another Linux server I have locally & was able to access the other server using SSH keys. So I even know that the keys are correct.

    3. The output of the SSH connection is as follows using the “-vvv” option:

    # ssh -vvv -i mytest-keypair.pem root@ec2-[IPaddr].compute-1.amazonaws.com

    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to ec2-[IPaddr].compute-1.amazonaws.com [IPaddr] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug3: Not a RSA1 key file mytest-keypair.pem.
    debug2: key_type_from_name: unknown key type ‘—–BEGIN’
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type ‘—–END’
    debug3: key_read: missing keytype
    debug1: identity file mytest-keypair.pem type -1
    debug1: loaded 1 keys
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
    debug1: match: OpenSSH_4.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.3
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 122/256
    debug2: bits set: 531/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 8
    debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 8
    debug1: Host ‘ec2-[IPaddr].compute-1.amazonaws.com’ is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:8
    debug2: bits set: 500/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: mytest-keypair.pem ((nil))
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug3: start over, passed a different list publickey,gssapi-with-mic,password
    debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
    debug3: authmethod_lookup gssapi-with-mic
    debug3: remaining preferred: publickey,keyboard-interactive,password
    debug3: authmethod_is_enabled gssapi-with-mic
    debug1: Next authentication method: gssapi-with-mic
    debug3: Trying to reverse map address [IPaddr].
    debug1: Unspecified GSS failure. Minor code may provide more information
    No credentials cache found

    debug1: Unspecified GSS failure. Minor code may provide more information
    No credentials cache found

    debug1: Unspecified GSS failure. Minor code may provide more information
    No credentials cache found

    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: mytest-keypair.pem
    debug1: read PEM private key done: type RSA
    debug3: sign_and_send_pubkey
    debug2: we sent a publickey packet, wait for reply
    debug1: Connection closed by [IPaddr]

    4. Based on the output above, I tried enabling iptables with rules opening up TCP:22 to everyone, but that did not work either (same SSH error log) …. thinking that the firewall was somehow disconnecting me.

    5. I was able to get an EC2 instance running CentOS 5.3 32-bit, which was based on a 3rd Party (Community) AMI image. This proved that my security settings were working for my “Default” Security Group & validated the public cert/private key I generated using Amazon tools.

    6. My version of CentOS is Release 5.3 (Final) with kernel 2.6.16-xenU (i386).

    Not sure where to go from here?

  21. Dhruv Parpia commented on August 2, 2009

    Hi Phil,

    Thanks for the great article, I have able to create and launch a Cent OS 5.3 64 bit instace just fine, but when I try to log into the instance via ssh I get a “Server refused our key” error. I have been looking around but can’t find any real help for this. I was wondering if you ever faced the error while creating your instance.

    Thanks,

    Dhruv

  22. Alfie Li commented on August 3, 2009

    very good tutorial many thanks

    but i am bit confused in the step:
    this script grabs the public key credentials

    http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

    how do i change this line for myself? or it is the same for everyone….. i could not find any further information about openssh-key how do i generate this key for myself?

    many thanks

  23. Excellent guide Phil; one thing to note when I ran through this (on Fedora 11) was that at the point which I ran the yum base install I got a lot of yum errors. I got round them by temporarily renaming /etc/yum.repos.d on the host machine in order to stop yum from trying to pick up extra repos.

  24. satish commented on August 18, 2009

    I have the same problem as Ross. ssh -v indicates the public-key packet
    has been sent and then I get the connection closed message…

    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: very-first-key.pem
    debug1: read PEM private key done: type RSA
    debug3: sign_and_send_pubkey
    debug2: we sent a publickey packet, wait for reply
    Connection closed by 174.129.104.149

    getssh appears ok..chkconfig is ok, and permissions are ok.

    (One thing I notice in the output thing on the AWS console is a missing
    /etc/resolv.conf). Could that be a problem?

  25. zach commented on August 24, 2009

    Hi Phil,

    Great stuff you have posted here. I’m trying to execute the steps but got stuck at ‘yum -c yum-ami.conf –installroot=/mnt/ami-centos5.3-64bit-base -y groupinstall Base’ command. It seems that the link to atrpms is broken. It trying to look into http://dl.atprms.net/el$releasever-x86_64/… . The $releasever value is not seem to be right. It should be 5 or 5.3. How can I proceed? Btw, I have copied the exact yum configuration.

    Thanks.

  26. zach commented on August 24, 2009

    Hi again,

    I have sorted out the issue. I have changed the entry in /etc/yum.repos.d/atrpms.repo to reflect the exact url. If you have other options do let me know. Thanks.

  27. ajaya commented on August 27, 2009

    I am trying to create the CentOS 4.7 64bit image using this instruction. I have updated the yum.conf file to point to 64 bit URLs. However, I get dependency errors like
    Error: Missing Dependency: /usr/bin/md5sum is needed by package redhat-lsb-3.0-8.EL.i386 (base)
    I wonder why it is trying to install redhat-lsb-3.0-8.EL.i386 and not redhat-lsb-3.0-8.EL.x86_64 version.

    Any idea?

  28. blogananda commented on August 27, 2009

    Iam running into exactly the same problem that “Ross” had mentioned 🙁

    and also, I have a comment on this command :

    $ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /bin/chmod +x /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh

    shouldn’t this be :

    $ /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /bin/chmod +x /etc/init.d/getssh

    “/mnt/ami-centos5.3-64bit-base” in front of “/etc/init.d/getssh” will throw a “no such file or directory” right ?

  29. Manjeet commented on August 29, 2009

    Hi Phil,

    I am stuck at the chroot command, it says ‘/bin/bash’ file or directory does not exist

    /usr/sbin/chroot /tmp/ami-linux

    Please help

    Regards,
    Manjeet

  30. Hello,

    I tried the above method, but i am stuck at the yum OS install. It is showing lots of missing dependency while installing the OS. Do you have a solution for this?

    Thanks

  31. Jamie Jamison commented on September 8, 2009

    Phil, thanks for writing this article and posting it. Your getssh script helped me fix the problem I was having with building my AMI and this is much better documentation than Amazon has on their site.

  32. This is really a very good doc. I found it very useful as i am beginner on amazon.
    Thanks a lot dude.

    Sandeep

  33. Endrigo Rivas commented on September 19, 2009

    Hello Phil

    Great job!. This article was very helpful for me. Thanks.

    I found the modules for 32 bits in Amazon:

    http://ec2-downloads.s3.amazonaws.com/linux-2.6.16-ec2.tgz

    Regards,

    Endrigo Rivas.

  34. Endrigo Rivas commented on September 19, 2009

    Sorry, the link is

    http://ec2-downloads.s3.amazonaws.com/modules-2.6.16-ec2.tgz

    Endrigo Rivas.

  35. Max commented on December 19, 2009

    Thank you for the instructions this helped me alot but i am stuck at the instructions which says
    yum -c yum-ami.conf –installroot=/mnt/ami-centos5.3-64bit-base -y groupinstall Base

    and I get the error.

    Repository updates is listed more than once in the configuration

    I am trying to create the ami on one of the fedora 8 32bit instance. and using the centos 64 bit repo you mentioned, could I know if anyone knows how to resolve this.

  36. Max commented on December 19, 2009

    I disabled the repos in my yum.repo.d directory and now I get an error which says.
    Error: Cannot find a valid baseurl for repo: fedora

  37. Max glad its of help. Make sure you have the correct 32bit Yum config file I have outlined in the article. Sounds like your mixing the 32bit and 64bit. Hope it works out for you.

  38. Aravind commented on March 2, 2010

    Hi Phil,

    Firstly, thanks for the wonderful step-by-step document. It worked fine until I got to the below step.

    When I try changing the permission on the ‘getssh’ script, I get the below error.

    [root@localhost]# /usr/sbin/chroot /mnt/ami-centos5.4-32bit-base /bin/chmod +x /mnt/ami-centos5.4-32bit-base/etc/init.d/getssh
    /bin/chmod: cannot access `/mnt/ami-centos5.4-32bit-base/etc/init.d/getssh’: No such file or directory

    I am able to do the below but not with ‘chroot’:

    [root@localhost]# /bin/chmod +x /mnt/ami-centos5.4-32bit-base/etc/init.d/getssh

    Is it ok if I change the permission without chroot? If not can you please let me know how to resolve the above error I mentioned? Any help is much appreciated.

    Thanks

    Aravind.

  39. Aravind commented on March 2, 2010

    I think I got it. Like

    “blogananda says: on August 27, 2009 at 11:09 pm” in this blog comments, i guess it should be

    [root@localhost]# /usr/sbin/chroot /mnt/ami-centos5.4-32bit-base /bin/chmod +x /etc/init.d/getssh

    since we are already ‘chroot’ing to the base directory, giving the entire path again will throw the error ‘no such file or directory’

    Thanks Blogananda.

    Cheers

    Aravind.

  40. CARLOS commented on March 18, 2010

    SO, ALL THIS IS DONE IN MY MACHINE OR DO I HAVE TO GET FIRST HTE INSTANCE RUNNING BEFORE I ALTER IT?

  41. Manish commented on April 6, 2010

    Hi Phil,

    Great tutorial on building a EC2 AMI. Any suggestions on how should one go about building a custom AMI for Debian or Ubuntu instead of CentOS?

    Thanks,
    Manish

  42. Bob commented on April 7, 2010

    Phil,

    First off great article. Now to my issue. I followed your steps but instead of using Centos I used Fedora 12. I can get the instance running, but cannot connect to it. Putty always throws a Netork Error: Connection Timed Out message.

    Forgive me as I’m a bit of a noob with Linux, but would really like to get this working somehow. Any insight you can provide would be greatly appreciated.

    Best regards,

    -bob

  43. rajesh commented on April 10, 2010

    I tried executing the above with Centos 5.0 successfully.
    In addition i am looking for
    1) building the image should contain my custom file (example file.zip). How to do ?
    example: Adding custom file file.zip, jboss installation
    if i create the instance, the os should contain with jboss installation, with my custom file etc…
    2) Like to add welcome message say for example “welcome to my xxxxx” to image

  44. Mark commented on April 14, 2010

    I am having the same problem that Max had regarding the yum-ami.conf.

    I am trying to make a base image of CentOS 4.8 – 32bit. I am making the AMI while running on CentOS 4.8 in VirtualBox. I have modified all the references from 5.4 to 4.8 and 64bit to 32bit, throughout the process.

    However, I am getting this error:

    Repository base is listed more than once in the configuration
    Repository contrib is listed more than once in the configuration
    Repository centosplus is listed more than once in the configuration
    Repository addons is listed more than once in the configuration
    Repository extras is listed more than once in the configuration
    Setting up Group Process
    Setting up repositories
    not using ftp, http[s], or file for repos, skipping – Null is not a valid release or hasnt been released yet
    Cannot find a valid baseurl for repo: update
    Error: Cannot find a valid baseurl for repo: update

    I have tried to uncomment the baseurl sections and running it, but that did not work. The urls appear to be valid when using it for 4.8-32bit. Any insight on how to fix would be appreciated.

  45. I am wondering if there is a way to take a working install and turn it into an AMI? Currently I think the process would be to create this base install, then rebuild the application installation on the AMI. This seems an extra step as I already have a running version (not instanced) on some local hardware and really just wish to translate it over to an AMI. Is this clear? Any help would be appreciated.

  46. runamile commented on April 28, 2010

    Thanks Phil for this great article. I’ve followed many online how-to’s but only yours actually worked.

  47. Tom commented on May 17, 2010

    This is an excellent guide and helped me to overcome all the issues I was having with creating custom AMIs. Thanks Phil!

  48. edsanks commented on May 17, 2010

    Hi Phil,

    I see your article is the best knowledge by far in creating custom AMI from a vanilla distro. I am wondering if all the comments from this blog have been folded into the article itself or we have to take additional steps to fix any issues by going thru the users’ comments. Thanks for contributing to the knowledge.

    Right now, I have just signed up for the S3 and EC2 accounts and am ready to kick tires with CentOS 5.4 64 bit. I am confused about the certificate.pem file. I know I have the S3 keys I got when I signed up, and I have the key-pair.pem file I created first time on EC2. How do I get the certificate file? Is it the same as X.509 certificate or something else?

  49. Ashwin commented on May 25, 2010

    Great steps Phil!. Can you point me to creating customer AMI for SUSE Linux.

    Thanks.

  50. Kevin Bridges commented on May 30, 2010

    Thanks for sharing this information … any chance you have a public ami you’ve created using these steps we could launch as a base?

  51. Kevin Bridges commented on May 30, 2010

    I followed these steps verbatim with the exception of “usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /bin/chmod +x /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh” which generated file not found errors … I made the ami public ami-7f4fa616

  52. Phil Chen commented on May 31, 2010

    Kevin Bridges instead of /usr/sbin/chroot /mnt/ami-centos5.3-64bit-base /bin/chmod +x /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh you can do /bin/chmod +x /mnt/ami-centos5.3-64bit-base/etc/init.d/getssh instead since you are only doing a file permission change.

  53. Phil Chen commented on May 31, 2010

    So I decided to make a base Install 64bit CentOS 5.3 AMI available in US, us-west-1, UK, ap-southeast-1 for those of you that have requested it. You can find them in the AWS EC2 Dashboard under public AMI’s named below:

    US East Virginia – ami-b945acd0
    US West California – ami-498cdd0c
    UK West Ireland – ami-993d17ed
    Asia Pacific Singapore – ami-45e29d17

    I hope these are helpful.

    Also a couple of notes for those that have issues following my blog and ssh’ing into their instances. I believe a couple of things are happening for you:

    1) You did not allow the proper AWS security group for port 22
    2) the getssh script is not executing at the correct runlevel due to permissions or improper chkconfig settings and therefore is not adding the public key to the authorized_keys in your roots .ssh
    3) SSHD didn’t get installed for whatever reason, it doesn’t come with the base install
    4) Your network setting is not working possibly due to kudzu horking things

    I have followed the instructions again myself and they work for me. So good luck and happy AMI making!

  54. Ola commented on June 16, 2010

    Hi!

    Great tutorial. I need to create an AMI for Suse 10 SP3 but I have only seen tutorials using redhat based distros.

    I can follow your steps but I get stuck on the YUM commands. Has anyone came across a guide/tutorial which describes how to create an AMI for Suse.

    Regards Ola

  55. Excellent article Phil. Any tutorial for Windows AMI?

  56. sgm commented on July 6, 2010

    For future reference could you tell us how you determine what kernel to use. Im currently creating an instance following you instructions verbatim but the latest kernels for ec2 are 2.6.21 and my current centos install is 2.6.18. And Id rather not upgrade or downgrade the kernel unless it’s unavoidable.
    Thanks