Linuxkit on AWS, with Terraform – DevOps College https://devops.college/linuxkit-on-aws-with-terraform-86786...
Louis McCormack
Devops Engineer at Space Ape Games
Sep 7, 2017 · 8 min read
1 of 11 03/5/18, 10:21 PM
kernel:
  image: linuxkit/kernel:4.9.39
  cmdline: "console=ttyS0"
init:
  - linuxkit/init:838b772355a8690143b37de1cdd4ac5db725271f
  - linuxkit/runc:d5cbeb95bdafedb82ad2cf11cff1a5da7fcae630
  - linuxkit/containerd:e33e0534d6fca88e1eb86897a1ea410b4a5d722e
  - linuxkit/ca-certificates:67acf038c44bb191ebb704ec7bb39a1524052cdf
onboot:
  - name: sysctl
    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
  - name: dhcpcd
    image: linuxkit/dhcpcd:17423c1ccced74e3c005fd80486e8177841fe02b
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
    image: linuxkit/metadata:f5d4299909b159db35f72547e4ae70bd76c42c6c
services:
  - name: rngd
The moby tool will snaffle up this yaml and transmute it into a bootable image (such as an ISO).

It is divided into discrete sections, starting with the 'kernel' section that defines which kernel the OS should run. Each kernel is a Docker image containing the kernel along with a tarball of compiled modules. The kernels themselves are based on latest stable releases, with some patches back-ported from newer kernels. That same savvy developer is of course free to compile his or her own customised kernel should they see fit.

Note that the init and onboot images above are pinned by 40-character git-hash tags rather than a floating tag such as latest, so a rebuild pulls the same component each time (a tag is still a mutable reference on the registry, unlike a content digest, so it is worth checking what was actually pulled before trusting a build).
So, let's take this yaml definition and turn it into something we can actually run on AWS. To do this we invoke the moby build command. The tool will go off and pull any containers which are not immediately present. It unpacks the filesystem of each of the containers, does some shifting to make the whole thing palatable to the init process, then bundles the lot into an initramfs (a compressed cpio archive). The initramfs, along with the kernel and kernel command line, is the build output. It is an entirely immutable Linux machine, with all system services baked in. The default size of 1G is overridden here, and even 100M is probably generous (in all honesty, I couldn't see the relevance of this option once it becomes an AMI).

Let's stop and think about this for a moment: an entirely immutable system, coming in at around 50MB with nothing extraneous to that which is needed to run containers. The root filesystem is read-only, making it stateless and tamper-resistant: nothing an attacker changes on the running host survives a reboot, and anything that genuinely needs to persist has to live on an explicitly mounted writable volume. The build itself takes a matter of seconds, and is eminently reproducible, making it an ideal candidate to pass through a CI system. Although we have added an SSH daemon, by default there is no login (not even a terminal unless you add a getty container). This is starting to feel like the fabled promised-land of Proper Devops…
We’ll use Terraform to manage these entities as not only is it in the title
of this post, but it makes tidying everything up that much easier. So,
given a directory structure that now looks like this:
.
├── aws.raw
├── aws.yml
└── terraform
├── main.tf
└── files
├── assume-role-policy.json
└── policy.tpl
files/assume-role-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}

files/policy.tpl:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
This is the policy that will be attached to the vmimport role. It allows

Worth noticing is that the S3 statements are scoped to the single import bucket (the ${bucket} placeholder is filled in from Terraform), while the EC2 actions are granted on every resource, exactly as in the AWS VM Import documentation. The trust policy only lets the vmie.amazonaws.com service assume the role, and only when it presents the vmimport external ID.

Finally sling this code, which will create the IAM role and S3 bucket, into main.tf:
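The main.tf from the post is an image that did not survive extraction. The following is an added example, not the author's file, of what the role and bucket look like in Terraform 0.10-era syntax. The region, the bucket variable and the files/ paths are assumptions; the two policy documents are the ones shown above. Two things matter for security here: the role must be named exactly vmimport (VM Import looks for that name), and the bucket name is rendered into policy.tpl so the S3 grants stay scoped to one bucket.

```hcl
# Added example (not the post's own main.tf). Region and bucket name are
# placeholders; the policy files are the two from the directory tree above.
provider "aws" {
  region = "eu-west-1"
}

variable "bucket" {
  description = "S3 bucket that VM Import reads the raw LinuxKit image from"
}

# Private bucket for the aws.raw upload. Nothing but the vmimport role and
# the uploading user should be able to read it.
resource "aws_s3_bucket" "linuxkit" {
  bucket = "${var.bucket}"
  acl    = "private"
}

# Render policy.tpl with the real bucket name, so the ListBucket/GetObject
# grants apply to this bucket only rather than "*".
data "template_file" "vmimport_policy" {
  template = "${file("${path.module}/files/policy.tpl")}"

  vars {
    bucket = "${aws_s3_bucket.linuxkit.id}"
  }
}

# VM Import requires the service role to be called exactly "vmimport".
# The trust policy limits who may assume it to vmie.amazonaws.com with
# the "vmimport" external ID.
resource "aws_iam_role" "vmimport" {
  name               = "vmimport"
  assume_role_policy = "${file("${path.module}/files/assume-role-policy.json")}"
}

resource "aws_iam_role_policy" "vmimport" {
  name   = "vmimport"
  role   = "${aws_iam_role.vmimport.id}"
  policy = "${data.template_file.vmimport_policy.rendered}"
}
```

Run terraform init and terraform apply from the terraform/ directory; the aws.raw upload and the import itself happen outside Terraform, which is why the bucket and role are created first.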
This may take some time to complete (believe me, it takes even longer
if you don’t override the default 1G size in the moby build command
above!). With a bit of luck and a following wind you will eventually be
presented with an AMI ID. Use that in the following Terraform code:
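The instance snippet from the post is likewise missing, so here is an added example of its shape, not the author's code. It assumes the AMI ID from the import is passed in as a variable, that the public half of your local key is at ~/.ssh/id_rsa.pub, and that you supply your own address range for admin_cidr instead of opening port 22 to the world. The key pair's public key is what the metadata container fetches from instance metadata and writes under /var/config (see the listing further down), which is how the sshd container ends up accepting your local key.

```hcl
# Added example (not the post's code). ami_id comes from the VM Import;
# admin_cidr is the only range allowed to reach sshd.
variable "ami_id" {
  description = "AMI ID produced by importing aws.raw"
}

variable "admin_cidr" {
  description = "Address range allowed to SSH in, e.g. your office egress /32"
}

# Public key exposed via instance metadata; LinuxKit's metadata container
# picks it up from there at boot.
resource "aws_key_pair" "linuxkit" {
  key_name   = "linuxkit"
  public_key = "${file("~/.ssh/id_rsa.pub")}"
}

# SSH only from the admin range; everything else inbound is dropped.
resource "aws_security_group" "linuxkit_ssh" {
  name        = "linuxkit-ssh"
  description = "SSH to the LinuxKit instance"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.admin_cidr}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "linuxkit" {
  ami = "${var.ami_id}"

  # A type that exists in EC2 Classic; t2 types require a VPC.
  instance_type = "m3.medium"
  key_name      = "${aws_key_pair.linuxkit.key_name}"

  # EC2 Classic refers to security groups by name rather than ID.
  security_groups = ["${aws_security_group.linuxkit_ssh.name}"]
}

output "public_ip" {
  value = "${aws_instance.linuxkit.public_ip}"
}
```

With the post's yaml there is no user to log in as except via the sshd container, so the security group and the key pair are the whole of the access control on this machine; keep admin_cidr tight.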
This will boot up an AMI in EC2 Classic, which you should be able to log into using your local SSH key (assuming it can be found at ~/.ssh
Unfortunately you can’t do a great deal, but perhaps that is the point. It
is however illustrative to have a poke around, to highlight the
properties of a machine built with Linuxkit…
First thing to note is that you are connected to the SSH container, not
the machine itself. Files and binaries available to the machine at large
are not available within individual containers, unless they are explicitly
mounted.
This can be seen with the aid of a slight detour into how Linuxkit handles AWS metadata: the metadata container in the onboot section of the yaml queries the instance metadata service at boot and writes each value out as a file under /var/config on the host, including, under ssh, the public key of the instance's key pair.

It's natural (at least it was to me) to try and look in this directory from the command line, however:
This is of course because we are in the SSH container. To enter the host
OS we need to enter the mount namespace of pid 1 (the init process):
# ls -1 /var/config
availability_zone
hostname
instance_id
instance_type
local_hostname
local_ipv4
provider
public_ipv4
ssh
userdata