FreeBSD on EC2

The following page detailed the state of FreeBSD/EC2 development until the middle of 2015. EC2 is now fully supported by FreeBSD, with AMIs built by the FreeBSD release engineering team and announced in release and snapshot announcements; and this page is no longer being updated.

For lists of FreeBSD AMI IDs, please consult the appropriate FreeBSD release announcement; you can also launch FreeBSD through the AWS Marketplace.

If you wish to support my work on the FreeBSD/EC2 platform, I have a Patreon; I'm also happy to accept money in other ways if it's more convenient (send me an email).

---

FreeBSD on EC2

The following FreeBSD AMIs are available (additional obsolete AMIs are listed at the bottom of this page). For most users and applications, the FreeBSD 10.2-RELEASE for Current Generation instances AMI will be the most appropriate one to use.

To use FreeBSD/EC2:

1. Decide which types of EC2 instances you want to use. There are different FreeBSD/EC2 images for "Current Generation" EC2 instances (m3, c3, r3, i2, and t2) vs. "Previous Generation" EC2 instances (m1, m2, c1, and t1). You will almost always want to use the newer instance types; the only exception is if you already own previous-generation reserved instances.
2. Decide which FreeBSD release you want. This will almost certainly be either FreeBSD 10.2 (lots of new functionality, improved performance, and the ability to use freebsd-update for system updates) or FreeBSD 9.3 (older but very extensively tested).
3. Based on the above two decisions, and the EC2 region you're using, look up the AMI name in the table below.
4. Launch the EC2 instance.
5. If you're using FreeBSD 9.3 or later, you can provide launch-time configuration settings via the EC2 "user-data" functionality and configinit.
6. If you're using one of the "Previous Generation" AMIs, you may need to adjust your EC2 "security group" settings to allow incoming TCP connections on port 22 (EC2 thinks that those instances are "Windows" and sets default firewall rules for Windows).
7. (Optional) Look at the EC2 instance console output ("Get System Log" on the EC2 console) for the SSH host keys. Note that you may need to wait about five minutes for these to appear. (You can also use my ec2-knownhost script to parse the EC2 console log and add keys to your ssh known_hosts file automatically.)
8. SSH in as "ec2-user" (or the user you specified in the /etc/rc.conf parameters you provided via configinit) using the SSH key you created for EC2, and su to root (no password).
9. You can now use the EC2 instance like any other FreeBSD system, with the exception that on versions prior to FreeBSD 9.3 you can't use FreeBSD Update to fetch kernel security updates (you'll need to manually rebuild and reinstall the XENHVM kernel).

EC2 quirks

In order to work with EC2, the FreeBSD AMIs are slightly modified from what you would have immediately after installing FreeBSD from a release CD:

• The network is configured and the sshd daemon is enabled, for obvious reasons.
• On AMIs up to and including FreeBSD 9.1-RC1 or 8.3-RELEASE: SSH logins as root are enabled, but root's password is starred out (i.e., password logins as root will fail until a password is set).
• From FreeBSD 9.1-RC2 and 8.4-BETA1 onwards, you will need to login as "ec2-user" (from 10.0-RELEASE onwards, this can be changed via configinit) and su to root.
• The first time an AMI is booted, a script fetches the public half of an SSH keypair from EC2 and arranges for logins using that key.
• Every time the the AMI boots, it prints the SSH host keys to the console in the same format as Amazon Linux AMIs do.
• In the default configuration, kernel panics (including backtraces) are reported to the FreeBSD/EC2 maintainer to assist him in identifying and fixing bugs.
• Onr releases prior to 10.0-RELEASE, some EC2-specific patches have been applied to FreeBSD in order to improve performance and work around bugs. These are contained in /root/ec2-bits/*.patch.
• Because EC2 AMIs prior to 10.0-BETA1 have non-GENERIC kernels, FreeBSD Update cannot update their kernels. Updating should be performed by using FreeBSD Update to update the /usr/src tree and then rebuilding the kernel from source. (10.0-BETA1 and later have GENERIC kernels and can use FreeBSD Update for everything.)

Packaging new AMIs

The process of building FreeBSD AMIs from scratch is non-trivial; it is much easier to modify and re-bundle one of the existing FreeBSD AMIs:

1. Launch the FreeBSD AMI you want to base your AMI on.
2. Make your changes (installing packages, adjusting configurations, etc).
3. Delete the file /root/.ssh/authorized_keys or /home/ec2-user/.ssh/authorized_keys (otherwise your SSH key will be able to log in to any instances launched from this AMI).
4. Create the file /firstboot on 10.0-RELEASE or /root/firstboot on earlier releases (otherwise the AMI you create won't know to download the new SSH public key for logins).
5. Stop the instance (but do not terminate it).
6. Use the ec2-create-image tool or the "Create Image" command in the EC2 Management Console to create an AMI from the instance.
7. Terminate the instance.

About the author

This page is maintained, and the FreeBSD AMIs were produced, by Colin Percival — a FreeBSD developer, a member of the FreeBSD Core team, and the FreeBSD Security Officer. Work to get FreeBSD working on cc1.4xlarge instances was sponsored by SegPub. Work to get FreeBSD 7.4 working on EC2, fix bugs, and improve network performance was sponsored by LineRate Systems. Work to get FreeBSD working on "defenestrated" Windows instances and to further improve network performance was sponsored by an anonymous donor.

Colin is available for consulting on FreeBSD/EC2 if anyone wants to support further work on FreeBSD/EC2. When he's not working on FreeBSD, Colin spends most of his time running his online backup service.