Install NixOS on Amazon EC2: Difference between revisions

From NixOS Wiki
imported>Fadenb
m →‎Public NixOS AMIs: fix broken link (ec2-amis.nix was removed from nixops repo, https://github.com/NixOS/nixops/commit/48fc0ffb53c97eb7ea895b0470816b83d0d34647 )
Haruki7049 (talk | contribs)
Add languages tag
 
(14 intermediate revisions by 9 users not shown)
Line 1: Line 1:
This article has some notes on installing NixOS on Amazon's [http://aws.amazon.com/ec2/ Elastic Compute Cloud (EC2)].  EC2 support is work in progress.
<languages />
<translate>
<!--T:1-->
Amazon EC2 is a widely used cloud deployment platform that is part of Amazon Web Services (AWS). NixOS largely supports the platform through AMIs and the [https://github.com/nix-community/nixos-generators nixos-generators] project.


Below we assume that the following environment variables are set:
== Public NixOS AMIs == <!--T:2-->


* <tt>$EC2_CERT</tt>: path to your AWS X.509 certificate (PEM file).
<!--T:3-->
* <tt>$EC2_PRIVATE_KEY</tt>: path to the corresponding private key (PEM file).
A list of NixOS AMI's available on AWS is located [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/amazon-ec2-amis.nix here] and for a more up to date list: [https://nixos.github.io/amis/ here] (cf. [https://discourse.nixos.org/t/ami-for-nixos-23-11/36860/7 this discourse thread]).
* <tt>$AWS_ACCOUNT</tt>: AWS account number (e.g. <tt>1234-5678-9012</tt>).
* <tt>$AWS_ACCESS_KEY_ID</tt>: AWS access key ID (e.g. <tt>AKIAJM...</tt>).
* <tt>$AWS_SECRET_ACCESS_KEY</tt>: corresponding secret access key (e.g. <tt>klG5...</tt>).
* <tt>$AWS_CALLING_FORMAT</tt> may need to be set to <tt>SUBDOMAIN</tt>.
* <tt>$EC2_URL</tt> should be set to the desired region, e.g. <tt>https://ec2.eu-west-1.amazonaws.com/</tt>.


== Public NixOS AMIs ==
<!--T:4-->
The default user for these AMI's is <code>root</code>. There isn't a default password, instead authentication is done by using the SSH key selected during the EC2 creation process.


The list of current NixOS AMI's are available at https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix
== Creating a NixOS AMI == <!--T:5-->


== Running NixOS instances ==
<!--T:6-->
The [https://github.com/nix-community/nixos-generators nixos-generators] project is currently the best method to create your own NixOS AMI. Follow the directions provided by <code>nixos-generators</code> & then follow the [https://docs.aws.amazon.com/vm-import/latest/userguide/what-is-vmimport.html instructions provided by AWS].


<ol>
== Additional Resources == <!--T:7-->


<li>To create instances from the command line, you need to install the EC2 API tools:
<!--T:8-->
[http://jackkelly.name/blog/archives/2020/08/30/building_and_importing_nixos_amis_on_ec2/ Building and Importing NixOS AMIs on EC2] by Jack Kelly


<pre>$ nix-env -i ec2-api-tools</pre>
== Troubleshooting == <!--T:9-->


Alternatively, you can create NixOS instances using the [http://aws.amazon.com/console/ AWS Management Console].
== SSH Asks For Password == <!--T:10-->


<li>Start a small instance running NixOS:
<!--T:11-->
 
When connecting to a newly launched EC2 instance via SSH, it may ask for a password. This seems to be because the <code>amazon-init</code> systemd service is still reading user data. Back out of the current SSH attempt and try again in a few minutes.
<pre>
</translate>
$ ec2-run-instances -k gsg-keypair ami-c9f2d8bd
RESERVATION  r-10ca4167  516444698777  default
INSTANCE    i-f6d3b781  ami-c9f2d8bd  pending gsg-keypair  0 m1.small ...</pre>
 
<tt>gsg-keypair</tt> denotes an SSH key pair created with <tt>ec2-add-keypair</tt>.  To run a 64-bit instance, you must specify a 64-bit-capable instance type, e.g., <tt>-t m1.large</tt>.  If your requirements allow it, you may prefer using a cheap spot instance:
 
<pre>
$ ec2-request-spot-instances -t m1.large -k gsg-keypair -p 0.3 ami-ecb49e98</pre>
 
<li>After a while the instance should be running, and you can log in using the SSH key generated by <tt>ec2-add-keypair</tt>:
 
<pre>
$ ssh -i id_rsa-gsg-keypair root@ec2-79-125-97-89.eu-west-1.compute.amazonaws.com</pre>
 
To get the IP address / hostname of the instance, use <tt>ec2-describe-instances</tt>.  You may need to allow traffic to port 22 (ssh):
 
<pre>
$ ec2-authorize default -p 22 -s 0.0.0.0/0</pre>
 
<li>To start working with the instance, you may want to do the following to obtain the Nixpkgs and NixOS sources:
 
<pre>
$ nixos-checkout
$ nixos-rebuild pull</pre>
 
You should now be able to install software, e.g.
 
<pre>
$ nix-env -i emacs</pre>
 
or reconfigure the instance:
 
<pre>
$ nano /etc/nixos/configuration.nix
$ nixos-rebuild switch</pre>
 
Note: if you're using an ec2 instance based on the HVM virtualization type, you will need to set the
ec2.hvm = true;
 
setting in configuration.nix; otherwise GRUB won't pick up changes to your configuration across reboots.
 
</ol>
 
== Creating a NixOS AMI ==
 
The following steps show how to build your own NixOS Amazon Image (AMI), upload it to S3, and start an instance.
 
<ol>
 
<li>Install the EC2 AMI tools:
 
<pre>$ nix-env -i ec2-ami-tools</pre>
 
<li>The easy way to build NixOS AMIs is to run the following command:
 
<pre>
$ NIXOS=/path/to/nixos NIXPKGS=/path/to/nixpkgs /path/to/nixos/maintainers/scripts/create-amis.sh</pre>
 
This will build, bundle and upload AMIs to several EC2 regions.  Note that the resulting AMIs will be public.
 
Alternatively, you can perform the steps below to create the AMI manually.
 
<li>Build the raw disk image:
 
<pre>
$ NIXPKGS=/path/to/nixpkgs NIXOS_CONFIG=/path/to/nixos/modules/virtualisation/amazon-config.nix \
    nix-build /path/to/nixos -A config.system.build.amazonImage \
    --argstr system i686-linux</pre>
 
(Use <tt>--argstr system x86_64-linux</tt> to build a 64-bit image.) This will produce an <tt>ext3</tt> disk image in <tt>./result/nixos.img</tt>:
 
<pre>
$ ls -l ./result/nixos.img
-r--r--r-- 1 root nixbld 4294967296 Jan  1  1970 ./result/nixos.img</pre>
 
<li>Bundle the image:
 
<pre>
$ ec2-bundle-image -i ./result/nixos.img --user $AWS_ACCOUNT --arch i386 \
    -c $EC2_CERT -k $EC2_PRIVATE_KEY \
    --kernel aki-c34d67b7
Bundling image file...
Splitting /tmp/nixos.img.tar.gz.enc...
Created nixos.img.part.00
...
Created nixos.img.part.19
Generating digests for each part...
Digests generated.
Creating bundle manifest...
ec2-bundle-image complete.</pre>
 
The resulting bundle is stored in <tt>/tmp/nixos.img.manifest.xml</tt> and <tt>/tmp/nixos.img.part.*</tt>.  Use <tt>--arch x86_64</tt> for 64-bit images.  For the kernel, you should use <tt>pv-grub-hd0_1.02-<em>arch</em></tt> (use <tt>ec2-describe-images -a</tt> to find the AMI ID).  This is the PV-GRUB "kernel" that boots the native NixOS kernel in the image.
 
<li>Upload the bundle:
 
<pre>
$ ec2-upload-bundle -b nixos-img -m /tmp/nixos.img.manifest.xml \
    -a $AWS_ACCESS_KEY_ID -s $AWS_SECRET_ACCESS_KEY --location EU
Creating bucket...
Uploading bundled image parts to the S3 bucket nixos-img ...
Uploaded nixos.img.part.00
Uploaded nixos.img.part.01
...
Uploaded nixos.img.part.19
Uploading manifest ...
Uploaded manifest.
Bundle upload completed.
</pre>
 
(Of course you can use any other bucket location as well.)
 
<li>Register the image as a private AMI:
 
<pre>
$ ec2-register nixos-img/nixos.img.manifest.xml -n nixos-img -d '...description...'
IMAGE  ami-efffd59b</pre>
 
To make it public:
 
<pre>
$ ec2-modify-image-attribute ami-efffd59b -l -a all</pre>
 
</ol>


[[Category:Deployment]]
[[Category:Deployment]]
[[Category:Server]]

Latest revision as of 12:43, 5 November 2024

Amazon EC2 is a widely used cloud deployment platform that is part of Amazon Web Services (AWS). NixOS largely supports the platform through AMIs and the nixos-generators project.

Public NixOS AMIs

A list of NixOS AMI's available on AWS is located here and for a more up to date list: here (cf. this discourse thread).

The default user for these AMI's is root. There isn't a default password, instead authentication is done by using the SSH key selected during the EC2 creation process.

Creating a NixOS AMI

The nixos-generators project is currently the best method to create your own NixOS AMI. Follow the directions provided by nixos-generators & then follow the instructions provided by AWS.

Additional Resources

Building and Importing NixOS AMIs on EC2 by Jack Kelly

Troubleshooting

SSH Asks For Password

When connecting to a newly launched EC2 instance via SSH, it may ask for a password. This seems to be because the amazon-init systemd service is still reading user data. Back out of the current SSH attempt and try again in a few minutes.