This is how you would create a livable FreeBSD instance on EC2 by hand. The smart thing to do is to automate most of these actions. But I do it this way so you can see and understand all the different techniques. I want to create FreeBSD instances in EC2 and I want some of the management benefits that come from native AWS technologies like CloudWatch. It can be done, but it takes a bit of extra work because FreeBSD isn't Linux, and AWS doesn't directly support FreeBSD.
Before we go far, we will want some things setup in AWS IAM and VPC. I assume you have already created a VPC, decided what network numbers you're going to use, created a subnet and so on. If you haven't done those basic things, you need to go do them. I also assume you've created an ssh key and uploaded it to your AWS account.
I use the AWS-managed policy CloudWatchAgentServerPolicy. The right way to do this is to assign a role to the instance, then assign the policies to the role.
We will want a security group that allows access to the right IP addresses (e.g., on-prem, your house, your office, etc.)
Go to the EC2 console. Pick AWS Marketplace. Pick the one created by Colin Percival on the FreeBSD team. Choose security group, role, storage, etc.
Go to the EC2 console and lookup the IP address of the instance you just launched. Assuming that IP address is 1.2.3.4 you'd login like this:
ssh ec2-user@1.2.3.4
Become root so you can update this thing a bit.
su - root
Install typical stuff. These are some of the packages I install:
- bash
- tmux
- curl
- python2
- python3
- git
- sudo
So I just do:
pkg install bash tmux curl python2 python3 git sudo
Add user for myself. Just run adduser and manually answer the questions. When it asks Invite user into other groups I type wheel so that my unprivileged login ID is in the wheel group.
Edit the sudoers file so that I can sudo from my unprivileged account. Use visudo. Find the commented out rule that allows wheel to run any command. Uncomment it. Save and exit.
Run vipw. Edit the line that has root. The second field is null, which is why root had no password when you logged in. Put a * or some other garbage in there, so it looks like this:
root:*:0:0::0:0:Charlie &:/root:/bin/csh
I remove the toor user. I don't think it has any purpose in a cloud environment.
Let's prevent it from allowing passwords at all.
- set
ChallengeResponseAuthentication no - Then run
service sshd restart
Ok at this point the system is pretty usable. Before you give up your root privileges, ssh into your instance as your unprivileged user. Make sure you can sudo and such. If that works, we can finally get on to the AWS-specific stuff.
In prior versions of this doc, I recommended installing the cwlogs agent and the EC2 monitoring agent. Both of those have been deprecated by AWS in favour of their unified CloudWatch Agent. That agent, however, is only distributed in binary form and the only binaries they ship are Linux and Windows binaries.
I now use Telegraf and configure it to send its output to CloudWatch metrics.
sudo pkg install telegraf(No dependencies! Whee!)- Here's the telegraf.conf file that I use.