Running CoreOS Container Linux on EC2

The current AMIs for all Container Linux channels and EC2 regions are listed below and updated frequently. Using CloudFormation is the easiest way to launch a cluster, but it is also possible to follow the manual steps at the end of the article. Questions can be directed to the CoreOS IRC channel or user mailing list.

Choosing a channel

Container Linux is designed to be updated automatically with different schedules per channel. You can disable this feature, although we don't recommend it. Read the release notes for specific features and bug fixes.

The Alpha channel closely tracks master and is released frequently. The newest versions of system libraries and utilities will be available for testing. The current version is Container Linux 1688.0.0.

View as json feed
EC2 Region AMI Type AMI ID CloudFormation
ap-northeast-1 PV ami-63156905 Launch Stack
HVM ami-a5413cc3 Launch Stack
ap-northeast-2 PV ami-d52381bb Launch Stack
HVM ami-7f57f511 Launch Stack
ap-south-1 PV ami-56376a39 Launch Stack
HVM ami-7d184512 Launch Stack
ap-southeast-1 PV ami-0c2f6270 Launch Stack
HVM ami-1fc78563 Launch Stack
ap-southeast-2 PV ami-fde0259f Launch Stack
HVM ami-88b97cea Launch Stack
ca-central-1 PV ami-0e0e8a6a Launch Stack
HVM ami-bb7efadf Launch Stack
cn-north-1 PV ami-f6cf139b Launch Stack
HVM ami-e2c8148f Launch Stack
cn-northwest-1 PV Launch Stack
HVM ami-172d3975 Launch Stack
eu-central-1 PV ami-e41c7d8b Launch Stack
HVM ami-78244517 Launch Stack
eu-west-1 PV ami-67fe8e1e Launch Stack
HVM ami-b21c6ccb Launch Stack
eu-west-2 PV ami-c71efba0 Launch Stack
HVM ami-f40fea93 Launch Stack
eu-west-3 PV Launch Stack
HVM ami-759c2a08 Launch Stack
sa-east-1 PV ami-3a337a56 Launch Stack
HVM ami-4a2f6626 Launch Stack
us-east-1 PV ami-2fc5d955 Launch Stack
HVM ami-9b203de1 Launch Stack
us-east-2 PV ami-19edd97c Launch Stack
HVM ami-12f8cc77 Launch Stack
us-gov-west-1 PV ami-68199109 Launch Stack
HVM ami-6b18900a Launch Stack
us-west-1 PV ami-d92a23b9 Launch Stack
HVM ami-b20801d2 Launch Stack
us-west-2 PV ami-ae32b2d6 Launch Stack
HVM ami-db35b5a3 Launch Stack

The Beta channel consists of promoted Alpha releases. The current version is Container Linux 1662.2.0.

View as json feed
EC2 Region AMI Type AMI ID CloudFormation
ap-northeast-1 PV ami-e3413c85 Launch Stack
HVM ami-9e4439f8 Launch Stack
ap-northeast-2 PV ami-ea54f684 Launch Stack
HVM ami-1656f478 Launch Stack
ap-south-1 PV ami-8c1548e3 Launch Stack
HVM ami-7218451d Launch Stack
ap-southeast-1 PV ami-bec486c2 Launch Stack
HVM ami-0fc68473 Launch Stack
ap-southeast-2 PV ami-a7b97cc5 Launch Stack
HVM ami-8bb97ce9 Launch Stack
ca-central-1 PV ami-d20783b6 Launch Stack
HVM ami-b87efadc Launch Stack
cn-north-1 PV ami-5fd70b32 Launch Stack
HVM ami-ddd70bb0 Launch Stack
cn-northwest-1 PV Launch Stack
HVM ami-dd283cbf Launch Stack
eu-central-1 PV ami-2d244542 Launch Stack
HVM ami-d12445be Launch Stack
eu-west-1 PV ami-351e6e4c Launch Stack
HVM ami-441f6f3d Launch Stack
eu-west-2 PV ami-fa0fea9d Launch Stack
HVM ami-7c09ec1b Launch Stack
eu-west-3 PV Launch Stack
HVM ami-749c2a09 Launch Stack
sa-east-1 PV ami-1e2f6672 Launch Stack
HVM ami-6d2c6501 Launch Stack
us-east-1 PV ami-64d9c41e Launch Stack
HVM ami-99263be3 Launch Stack
us-east-2 PV ami-41ffcb24 Launch Stack
HVM ami-b1f8ccd4 Launch Stack
us-gov-west-1 PV ami-5c0c843d Launch Stack
HVM ami-1d00887c Launch Stack
us-west-1 PV ami-aa0a03ca Launch Stack
HVM ami-3e08015e Launch Stack
us-west-2 PV ami-ce34b4b6 Launch Stack
HVM ami-cc34b4b4 Launch Stack

The Stable channel should be used by production clusters. Versions of Container Linux are battle-tested within the Beta and Alpha channels before being promoted. The current version is Container Linux 1632.3.0.

View as json feed
EC2 Region AMI Type AMI ID CloudFormation
ap-northeast-1 PV ami-024b3664 Launch Stack
HVM ami-884835ee Launch Stack
ap-northeast-2 PV ami-1554f67b Launch Stack
HVM ami-1455f77a Launch Stack
ap-south-1 PV ami-a21b46cd Launch Stack
HVM ami-991845f6 Launch Stack
ap-southeast-1 PV ami-06c1837a Launch Stack
HVM ami-b9c280c5 Launch Stack
ap-southeast-2 PV ami-17b97c75 Launch Stack
HVM ami-04be7b66 Launch Stack
ca-central-1 PV ami-ad79fdc9 Launch Stack
HVM ami-9e7cf8fa Launch Stack
cn-north-1 PV ami-d2d70bbf Launch Stack
HVM ami-d1d70bbc Launch Stack
cn-northwest-1 PV Launch Stack
HVM ami-8f293ded Launch Stack
eu-central-1 PV ami-09224366 Launch Stack
HVM ami-862140e9 Launch Stack
eu-west-1 PV ami-6319691a Launch Stack
HVM ami-a61464df Launch Stack
eu-west-2 PV ami-a80feacf Launch Stack
HVM ami-3e0eeb59 Launch Stack
eu-west-3 PV Launch Stack
HVM ami-1f9d2b62 Launch Stack
sa-east-1 PV ami-cf2f66a3 Launch Stack
HVM ami-022d646e Launch Stack
us-east-1 PV ami-08302d72 Launch Stack
HVM ami-3f061b45 Launch Stack
us-east-2 PV ami-6ffeca0a Launch Stack
HVM ami-85ffcbe0 Launch Stack
us-gov-west-1 PV ami-880f87e9 Launch Stack
HVM ami-bc0d85dd Launch Stack
us-west-1 PV ami-fe08019e Launch Stack
HVM ami-cc0900ac Launch Stack
us-west-2 PV ami-432eae3b Launch Stack
HVM ami-692faf11 Launch Stack

CloudFormation will launch a cluster of Container Linux machines with a security and autoscaling group.

Container Linux Configs

Container Linux allows you to configure machine parameters, configure networking, launch systemd units on startup, and more via Container Linux Configs. These configs are then transpiled into Ignition configs and given to booting machines. Head over to the docs to learn about the supported features.

You can provide a raw Ignition config to Container Linux via the Amazon web console or via the EC2 API.

As an example, this Container Linux Config will configure and start etcd:

This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  # All options get passed as command line flags to etcd.
  # Any information inside curly braces comes from the machine at boot time.

  # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
  advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
  # listen on both the official ports and the legacy ports
  # legacy ports can be omitted if your application doesn't depend on them
  listen_client_urls:          "http://0.0.0.0:2379"
  listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
  # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
  # specify the initial size of your cluster with ?size=X
  discovery:                   "https://discovery.etcd.io/<token>"
This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
{
  "ignition": {
    "config": {},
    "timeouts": {},
    "version": "2.1.0"
  },
  "networkd": {},
  "passwd": {},
  "storage": {},
  "systemd": {
    "units": [
      {
        "dropins": [
          {
            "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
            "name": "20-clct-etcd-member.conf"
          }
        ],
        "enable": true,
        "name": "etcd-member.service"
      }
    ]
  }
}

Instance storage

Ephemeral disks and additional EBS volumes attached to instances can be mounted with a .mount unit. Amazon's block storage devices are attached differently depending on the instance type. Here's the Container Linux Config to format and mount the first ephemeral disk, xvdb, on most instance types:

This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

storage:
  filesystems:
    - mount:
        device: /dev/xvdb
        format: ext4
        create:
          force: false

systemd:
  units:
    - name: media-ephemeral.mount
      enable: true
      contents: |
        [Mount]
        What=/dev/xvdb
        Where=/media/ephemeral
        Type=ext4

        [Install]
        RequiredBy=local-fs.target
This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
{
  "ignition": {
    "config": {},
    "timeouts": {},
    "version": "2.1.0"
  },
  "networkd": {},
  "passwd": {},
  "storage": {
    "filesystems": [
      {
        "mount": {
          "create": {},
          "device": "/dev/xvdb",
          "format": "ext4"
        }
      }
    ]
  },
  "systemd": {
    "units": [
      {
        "contents": "[Mount]\nWhat=/dev/xvdb\nWhere=/media/ephemeral\nType=ext4\n\n[Install]\nRequiredBy=local-fs.target",
        "enable": true,
        "name": "media-ephemeral.mount"
      }
    ]
  }
}

For more information about mounting storage, Amazon's own documentation is the best source. You can also read about mounting storage on Container Linux.

Adding more machines

To add more instances to the cluster, just launch more with the same Container Linux Config, the appropriate security group and the AMI for that region. New instances will join the cluster regardless of region if the security groups are configured correctly.

SSH to your instances

Container Linux is set up to be a little more secure than other cloud images. By default, it uses the core user instead of root and doesn't use a password for authentication. You'll need to add an SSH key(s) via the AWS console or add keys/passwords via your Container Linux Config in order to log in.

To connect to an instance after it's created, run:

ssh core@<ip address>

Optionally, you may want to configure your ssh-agent to more easily run fleet commands.

Multiple clusters

If you would like to create multiple clusters you will need to change the "Stack Name". You can find the direct template file on S3.

Manual setup

TL;DR: launch three instances of ami-2fc5d955 in us-east-1 with a security group that has open port 22, 2379, 2380, 4001, and 7001 and the same "User Data" of each host. SSH uses the core user and you have etcd and Docker to play with.

Creating the security group

You need open port 2379, 2380, 7001 and 4001 between servers in the etcd cluster. Step by step instructions below.

This step is only needed once

First we need to create a security group to allow Container Linux instances to communicate with one another.

  1. Go to the security group page in the EC2 console.
  2. Click "Create Security Group"
    • Name: coreos-testing
    • Description: Container Linux instances
    • VPC: No VPC
    • Click: "Yes, Create"
  3. In the details of the security group, click the Inbound tab
  4. First, create a security group rule for SSH
    • Create a new rule: SSH
    • Source: 0.0.0.0/0
    • Click: "Add Rule"
  5. Add two security group rules for etcd communication
    • Create a new rule: Custom TCP rule
    • Port range: 2379
    • Source: type "coreos-testing" until your security group auto-completes. Should be something like "sg-8d4feabc"
    • Click: "Add Rule"
    • Repeat this process for port range 2380, 4001 and 7001 as well
  6. Click "Apply Rule Changes"

Launching a test cluster

We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

  1. Open the quick launch wizard to boot ami-2fc5d955.
  2. On the second page of the wizard, launch 3 servers to test our clustering
    • Number of instances: 3
    • Click "Continue"
  3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you're launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the `?size=` to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
  4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the "User Data" field.
    This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
    # This config is meant to be consumed by the config transpiler, which will
    # generate the corresponding Ignition config. Do not pass this config directly
    # to instances of Container Linux.
    
              etcd:
                # All options get passed as command line flags to etcd.
                # Any information inside curly braces comes from the machine at boot time.
              
                # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
                advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
                initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
                # listen on both the official ports and the legacy ports
                # legacy ports can be omitted if your application doesn't depend on them
                listen_client_urls:          "http://0.0.0.0:2379"
                listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
                # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
                # specify the initial size of your cluster with ?size=X
                discovery:                   "https://discovery.etcd.io/<token>"
    
    This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
    {
      "ignition": {
        "config": {},
        "timeouts": {},
        "version": "2.1.0"
      },
      "networkd": {},
      "passwd": {},
      "storage": {},
      "systemd": {
        "units": [
          {
            "dropins": [
              {
                "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
                "name": "20-clct-etcd-member.conf"
              }
            ],
            "enable": true,
            "name": "etcd-member.service"
          }
        ]
      }
    }
    
    • Paste configuration into "User Data"
    • "Continue"
  5. Storage Configuration
    • "Continue"
  6. Tags
    • "Continue"
  7. Create Key Pair
    • Choose a key of your choice, it will be added in addition to the one in the gist.
    • "Continue"
  8. Choose one or more of your existing Security Groups
    • "coreos-testing" as above.
    • "Continue"
  9. Launch!

We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

  1. Open the quick launch wizard to boot ami-64d9c41e.
  2. On the second page of the wizard, launch 3 servers to test our clustering
    • Number of instances: 3
    • Click "Continue"
  3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you're launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the `?size=` to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
  4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the "User Data" field.
    This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
    # This config is meant to be consumed by the config transpiler, which will
    # generate the corresponding Ignition config. Do not pass this config directly
    # to instances of Container Linux.
    
              etcd:
                # All options get passed as command line flags to etcd.
                # Any information inside curly braces comes from the machine at boot time.
              
                # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
                advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
                initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
                # listen on both the official ports and the legacy ports
                # legacy ports can be omitted if your application doesn't depend on them
                listen_client_urls:          "http://0.0.0.0:2379"
                listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
                # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
                # specify the initial size of your cluster with ?size=X
                discovery:                   "https://discovery.etcd.io/<token>"
    
    This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
    {
      "ignition": {
        "config": {},
        "timeouts": {},
        "version": "2.1.0"
      },
      "networkd": {},
      "passwd": {},
      "storage": {},
      "systemd": {
        "units": [
          {
            "dropins": [
              {
                "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
                "name": "20-clct-etcd-member.conf"
              }
            ],
            "enable": true,
            "name": "etcd-member.service"
          }
        ]
      }
    }
    
    • Paste configuration into "User Data"
    • "Continue"
  5. Storage Configuration
    • "Continue"
  6. Tags
    • "Continue"
  7. Create Key Pair
    • Choose a key of your choice, it will be added in addition to the one in the gist.
    • "Continue"
  8. Choose one or more of your existing Security Groups
    • "coreos-testing" as above.
    • "Continue"
  9. Launch!

We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

  1. Open the quick launch wizard to boot ami-08302d72.
  2. On the second page of the wizard, launch 3 servers to test our clustering
    • Number of instances: 3
    • Click "Continue"
  3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you're launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the `?size=` to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
  4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the "User Data" field.
    This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
    # This config is meant to be consumed by the config transpiler, which will
    # generate the corresponding Ignition config. Do not pass this config directly
    # to instances of Container Linux.
    
              etcd:
                # All options get passed as command line flags to etcd.
                # Any information inside curly braces comes from the machine at boot time.
              
                # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
                advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
                initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
                # listen on both the official ports and the legacy ports
                # legacy ports can be omitted if your application doesn't depend on them
                listen_client_urls:          "http://0.0.0.0:2379"
                listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
                # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
                # specify the initial size of your cluster with ?size=X
                discovery:                   "https://discovery.etcd.io/<token>"
    
    This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
    {
      "ignition": {
        "config": {},
        "timeouts": {},
        "version": "2.1.0"
      },
      "networkd": {},
      "passwd": {},
      "storage": {},
      "systemd": {
        "units": [
          {
            "dropins": [
              {
                "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
                "name": "20-clct-etcd-member.conf"
              }
            ],
            "enable": true,
            "name": "etcd-member.service"
          }
        ]
      }
    }
    
    • Paste configuration into "User Data"
    • "Continue"
  5. Storage Configuration
    • "Continue"
  6. Tags
    • "Continue"
  7. Create Key Pair
    • Choose a key of your choice, it will be added in addition to the one in the gist.
    • "Continue"
  8. Choose one or more of your existing Security Groups
    • "coreos-testing" as above.
    • "Continue"
  9. Launch!

Using CoreOS Container Linux

Now that you have a machine booted it is time to play around. Check out the Container Linux Quickstart guide or dig into more specific topics.