Running CoreOS Container Linux on EC2

The current AMIs for all Container Linux channels and EC2 regions are listed below and updated frequently. Questions can be directed to the CoreOS IRC channel or user mailing list.

Choosing a channel

Container Linux is designed to be updated automatically with different schedules per channel. You can disable this feature, although we don't recommend it. Read the release notes for specific features and bug fixes.

The Alpha channel closely tracks master and is released frequently. The newest versions of system libraries and utilities will be available for testing. The current version is Container Linux 1981.0.0.

View as json feed
EC2 Region AMI Type AMI ID
ap-northeast-1 PV ami-03f660fa3702b4325
HVM ami-0b30ee8ed96747100
ap-northeast-2 HVM ami-028b4aaefb81e73c2
ap-south-1 HVM ami-00ddc0f7963fd9408
ap-southeast-1 PV ami-0365b6425920aef67
HVM ami-0ffa245a749ef2799
ap-southeast-2 PV ami-0d0e1d986f7d584a7
HVM ami-0bcadcf28295c3034
ca-central-1 HVM ami-03cb6223f2d5e5e05
cn-north-1 PV ami-0fac356d218d5f5d7
HVM ami-083ae92c74816b227
cn-northwest-1 HVM ami-02e89a6d0ccc14608
eu-central-1 PV ami-0e9e6443237bc5824
HVM ami-07b83e26468055607
eu-west-1 PV ami-0849a0598cbeac6b7
HVM ami-064e8c9d84377d188
eu-west-2 HVM ami-0759303b61d1b6168
eu-west-3 HVM ami-079cbf7121a2b13c8
sa-east-1 PV ami-0b53e1cfeb85ca479
HVM ami-0097bc331878b3484
us-east-1 PV ami-0c56906f3854a64c5
HVM ami-0d8c7dff9f7cf0f6c
us-east-2 HVM ami-08477df13d28669c0
us-gov-west-1 PV ami-18402679
HVM ami-ef5c3a8e
us-west-1 PV ami-0d4072c67ebebc91e
HVM ami-0730b394f2a7e7095
us-west-2 PV ami-0e72c1f9659a0533b
HVM ami-040c26afb7bdea363

The Stable channel should be used by production clusters. Versions of Container Linux are battle-tested within the Beta and Alpha channels before being promoted. The current version is Container Linux 1911.4.0.

View as json feed
EC2 Region AMI Type AMI ID
ap-northeast-1 PV ami-0ee6bb58fc140e531
HVM ami-0bc12b4d1219f58ac
ap-northeast-2 HVM ami-06da21e4dbddf08fb
ap-south-1 HVM ami-06b7a29e2a33cb452
ap-southeast-1 PV ami-0d0562e879d70e9bd
HVM ami-0e6d89f4818a7f42c
ap-southeast-2 PV ami-0eacb626044e7fd3a
HVM ami-00a7f2d4e72882d65
ca-central-1 HVM ami-0dd4a413d76f0b772
cn-north-1 PV ami-0200e438e48c94b1a
HVM ami-0742010bbaf2d247f
cn-northwest-1 HVM ami-0249866ccbeab07ae
eu-central-1 PV ami-03538f2134836a375
HVM ami-05e7f7fc79cd6ba7e
eu-west-1 PV ami-08a458503dc3340e3
HVM ami-0772233ad155871ff
eu-west-2 HVM ami-0016c65679adc75f5
eu-west-3 HVM ami-015b1578841b2e1cb
sa-east-1 PV ami-05fdaedb150c834f3
HVM ami-02aaf77da1aafd541
us-east-1 PV ami-042df7b643addf6cc
HVM ami-0f51520e8e4a1fbe7
us-east-2 HVM ami-08e0a720053fb44b9
us-gov-west-1 PV ami-52e28533
HVM ami-95e582f4
us-west-1 PV ami-0fb454033feb80d24
HVM ami-0daa79f4415db181c
us-west-2 PV ami-07cbcc1b4bfb5c040
HVM ami-0c24d5499b254c53e

Container Linux Configs

Container Linux allows you to configure machine parameters, configure networking, launch systemd units on startup, and more via Container Linux Configs. These configs are then transpiled into Ignition configs and given to booting machines. Head over to the docs to learn about the supported features.

You can provide a raw Ignition config to Container Linux via the Amazon web console or via the EC2 API.

As an example, this Container Linux Config will configure and start etcd:

This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

etcd:
  # All options get passed as command line flags to etcd.
  # Any information inside curly braces comes from the machine at boot time.

  # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
  advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
  # listen on both the official ports and the legacy ports
  # legacy ports can be omitted if your application doesn't depend on them
  listen_client_urls:          "http://0.0.0.0:2379"
  listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
  # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
  # specify the initial size of your cluster with ?size=X
  discovery:                   "https://discovery.etcd.io/<token>"
This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
{
  "ignition": {
    "config": {},
    "timeouts": {},
    "version": "2.1.0"
  },
  "networkd": {},
  "passwd": {},
  "storage": {},
  "systemd": {
    "units": [
      {
        "dropins": [
          {
            "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
            "name": "20-clct-etcd-member.conf"
          }
        ],
        "enable": true,
        "name": "etcd-member.service"
      }
    ]
  }
}

Instance storage

Ephemeral disks and additional EBS volumes attached to instances can be mounted with a .mount unit. Amazon's block storage devices are attached differently depending on the instance type. Here's the Container Linux Config to format and mount the first ephemeral disk, xvdb, on most instance types:

This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
# This config is meant to be consumed by the config transpiler, which will
# generate the corresponding Ignition config. Do not pass this config directly
# to instances of Container Linux.

storage:
  filesystems:
    - mount:
        device: /dev/xvdb
        format: ext4
        wipe_filesystem: true

systemd:
  units:
    - name: media-ephemeral.mount
      enable: true
      contents: |
        [Mount]
        What=/dev/xvdb
        Where=/media/ephemeral
        Type=ext4

        [Install]
        RequiredBy=local-fs.target
This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
{
  "ignition": {
    "config": {},
    "timeouts": {},
    "version": "2.1.0"
  },
  "networkd": {},
  "passwd": {},
  "storage": {
    "filesystems": [
      {
        "mount": {
          "device": "/dev/xvdb",
          "format": "ext4",
          "wipeFilesystem": true
        }
      }
    ]
  },
  "systemd": {
    "units": [
      {
        "contents": "[Mount]\nWhat=/dev/xvdb\nWhere=/media/ephemeral\nType=ext4\n\n[Install]\nRequiredBy=local-fs.target",
        "enable": true,
        "name": "media-ephemeral.mount"
      }
    ]
  }
}

For more information about mounting storage, Amazon's own documentation is the best source. You can also read about mounting storage on Container Linux.

Adding more machines

To add more instances to the cluster, just launch more with the same Container Linux Config, the appropriate security group and the AMI for that region. New instances will join the cluster regardless of region if the security groups are configured correctly.

SSH to your instances

Container Linux is set up to be a little more secure than other cloud images. By default, it uses the core user instead of root and doesn't use a password for authentication. You'll need to add an SSH key(s) via the AWS console or add keys/passwords via your Container Linux Config in order to log in.

To connect to an instance after it's created, run:

ssh core@<ip address>

Multiple clusters

If you would like to create multiple clusters you will need to change the "Stack Name". You can find the direct template file on S3.

Manual setup

TL;DR: launch three instances of ami-0d8c7dff9f7cf0f6c in us-east-1 with a security group that has open port 22, 2379, 2380, 4001, and 7001 and the same "User Data" of each host. SSH uses the core user and you have etcd and Docker to play with.

Creating the security group

You need open port 2379, 2380, 7001 and 4001 between servers in the etcd cluster. Step by step instructions below.

This step is only needed once

First we need to create a security group to allow Container Linux instances to communicate with one another.

  1. Go to the security group page in the EC2 console.
  2. Click "Create Security Group"
    • Name: coreos-testing
    • Description: Container Linux instances
    • VPC: No VPC
    • Click: "Yes, Create"
  3. In the details of the security group, click the Inbound tab
  4. First, create a security group rule for SSH
    • Create a new rule: SSH
    • Source: 0.0.0.0/0
    • Click: "Add Rule"
  5. Add two security group rules for etcd communication
    • Create a new rule: Custom TCP rule
    • Port range: 2379
    • Source: type "coreos-testing" until your security group auto-completes. Should be something like "sg-8d4feabc"
    • Click: "Add Rule"
    • Repeat this process for port range 2380, 4001 and 7001 as well
  6. Click "Apply Rule Changes"

Launching a test cluster

We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

  1. Open the quick launch wizard to boot ami-0d8c7dff9f7cf0f6c.
  2. On the second page of the wizard, launch 3 servers to test our clustering
    • Number of instances: 3
    • Click "Continue"
  3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you're launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the `?size=` to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
  4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the "User Data" field.
    This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
    # This config is meant to be consumed by the config transpiler, which will
    # generate the corresponding Ignition config. Do not pass this config directly
    # to instances of Container Linux.
    
              etcd:
                # All options get passed as command line flags to etcd.
                # Any information inside curly braces comes from the machine at boot time.
    
    This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
    {
      "ignition": {
        "config": {},
        "timeouts": {},
        "version": "2.1.0"
      },
      "networkd": {},
      "passwd": {},
      "storage": {},
      "systemd": {}
    }
    
    ` # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4} advertise_client_urls: "http://{PRIVATE_IPV4}:2379" initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380" # listen on both the official ports and the legacy ports # legacy ports can be omitted if your application doesn't depend on them listen_client_urls: "http://0.0.0.0:2379" listen_peer_urls: "http://{PRIVATE_IPV4}:2380" # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3 # specify the initial size of your cluster with ?size=X discovery: "https://discovery.etcd.io/" ```
    • Paste configuration into "User Data"
    • "Continue"
    </li>
  5. Storage Configuration
    • "Continue"
  6. Tags
    • "Continue"
  7. Create Key Pair
    • Choose a key of your choice, it will be added in addition to the one in the gist.
    • "Continue"
  8. Choose one or more of your existing Security Groups
    • "coreos-testing" as above.
    • "Continue"
  9. Launch!
  10. </ol> </div>

    We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

    1. Open the quick launch wizard to boot ami-0f38c2f94b3b134d8.
    2. On the second page of the wizard, launch 3 servers to test our clustering
      • Number of instances: 3
      • Click "Continue"
    3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you're launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the `?size=` to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
    4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the "User Data" field.
      This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
      # This config is meant to be consumed by the config transpiler, which will
      # generate the corresponding Ignition config. Do not pass this config directly
      # to instances of Container Linux.
      
            etcd:
              # All options get passed as command line flags to etcd.
              # Any information inside curly braces comes from the machine at boot time.
            
              # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
              advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
              initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
              # listen on both the official ports and the legacy ports
              # legacy ports can be omitted if your application doesn't depend on them
              listen_client_urls:          "http://0.0.0.0:2379"
              listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
              # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
              # specify the initial size of your cluster with ?size=X
              discovery:                   "https://discovery.etcd.io/<token>"
      
      This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
      {
        "ignition": {
          "config": {},
          "timeouts": {},
          "version": "2.1.0"
        },
        "networkd": {},
        "passwd": {},
        "storage": {},
        "systemd": {
          "units": [
            {
              "dropins": [
                {
                  "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
                  "name": "20-clct-etcd-member.conf"
                }
              ],
              "enable": true,
              "name": "etcd-member.service"
            }
          ]
        }
      }
      
      • Paste configuration into "User Data"
      • "Continue"
    5. Storage Configuration
      • "Continue"
    6. Tags
      • "Continue"
    7. Create Key Pair
      • Choose a key of your choice, it will be added in addition to the one in the gist.
      • "Continue"
    8. Choose one or more of your existing Security Groups
      • "coreos-testing" as above.
      • "Continue"
    9. Launch!

    We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

    1. Open the quick launch wizard to boot ami-0f51520e8e4a1fbe7.
    2. On the second page of the wizard, launch 3 servers to test our clustering
      • Number of instances: 3
      • Click "Continue"
    3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you're launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the `?size=` to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
    4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the "User Data" field.
      This is the human-readable config file. This should not be immediately passed to Container Linux. Learn more.
      # This config is meant to be consumed by the config transpiler, which will
      # generate the corresponding Ignition config. Do not pass this config directly
      # to instances of Container Linux.
      
            etcd:
              # All options get passed as command line flags to etcd.
              # Any information inside curly braces comes from the machine at boot time.
            
              # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
              advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
              initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
              # listen on both the official ports and the legacy ports
              # legacy ports can be omitted if your application doesn't depend on them
              listen_client_urls:          "http://0.0.0.0:2379"
              listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
              # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
              # specify the initial size of your cluster with ?size=X
              discovery:                   "https://discovery.etcd.io/<token>"
      
      This is the raw machine configuration, which is not intended for editing. Learn more. Validate the config here.
      {
        "ignition": {
          "config": {},
          "timeouts": {},
          "version": "2.1.0"
        },
        "networkd": {},
        "passwd": {},
        "storage": {},
        "systemd": {
          "units": [
            {
              "dropins": [
                {
                  "contents": "[Unit]\nRequires=coreos-metadata.service\nAfter=coreos-metadata.service\n\n[Service]\nEnvironmentFile=/run/metadata/coreos\nExecStart=\nExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \\\n  --listen-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --listen-client-urls=\"http://0.0.0.0:2379\" \\\n  --initial-advertise-peer-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2380\" \\\n  --advertise-client-urls=\"http://${COREOS_EC2_IPV4_LOCAL}:2379\" \\\n  --discovery=\"https://discovery.etcd.io/\u003ctoken\u003e\"",
                  "name": "20-clct-etcd-member.conf"
                }
              ],
              "enable": true,
              "name": "etcd-member.service"
            }
          ]
        }
      }
      
      • Paste configuration into "User Data"
      • "Continue"
    5. Storage Configuration
      • "Continue"
    6. Tags
      • "Continue"
    7. Create Key Pair
      • Choose a key of your choice, it will be added in addition to the one in the gist.
      • "Continue"
    8. Choose one or more of your existing Security Groups
      • "coreos-testing" as above.
      • "Continue"
    9. Launch!
    ```` </div> </div> ## Using CoreOS Container Linux Now that you have a machine booted it is time to play around. Check out the [Container Linux Quickstart](quickstart.html) guide or dig into [more specific topics](https://coreos.com/docs).