fastboot: Build arm64 AMI image

- Supports arm64 ext4fs AMI creation using EBS-Surrogate
- Reduce VM boot-time between 10 to 15 seconds
- Shrink rootfs size from 16GB to 11GB
- Cleanup unused files and packages

Signed-off-by: Lakshmipathi Ganapathi <[email protected]>

Update amazon-arm64.pkr.hcl

Update amazon-arm64.pkr.hcl

Author: Lakshmipathi

.github/workflows/ci.yml

@@ -3,7 +3,7 @@ name: Run CI checks
 on:
   push:
     branches:
-      - develop
+      - wip/fastboot
 
 jobs:
   build:
@@ -16,4 +16,4 @@ jobs:
 
       - name: Build AMI
         run: |
-          packer build -timestamp-ui -color=false -on-error=cleanup -var-file common.vars.json -var-file development-arm.vars.json amazon.json
+          packer build -var-file="development-arm.vars.pkr.hcl" -var-file="common.vars.pkr.hcl" amazon-arm64.pkr.hcl

amazon-arm64.pkr.hcl

@@ -0,0 +1,218 @@
+variable "ami" {
+  type    = string
+  default = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-arm64-server-*"
+}
+
+variable "profile" {
+  type    = string
+  default = "${env("AWS_PROFILE")}"
+}
+
+variable "ami_name" {
+  type    = string
+  default = "supabase-postgres"
+}
+
+variable "ami_regions" {
+  type    = list(string)
+  default = ["ap-southeast-2"]
+}
+
+variable "ansible_arguments" {
+  type    = string
+  default = "--skip-tags,install-postgrest,--skip-tags,install-pgbouncer,--skip-tags,install-supabase-internal,ebssurrogate_mode='true'"
+}
+
+variable "aws_access_key" {
+  type    = string
+  default = ""
+}
+
+variable "aws_secret_key" {
+  type    = string
+  default = ""
+}
+
+variable "environment" {
+  type    = string
+  default = "prod"
+}
+
+variable "region" {
+  type    = string
+}
+
+variable "build-vol" {
+  type    = string
+  default = "xvdc"
+}
+
+# ccache docker image details
+variable "docker_user" {
+  type    = string
+  default = ""
+}
+
+variable "docker_passwd" {
+  type    = string
+  default = ""
+}
+
+variable "docker_image" {
+  type    = string
+  default = ""
+}
+
+variable "docker_image_tag" {
+  type    = string
+  default = "latest"
+}
+
+locals {
+  creator = "packer"
+}
+
+variable "postgres-version" {
+  type = string
+  default = ""
+}
+
+# source block
+source "amazon-ebssurrogate" "source" {
+  profile = "${var.profile}"
+  #access_key    = "${var.aws_access_key}"
+  #ami_name = "${var.ami_name}-arm64-${formatdate("YYYY-MM-DD-hhmm", timestamp())}"
+  ami_name = "${var.ami_name}-${var.postgres-version}"
+  ami_virtualization_type = "hvm"
+  ami_architecture = "arm64"
+  ami_regions   = "${var.ami_regions}"
+  instance_type = "t4g.2xlarge"
+  region       = "${var.region}"
+  #secret_key   = "${var.aws_secret_key}"
+
+  # Use latest official ubuntu focal ami owned by Canonical.
+  source_ami_filter {
+    filters = {
+      virtualization-type = "hvm"
+      name = "${var.ami}"
+      root-device-type = "ebs"
+    }
+    owners = [ "099720109477" ]
+    most_recent = true
+   }
+  ena_support = true
+  launch_block_device_mappings {
+    device_name = "/dev/xvdf"
+    delete_on_termination = true
+    volume_size = 10
+    volume_type = "gp3"
+   }
+
+  launch_block_device_mappings {
+    device_name           = "/dev/${var.build-vol}"
+    delete_on_termination = true
+    volume_size           = 16
+    volume_type           = "gp2"
+    omit_from_artifact    = true
+  }
+
+  run_tags = {
+    creator = "packer"
+    appType = "postgres"
+  }
+  run_volume_tags = {
+    creator = "packer"
+    appType = "postgres"
+  }
+  snapshot_tags = {
+    creator = "packer"
+    appType = "postgres"
+  }
+  tags = {
+    creator = "packer"
+    appType = "postgres"
+  }
+
+  communicator = "ssh"
+  ssh_pty = true
+  ssh_username = "ubuntu"
+  ssh_timeout = "5m"
+
+  ami_root_device {
+    source_device_name = "/dev/xvdf"
+    device_name = "/dev/xvda"
+    delete_on_termination = true
+    volume_size = 10
+    volume_type = "gp2"
+  }
+}
+
+# a build block invokes sources and runs provisioning steps on them.
+build {
+  sources = ["source.amazon-ebssurrogate.source"]
+
+  provisioner "file" {
+    source = "ebssurrogate/files/sources-arm64.cfg"
+    destination = "/tmp/sources.list"
+  }
+
+  provisioner "file" {
+    source = "ebssurrogate/files/ebsnvme-id"
+    destination = "/tmp/ebsnvme-id"
+  }
+
+  provisioner "file" {
+    source = "ebssurrogate/files/70-ec2-nvme-devices.rules"
+    destination = "/tmp/70-ec2-nvme-devices.rules"
+  }
+
+  provisioner "file" {
+    source = "ebssurrogate/scripts/chroot-bootstrap.sh"
+    destination = "/tmp/chroot-bootstrap.sh"
+  }
+
+  provisioner "file" {
+    source = "ebssurrogate/files/cloud.cfg"
+    destination = "/tmp/cloud.cfg"
+  }
+
+  provisioner "file" {
+    source = "ebssurrogate/files/vector.timer"
+    destination = "/tmp/vector.timer"
+  }
+
+  # Copy ansible playbook
+  provisioner "shell" {
+    inline = ["mkdir /tmp/ansible-playbook"]
+  }
+
+  provisioner "file" {
+    source = "ansible"
+    destination = "/tmp/ansible-playbook"
+  }
+
+  provisioner "file" {
+    source = "scripts"
+    destination = "/tmp/ansible-playbook"
+  }
+
+  provisioner "shell" {
+    environment_vars = [
+      "ARGS=${var.ansible_arguments}",
+      "DOCKER_USER=${var.docker_user}",
+      "DOCKER_PASSWD=${var.docker_passwd}",
+      "DOCKER_IMAGE=${var.docker_image}",
+      "DOCKER_IMAGE_TAG=${var.docker_image_tag}"
+    ]
+    script = "ebssurrogate/scripts/surrogate-bootstrap.sh"
+    execute_command = "sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
+    start_retry_timeout = "5m"
+    skip_clean = true
+  }
+
+  provisioner "file" {
+    source = "/tmp/ansible.log"
+    destination = "/tmp/ansible.log"
+    direction = "download"
+  }
+}

ansible/playbook.yml

@@ -47,6 +47,27 @@
       systemd:
         name: postgresql
         state: started
+      when: not ebssurrogate_mode
+
+    - name: Start Postgres Database without Systemd
+      become: yes
+      become_user: postgres
+      shell:
+        cmd: /usr/bin/pg_ctl -D /var/lib/postgresql/data start
+      when: ebssurrogate_mode
+
+    - name: Install WAL-G
+      import_tasks: tasks/setup-wal-g.yml
+
+    - name: Install PostgREST
+      import_tasks: tasks/setup-postgrest.yml
+      tags:
+        - install-postgrest
+
+    - name: Adjust APT update intervals
+      copy:
+        src: files/apt_periodic
+        dest: /etc/apt/apt.conf.d/10periodic
 
     - name: Transfer init SQL files
       copy:
@@ -67,19 +88,6 @@
         state: absent
       loop: "{{ sql_files }}"
 
-    - name: Install PostgREST
-      import_tasks: tasks/setup-postgrest.yml
-      tags:
-        - install-postgrest
-
-    - name: Clean out build dependencies
-      import_tasks: tasks/clean-build-dependencies.yml
-
-    - name: Adjust APT update intervals
-      copy:
-        src: files/apt_periodic
-        dest: /etc/apt/apt.conf.d/10periodic
-
     - name: UFW - Allow SSH connections
       ufw:
         rule: allow
@@ -160,7 +168,17 @@
         paths: /usr/lib/postgresql/bin
       register: postgresql_bin
 
+    - name: Clean out build dependencies
+      import_tasks: tasks/clean-build-dependencies.yml
+
     - name: Create symbolic links for Postgres binaries to /usr/bin/
       become: yes
       shell:
         cmd: "for fl in /usr/lib/postgresql/bin/* ; do ln -sf $fl /usr/bin/$(basename $fl) ; done"
+
+    - name: Stop Postgres Database without Systemd
+      become: yes
+      become_user: postgres
+      shell:
+        cmd: /usr/bin/pg_ctl -D /var/lib/postgresql/data stop
+      when: ebssurrogate_mode

ansible/tasks/internal/optimizations.yml

@@ -2,6 +2,7 @@
   community.general.snap:
     name: amazon-ssm-agent
     state: absent
+  failed_when: not ebssurrogate_mode
 
 - name: ensure services are stopped and disabled for first boot
   systemd:
@@ -15,12 +16,14 @@
     - fail2ban
     - motd-news
     - vector
+  failed_when: not ebssurrogate_mode
 
 - name: Remove snapd
   apt:
     state: absent
     pkg:
       - snapd
+  failed_when: not ebssurrogate_mode
 
 - name: ensure services are stopped and disabled for first boot
   systemd:
@@ -30,6 +33,7 @@
     masked: yes
   with_items:
     - lvm2-monitor
+  failed_when: not ebssurrogate_mode
 
 - name: disable man-db
   become: yes
@@ -40,3 +44,4 @@
     - man-db
     - popularity-contest
     - ubuntu-advantage-tools
+  failed_when: not ebssurrogate_mode

ansible/tasks/setup-osquery.yml

@@ -10,6 +10,15 @@
 - name: filter out audit logs from journald # c.f. https://osquery.readthedocs.io/en/stable/installation/install-linux/
   shell: |
     systemctl mask --now systemd-journald-audit.socket
+  when: not ebssurrogate_mode
+
+- name: filter out audit logs from journald without Systemd
+  ansible.builtin.file:
+    src: /dev/null
+    dest: /etc/systemd/system/systemd-journald-audit.socket
+    state: link
+  become: yes
+  when: ebssurrogate_mode
 
 - name: install systemd service
   template:

ansible/tasks/setup-postgres.yml

@@ -11,6 +11,7 @@
       - libxslt-dev
       - libssl-dev
       - libsystemd-dev
+      - libpq-dev
       - libxml2-utils
       - uuid-dev
       - xsltproc
@@ -32,6 +33,15 @@
   shell:
     cmd: update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 100 --slave /usr/bin/g++ g++ /usr/bin/g++-10 --slave /usr/bin/gcov gcov /usr/bin/gcov-10
 
+# Setup permissions
+- name: Update permissions for /var/tmp directory
+  file:
+    path: /var/tmp/
+    owner: root
+    group: root
+    mode: '1777'
+  become: yes
+
 # Building Postgres from source
 - name: Postgres - download latest release
   get_url:
@@ -142,6 +152,20 @@
     dest: /etc/postgresql/pg_ident.conf
     group: postgres
 
+- name: Find all files in /usr/lib/postgresql/bin
+  find:
+    paths: /usr/lib/postgresql/bin
+  register: postgresql_bin
+
+- name: Create symbolic links for Postgres binaries to /usr/bin/
+  become: yes
+  file:
+    src: "{{ item.path }}"
+    path: "/usr/bin/{{ item.path | basename }}"
+    state: link
+    force: yes
+  with_items: "{{ postgresql_bin.files }}"
+
 # init DB
 - name: Initialize the database
   become: yes