upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-26 19:23:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/release/tools/ec2.conf
Colin Percival 29d6968fd3 EC2: Remove old broken_txfifo workaround 
Early versions of Xen, including those used in the early days of EC2,
had a bug in their UART emulation whereby the TX FIFO wouldn't send the
expected interrupt when emptying; as a result, FreeBSD would write 16
characters to the serial console and then stop because we thought the
FIFO was forever full.

In 2013 (1c60b24baa) I added a loader tunable "hw.broken_txfifo"
which spinwaits for the FIFO TX rather than relying on the interrupt,
and enabled this in loader.conf in EC2 images.

A decade later, this workaround is almost certainly no longer needed in
EC2 -- most instances don't run Xen, and the bug was long since fixed
in Xen anyway -- but we've been holding on to the workaround "just in
case".  Unfortunately, the spinwait behaviour is causing latency spikes
and triggering warnings from the ena(4) driver.

This commit removes the hw.broken_txfifo setting from loader.conf in
EC2 images, but leaves the loader tunable and associated code, since it
has been necessary in some other environments.  (It seems that the TX
FIFO missing-interrupts bug has been independently written at least
three times!)

Approved by:	re (cperciva)
MFC after:	1 minute
Sponsored by:	Amazon

(cherry picked from commit 9a685c09f06a55b18589d75f9307563d84a17fa9)
(cherry picked from commit eadda156a50d3487ec1e6fc78f6cfe2df42448fa)
2025-05-15 15:22:44 -07:00

151 lines
6 KiB
Bash
Raw Blame History

#!/bin/sh
# Package which should be installed onto all EC2 AMIs:
# * ebsnvme-id, which is very minimal and provides important EBS-specific
# functionality,
export VM_EXTRA_PACKAGES="${VM_EXTRA_PACKAGES} ebsnvme-id"
# Services which should be enabled by default in rc.conf(5).
export VM_RC_LIST="dev_aws_disk ntpd"
# Build with a 7.9 GB partition; the growfs rc.d script will expand
# the partition to fill the root disk after the EC2 instance is launched.
# Note that if this is set to <N>G, we will end up with an <N+1> GB disk
# image since VMSIZE is the size of the filesystem partition, not the disk
# which it resides within.
export VMSIZE=8000m
# No swap space; it doesn't make sense to provision any as part of the disk
# image when we could be launching onto a system with anywhere between 0.5
# and 4096 GB of RAM.
export NOSWAP=YES
ec2_common() {
# Delete the pkg package and the repo database; they will likely be
# long out of date before the EC2 instance is launched.
mount -t devfs devfs ${DESTDIR}/dev
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
/usr/sbin/pkg delete -f -y pkg
umount ${DESTDIR}/dev
rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD
# Turn off IPv6 Duplicate Address Detection; the EC2 networking
# configuration makes it unnecessary.
echo 'net.inet6.ip6.dad_count=0' >> ${DESTDIR}/etc/sysctl.conf
# Booting quickly is more important than giving users a chance to
# access the boot loader via the serial port.
echo 'autoboot_delay="-1"' >> ${DESTDIR}/boot/loader.conf
echo 'beastie_disable="YES"' >> ${DESTDIR}/boot/loader.conf
# The EFI RNG on Graviton 2 is particularly slow if we ask for the
# default 2048 bytes of entropy; ask for 64 bytes instead.
echo 'entropy_efi_seed_size="64"' >> ${DESTDIR}/boot/loader.conf
# Tell gptboot not to wait 3 seconds for a keypress which will
# never arrive.
printf -- "-n\n" > ${DESTDIR}/boot.config
# The emulated keyboard attached to EC2 instances is inaccessible to
# users, and there is no mouse attached at all; disable to keyboard
# and the keyboard controller (to which the mouse would attach, if
# one existed) in order to save time in device probing.
echo 'hint.atkbd.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
echo 'hint.atkbdc.0.disabled=1' >> ${DESTDIR}/boot/loader.conf
# EC2 has two consoles: An emulated serial port ("system log"),
# which has been present since 2006; and a VGA console ("instance
# screenshot") which was introduced in 2016.
echo 'boot_multicons="YES"' >> ${DESTDIR}/boot/loader.conf
# Graviton 1 through Graviton 4 have a bug in their ACPI where they
# mark the PL061's pins as needing to be configured in PullUp mode
# (in fact the PL061 has no pullup/pulldown resistors). Graviton 1
# through Graviton 3 have non-functional PCI _EJ0 and need a value
# written to the PCI power status register in order to eject a
# device. EC2 instances with PCI (not PCIe) buses need a short
# delay before rescanning upon device detach.
echo 'debug.acpi.quirks="56"' >> ${DESTDIR}/boot/loader.conf
# The default behaviour of re-routing INTx interrupts causes a
# resource leak on INTRng (aka on Graviton systems). Repeated
# hotplug/unplug on PCI (not PCIe) Graviton systems ends up with
# a kernel panic unless we disable this.
echo 'hw.pci.intx_reroute=0' >> ${DESTDIR}/boot/loader.conf
# Load the kernel module for the Amazon "Elastic Network Adapter"
echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf
# Use the "nda" driver for accessing NVMe disks rather than the
# historical "nvd" driver.
echo 'hw.nvme.use_nvd="0"' >> ${DESTDIR}/boot/loader.conf
# Reduce the timeout for PCIe Eject ("hotunplug") requests. PCIe
# mandates a 5 second timeout to allow someone to cancel the eject
# by pressing the "Attention button" a second time, but in the EC2
# environment this delay serves no purpose.
echo 'hw.pci.pcie_hp_detach_timeout="0"' >> ${DESTDIR}/boot/loader.conf
# Disable KbdInteractiveAuthentication according to EC2 requirements.
sed -i '' -e \
's/^#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' \
${DESTDIR}/etc/ssh/sshd_config
# Use FreeBSD Update mirrors hosted in AWS
sed -i '' -e 's/update.FreeBSD.org/aws.update.FreeBSD.org/' \
${DESTDIR}/etc/freebsd-update.conf
# Use the NTP service provided by Amazon
sed -i '' -e 's/^pool/#pool/' \
-e '1,/^#server/s/^#server.*/server 169.254.169.123 iburst/' \
${DESTDIR}/etc/ntp.conf
# Provide a map for accessing Elastic File System mounts
cat > ${DESTDIR}/etc/autofs/special_efs <<'EOF'
#!/bin/sh
if [ $# -eq 0 ]; then
# No way to know which EFS filesystems exist and are
# accessible to this EC2 instance.
exit 0
fi
# Provide instructions on how to mount the requested filesystem.
FS=$1
REGION=`fetch -qo- http://169.254.169.254/latest/meta-data/placement/availability-zone | sed -e 's/[a-z]$//'`
echo "-nfsv4,minorversion=1,oneopenown ${FS}.efs.${REGION}.amazonaws.com:/"
EOF
chmod 755 ${DESTDIR}/etc/autofs/special_efs
# The first time the AMI boots, run "first boot" scripts.
touch ${DESTDIR}/firstboot
return 0
}
ec2_base_networking () {
# EC2 instances use DHCP to get their network configuration. IPv6
# requires accept_rtadv.
echo 'ifconfig_DEFAULT="SYNCDHCP accept_rtadv"' >> ${DESTDIR}/etc/rc.conf
# The EC2 DHCP server can be trusted to know whether an IP address is
# assigned to us; we don't need to ARP to check if anyone else is using
# the address before we start using it.
echo 'dhclient_arpwait="NO"' >> ${DESTDIR}/etc/rc.conf
# Enable IPv6 on all interfaces, and spawn DHCPv6 via rtsold
echo 'ipv6_activate_all_interfaces="YES"' >> ${DESTDIR}/etc/rc.conf
echo 'rtsold_enable="YES"' >> ${DESTDIR}/etc/rc.conf
echo 'rtsold_flags="-M /usr/local/libexec/rtsold-M -a"' >> ${DESTDIR}/etc/rc.conf
# Provide a script which rtsold can use to launch DHCPv6
mkdir -p ${DESTDIR}/usr/local/libexec
cat > ${DESTDIR}/usr/local/libexec/rtsold-M <<'EOF'
#!/bin/sh
/usr/local/sbin/dhclient -6 -nw -N -cf /dev/null $1
EOF
chmod 755 ${DESTDIR}/usr/local/libexec/rtsold-M
return 0
}
Reference in a new issue View git blame Copy permalink