

  • The instructions on the CernVM website use the 2009 Java-based release of the Amazon EC2 tools, documented here.
  • The current release of the Java-based Amazon EC2 tools is from 2015 and is documented here.
It is important to note that the 2009 version allows you to bundle images; the 2015 tools do not. The 2015 tools support HVM, while the 2009 tools do not. The 2015 document also notes that we should use the Python/boto-based command line tools.

Uploading CernVM

First off, a point that confuses me on the function of S3 (I thought S3 was replicated site-to-site): to create an S3-backed image you need to create a bucket local to the EC2 region you care to create the image on. For example:

aws s3 mb --region us-west-2 s3://ucernvm-us-west-2
aws s3 mb --region us-east-1 s3://ucernvm-us-east-1

And then you'll need to add the VM image into each of these buckets, once for each region you care to maintain an image in. I really hope that this will go away at some point ... but it makes me think that S3 is in fact not replicated between the Amazon sites.

Preparing the image

These instructions are derived from the documentation on the CernVM website. Note that these instructions use the deprecated Amazon CLI documented here. If you have trouble finding those CLI tools, they are included in CernVM. The only reference I was able to find to the first command, though, came from this quick reference sheet. To do this you will need an X.509 key, for either the root or an IAM user; more on this under AmazonWebServices#IAMPolicy. To create the image files, grab the FAT filesystem of CernVM and then add the Amazon disk description:
wget http://cernvm.cern.ch/releases/production/cernvm-3.6.5.fat
ec2-bundle-image -u <account_id> -c cert-*.pem -k pk-*.pem -i cernvm-3.6.5.fat --debug --arch x86_64
Note: You can look up your account ID in "My Account" in the AWS console. The cert-*.pem and pk-*.pem are your certificate and private key.

Now upload the manifests you created above to your S3 buckets:

ec2-upload-bundle -a <ID> -s <key> -m /tmp/cernvm-3.6.5.fat.manifest.xml -b ucernvm-us-west-2
ec2-upload-bundle -a <ID> -s <key> -m /tmp/cernvm-3.6.5.fat.manifest.xml -b ucernvm-us-east-1
For me that splits into two parts which end up in the buckets.

Paravirtualized Image

Amazon provides kernel images for para-virtualized instances. I found the kernel image identifiers by using the Amazon Linux instances as a reference.

[Figure: EC2 Management Console screenshot (EC2_Management_Console.png), finding the Kernel ID]

Here are the AKIs I've looked up so far:

Region Kernel ID
us-east-1 aki-919dcaf8
us-west-2 aki-fc8f11cc

OK, armed with those kernel IDs we can now make our para-virtualized image. You have to set up the correct service endpoint for EC2; you can look them up here. So for Oregon:

export EC2_URL=https://ec2.us-west-2.amazonaws.com
ec2-register -O <ID> -W <key> -a x86_64 --kernel aki-fc8f11cc ucernvm-us-west-2/cernvm-3.6.5.fat.manifest.xml -d "CernVM 3.6.5"

For N. Virginia note that the service endpoint and the kernel ID are different:

export EC2_URL=https://ec2.us-east-1.amazonaws.com
ec2-register -O <ID> -W <key> -a x86_64 --kernel aki-919dcaf8 ucernvm-us-east-1/cernvm-3.6.5.fat.manifest.xml -d "CernVM 3.6.5"

Hypervirtualized (HVM) Images

The AWS documentation fooled me with the ec2-register documentation of the new CLI. Since I thought this applied to the old way of doing things, I thought we could do this:
export EC2_URL=https://ec2.us-west-2.amazonaws.com
ec2-register -O <ID> -W <key> -a x86_64 --virtualization-type hvm --kernel aki-fc8f11cc ucernvm-us-west-2/cernvm-3.6.5.fat.manifest.xml -d "CernVM 3.6.5"
Which does not work: the option does not exist and the kernel needs changing. If you were really motivated you probably looked at the HVM images and noted that none of them have an associated Kernel ID. So let's learn about the new CLI!

New(ish) AWS Command Line Interface

The new Amazon CLI is very nicely available via pip:
pip install awscli
and promises great things, such as easy HVM support. Here I chronicle my journeys so far. First, there is some friendly documentation here. I identify that the cernvm-*.fat image would be a filesystem for a Citrix Xen image and thus should qualify for import. However, Xen is para-virtualization, so I am keeping an open mind about the RAW image CernVM advertises for OpenStack (is that crazy?).

I followed along with the instructions (http://docs.aws.amazon.com/vm-import/latest/userguide/import-vm-image.html). First off, you need to work from an instance that has an appropriate service role associated with it. That means we have to use an Amazon instance. To get started following their instructions, you will need to create an IAM user that has full access to IAM:

aws configure
AWS Access Key ID [None]: <ID>
AWS Secret Access Key [None]: <key>
Default region name [None]: us-west-2
Default output format [None]:

Upload the image you want to create the VM Image from onto S3:

wget http://cernvm.cern.ch/releases/production/cernvm-3.6.5.hdd
aws s3 cp cernvm-3.6.5.hdd s3://ucernvm-us-west-2/cernvm-3.6.5.hdd
aws s3 cp cernvm-3.6.5.hdd s3://ucernvm-us-east-1/cernvm-3.6.5.hdd

When you are ready to run aws ec2 import-image I suggest proceeding as follows. First run aws ec2 import-image --generate-cli-skeleton to get the structure of the JSON we'll use to describe the image. I then filled it like this:

{
  "DryRun": false,
  "Description": "The micro CernVM version 3.6.5 running CerntOS 6",
  "DiskContainers": [
    {
      "Description": "CernVM disk image",
      "Format": "raw",
      "UserBucket": {
        "S3Bucket": "ucernvm-us-west-2",
        "S3Key": "cernvm-3.6.5.hdd"
      }
    }
  ],
  "Hypervisor": "xen",
  "Architecture": "x86_64",
  "Platform": "Linux"
}
Now, I know that this is a KVM image, but xen is literally the only hypervisor value that is allowed here, so let's see what happens; maybe we have to convert that image? Then run the import task:
aws ec2 import-image --cli-input-json file://cernvm-import.json

That will give you a message like this:

{
    "Status": "active",
    "Description": "The micro CernVM version 3.6.5 running CerntOS 6",
    "Hypervisor": "xen",
    "Platform": "Linux",
    "Architecture": "x86_64",
    "Progress": "2",
    "SnapshotDetails": [
        {
            "UserBucket": {
                "S3Bucket": "ucernvm-us-west-2",
                "S3Key": "cernvm-3.6.5.hdd"
            },
            "DiskImageSize": 0.0,
            "Format": "RAW"
        }
    ],
    "StatusMessage": "pending",
    "ImportTaskId": "import-ami-fh29lusp"
}

You can then check on the progress of your request like so:

aws ec2 describe-import-image-tasks --import-task-ids import-ami-fh29lusp

Unfortunately this one, just as all my previous attempts, failed with the following:

    "StatusMessage": "ClientError: Unknown OS / Missing OS files."

IAM Users and Policies

I ended up just adding Full S3 and EC2 access (nuke from orbit?). The following is how far I got with defining a more specific set of permissions:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"



-- frank - 2016-10-11
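
A narrower alternative to the full S3 and EC2 access mentioned under "IAM Users and Policies", for the import service role the VM Import steps require. This is an added example, not the author's policy or code from the original page: the action list is an assumption modelled on the service-role policy in the AWS VM Import/Export guide, FULL_ACCESS is a constructed stand-in, and broad_grants is a hypothetical helper that flags wildcard grants.

```python
import json

# Buckets named on this page. The action lists are an assumption modelled on
# the service-role policy in the AWS VM Import/Export guide, not the author's.
BUCKETS = ["ucernvm-us-west-2", "ucernvm-us-east-1"]

def vmimport_role_policy(buckets):
    """Read-only access to the named buckets plus the EC2 calls an import needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
            {"Effect": "Allow",
             "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"],
             "Resource": "*"},
        ],
    }

# Constructed stand-in for "Full S3 and EC2 access"; not an AWS managed policy.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}],
}

def as_list(value):
    # IAM accepts a bare string wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return (action, resource) pairs granting a whole service, or S3 on every bucket."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            for res in as_list(stmt.get("Resource", [])):
                if action == "*" or name == "*" or (service == "s3" and res == "*"):
                    findings.append((action, res))
    return findings

if __name__ == "__main__":
    print(json.dumps(vmimport_role_policy(BUCKETS), indent=2))
    print("full access findings:", broad_grants(FULL_ACCESS))
```

The scoped policy produces no findings, while the full-access stand-in is flagged for both services; check the action list against the current AWS guide before attaching it to a role.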


Topic revision: r3 - 2016-10-13 - frank