Running Flatcar Container Linux on AWS EC2

The current AMIs for all Flatcar Container Linux channels and EC2 regions are listed below and updated frequently. Using CloudFormation is the easiest way to launch a cluster, but it is also possible to follow the manual steps at the end of the article. Questions can be directed to the Flatcar Container Linux IRC channel or user mailing list.

Release retention time

After publishing, releases will remain available as public AMIs on AWS for 9 months. AMIs older than 9 months will be un-published in regular garbage collection sweeps. Please note that this will not impact existing AWS instances that use those releases. However, deploying new instances (e.g. in autoscaling groups pinned to a specific AMI) will not be possible after the AMI has been un-published.

Choosing a channel

Flatcar Container Linux is designed to be updated automatically with different schedules per channel. You can disable this feature, although we don’t recommend it. Read the release notes for specific features and bug fixes.

The Alpha channel closely tracks master and is released frequently. The newest versions of system libraries and utilities will be available for testing. The current version is Flatcar Container Linux 2748.0.0.

EC2 Region AMI Type AMI ID CloudFormation
ap-east-1 HVM (amd64) ami-0686e84dfcee3d7d6 Launch Stack
HVM (arm64) ami-05a816301d0138691 Launch Stack
ap-northeast-1 HVM (amd64) ami-0a3e9eace3a842661 Launch Stack
HVM (arm64) ami-0e5603d7a472cdc4d Launch Stack
ap-northeast-2 HVM (amd64) ami-05d4fa012b52f66fa Launch Stack
HVM (arm64) ami-03a6d7e01c5361fe3 Launch Stack
ap-south-1 HVM (amd64) ami-077bed345aca4da4f Launch Stack
HVM (arm64) ami-033490821f3c47009 Launch Stack
ap-southeast-1 HVM (amd64) ami-05e490ef875a46d15 Launch Stack
HVM (arm64) ami-0ecaa76f0cf1f4a58 Launch Stack
ap-southeast-2 HVM (amd64) ami-0c33019b859c52638 Launch Stack
HVM (arm64) ami-080aacc02420edc9d Launch Stack
ca-central-1 HVM (amd64) ami-01355728d9ee5e1f0 Launch Stack
HVM (arm64) ami-01cd63656a7ebed82 Launch Stack
eu-central-1 HVM (amd64) ami-02c87e68dd5c597e6 Launch Stack
HVM (arm64) ami-03ed9cd345d373bd4 Launch Stack
eu-north-1 HVM (amd64) ami-0ccce94dcadf4732f Launch Stack
HVM (arm64) ami-0d739a3ce806cdf8b Launch Stack
eu-west-1 HVM (amd64) ami-003a1bfa97e33bbd3 Launch Stack
HVM (arm64) ami-0011e73f4b885523c Launch Stack
eu-west-2 HVM (amd64) ami-094cd794073a14f38 Launch Stack
HVM (arm64) ami-0d86a678bf5f363dd Launch Stack
eu-west-3 HVM (amd64) ami-029f6237de32de054 Launch Stack
HVM (arm64) ami-0bf0d5a5ca7dc2ecd Launch Stack
me-south-1 HVM (amd64) ami-03730b9399d6ebb82 Launch Stack
HVM (arm64) ami-00d99035d4d96043e Launch Stack
sa-east-1 HVM (amd64) ami-0497f2cf535bdf94c Launch Stack
HVM (arm64) ami-01acfff141ec9a481 Launch Stack
us-east-1 HVM (amd64) ami-02a2f89db31b63c4d Launch Stack
HVM (arm64) ami-046007c0e79e7bf34 Launch Stack
us-east-2 HVM (amd64) ami-053aecd38d2a5aa2b Launch Stack
HVM (arm64) ami-0bb89c19cc0d6f235 Launch Stack
us-west-1 HVM (amd64) ami-00aae1f7c714ab8a4 Launch Stack
HVM (arm64) ami-0059d564814217919 Launch Stack
us-west-2 HVM (amd64) ami-07f2bbc6914ceb9c5 Launch Stack
HVM (arm64) ami-0e17859764b0b4885 Launch Stack

The Beta channel consists of promoted Alpha releases. The current version is Flatcar Container Linux 2705.1.1.

EC2 Region AMI Type AMI ID CloudFormation
ap-east-1 HVM (amd64) ami-07f96e595b056eada Launch Stack
ap-northeast-1 HVM (amd64) ami-07bc0784a0f905342 Launch Stack
ap-northeast-2 HVM (amd64) ami-029338cb96513d98e Launch Stack
ap-south-1 HVM (amd64) ami-04a4114cb710d7ce2 Launch Stack
ap-southeast-1 HVM (amd64) ami-0518213a83ab1ca72 Launch Stack
ap-southeast-2 HVM (amd64) ami-01adbafbe661ca563 Launch Stack
ca-central-1 HVM (amd64) ami-02f0716c521257eda Launch Stack
eu-central-1 HVM (amd64) ami-0d2c2e4203a111185 Launch Stack
eu-north-1 HVM (amd64) ami-07c338449bcc58b79 Launch Stack
eu-west-1 HVM (amd64) ami-094e019b53cfebc8f Launch Stack
eu-west-2 HVM (amd64) ami-01bd95cc5f98bc0a7 Launch Stack
eu-west-3 HVM (amd64) ami-0ad1cfbdf138e65fd Launch Stack
me-south-1 HVM (amd64) ami-0f71f53a6f73faaaf Launch Stack
sa-east-1 HVM (amd64) ami-020a4330da30acad9 Launch Stack
us-east-1 HVM (amd64) ami-012ffa2677f082429 Launch Stack
us-east-2 HVM (amd64) ami-0625b8176fd0ec811 Launch Stack
us-west-1 HVM (amd64) ami-0d45953f2affd92e6 Launch Stack
us-west-2 HVM (amd64) ami-0ad71151994f5b423 Launch Stack

The Edge channel includes bleeding-edge features with the newest versions of the Linux kernel, systemd and other core packages. It can be highly unstable. The current version is Flatcar Container Linux 2466.99.0.

EC2 Region AMI Type AMI ID CloudFormation
ap-east-1 HVM (amd64) ami-0029ed2c00b284a95 Launch Stack
HVM (arm64) ami-0cde7033fa6bcee17 Launch Stack
ap-northeast-1 HVM (amd64) ami-03de4455102b2a92e Launch Stack
HVM (arm64) ami-0a9ea66ee2b271587 Launch Stack
ap-northeast-2 HVM (amd64) ami-0fa29269023d95001 Launch Stack
HVM (arm64) ami-074cb3948a34017a0 Launch Stack
ap-south-1 HVM (amd64) ami-0fb46b600f2aca4e1 Launch Stack
HVM (arm64) ami-0ceaed7c9d0f87d45 Launch Stack
ap-southeast-1 HVM (amd64) ami-0a6b32f389401c177 Launch Stack
HVM (arm64) ami-0518d47f3b8b44d5b Launch Stack
ap-southeast-2 HVM (amd64) ami-0412490cf5c6a15d3 Launch Stack
HVM (arm64) ami-041e3a6cbb758958a Launch Stack
ca-central-1 HVM (amd64) ami-076025e2f28c65607 Launch Stack
HVM (arm64) ami-07fdb592799a132cf Launch Stack
eu-central-1 HVM (amd64) ami-009f30f06e90a2962 Launch Stack
HVM (arm64) ami-05fc26d5d73ca1f6b Launch Stack
eu-north-1 HVM (amd64) ami-093a034857b0e19ae Launch Stack
HVM (arm64) ami-0fd671b8a15ca5e0f Launch Stack
eu-west-1 HVM (amd64) ami-0acd84e3d8e79c595 Launch Stack
HVM (arm64) ami-00fca33bcd7f93826 Launch Stack
eu-west-2 HVM (amd64) ami-0a844c6e6ed7e8591 Launch Stack
HVM (arm64) ami-0ff13ff8623ef93f4 Launch Stack
eu-west-3 HVM (amd64) ami-09bb22740c97e5fb0 Launch Stack
HVM (arm64) ami-02b8b9c099f9868f9 Launch Stack
me-south-1 HVM (amd64) ami-066ef9a0660b99958 Launch Stack
HVM (arm64) ami-0d7a8f9f15c1e5234 Launch Stack
sa-east-1 HVM (amd64) ami-0f1401074345667c6 Launch Stack
HVM (arm64) ami-0de4279896aa46920 Launch Stack
us-east-1 HVM (amd64) ami-0157dca117b3d3e5d Launch Stack
HVM (arm64) ami-0422302ecc961671f Launch Stack
us-east-2 HVM (amd64) ami-06f0a4868bcdfd485 Launch Stack
HVM (arm64) ami-0a2b7312228a58f6c Launch Stack
us-west-1 HVM (amd64) ami-081652cd66d10f632 Launch Stack
HVM (arm64) ami-02bd3609d5a2b957a Launch Stack
us-west-2 HVM (amd64) ami-053930c06131d49ad Launch Stack
HVM (arm64) ami-0d8325578a3100869 Launch Stack

The Stable channel should be used by production clusters. Versions of Flatcar Container Linux are battle-tested within the Beta and Alpha channels before being promoted. The current version is Flatcar Container Linux 2605.11.0.

EC2 Region AMI Type AMI ID CloudFormation
ap-east-1 HVM (amd64) ami-0a66670a332004614 Launch Stack
ap-northeast-1 HVM (amd64) ami-0542e4dff8420d487 Launch Stack
ap-northeast-2 HVM (amd64) ami-041e489f08aac9255 Launch Stack
ap-south-1 HVM (amd64) ami-06b541ee787f9dcdf Launch Stack
ap-southeast-1 HVM (amd64) ami-0721703baa9b72cd8 Launch Stack
ap-southeast-2 HVM (amd64) ami-0c797e0867680e1d5 Launch Stack
ca-central-1 HVM (amd64) ami-005f63b0367244cbb Launch Stack
eu-central-1 HVM (amd64) ami-083477fab62dc2eb0 Launch Stack
eu-north-1 HVM (amd64) ami-0d8a20560dc4f6d77 Launch Stack
eu-west-1 HVM (amd64) ami-0f0d86a1db55e0fdb Launch Stack
eu-west-2 HVM (amd64) ami-0105750d9768df0a9 Launch Stack
eu-west-3 HVM (amd64) ami-0544e90383096dfe3 Launch Stack
me-south-1 HVM (amd64) ami-0fb337227637bcf0d Launch Stack
sa-east-1 HVM (amd64) ami-0354636e64ec00881 Launch Stack
us-east-1 HVM (amd64) ami-01d772a46fc16d4f0 Launch Stack
us-east-2 HVM (amd64) ami-0e042550cf12fd3a7 Launch Stack
us-west-1 HVM (amd64) ami-006da855103391bd8 Launch Stack
us-west-2 HVM (amd64) ami-0bef8aecb982525a5 Launch Stack

AWS China AMIs maintained by Giant Swarm

The following AMIs are not part of the official Flatcar Container Linux release process and may lag behind (query version).

EC2 Region AMI Type AMI ID CloudFormation
cn-north-1 HVM (amd64) ami-006e38ad40da9b657 Launch Stack
cn-northwest-1 HVM (amd64) ami-04ca1ab74bc985ff2 Launch Stack

CloudFormation will launch a cluster of Flatcar Container Linux machines with a security and autoscaling group.

Container Linux Configs

Flatcar Container Linux allows you to configure machine parameters, configure networking, launch systemd units on startup, and more via Container Linux Configs. These configs are then transpiled into Ignition configs and given to booting machines. Head over to the docs to learn about the supported features.

You can provide a raw Ignition config to Flatcar Container Linux via the Amazon web console or via the EC2 API.

As an example, this Container Linux Config will configure and start etcd:

etcd:
  # All options get passed as command line flags to etcd.
  # Any information inside curly braces comes from the machine at boot time.

  # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
  advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
  initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
  # listen on both the official ports and the legacy ports
  # legacy ports can be omitted if your application doesn't depend on them
  listen_client_urls:          "http://0.0.0.0:2379"
  listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
  # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
  # specify the initial size of your cluster with ?size=X
  discovery:                   "https://discovery.etcd.io/<token>"

Instance storage

Ephemeral disks and additional EBS volumes attached to instances can be mounted with a .mount unit. Amazon’s block storage devices are attached differently depending on the instance type. Here’s the Container Linux Config to format and mount the first ephemeral disk, xvdb, on most instance types:

storage:
  filesystems:
    - mount:
        device: /dev/xvdb
        format: ext4
        wipe_filesystem: true

systemd:
  units:
    - name: media-ephemeral.mount
      enable: true
      contents: |
        [Mount]
        What=/dev/xvdb
        Where=/media/ephemeral
        Type=ext4

        [Install]
        RequiredBy=local-fs.target

For more information about mounting storage, Amazon’s own documentation is the best source. You can also read about mounting storage on Flatcar Container Linux.

Adding more machines

To add more instances to the cluster, just launch more with the same Container Linux Config, the appropriate security group and the AMI for that region. New instances will join the cluster regardless of region if the security groups are configured correctly.

SSH to your instances

Flatcar Container Linux is set up to be a little more secure than other cloud images. By default, it uses the core user instead of root and doesn’t use a password for authentication. You’ll need to add SSH key(s) via the AWS console or add keys/passwords via your Container Linux Config in order to log in.

To connect to an instance after it’s created, run:

ssh core@<ip address>

Multiple clusters

If you would like to create multiple clusters, you will need to change the “Stack Name”. You can find the direct template file on S3.

Manual setup

TL;DR: launch three instances of ami-02a2f89db31b63c4d (amd64) in us-east-1 with a security group that has ports 22, 2379, 2380, 4001, and 7001 open and the same “User Data” on each host. SSH uses the core user and you have etcd and Docker to play with.

Creating the security group

You need ports 2379, 2380, 7001 and 4001 open between servers in the etcd cluster. Step-by-step instructions are below.

Note: This step is only needed once.

First we need to create a security group to allow Flatcar Container Linux instances to communicate with one another.

  1. Go to the security group page in the EC2 console.
  2. Click “Create Security Group”
    • Name: flatcar-testing
    • Description: Flatcar Container Linux instances
    • VPC: No VPC
    • Click: “Yes, Create”
  3. In the details of the security group, click the Inbound tab
  4. First, create a security group rule for SSH
    • Create a new rule: SSH
    • Source: 0.0.0.0/0
    • Click: “Add Rule”
  5. Add two security group rules for etcd communication
    • Create a new rule: Custom TCP rule
    • Port range: 2379
    • Source: type “flatcar-testing” until your security group auto-completes. Should be something like “sg-8d4feabc”
    • Click: “Add Rule”
    • Repeat this process for port range 2380, 4001 and 7001 as well
  6. Click “Apply Rule Changes”
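
The same security group built with the AWS CLI, as an added example that is not part of the Flatcar documentation. It assumes a configured AWS CLI and a VPC; the VPC ID and the SSH source CIDR are values you pass in, and supplying your own admin range instead of the 0.0.0.0/0 used in the console steps limits who can reach port 22.

```sh
#!/bin/sh
# Added example (not Flatcar project code): the console steps above as AWS CLI calls.
# Assumptions: AWS CLI installed and configured; VPC_ID and SSH_CIDR are supplied
# by you (the values shown in the usage line are placeholders).

ETCD_PORTS="2379 2380 4001 7001"   # etcd ports named on this page

# create_flatcar_sg VPC_ID SSH_CIDR
# Creates "flatcar-testing", allows SSH from SSH_CIDR only, and allows the etcd
# ports only from members of the same security group. Prints the group ID.
create_flatcar_sg() {
    vpc_id=$1
    ssh_cidr=$2

    sg_id=$(aws ec2 create-security-group \
        --group-name flatcar-testing \
        --description "Flatcar Container Linux instances" \
        --vpc-id "$vpc_id" \
        --query GroupId --output text) || return 1

    # SSH: reachable from the given source range.
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port 22 --cidr "$ssh_cidr" >/dev/null || return 1

    # etcd: the source is the group itself, so only cluster members can connect.
    for port in $ETCD_PORTS; do
        aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
            --protocol tcp --port "$port" --source-group "$sg_id" >/dev/null || return 1
    done

    echo "$sg_id"
}

# Usage: sh create-sg.sh <vpc-id> <ssh-source-cidr>
if [ "$#" -eq 2 ]; then
    create_flatcar_sg "$1" "$2"
fi
```

Because the etcd rules reference the group rather than an address range, the plain-HTTP client port 2379 in the config above is never exposed outside the cluster members.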

Launching a test cluster

We will be launching three instances, with a few parameters in the User Data, and selecting our security group.

  1. Open the quick launch wizard to boot the Alpha channel’s us-east-1 HVM AMI (amd64) listed above.
  2. On the second page of the wizard, launch 3 servers to test our clustering
    • Number of instances: 3
    • Click “Continue”
  3. Next, we need to specify a discovery URL, which contains a unique token that allows us to find other hosts in our cluster. If you’re launching your first machine, generate one at https://discovery.etcd.io/new?size=3, configure the ?size= to your initial cluster size and add it to the metadata. You should re-use this key for each machine in the cluster.
  4. Use ct to convert the following configuration into an Ignition config, and back in the EC2 dashboard, paste it into the “User Data” field.

     ```yaml
     etcd:
       # All options get passed as command line flags to etcd.
       # Any information inside curly braces comes from the machine at boot time.

       # multi_region and multi_cloud deployments need to use {PUBLIC_IPV4}
       advertise_client_urls:       "http://{PRIVATE_IPV4}:2379"
       initial_advertise_peer_urls: "http://{PRIVATE_IPV4}:2380"
       # listen on both the official ports and the legacy ports
       # legacy ports can be omitted if your application doesn't depend on them
       listen_client_urls:          "http://0.0.0.0:2379"
       listen_peer_urls:            "http://{PRIVATE_IPV4}:2380"
       # generate a new token for each unique cluster from https://discovery.etcd.io/new?size=3
       # specify the initial size of your cluster with ?size=X
       discovery:                   "https://discovery.etcd.io/<token>"
     ```

    • Paste configuration into “User Data”
    • “Continue”
  5. Storage Configuration
    • “Continue”
  6. Tags
    • “Continue”
  7. Create Key Pair
    • Choose a key of your choice, it will be added in addition to the one in the gist.
    • “Continue”
  8. Choose one or more of your existing Security Groups
    • “flatcar-testing” as above.
    • “Continue”
  9. Launch!

Installation from a VMDK image

One of the possible ways of installation is to import the generated VMDK Flatcar image as a snapshot. The image file will be in https://${CHANNEL}.release.flatcar-linux.net/${ARCH}-usr/${VERSION}/flatcar_production_ami_vmdk_image.vmdk.bz2. Make sure you download the signature (it’s available in https://${CHANNEL}.release.flatcar-linux.net/${ARCH}-usr/${VERSION}/flatcar_production_ami_vmdk_image.vmdk.bz2.sig) and check it before proceeding.

$ wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_ami_vmdk_image.vmdk.bz2
$ wget https://alpha.release.flatcar-linux.net/amd64-usr/current/flatcar_production_ami_vmdk_image.vmdk.bz2.sig
$ gpg --verify flatcar_production_ami_vmdk_image.vmdk.bz2.sig
gpg: assuming signed data in 'flatcar_production_ami_vmdk_image.vmdk.bz2'
gpg: Signature made Thu 15 Mar 2018 10:27:57 AM CET
gpg:                using RSA key A621F1DA96C93C639506832D603443A1D0FC498C
gpg: Good signature from "Flatcar Buildbot (Official Builds) <[email protected]>" [ultimate]
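
The check above can be scripted so that a download is rejected unless gpg reports a valid signature made by the expected key, using gpg's machine-readable status output instead of the human-readable text. This is an added example, not part of the Flatcar documentation: EXPECTED_FPR is the key fingerprint shown in the sample output above and should be confirmed against the project's published signing key, and the function names and SAMPLE_STATUS lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Flatcar project code): accept the image only when gpg
# reports a valid signature made by the expected key.
# EXPECTED_FPR is copied from the sample gpg output on this page; confirm it
# against the project's published signing key before relying on it.
EXPECTED_FPR="A621F1DA96C93C639506832D603443A1D0FC498C"

# Constructed sample of `gpg --status-fd 1 --verify` output (not captured from
# a real run); the last VALIDSIG field is a placeholder primary-key fingerprint.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 603443A1D0FC498C Flatcar Buildbot (Official Builds)
[GNUPG:] VALIDSIG A621F1DA96C93C639506832D603443A1D0FC498C 2018-03-15 1521106077 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# signer_of_status: read status lines on stdin and print the fingerprint of the
# key that made the first cryptographically valid signature (nothing if none).
signer_of_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# status_is_trusted: succeed only when the status stream has a VALIDSIG from
# EXPECTED_FPR and no bad-signature, expired or revoked markers.
status_is_trusted() {
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    signer=$(printf '%s\n' "$status" | signer_of_status)
    [ -n "$signer" ] && [ "$signer" = "$EXPECTED_FPR" ]
}

# verify_image SIG FILE: run gpg on a detached signature and apply the checks.
verify_image() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_trusted
}

# Usage: sh verify.sh image.vmdk.bz2.sig image.vmdk.bz2
if [ "$#" -eq 2 ]; then
    if verify_image "$1" "$2"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "REJECT: signature missing, invalid, or from another key" >&2
        exit 1
    fi
fi
```

A "Good signature" line alone only says that some key in the local keyring signed the file; comparing the VALIDSIG fingerprint is what ties the image to the expected signer.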

Then, follow the instructions in Importing a Disk as a Snapshot Using VM Import/Export. You’ll need to upload the uncompressed vmdk file to S3.

After the snapshot is imported, you can go to “Snapshots” in the EC2 dashboard, and generate an AMI image from it. To make it work, use /dev/sda2 as the “Root device name” and you probably want to select “Hardware-assisted virtualization” as “Virtualization type”.

Using Flatcar Container Linux

Now that you have a machine booted it is time to play around. Check out the Flatcar Container Linux Quickstart guide or dig into more specific topics.