# Default EC2 macOS Init init.toml config for mac1.metal instances # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You # may not use this file except in compliance with the License. A copy of # the License is located at # # http://aws.amazon.com/apache2.0/ # # or in the "license" file accompanying this file. This file is # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. ### Group 1 ### ## Making sure unnecessary resources are disabled # Disable Ethernet [[Module]] Name = "DisableEthernet" PriorityGroup = 1 # First group RunPerBoot = true # Run every boot FatalOnError = true # Fatal if there's an error - this must succeed [Module.Command] Cmd = ["/usr/sbin/networksetup", "-setnetworkserviceenabled", "Ethernet", "off"] # Unmount Local SSD [[Module]] Name = "UnmountLocalSSD" PriorityGroup = 1 # First group RunPerBoot = true # Run every boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["/bin/zsh", "-c", "diskutil list internal physical | egrep -o '^/dev/disk\\d+' | xargs diskutil eject || true"] ### Group 2 ### ## The only task in the first group is to make sure the network is up. Some of the subsequent actions require ## a connection to IMDS and will fail if this check doesn't pass. # Checks that the network is up [[Module]] Name = "CheckNetworkIsUp" PriorityGroup = 2 # Second group RunPerBoot = true # Run every boot FatalOnError = true # Fatal if there's an error - this must succeed [Module.NetworkCheck] PingCount = 3 # Three attempts ### Group 3 ### ## The second group has many actions that can be run in parallel including: ## 1. Optimize kernel and networking parameters ## 2. Disable auto-update ## 3. Apply suggested SSHD security settings ## 4. Reset a random password for ec2-user ## 5. Set the default timezone (GMT) ## 6. Set timed to use Amazon Time Sync Service ## 7. Update MOTD ## 8. Remove SSH group ## 9. Grow root APFS volume to max EBS volume size # Set suggested default system configuration settings # These kernel and networking parameters are suggested by EC2 for optimal instance performance. [[Module]] Name = "EC2SuggestedDefaultConfigPerformance" PriorityGroup = 3 # Third group RunPerBoot = true # Run every boot to enforce these parameters FatalOnError = false # Best effort, don't fatal on error [Module.SystemConfig] [[Module.SystemConfig.Sysctl]] value = "kern.aiomax=900" [[Module.SystemConfig.Sysctl]] value = "kern.aioprocmax=256" [[Module.SystemConfig.Sysctl]] value = "kern.aiothreads=64" [[Module.SystemConfig.Sysctl]] value = "net.inet.tcp.win_scale_factor=8" [[Module.SystemConfig.Sysctl]] value = "net.inet.tcp.autorcvbufmax=33554432" [[Module.SystemConfig.Sysctl]] value = "net.inet.tcp.autosndbufmax=33554432" [[Module.SystemConfig.Sysctl]] value = "net.inet.tcp.sendspace=1048576" [[Module.SystemConfig.Sysctl]] value = "net.inet.tcp.recvspace=1048576" [[Module.SystemConfig.Sysctl]] value = "net.link.generic.system.rcvq_maxlen=1024" [[Module.SystemConfig.Defaults]] plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist" parameter = "AutomaticallyInstallMacOSUpdates" type = "bool" value = "false" [[Module.SystemConfig.Defaults]] plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist" parameter = "AutomaticCheckEnabled" type = "bool" value = "false" [[Module.SystemConfig.Defaults]] plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist" parameter = "AutomaticDownload" type = "bool" value = "false" [[Module.SystemConfig.Defaults]] plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist" parameter = "CriticalUpdateInstall" type = "bool" value = "false" [[Module.SystemConfig.Defaults]] plist = "/Library/Preferences/com.apple.SoftwareUpdate.plist" parameter = "ConfigDataInstall" type = "bool" value = "false" # Apply secure settings to SSHD on every boot # To manage ssh_config separately, disable this module [[Module]] Name = "EC2SuggestedDefaultConfigSecurity" PriorityGroup = 3 # Third group RunPerBoot = true # Run every boot to enforce these parameters FatalOnError = true # Security settings, must succeed [Module.SystemConfig] secureSSHDConfig = true # Set a random password for ec2-user [[Module]] Name = "ManageEC2User" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = true # Must succeed [Module.UserManagement] User = "ec2-user" # This user must exist locally in /Users/ RandomizePassword = true # default is true # Set timezone as GMT [[Module]] Name = "SetDefaultTimezone" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["systemsetup", "-settimezone", "GMT"] # Use systemsetup to set property # Set timed to use Amazon Time Sync Service # 169.254.169.123 is the address for Amazon Time Sync in all regions [[Module]] Name = "SetAmazonTimeSync" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["systemsetup", "-setusingnetworktime", "on", "-setnetworktimeserver", "169.254.169.123"] # Use systemsetup to set property # Disable sleep [[Module]] Name = "NeverSleep" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["sudo", "pmset", "-a", "sleep", "0"] [[Module]] Name = "NeverSleepDisplay" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["sudo", "pmset", "-a", "displaysleep", "0"] [[Module]] Name = "DisableSleep" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["sudo", "pmset", "-a", "disablesleep", "1"] # Update MOTD to contain the current OS version and name [[Module]] Name = "UpdateMOTD" PriorityGroup = 3 # Third group RunPerBoot = true # Run every boot FatalOnError = false # Best effort, don't fatal on error [Module.MOTD] UpdateName = true # Update the macOS version string in /etc/motd with that latest name and os product version number # Remove SSH group, if it exists [[Module]] Name = "RemoveSSHGroup" PriorityGroup = 3 # Third group RunOnce = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["/bin/zsh", "-c", "dscl /Local/Default delete /Groups/com.apple.access_ssh || true"] # Use dscl to delete group # Disable WiFi [[Module]] Name = "DisableWiFi" PriorityGroup = 3 # Third group RunPerBoot = true # Run every boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["/bin/zsh", "-c", 'wifidevice="$(networksetup -listallhardwareports | grep -A 1 "Wi-Fi" | tail -n 1 | cut -d " " -f2)"; if [[ ! -z $wifidevice ]]; then networksetup -setairportpower $wifidevice off; fi'] # Turn off wifi device # Grow the root APFS volume to the maximum size of the EBS volume [[Module]] Name = "GrowRootAPFSVolume" PriorityGroup = 3 # Third group RunPerInstance = true # Run only on the first boot FatalOnError = false # Best effort, don't fatal on error [Module.Command] Cmd = ["/bin/zsh", "-c", "ec2-macos-utils grow --id root"] # Use ec2-macos-utils to grow the container ### Group 4 ### ## This group gets keys from IMDS and allows ssh access to the instance. # Get SSH keys from IMDS [[Module]] Name = "GetSSHKeys" PriorityGroup = 4 # Fourth group FatalOnError = true # Exit on failure - this is required to log in. RunPerInstance = true # Run only once per instance [Module.SSHKeys] GetIMDSOpenSSHKey = true # Get the key from IMDS User = "ec2-user" # Apply the key to ec2-user DedupKeys = true # Remove duplicate keys OverwriteAuthorizedKeys = false # Append to authorized_keys to avoid erasing any additional keys on future instances ### Group 5 ### ## Finally, run user data. # Attempt to execute userdata, if provided [[Module]] Name = "ExecuteUserData" PriorityGroup = 5 # Fifth group RunPerInstance = true # Run once per instance FatalOnError = false # Best effort, don't fatal on error [Module.UserData] ExecuteUserData = true # Execute the userdata