Instructions for creating an AMI

The following instructions assume you’re using Amazon Linux 2, but can be adapted generically for other Amazon Machine Image (AMI)-compatible distributions.

1. Start an EC2 instance with your preferred setup.
2. Install dependent packages. For example: yum install -y redhat-lsb-core
3. Install the package. For example: rpm -i canary_forwarder-1.4.15.x86_64.rpm
4. Stop the cfsvcd service. For example: sudo systemctl stop cfsvcd or initctl stop cfsvcd
5. Copy the config.json file to /opt/redcanary/
   Note: Do not perform this step any earlier.
6. Confirm there is no state.json file in /opt/redcanary/. If there is, delete it.
7. Shut down the VM instance.
8. Create the AMI from the VM instance.
9. Using the AMI created in the preceding steps, launch as many VMs as needed.

Why does the endpoint launched from an AMI have two different hostnames listed in Red Canary?

Since AMI’s are clones of an EC2 Instance, some data may be cached for that VM. On startup, the agent aggressively uploads information about the endpoint to notify the platform of its installation. On initialization of the EC2 instance, the agent and hostname resolution face a race condition in which the agent may upload data before the hostname has been updated to the most recent one. This results in no material impact on the service we provide you.

What happens if I forget to stop the cfsvcd service before copying over the config file?

You can reset the agent's unique identifier by deleting the /opt/redcanary/state.json file.