This repository contains the infrastructure code for building custom Amazon Machine Images (AMIs) used by cirun.io to spin up on-demand and spot runners on AWS for Nebari's CI pipeline.
We use Packer to create standardized AMIs based on Ubuntu 24.04 that come pre-installed with all the tools needed for Nebari's integration tests. This approach significantly reduces CI build times by avoiding repeated installation of dependencies when cirun launches new runner instances.
The AMI includes:
- Docker and Docker Compose
- Kubernetes tools (kubectl, kind, k9s)
- Node.js 20 and npm
- Python 3 with pip
- Miniconda (latest)
- Playwright for browser testing
- AWS CLI v2
- Common utilities (jq, hub, git, curl, wget)
packer/
  nebari-runner.pkr.hcl    # Main Packer configuration
  scripts/
    disable-upgrades.sh    # Disables automatic system updates
    install-docker.sh      # Docker installation
    setup-runner.sh        # Basic runner tools
    preinstall-tools.sh    # CI-specific tools
.github/workflows/
  build-ami.yml            # GitHub Actions workflow
.gitignore
- AWS IAM role configured for GitHub Actions with EC2 permissions
- GitHub repository secrets:
  - AWS_ROLE_ARN: ARN of the IAM role for building AMIs
  - NEBARI_PAT: Personal Access Token for nebari repository (for auto-updates)
cd packer
packer init .
packer validate .
packer build .
Linting: Runs automatically on push/PR to main branch for packer/ changes
Building: Only runs on manual trigger via workflow dispatch
- Go to the Actions tab in this repository
- Click on "Build AMI" workflow
- Click "Run workflow" button
- Wait for the build to complete (~10-15 minutes)
- Note the AMI ID from the build summary
Option A: Automatic Update (Recommended)
- Go to the Actions tab in this repository
- Click on "Update Nebari AMI" workflow
- Click "Run workflow" button
- Either:
  - Leave AMI ID empty (will use latest built AMI)
  - Or enter specific AMI ID from Step 1
- This will create a PR in the nebari repository
Option B: Manual Update
- Go to the nebari repository
- Edit the .cirun.yml file
- Update the machine_image field with the new AMI ID:
  machine_image: ami-xxxxxxxxx # Replace with new AMI ID
- Create a pull request with your changes
- Once the PR is merged in nebari repository
- New CI runs will use the updated AMI
- Monitor the first few CI runs to ensure everything works correctly
Old AMIs are automatically cleaned up weekly, keeping only the 5 most recent images. To manually trigger cleanup:
- Go to the Actions tab in this repository
- Click on "Cleanup Old AMIs" workflow
- Click "Run workflow" button
- Optionally adjust the number of AMIs to keep (default: 5)
The GitHub Actions workflow requires these EC2 permissions:
- ec2:DescribeRegions, ec2:DescribeImages, ec2:DescribeInstances
- ec2:RunInstances, ec2:TerminateInstances, ec2:StopInstances
- ec2:CreateImage, ec2:CreateTags, ec2:CreateSecurityGroup
- ec2:DeleteKeyPair, ec2:DeleteSecurityGroup
- Additional EC2 permissions for AMI creation
AMIs are named using the format: nebari-cirun-runner-ubuntu24-YYYYMMDD-HHMM
Example: nebari-cirun-runner-ubuntu24-20240716-1430
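The weekly cleanup keeps the 5 most recent images, and the naming format above is what makes "most recent" and "ours" decidable. The sketch below is an added example, not this repository's workflow code: it selects images to deregister only when their name matches the format exactly. The function names, the `in_use` guard for the AMI currently referenced in .cirun.yml, and the sample image IDs are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Naming format from this README: nebari-cirun-runner-ubuntu24-YYYYMMDD-HHMM
NAME_RE = re.compile(r"nebari-cirun-runner-ubuntu24-([0-9]{8}-[0-9]{4})")

def build_time(name):
    """Return the build timestamp encoded in an AMI name, or None when the
    name does not match the format exactly (such images are never touched)."""
    m = NAME_RE.fullmatch(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d-%H%M")
    except ValueError:  # right shape, impossible date (month 13, hour 99)
        return None

def plan_cleanup(images, keep=5, in_use=()):
    """Return (retain, deregister) lists of image IDs.

    images: dicts with "ImageId" and "Name" keys, the shape of entries
            returned by `aws ec2 describe-images`.
    in_use: IDs that must survive regardless of age, e.g. the machine_image
            currently set in .cirun.yml (assumed guard, not from the README).
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    dated = []
    for img in images:
        ts = build_time(img["Name"])
        if ts is not None:  # unrelated or malformed names are skipped
            dated.append((ts, img["ImageId"]))
    dated.sort(reverse=True)  # newest first
    retain = [image_id for _, image_id in dated[:keep]]
    deregister = []
    for _, image_id in dated[keep:]:
        target = retain if image_id in in_use else deregister
        target.append(image_id)
    return retain, deregister

# Constructed sample data: seven runner images plus two that must be ignored.
_DATES = ["20240601-0900", "20240608-0900", "20240615-0900", "20240622-0900",
          "20240629-0900", "20240706-0900", "20240716-1430"]
SAMPLE = [{"ImageId": f"ami-{n:017x}", "Name": f"nebari-cirun-runner-ubuntu24-{d}"}
          for n, d in enumerate(_DATES, 1)]
SAMPLE += [
    {"ImageId": "ami-000000000000000aa", "Name": "some-other-team-image-20240101-0000"},
    {"ImageId": "ami-000000000000000bb", "Name": "nebari-cirun-runner-ubuntu24-20241345-9999"},
]

if __name__ == "__main__":
    print(plan_cleanup(SAMPLE, keep=5, in_use={"ami-00000000000000001"}))
```

Running the plan as a dry run and reviewing the deregister list before calling `aws ec2 deregister-image` keeps an unexpected name match from removing an image that CI still depends on.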
Once built, these AMIs are used by cirun.io to launch EC2 instances (both on-demand and spot) that serve as GitHub Actions runners for Nebari's CI workflows. The pre-installed tools ensure fast startup times and consistent environments across all CI runs.
To add new tools or modify the AMI:
- Update the appropriate script in packer/scripts/
- Test locally with packer build
- Create a pull request
The build process automatically disables system auto-updates to prevent interference with CI jobs.