Patched FreeBSD AMIs

I've been maintaining FreeBSD in the EC2 cloud since 2012, and from October 2013 onwards FreeBSD AMIs had code to automatically download and install security and critical errata updates when they first boot. Importantly, this took place before sshd started running, to ensure instances could be launched safely even if there were OpenSSH vulnerabilities in the release, and the system rebooted after installing updates to ensure that it would be running an updated kernel.

This was very important for security, but had one downside — and one new issue starting with 15.0:

  1. The process of downloading and installing security updates and rebooting takes time; while I've done a lot of work on speeding up the boot process (you can now launch a FreeBSD/EC2 instance and SSH in less than 10 seconds later) launching a release image which needs a lot of patching could be annoyingly slow.
  2. The script I wrote for "firstboot" security updates made use of FreeBSD Update, which is incompatible with pkgbase, and starting with 15.0 FreeBSD cloud images (including but not limited to EC2) use a packaged base system. (It is possible that in 15.1 the freebsd-update tool will run appropriate pkg commands instead of bailing out when it finds that the base system is packaged; we had hoped that change would land in time for 15.0 but delays in the pkgbase process prevented that.)

So it was clear that we needed a better solution; and fortunately Amazon came along with some sponsorship money for me to work on FreeBSD/EC2 throughout 2026. This gave me time to write some code, and as of yesterday we now have FreeBSD 15.0-RELEASE-p1 AMIs — and importantly a process for efficiently generating new update AMIs. How you access these will depend on how you launch FreeBSD:

If you use the AWS Marketplace, you'll see that FreeBSD 15 now has a new version, "15.0-RELEASE-p1"; this is what you'll get when launching FreeBSD 15 from the Marketplace unless you deliberately pick an older release. Note that once FreeBSD 15.1-RELEASE is in the Marketplace I will no longer be able to publish 15.0-RELEASE-pN updates since "FreeBSD 15" is a single "product". Instead you'll get the latest 15.1-RELEASE-pN version, which is probably what you'll want anyway.

If you don't use the AWS Marketplace, you'll want to look up AMI IDs in the SSM Parameter Store. The path for the RELEASE images hasn't changed and it will continue to return the original RELEASE AMIs:

$ aws --region us-west-2 ssm get-parameter --query 'Parameter.Value' --output text \
    --name /aws/service/freebsd/arm64/base/ufs/15.0/RELEASE
ami-032b3da64ed94226d

but now you can also look up images by the patch level:

$ aws --region us-west-2 ssm get-parameter --query 'Parameter.Value' --output text \
    --name /aws/service/freebsd/arm64/base/ufs/15.0/RELEASE/p1
ami-0b73a438792412654

or simply ask for the most recent patch level from the release:

$ aws --region us-west-2 ssm get-parameter --query 'Parameter.Value' --output text \
    --name /aws/service/freebsd/arm64/base/ufs/15.0/RELEASE/latest
ami-0b73a438792412654

This last one is probably what you'll want to put into scripts and configuration files — there's really no reason to launch anything other than the most recent security-and-errata-fixed images.
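As an added example (not from the post, and not the FreeBSD project's own tooling), here is how the "latest" parameter can be used from a Terraform configuration so every launch picks up the newest 15.0-RELEASE-pN AMI. The region, instance type, key pair name and the arm64/ufs choice are assumptions; the lifecycle block is there because "latest" is re-resolved on every plan, which would otherwise propose replacing already-running instances each time a new patch AMI is published.

```hcl
# Added example: launch the most recent patched FreeBSD 15.0 AMI by resolving
# the public SSM parameter described in the post. Region, instance type, key
# pair name and the arm64/ufs choice below are assumptions, not from the post.
provider "aws" {
  region = "us-west-2"
}

variable "freebsd_arch" {
  default = "arm64" # "amd64" is the other published architecture (assumption)
}

variable "freebsd_fs" {
  default = "ufs"
}

# /aws/service/freebsd/<arch>/base/<fs>/15.0/RELEASE/latest always points at
# the newest 15.0-RELEASE-pN AMI, so the instance boots a patched kernel and
# userland without relying on a firstboot update step.
data "aws_ssm_parameter" "freebsd_latest" {
  name = "/aws/service/freebsd/${var.freebsd_arch}/base/${var.freebsd_fs}/15.0/RELEASE/latest"
}

resource "aws_instance" "freebsd" {
  ami           = data.aws_ssm_parameter.freebsd_latest.value
  instance_type = "t4g.small"  # arm64 (Graviton) instance type; assumption
  key_name      = "my-keypair" # placeholder key pair name

  # Because "latest" is re-resolved on every plan, each new -pN AMI would
  # otherwise make Terraform propose replacing this instance. Ignoring AMI
  # changes keeps existing instances stable; remove this block (or taint the
  # instance) when you deliberately want to roll forward to the new AMI.
  lifecycle {
    ignore_changes = [ami]
  }

  tags = {
    Name = "freebsd-15.0-latest"
  }
}
```

With the lifecycle block in place, new instances get the newest patch level while existing ones keep the AMI they were launched with until you choose to replace them.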

The process for building these images takes about an hour: it involves spinning up an EC2 instance and running pkg upgrade on a bunch of disk images, then creating disk snapshots, creating AMIs, copying the AMIs around the world, recording AMI IDs in the SSM Parameter Store, and finally sending out an SNS notification about the new AMIs. None of those steps is particularly slow, but it all adds up. Getting them into the Marketplace is likely to take another hour, but we should consistently have new AMIs available everywhere within a few hours of security advisories going out.

Thanks to Amazon for sponsoring this work!

Posted at 2026-01-20 18:30