Firebird SQL on AWS User Guide

Overview

This image runs Firebird SQL, the mature, open source, ANSI SQL relational database descended from InterBase. Firebird is the only workload on the image, so the platform stays lean, predictable and easy to reason about. The current stable Firebird 5.x line is provided, installed from the official upstream distribution at firebirdsql.org and running as the SuperServer engine variant.

The image ships with native password authentication enabled. On the first boot of your instance a one shot service generates a fresh, strong password for the SYSDBA superuser, unique to that instance, applies it to the security database and writes it to /root/firebird-credentials.txt, a file that only the root user can read. No shared or default SYSDBA password ships in the image.

Firebird database files (.fdb) live under /var/lib/firebird on a dedicated EBS storage volume separate from the operating system disk. Keeping database files on their own volume means storage can be grown, snapshotted and backed up independently of the root disk. The sample employee database that ships with Firebird is preinstalled here, ready for hands on exploration.

This is a headless image. Firebird has no built in web interface; you administer it over SSH with the bundled isql interactive CLI shell, or from a desktop client such as FlameRobin or DBeaver via the Firebird wire protocol on TCP 3050.

Prerequisites

Before you deploy this image you need:

• An Amazon Web Services account where you can launch EC2 instances
• IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
• An EC2 key pair in the target Region for SSH access to the instance
• A VPC and subnet in the target Region, with a security group allowing inbound port 22 from your management network
• The AWS CLI (version 2) installed locally if you plan to deploy from the command line

Recommended instance type: m5.large (2 vCPU, 8 GB RAM) or larger. Firebird's footprint is small, but additional CPU and RAM directly benefit query concurrency and page cache size on production workloads.

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for Firebird SQL. Select the cloudimg listing and choose Select, then Continue on the subscription summary.

Pick an instance type of m5.large or larger. Choose your EC2 key pair under Key pair (login). Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from your management network. Leave the root volume at the default size or larger; the Firebird data volume is attached automatically from the image.

Select Launch instance. First boot initialisation, which generates the SYSDBA password and starts Firebird, takes a minute or so after the instance state becomes Running and the status checks pass.

Step 2: Launch the Instance from the AWS CLI

The following block launches an instance from the cloudimg Firebird SQL Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens inbound port 22.

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.large \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --metadata-options HttpTokens=required \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=firebird-01}]'

The command prints a JSON document on success. Note the instance ID, then retrieve its public address once it is running with aws ec2 describe-instances --instance-ids <instance-id> --query "Reservations[].Instances[].PublicIpAddress" --output text.

Step 3: Connect over SSH

Connect over SSH with the key pair you selected and the public IP address from step 2. The SSH login user depends on the operating system of the AMI variant you launched:

AMI variant	SSH login user
Firebird SQL 5.0 on Ubuntu 24.04	ubuntu

ssh <login-user>@<public-ip>

Wait until the instance has passed both EC2 status checks before connecting. The first boot service runs before the SSH daemon is ready, so Firebird is initialised by the time you can log in.

Step 4: Retrieve the Generated SYSDBA Password

The first boot service generates a fresh SYSDBA superuser password for this instance and writes it, with the connection details, to /root/firebird-credentials.txt. The file is readable only by the root user. Display it from your SSH session:

sudo cat /root/firebird-credentials.txt

The file looks like this, with a unique password on your instance:

# Firebird SQL 5.0 — Per-Instance Credentials
# Generated on first boot: Sat May 23 19:58:21 UTC 2026
#
# Open the isql shell with:
#   /opt/firebird/bin/isql -user SYSDBA -password '<password below>' 'inet://127.0.0.1/employee'
#
FIREBIRD_USER=SYSDBA
FIREBIRD_SYSDBA_PASSWORD=<your generated password>
FIREBIRD_HOST=127.0.0.1
FIREBIRD_PORT=3050
SAMPLE_DATABASE=inet://127.0.0.1/employee

The installer's transient SYSDBA password is rotated away during first boot, so it no longer works. Use the generated password for every connection.

Step 5: Confirm the Service and the Listener

Firebird runs under systemd as the firebird-superserver service and starts automatically on boot. Confirm it is active:

systemctl is-active firebird-superserver

The command prints active. Confirm the Firebird wire protocol is listening. The engine binds to the loopback address 127.0.0.1 on port 3050 by default, so it is reachable from the instance itself:

ss -tln | grep 3050

You should see a listening socket on 127.0.0.1:3050:

LISTEN 0      128        127.0.0.1:3050      0.0.0.0:*

Step 6: Connect with the isql Interactive Shell

The image provides /opt/firebird/bin/isql, the standard Firebird interactive SQL shell. Open an interactive session against the bundled employee sample database with the generated SYSDBA password. Replace <password> with the value from /root/firebird-credentials.txt:

/opt/firebird/bin/isql -user SYSDBA -password '<password>' 'inet://127.0.0.1/employee'

You can also run a single statement without entering the interactive shell by piping it on standard input. To verify the connection non interactively from your SSH session, run:

echo "SELECT 'roundtrip-ok' FROM RDB\$DATABASE;" \
  | /opt/firebird/bin/isql -user SYSDBA -password '<password>' 'inet://127.0.0.1/employee' -q

The query returns the literal you asked for:

CONSTANT
============
roundtrip-ok

Confirm the engine version with the -z flag, which prints the client and server banner:

/opt/firebird/bin/isql -z -q < /dev/null

The output names the Firebird release and the ODS (on disk structure) version:

ISQL Version: LI-V5.0.3.1683 Firebird 5.0

Step 7: Explore the Employee Sample Database

The employee database is the canonical Firebird sample. It models a small company with departments, projects, jobs and salary history. List its tables from inside isql:

SHOW TABLES;

The shell prints the ten sample tables:

COUNTRY
CUSTOMER
DEPARTMENT
EMPLOYEE
EMPLOYEE_PROJECT
JOB
PROJECT
PROJ_DEPT_BUDGET
SALARY_HISTORY
SALES

Describe a single table with SHOW TABLE, and run a normal SQL query to read rows. The example below joins the EMPLOYEE table with its job code and returns the first five rows:

SELECT FIRST 5 FIRST_NAME, LAST_NAME, JOB_CODE FROM EMPLOYEE;

FIRST_NAME      LAST_NAME            JOB_CODE
=============== ==================== ========
Robert          Nelson               VP
Bruce           Young                Eng
Kim             Lambert              Eng
Leslie          Johnson              Mktg
Phil            Forest               Mngr

Type EXIT; to leave the isql shell.

Step 8: Create Your Own Database

To create a new database, use the CREATE DATABASE statement from an isql session. The example below creates a database called inventory.fdb on the dedicated data volume, with the SYSDBA password as the database owner credential. Replace <password> with your generated SYSDBA password:

/opt/firebird/bin/isql -user SYSDBA -password '<password>'

Inside the shell:

CREATE DATABASE 'inet://127.0.0.1//var/lib/firebird/inventory.fdb'
  USER 'SYSDBA' PASSWORD '<password>'
  PAGE_SIZE 16384
  DEFAULT CHARACTER SET UTF8;

CONNECT 'inet://127.0.0.1//var/lib/firebird/inventory.fdb'
  USER 'SYSDBA' PASSWORD '<password>';

CREATE TABLE products (
  id INTEGER NOT NULL PRIMARY KEY,
  name VARCHAR(100) NOT NULL,
  price NUMERIC(10, 2) NOT NULL
);

INSERT INTO products (id, name, price) VALUES (1, 'Mechanical Keyboard', 89.00);
INSERT INTO products (id, name, price) VALUES (2, 'USB-C Hub', 39.00);

COMMIT;

SELECT * FROM products;

Type EXIT; to leave the shell. The new .fdb file lives under /var/lib/firebird and is included in any EBS snapshot of the data volume.

Step 9: The Firebird Data Volume

Firebird database files are stored under /var/lib/firebird, which is a dedicated EBS volume separate from the operating system disk. Confirm the mount:

findmnt /var/lib/firebird

The output shows /var/lib/firebird is its own ext4 filesystem on a separate device:

TARGET            SOURCE       FSTYPE OPTIONS
/var/lib/firebird /dev/nvme1n1 ext4   rw,relatime

Because the data directory is on its own volume you can take an Amazon EBS snapshot of it on its own schedule, and you can grow it independently of the root volume. Check the available space at any time with:

df -h /var/lib/firebird

Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme1n1     20G  2.8M   19G   1% /var/lib/firebird

Step 10: Managing the Firebird Service

Firebird is managed through systemd. The service starts automatically on boot.

Check the service status:

systemctl status firebird-superserver --no-pager

Stop, start and restart the service when needed:

sudo systemctl stop firebird-superserver
sudo systemctl start firebird-superserver
sudo systemctl restart firebird-superserver

The Firebird log files are written under /opt/firebird. The main log is /opt/firebird/firebird.log; review it first when diagnosing a startup or runtime problem:

sudo tail -f /opt/firebird/firebird.log

The engine's main configuration file is /opt/firebird/firebird.conf. The image sets RemoteBindAddress = 127.0.0.1 so Firebird only listens on the loopback interface by default. To accept connections from outside the instance, edit the line to comment it out or set it to a specific address, then open inbound TCP 3050 on the EC2 security group and restart the service. The database aliases customers can connect by name are defined in /opt/firebird/databases.conf.

Step 11: Backups with gbak

gbak is the Firebird logical backup and restore tool. It takes a consistent, hot backup of a running database into a single .fbk archive that can be restored on any platform Firebird supports. Replace <password> with your generated SYSDBA password:

sudo /opt/firebird/bin/gbak -user SYSDBA -password '<password>' \
  -backup -v \
  'inet://127.0.0.1/employee' \
  /var/lib/firebird/employee.fbk

The -v flag prints progress. To restore the archive to a new database file, use the inverse command:

sudo /opt/firebird/bin/gbak -user SYSDBA -password '<password>' \
  -restore -v \
  /var/lib/firebird/employee.fbk \
  'inet://127.0.0.1//var/lib/firebird/employee-restored.fdb'

The archive file lives on the dedicated data volume, so it is included in any EBS snapshot you take of /var/lib/firebird. Schedule regular gbak runs via cron or a systemd timer in production, and copy the .fbk files to Amazon S3 for offsite retention.

For physical backups, nbackup takes incremental, block level snapshots that complement gbak. See the upstream Firebird documentation at firebirdsql.org for details of the nbackup workflow.

Step 12: Inspect Database Statistics with gstat

gstat reports header page information and detailed page level statistics for a Firebird database file. Use it to understand the on disk layout and to diagnose performance issues:

sudo /opt/firebird/bin/gstat -user SYSDBA -password '<password>' \
  -h /var/lib/firebird/employee.fdb

The header dump reports the database page size, the ODS (on disk structure) version, transaction counters and the platform Firebird was compiled for:

Database "/var/lib/firebird/employee.fdb"

Database header page information:
        Flags                   0
        Generation              183
        Page size               8192
        ODS version             13.1
        Implementation          HW=AMD/Intel/x64 little-endian OS=Linux CC=gcc
        Database dialect        3

Step 13: User Management with gsec

gsec is the security database administration tool. It creates, modifies and deletes Firebird user accounts. The example below creates a read only application user called appuser and grants it SELECT on the employee tables. From a root shell:

sudo /opt/firebird/bin/gsec -user SYSDBA -password '<password>' \
  -add appuser -pw 'AppUserPass!' -fname 'Application' -lname 'User'

Then grant table privileges from isql:

/opt/firebird/bin/isql -user SYSDBA -password '<password>' 'inet://127.0.0.1/employee'

GRANT SELECT ON EMPLOYEE TO appuser;
GRANT SELECT ON DEPARTMENT TO appuser;
COMMIT;
EXIT;

The new account can now log into the employee database from a client tool with the password you set. Rotate the SYSDBA password regularly through the same gsec interface with -modify SYSDBA -pw '<new>'.

Step 14: Customise the firebird.conf Settings

/opt/firebird/firebird.conf controls engine wide settings. Common production tweaks include:

• DefaultDbCachePages — the per database page cache size in pages. Increase for read heavy workloads.
• RemoteBindAddress — the network address the engine listens on. Set to a private IP to accept remote client connections.
• WireCrypt — set to Required to force every client connection to use Firebird's built in wire encryption.

After editing the file, restart the service so the new values take effect:

sudo systemctl restart firebird-superserver

For changes that require a reload of the security database (for example switching the authentication plugin), restart the service and re run a small isql command to confirm the engine accepts the SYSDBA password under the new configuration.

Next Steps

• Open inbound TCP 3050 on a private subnet security group so application servers can reach Firebird directly.
• Install a desktop client such as FlameRobin or DBeaver and connect with the SYSDBA credentials over an SSH tunnel from your workstation.
• Schedule gbak runs from cron or a systemd timer and ship the resulting .fbk files to Amazon S3 for offsite retention.
• Roll the EBS data volume into your overall snapshot policy so the Firebird .fdb files are backed up to Amazon EBS alongside your application data.
• For high availability, set up Firebird's built in replication (introduced in Firebird 4) between two instances; the user guide on firebirdsql.org covers the configuration in detail.

---

Screenshots

An isql session connected to the employee sample database, listing tables and querying employee records.

Creating a new Firebird database file from isql and connecting to it with the rotated SYSDBA credentials.

The gbak utility taking a hot backup of the employee database to a .fbk archive on the data volume.