Amazon Server Setup

The following is a quick informal document outlining the steps that I took to create an Amazon account, Amazon virtual machine and an Amazon persistent storage volume.

Creating an account

Created account at Amazon Web Services Site.

Creating the Server

Signed in and made my way to the EC2 dashboard, where I was greeted with a button that says Launch Instances. From here I had the option of choosing from a range of Amazon Machine Images (AMI) or community AMIs; of course I chose a community AMI, knowing that I wanted to use Ubuntu. Next there were a few really simple choices regarding server type (small recommended, cheaper), 32 or 64 bit architecture etc. If you want to clone the machine at a later date (bundle it and create more of the same) the machine must have the AMI tools, to avoid problems with networking, i.e. unique MAC addresses. There is a list of machines at http://alestic.com/; that is where I found ami-ed46a784 (Ubuntu 9.04). You will see the tools in /usr/lib/site_ruby/ec2 once you are able to use the console.

Creating the Storage

There was a Volumes menu item in the Amazon EC2 console dashboard (after initial log in). Remember, if you do not associate any Volumes with your server there is no persistence, meaning that when you turn the server off you lose everything. I created a 20 GB volume for this project.

Amazon Firewall

You are able to administer security using the Security Groups menu item in the Amazon EC2 console dashboard. There is a table at the bottom of the screen. I chose to start off with a simple configuration: port 80 open to all and port 22 restricted to the subnet that my IP is on at work. E.g. 123.45.67.0/24 will allow access from 123.45.67.0 to 123.45.67.255.
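As an added example (not part of the original post), here is a small Python script that does the arithmetic behind that /24 rule and checks a rule set the way I would before saving it in the console: which addresses a CIDR block covers, whether a given source address would be let in on a port, and whether an administrative port (22 here, 3389 added as an assumption) has been left open to 0.0.0.0/0. The rules list is constructed to mirror the configuration above; 123.45.67.0/24 is the same placeholder subnet used in the post, and 203.0.113.5 is a documentation address used as an outside source.

```python
"""Check a proposed EC2 security-group rule set against a simple policy.

Added example, not from the original post. Standard library only.
The RULES list is constructed to mirror the post: port 80 open to the
world, port 22 limited to the office /24.
"""
import ipaddress

# Constructed rules; 123.45.67.0/24 is the placeholder subnet from the post.
RULES = [
    {"port": 80, "cidr": "0.0.0.0/0"},
    {"port": 22, "cidr": "123.45.67.0/24"},
]

# Assumption: these ports should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def address_range(cidr):
    """First and last address covered by a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def allowed_from(rules, port, source_ip):
    """Return True if any rule permits `port` from `source_ip`."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule["port"] != port:
            continue
        if ip in ipaddress.ip_network(rule["cidr"], strict=False):
            return True
    return False


def audit(rules):
    """Return a list of findings for rules that expose an admin port to everyone."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if rule["port"] in ADMIN_PORTS and net.prefixlen == 0:
            findings.append(f"port {rule['port']} open to all ({rule['cidr']})")
    return findings


if __name__ == "__main__":
    print(address_range("123.45.67.0/24"))
    print(allowed_from(RULES, 22, "123.45.67.200"), allowed_from(RULES, 22, "123.45.68.1"))
    print(audit(RULES))
    print(audit([{"port": 22, "cidr": "0.0.0.0/0"}]))
```

Run it as-is to see the office /24 expanded and the world-open SSH rule flagged; to check your own group, replace the RULES list with the rows from the Security Groups table.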

Security and logging in for the first time

There is a Key Pairs menu item in the Amazon EC2 console dashboard. If you have not done so already you can create a key pair now by clicking Create Key Pair; this will download a .pem file to your machine.

Once you are ready to log in type the following into your console/terminal window on your machine.

ssh -v -i /path/to/file.pem -l root public.name.amazonaws.com

Check that the RSA fingerprint displayed during the ssh connection matches the public key on the Amazon server. This can be done by typing the following once logged in:

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

This assists in confirming that the right decision was made when answering YES to the question…

The authenticity of host xyz.com can't be established.
RSA key fingerprint is 12:34:45:56:67:78:89
Are you sure you want to continue connecting (yes/no)? yes
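As an added example (not from the original post), the following Python script shows what ssh-keygen -l is doing in that check: it takes an OpenSSH public key line of the kind found in /etc/ssh/ssh_host_rsa_key.pub, decodes the key blob, and hashes it to produce the fingerprint. It produces both the colon-separated MD5 form that ssh printed in 2009 (as in the prompt above) and the SHA256 form newer OpenSSH versions show, and compares either to the string the client displayed. The sample key is constructed in the script (a tiny modulus, not a real host key) so that it runs offline; the comment "root@example" is also made up.

```python
"""Compute SSH host-key fingerprints from an OpenSSH public-key line.

Added example, not from the original post. Standard library only. The
key produced by build_rsa_pubkey_line is constructed for illustration
(tiny modulus, not a real host key); on a server the input line comes
from /etc/ssh/ssh_host_rsa_key.pub.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "root@example") -> str:
    """Construct an 'ssh-rsa AAAA... comment' line from (e, n). Sample data only."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, blob); the type in the text must match the type inside the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in text does not match type inside the blob")
    return key_type, blob


def is_valid_line(line: str) -> bool:
    """True if the line parses as a consistent public key line."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def fingerprint_md5(line: str) -> str:
    """Old-style fingerprint as ssh-keygen -l showed in 2009: colon-separated MD5 hex."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line: str) -> str:
    """Modern OpenSSH format: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches(line: str, shown: str) -> bool:
    """Compare the fingerprint the ssh client displayed with the server's own key line."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return fingerprint_sha256(line) == shown
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    return fingerprint_md5(line) == shown.lower()


if __name__ == "__main__":
    # Constructed sample key; a real 2048-bit modulus would be far longer.
    sample = build_rsa_pubkey_line(65537, 0xC0FFEE1234567890ABCDEF)
    print(sample)
    print(fingerprint_md5(sample))
    print(fingerprint_sha256(sample))
```

To use it for the check above, paste the single line from /etc/ssh/ssh_host_rsa_key.pub (obtained over the console, not over the ssh session you are trying to verify) as the line argument and the string from the "RSA key fingerprint is ..." prompt as shown.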

Securing the server's operating system from the command line is beyond the scope of this document; please see your operating system documentation to ensure that the machine firewall etc. is configured to your liking. I have created documentation covering the steps I took to secure the Ubuntu 9.04 server.

Configuring automatic updates and email notification

Follow this link to enable email (I used the external DNS URL given by Amazon here):

https://techteam.wordpress.com/2008/04/08/sending-mail-from-the-command-line-on-ubuntu/

Follow this link to set up a cron job for the update:

https://techteam.wordpress.com/2008/04/09/setting-up-a-cron-job-to-update-ubuntu-machine/

Creating an Image/Bundle

I want to be able to clone the machine that I have just created, so I am following this link: http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/ (select Using Amazon EC2, then Bundling an AMI).

I checked to see what the architecture of this machine was

uname -a

I used the following command to create the bundle; I decided to leave out any options that were not mandatory.

/usr/local/bin>ec2-bundle-vol --privatekey /path/to/privatekey.pem --cert /path/to/cert/file --user awsAccountNumberGoesHere(no dashes)

I unfortunately got the following error

ERROR: error reading certificate file /path/to/cert/file: error reading certificate: nested asn1 error

I found this reply on a forum

Our platform team has identified the issue with the certificates. As some of you noticed, certain new lines were stripped out of the certificate. The ec2-bundle-image tool was not able to use these certificates.
We have updated the portal to generate usable certificates in all cases. We will also look at the ec2-bundle-image tool to see if it can be more tolerant of certificate format.
If you are affected by this issue, the easiest way to fix the issue is to use the portal to regenerate your certificate as follows:
1/ Go to http://aws.amazon.com.
2/ Mouse over "Your Webservices Account" button in upper right of screen.
3/ Click on "AWS Access Identifiers" from the pop up menu.
4/ Scroll down to the section titled: "X.509 Certificate"
5/ Click on "Create New" and "Download". You'll need to download and use both the new certificate and the new private key.
Let us know if you have any additional issues with ec2-bundle-image.

I created a new cert and private key from within the X.509 Certificates tab in the Security Credentials page. I then copied them up to the server and used those in the bundle command.
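Since the "nested asn1 error" above came from a certificate file whose line breaks had been stripped, here is an added Python example (mine, not from the post or from the EC2 tools) that sanity-checks a PEM certificate file before it is handed to ec2-bundle-vol. It checks that the BEGIN and END markers sit on their own lines, that the body is valid base64, and that the decoded bytes start with a DER SEQUENCE whose declared length matches the file. The sample "certificate" is constructed: a five-byte DER SEQUENCE containing INTEGER 1, wrapped in PEM markers, plus a version with the newlines removed as a stand-in for the broken portal output. It does not validate the certificate contents, only the envelope.

```python
"""Sanity-check a PEM certificate before passing it to a bundling tool.

Added example, not from the original post or from the EC2 tools.
Standard library only. Only the PEM layout and the outer DER envelope
are checked; the certificate contents are not parsed.
"""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_outer_length(der: bytes):
    """Return (header_len, content_len) of the outermost DER element, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:  # an X.509 Certificate is a SEQUENCE
        return None
    first = der[1]
    if first < 0x80:  # short-form length
        return 2, first
    n = first & 0x7F  # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str):
    """Return a list of problems found; an empty list means the PEM looks usable."""
    problems = []
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if lines[0] != BEGIN:
        if BEGIN in lines[0]:
            problems.append("BEGIN marker is not on its own line (newline stripped?)")
        else:
            problems.append("missing BEGIN CERTIFICATE marker")
    if lines[-1] != END:
        if END in lines[-1]:
            problems.append("END marker is not on its own line (newline stripped?)")
        else:
            problems.append("missing END CERTIFICATE marker")
    body = [ln for ln in lines if ln not in (BEGIN, END)]
    # Remove markers glued onto body lines so the base64 itself can still be checked.
    body_b64 = "".join(ln.replace(BEGIN, "").replace(END, "") for ln in body)
    try:
        der = base64.b64decode(body_b64, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64")
        return problems
    outer = der_outer_length(der)
    if outer is None:
        problems.append("DER does not start with a SEQUENCE")
    elif sum(outer) != len(der):
        problems.append(f"DER length mismatch: header says {sum(outer)} bytes, got {len(der)}")
    return problems


def make_sample_pem(stripped: bool = False) -> str:
    """Construct a minimal stand-in 'certificate': a DER SEQUENCE holding INTEGER 1."""
    der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
    b64 = base64.b64encode(der).decode()
    if stripped:
        # Constructed reproduction of the stripped-newline case, all on one line.
        return BEGIN + b64 + END + "\n"
    return "\n".join([BEGIN, b64, END]) + "\n"


if __name__ == "__main__":
    print(check_pem(make_sample_pem()))
    print(check_pem(make_sample_pem(stripped=True)))
```

For a real file, read it with open(path).read() and pass the text to check_pem; an empty list means the file at least has the shape a PEM reader expects, which is the part that broke here.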

Uploading the bundle

I ran the ec2-upload-bundle command in the /usr/local/bin directory.

Once again I only used the mandatory flags.

ec2-upload-bundle --bucket http://mybucket.s3.amazonaws.com/ --access-key FOUND_ON_SECURITY_CREDENTIALS_PAGE --secret-key FOUND_ON_SECURITY_CREDENTIALS_PAGE --manifest /tmp/image.manifest.xml

I got the following error

ERROR: Error talking to S3: Server.InvalidBucketName(400): The specified bucket is not valid.

So I wrote a separate blog post for that error:

https://techteam.wordpress.com

Registering the bundle (AMI)

I noticed that the command to register the bundle in the Amazon documentation was not in the ec2 toolkit. I chose to register my bundle with Elasticfox (the Firefox plug-in).

Note: When supplying the path to the bundle's manifest you must not supply the actual complete URL (as per a right-click Copy Location in S3Fox); it must have the following format:

mybucket.s3.amazonaws.com/image.manifest.xml

Here is a screen shot of where I clicked to register the machine (click the round Green button with the plus sign on it).

[screenshot: the Elasticfox register button (round green button with a plus sign)]

After clicking the button with the plus sign you will see an input box like this; this is where you put the path to the manifest discussed above.

[screenshot: the Elasticfox input box for the manifest path]

Persistent Storage

To create persistent storage I made an EBS Volume, ensuring that the zone (us-east-1c) was the same as the virtual machine's.

Attached the volume to the instance using Elasticfox (Firefox plugin), using the device name /dev/sda4.

Type the following to see the unmounted volume:

fdisk -l

I then added the following line to the /etc/fstab file (I used auto for the settings so it detects the file system type; I am not really interested in configuring read/write and access control as this is just a dev box, however you can go and Google how to edit the fstab file).

/dev/sda4 /mnt/e3mount auto auto 0 0

You can either just mount that volume by itself to test:

mount /dev/sda4

or you can mount all the entries in the /etc/fstab file:

mount -a