The following is a quick informal document outlining the steps that I took to create an Amazon account, Amazon virtual machine and an Amazon persistent storage volume.
Created an account at the Amazon Web Services site.
Signed in and made my way to the EC2 dashboard, where I was greeted with a button that says “Launch Instances”. From here I had the option of choosing from a range of Amazon machine images (AMIs) or community AMIs; of course I chose a community AMI, knowing that I wanted to use Ubuntu. From here there were a few really simple choices regarding server type (small recommended, cheaper), 32- or 64-bit architecture, etc. If you want to clone the machine at a later date (bundle it and create more of the same), the machine must have the AMI tools to avoid problems with networking, i.e. unique MAC addresses. There is a list of machines at http://alestic.com/; that is where I found ami-ed46a784 (Ubuntu 9.04). You will see the tools in /usr/lib/site_ruby/ec2 once you are able to use the console.
There was a “Volumes” menu item in the Amazon EC2 console dashboard (after initial log in). Remember, if you do not associate any volumes with your server there is no persistence, meaning that when you turn the server off you lose everything. I created a 20 GB volume for this project.
You are able to administer security using the “Security Groups” menu item in the Amazon EC2 console dashboard. There is a table at the bottom of the screen. I chose to start off with a simple configuration: port 80 open to all and port 22 restricted to the subnet that my IP is on at work. E.g. 22.214.171.124/24 will allow access from 126.96.36.199 to 188.8.131.52.
There is a “Key Pairs” menu item in the Amazon EC2 console dashboard. If you have not done so already you can create a key pair now by clicking “Create Key Pair”; this will download a .pem file to your machine.
Once you are ready to log in, type the following into the console/terminal window on your machine.
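As an added example (not part of the original post), the following shows how to express the starting security group above as an allow-list and check, before applying it, which source addresses a rule actually admits. Addresses and rules are constructed from RFC 5737 documentation ranges, not the post's real values.

```python
import ipaddress

# Constructed rules mirroring the post's starting configuration: HTTP open to
# everyone, SSH only from the office /24.  The addresses are RFC 5737
# documentation ranges, not the ones in the post.
OFFICE_SUBNET = "203.0.113.0/24"
RULES = [
    {"proto": "tcp", "port": 80, "source": "0.0.0.0/0"},
    {"proto": "tcp", "port": 22, "source": OFFICE_SUBNET},
]


def cidr_range(cidr):
    """Return the first and last address a CIDR source actually admits.

    strict=False accepts a host address written with the mask (e.g.
    203.0.113.77/24), as the console does, and makes it visible that such a
    rule covers the entire /24, not only addresses near the one typed in.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_allowed(rules, proto, port, src_ip):
    """Security groups are allow-lists: any matching rule admits the packet
    and traffic that matches no rule is dropped."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["proto"] != proto or rule["port"] != port:
            continue
        if addr in ipaddress.ip_network(rule["source"], strict=False):
            return True
    return False


def world_open_ports(rules):
    """Ports exposed to the whole internet (a /0 source), so they can be
    checked against intent before the group is applied."""
    return [r["port"] for r in rules
            if ipaddress.ip_network(r["source"], strict=False).prefixlen == 0]


if __name__ == "__main__":
    print("SSH rule admits", cidr_range(OFFICE_SUBNET))
    print("world-open ports:", world_open_ports(RULES))
    print("ssh from 198.51.100.5 allowed:", is_allowed(RULES, "tcp", 22, "198.51.100.5"))
```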
ssh -v -i /path/to/file.pem -l root public.name.amazonaws.com
Check that the RSA fingerprint displayed during the ssh connection matches the public key on the Amazon server. This can be done by typing the following once logged in:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
This assists in confirming that the right decision was made when answering YES to the question…
The authenticity of host xyz.com can't be established.
RSA key fingerprint is 12:34:45:56:67:78:89
Are you sure you want to continue connecting (yes/no)? yes
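To show what that comparison is checking, here is an added example (not code from the post) that derives the fingerprint from the server's public-key line the same way ssh-keygen -l does and compares it with the value in the first-connect prompt. It goes slightly beyond the post by handling both the colon-separated MD5 form shown above and the SHA256 form newer OpenSSH prints; the key line is a constructed, structurally valid ssh-rsa blob standing in for /etc/ssh/ssh_host_rsa_key.pub.

```python
import base64
import hashlib
import re


def _ssh_string(data):
    """Length-prefixed string, the encoding used inside SSH public-key blobs."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample key: a structurally valid ssh-rsa blob (type, e, n) whose
# modulus is filler bytes.  It stands in for /etc/ssh/ssh_host_rsa_key.pub.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00\xc3" + b"\x5a" * 30))
SAMPLE_PUB_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " root@ec2-sample"


def md5_fingerprint(pub_line):
    """Colon-separated MD5 of the key blob: the form ssh-keygen -l and the
    ssh prompt showed in the post's era."""
    blob = base64.b64decode(pub_line.split()[1])
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(pub_line):
    """SHA256:<unpadded base64> form that current OpenSSH shows by default."""
    blob = base64.b64decode(pub_line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def fingerprint_from_prompt(prompt_text):
    """Extract the value from '... key fingerprint is XXX'; newer OpenSSH
    ends the line with a period, which is stripped."""
    m = re.search(r"key fingerprint is (\S+)", prompt_text)
    return m.group(1).rstrip(".") if m else None


def host_key_matches(prompt_text, pub_line):
    """True when the fingerprint in the prompt was computed from this public
    key, i.e. the 'yes' answer accepted the server you intended."""
    shown = fingerprint_from_prompt(prompt_text)
    if shown is None:
        return False
    if shown.startswith("SHA256:"):
        return shown == sha256_fingerprint(pub_line)
    return shown.lower() == md5_fingerprint(pub_line)
```

Run ssh-keygen -l -f on the server's host key file out of band (the console output, not the ssh session being verified) and feed that value to host_key_matches.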
Securing the server’s operating system from the command line is beyond the scope of this document; please see your operating system documentation to ensure that the machine firewall etc. is configured to your liking. I have created documentation covering the steps I took to secure the Ubuntu 9.04 server.
Follow this link to enable email (I used the external DNS URL given by Amazon here).
Follow this link to set up a cron job for the update.
I want to be able to clone the machine that I have just created, so I am following this link: http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/ (select “Using Amazon EC2”, then “Bundling an AMI”).
I checked to see what the architecture of this machine was
I used the following command to create the bundle; I decided to leave out any options that were not mandatory.
/usr/local/bin>ec2-bundle-vol --privatekey /path/to/privatekey.pem --cert /path/to/cert/file --user awsAccountNumberGoesHere(no dashes)
I unfortunately got the following error:
ERROR: error reading certificate file /path/to/cert/file: error reading certificate: nested asn1 error
I found this reply on a forum:
Our platform team has identified the issue with the certificates. As some of you noticed, certain new lines were stripped out of the certificate. The ec2-bundle-image tool was not able to use these certificates.
We have updated the portal to generate usable certificates in all cases. We will also look at the ec2-bundle-image tool to see if it can be more tolerant of certificate format.
If you are affected by this issue, the easiest way to fix the issue is to use the portal to regenerate your certificate as follows:
1/ Go to http://aws.amazon.com.
2/ Mouse over "Your Webservices Account" button in upper right of screen.
3/ Click on "AWS Access Identifiers" from the pop up menu.
4/ Scroll down to the section titled: "X.509 Certificate"
5/ Click on "Create New" and "Download". You'll need to download and use both the new certificate and the new private key.
Let us know if you have any additional issues with ec2-bundle-image.
I created a new cert and private key from within the “X.509 Certificates” tab on the “Security Credentials” page. I then copied them up to the server and used those in the bundle command.
I ran the ec2-upload-bundle command in the /usr/local/bin directory.
Once again, I only used the mandatory flags:
ec2-upload-bundle --bucket http://mybucket.s3.amazonaws.com/ --access-key FOUND_ON_SECURITY_CREDENTIALS_PAGE --secret-key FOUND_ON_SECURITY_CREDENTIALS_PAGE --manifest /tmp/image.manifest.xml
I got the following error:
ERROR: Error talking to S3: Server.InvalidBucketName(400): The specified bucket is not valid.
So I wrote a separate blog post for that error.
I noticed that the command to register the bundle in the Amazon documentation was not in the ec2 toolkit. I chose to register my bundle with Elasticfox (the Firefox plug-in).
Note: when supplying the path to the bundle’s manifest you must not supply the actual complete URL (as per a right-click “Copy Location” in S3Fox); it must have the following format
Here is a screenshot of where I clicked to register the machine (click the round green button with the plus sign on it).
After clicking the button with the plus sign you will see an input box like this; this is where you place the path to the manifest we were talking about above.
To create persistent storage I made an EBS volume, ensuring that the zone (“us-east-1c”) was the same as the virtual machine’s.
Attached the volume to the instance using Elasticfox (Firefox plug-in), using the device name /dev/sda4.
Type the following to see the volume unmounted
I then added the following line to the /etc/fstab file (I used auto for the settings so it detects the file system type; I'm not really interested in configuring read/write and access control as this is just a dev box, but you can Google how to edit the fstab file).
/dev/sda4 /mnt/e3mount auto auto 0 0
You can either just mount that volume by itself to test
or you can mount all the entries in the /etc/fstab file