Friday, August 9, 2019

Import VMware VM to EC2 and support T3/M5/C5 ENA and Nitro Hypervisor

If you need to update a CentOS AMI to support AWS's new-generation instance types such as T3/T3a/C5/M5, the Enhanced Networking Adapter (ENA), or EBS-optimized disks, you will need to include the drivers in the initramfs; otherwise the instance will fail to boot.

The first thing is to enable and install the enhanced networking driver. You can refer to this document: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html#enhanced-networking-ena-linux

However, after rebuilding the initramfs via dracut and rebooting, your instance might still fail to boot, because the new instance types that support ENA usually also require support for EBS-optimized volumes.

To troubleshoot, I suggest turning on console logging for your AMI first, so that you can troubleshoot via Get Instance Screenshot.
You need to update the grub configuration: remove "rhgb quiet" and add "console=tty0" in /etc/default/grub, then install it via grub2-mkconfig -o /boot/grub2/grub.cfg

The second thing is to make the initramfs support NVMe drives (EBS-optimized disks).
You might check this document for general check points: https://aws.amazon.com/premiumsupport/knowledge-center/boot-error-linux-m5-c5/
But there is still one thing missing. By default in CentOS 7, dracut auto-detects the drivers the current host needs and includes only those in the initramfs. If you want your AMI to support both legacy and modern hypervisors (Nitro, ENA, NVMe), you need to build in the more generic drivers via dracut -f -v -N. The -N flag tells dracut to disable host-only mode.
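The three steps above (console logging in grub, grub2-mkconfig, dracut without host-only mode) in script form, plus a check that the resulting initramfs actually carries the ena and nvme modules. This is an added example, not code from the original post; it assumes CentOS 7 with grub2 and dracut, run as root on the instance you intend to image. The "apply" argument gates the privileged part, so the grub rewrite can be tried on a copy of /etc/default/grub first.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: CentOS 7, grub2,
# dracut, root on the instance being imaged; standard CentOS paths.

# Drop "rhgb quiet" from GRUB_CMDLINE_LINUX and add console=tty0, so boot
# messages show up in Get Instance Screenshot. Takes the file path as an
# argument and prints the resulting command line; idempotent, safe on a copy.
enable_console_logging() {
    grub_file="$1"
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grub_file")
    new=""
    for tok in $current; do
        case "$tok" in
            rhgb|quiet) ;;               # these hide boot output: remove
            *) new="$new $tok" ;;
        esac
    done
    case " $new " in
        *" console=tty0 "*) ;;           # already present: leave as-is
        *) new="$new console=tty0" ;;
    esac
    new=${new# }
    if grep -q '^GRUB_CMDLINE_LINUX=' "$grub_file"; then
        sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$grub_file" > "$grub_file.tmp" \
            && mv "$grub_file.tmp" "$grub_file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$new" >> "$grub_file"
    fi
    printf '%s\n' "$new"
}

# Verify an initramfs image carries the ena and nvme modules. Without them a
# Nitro instance (ENA network, NVMe-attached EBS) has neither NIC nor root disk
# early in boot, which is the boot failure the post describes.
check_initramfs_drivers() {
    img="${1:-/boot/initramfs-$(uname -r).img}"
    missing=0
    for mod in ena nvme; do
        if lsinitrd "$img" | grep -q "/${mod}\.ko"; then
            echo "ok: $mod in $img"
        else
            echo "MISSING: $mod not in $img"
            missing=1
        fi
    done
    return $missing
}

if [ "${1:-}" = "apply" ]; then
    enable_console_logging /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
    # -N disables host-only mode so generic drivers are built in rather than
    # only those detected on the current (Xen) host; -f overwrites, -v verbose.
    dracut -f -v -N
    check_initramfs_drivers
fi
```

Run as `sh prepare-nitro.sh apply` on the source instance, then confirm both lines read "ok" before creating the AMI; a "MISSING" line means the image will still fail to boot on T3/M5/C5.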


By doing so, you can connect everything together and make your AMI support all HVM instance types in AWS.

BTW, before publishing the AMI, cleaning up your instance as described in this document is also suggested:


Monday, July 29, 2019

Secure SSH access with AWS EC2 instance connect

How do you access an EC2 instance securely?
Managing and exchanging EC2 SSH key pairs is a hassle.
Besides accessing the instance console through Systems Manager,
another interesting approach is pushing an SSH key via IAM plus Instance Connect.

The principle: if the Instance Connect script is installed on the EC2 instance, sshd pulls a one-time SSH key from the instance metadata to allow the user to log in via SSH.

On the client side you can push your own SSH key with the aws cli, or install it via pip install ec2instanceconnectcli; this command wrapper dynamically generates an SSH key and then pushes it to the EC2 instance.

Because the key only exists in the instance metadata for 60 seconds, access control basically relies entirely on IAM. The only drawback is that not every EC2 instance has Instance Connect installed by default. Currently only Amazon Linux 2 and Ubuntu 16.04 and later come with it preinstalled...
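An added example, not code from the original post or from AWS, showing both halves of the flow described above: the client pushing a fresh throwaway key with the aws cli and connecting inside the 60-second window, and a check for the caveat that not every AMI has Instance Connect installed. The check assumes the ec2-instance-connect package wires sshd's AuthorizedKeysCommand to its eic_run_authorized_keys helper running as the ec2-instance-connect user; the instance id, availability zone, OS user and host in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: aws cli with the
# ec2-instance-connect subcommand, ssh-keygen on the client, and an sshd_config
# wired by the ec2-instance-connect package as described in the lead-in.

# Client side: push an ephemeral key (valid in instance metadata for 60 s)
# and log in with it. The IAM permission on send-ssh-public-key is what
# actually authorizes the login; no long-lived key pair is ever shared.
eic_ssh() {
    instance_id="$1"; az="$2"; os_user="$3"; host="$4"
    keydir=$(mktemp -d)
    # Fresh ed25519 key per session: nothing persistent to distribute or leak.
    ssh-keygen -q -t ed25519 -N "" -f "$keydir/eic_key"
    aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance_id" \
        --availability-zone "$az" \
        --instance-os-user "$os_user" \
        --ssh-public-key "file://$keydir/eic_key.pub"
    # Must connect inside the 60-second window; IdentitiesOnly stops ssh from
    # offering every agent key before the ephemeral one.
    ssh -i "$keydir/eic_key" -o IdentitiesOnly=yes "$os_user@$host"
    status=$?
    rm -rf "$keydir"
    return $status
}

# Server side check: is this sshd_config wired to Instance Connect? sshd only
# consults instance metadata if AuthorizedKeysCommand points at the helper.
# Returns 0 if configured, 1 otherwise. Path defaults to the live config.
eic_configured() {
    cfg="${1:-/etc/ssh/sshd_config}"
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+[^[:space:]]*eic_run_authorized_keys' "$cfg" \
        && grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+ec2-instance-connect' "$cfg"
}

case "${1:-}" in
    connect) eic_ssh "$2" "$3" "$4" "$5" ;;   # e.g. connect i-0123456789abcdef0 us-east-1a ec2-user 203.0.113.10 (placeholders)
    check)   eic_configured "${2:-}" && echo "instance connect: configured" || echo "instance connect: NOT configured" ;;
esac
```

Run `sh eic.sh check` on an instance (or on a copied sshd_config) before relying on Instance Connect for it; an image that reports NOT configured still needs the ec2-instance-connect package, which is exactly the gap noted above for AMIs other than Amazon Linux 2 and recent Ubuntu.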



AWS codecommit pricing by any different access id

AWS CodeCommit pricing determines an active user by each unique access identity.

Q: What is the definition of an active user in AWS CodeCommit?

An active user is any unique AWS identity (IAM user/role, federated user, or root account) that accesses AWS CodeCommit repositories during the month, either through Git requests or by using the AWS Management Console. A server accessing CodeCommit using a unique AWS identity counts as an active user.

I created a repo from the web console with my AWS root account. For my desktop I created an IAM user with Access Key ID A, and for my MacBook Pro I added a second Access Key ID for the same IAM user.

Then I saw it counted as 3 user accesses, charged $1 USD x 3 per month for the repo... lol


Friday, September 14, 2018

AWS session manager and ssm-agent

It's quite a cool feature!
https://aws.amazon.com/blogs/aws/new-session-manager/

No more exposed open port for remote access!
No more shared ssh key!

Just attach SSM role to your running instances and install latest ssm-agent!

I think ssm-agent will become more and more popular, just like vmtools in VMware!

What else can ssm-agent do? Let's wait and see...


Tuesday, May 22, 2018

The "What If" Phone Booth

What if turning right on red were allowed? Wouldn't that avoid waiting for the green light and then waiting for pedestrians too, which ties traffic up in knots?
Premise: as in the US, through traffic has priority, and only when no through vehicles are waiting.

What if left-turning cars could keep left and turn directly? Wouldn't that avoid the knots caused by the waiting zone and weaving traffic flows?

What if Fuhe Bridge didn't separate vehicle types into lanes? Wouldn't there be far fewer accidents in the motorcycle lanes?



Global Eagle (全球鷹) / 響尾蛇 D300 dashcam

Global Eagle (全球鷹) / 響尾蛇 D300 dashcam
Front and rear dual cameras; the dashcam unit is switched on/off by the battery voltage rising/dropping.

The Wi-Fi antenna uses an MMCX connector; I bought a cable on Taobao for 20 dollars.
The default Wi-Fi password is 12345678.
With TimaCam you can connect to the unit over Wi-Fi; it's fine for watching the live camera feed,
but downloading a single 216 MB clip is extremely slow, so even when I see a loud exhaust pipe or white smoke and want to report it, it feels like too much trouble...

Once the unit is removed, it won't power on even over USB power;
to operate the unit you have to start the scooter and work next to the bike,
and with the unit disconnected you can't use it to view the recordings either.

Since installing it in March 2018, there was one time I switched off the engine for a meal (about 20 minutes) and it hadn't shut down, still recording. Luckily it was only 20 minutes, otherwise I don't know whether the battery would have been drained.

Now I'm always on edge; after switching off I wait for the voltage-drop shutdown (about 1 minute) before leaving.
If I'd known, I would have gone with a normal model powered by the ignition switch that shuts down when the key is turned off.

Wi-Fi file viewing and easy installation are just gimmicks; you only find out how hard it is to use after buying it.



OS X Sierra+ chip card reader EasyATM K50

The EasyATM K50 needs no driver on Sierra 10.12.6 / High Sierra 10.13: plug and play.

It is recognized as USB2.0-CRW
Product ID: 0x0169
Vendor ID: 0x0bda (Realtek Semiconductor Corp.)
Version: 61.23