Thursday, September 26, 2019

Life in Montreal, Arrival! SIN and RAMQ!

A record of the things to do after arriving in Montreal.

Because the flight was direct from Tokyo to Montreal, after leaving the plane and before reaching customs you first use a kiosk to declare whether you are carrying prohibited items, currency over the limit and so on, plus your intended length of stay and purpose.

I chose Work, 365 days. After the photo is taken the machine prints a slip, and then you line up for the customs officer's questions. The officer glanced at the slip and told me to go on to the Immigration Office behind. When you enter the Immigration Office someone asks what you are there for; I answered that I already had an approved work permit that needed review by an immigration officer. They record the number printed on that slip and ask you to wait in the seating area until your number is called to an officer's counter. My number was D10 and it looked like they were already at D08, but it took almost an hour before D10 was called, while the other AX, BY, CZ series seemed to be called very quickly.

When D10 was called, the immigration officer only asked how many years my wife and I had been married, then printed two Work Permits and asked me to double-check the contents for mistakes. The whole thing took less than 5 minutes. Fortunately I did not have a connecting flight after entering Canada; not knowing how long the wait in the Immigration Office would be would have been agonizing.

A few days later, the first task was to apply for a SIN (Social Insurance Number). Service Canada opens at 8:30 AM; because of jet lag we were waking very early, so we arrived around 8 and lined up briefly at the door. Inside, someone asks what service you need, and then you wait nearby to be called by name. It took under 5 minutes before we were called into a small room. After checking our passports and Work Permits, they handed us a form to fill in our parents' names in English, our mailing address in Canada and a phone number. They then printed a temporary SIN paper valid for the same period as the Work Permit.

The second challenge was RAMQ health insurance. When I got to the RAMQ office the queue was terrifying, and when I checked again at noon it was just the same. So I tried calling instead. The phone line is hard to get through, but on one transfer someone picked up fairly soon. After I said I wanted to apply for RAMQ, I had to give my SIN, my residential address in Canada and some details from the Work Permit, and the agent said the application form would be mailed to me within 10 days. The RAMQ waiting period can be three months, but since it is now the end of September, applying in late September means September still counts as one month. The agent said the waiting period starts counting as soon as the call is done and the data has been entered. Once the application form arrives, you go to a CLSC with your passport/Work Permit and a photo to complete identity verification. RAMQ's opening hours are short and it closes early, and the queues are enormous, whereas there are more CLSC RAMQ service points, some open until 8:00 PM, which feels much more convenient. So calling RAMQ to get the registration form really saves a lot of trouble! Also, prenatal-care medical services apparently do not require the 3-month waiting period; you can be reimbursed once RAMQ coverage is confirmed.

Takeaway:
Definitely read the How to Register page on the RAMQ website!! Right at the top RAMQ says "Call us to have your personalized registration form!" Being able to skip the queue hell at the RAMQ reception desk was a real relief...

With these two essentials done, the everyday challenges come next....


Friday, August 9, 2019

Import VMware VM to EC2 and support T3/M5/C5 ENA and Nitro Hypervisor

If you need to update a CentOS AMI to support AWS's newer instance types such as T3/T3a/C5/M5, the Enhanced Networking Adapter (ENA), or EBS-optimized disks, you need to include the drivers in the initramfs; otherwise the instance will fail to boot.

The first step is to enable and install the enhanced networking driver. You can refer to this document: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html#enhanced-networking-ena-linux

However, after rebuilding the initramfs with dracut and rebooting, your instance may still fail to boot, because the new instance types that support ENA usually also require support for EBS-optimized volumes.

For troubleshooting, I suggest first turning on console logging for your AMI so that you can diagnose boot problems via Get Instance Screenshot.
Edit /etc/default/grub: remove "rhgb quiet" from the kernel command line and add "console=tty0", then regenerate the configuration with grub2-mkconfig -o /boot/grub2/grub.cfg.

The second step is to make the initramfs support NVMe drives (EBS-optimized disks).
This document covers the general checkpoints: https://aws.amazon.com/premiumsupport/knowledge-center/boot-error-linux-m5-c5/
But one thing is still missing. By default on CentOS 7, dracut auto-detects the hardware of the build host and includes only the drivers it needs in the initramfs. If you want your AMI to support both legacy and modern hypervisors (Nitro, ENA, NVMe), you need to build in the more generic set of drivers with dracut -f -v -N. The -N flag tells dracut to disable host-only mode.


With both steps done, everything fits together and your AMI supports all HVM instance types in AWS.
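The two steps above (console logging in GRUB, then a non-host-only initramfs) as a script. This is an added example, not a script from the original post; the paths and the dracut flags are the ones the post cites, while the function names, the sed rewriting and the initramfs check against lsinitrd output are my own assumptions about how to automate and verify the procedure. The verification step matters because a host-only initramfs rebuilt on a Xen instance silently omits the ena and nvme modules, and the failure only surfaces as an unbootable instance on Nitro.

```bash
#!/bin/bash
# Added example (not from the original post): prepare a CentOS 7 AMI for Nitro
# instance types and verify the result before publishing the image.
set -eu

# Rewrite GRUB_CMDLINE_LINUX in the defaults file given as $1: drop "rhgb quiet"
# (which hides kernel messages) and append console=tty0 so that Get Instance
# Screenshot shows the boot log. Idempotent, and takes a path so it can be
# tried on a copy of /etc/default/grub first.
set_grub_console() {
    f="$1"
    sed -i -E -e '/^GRUB_CMDLINE_LINUX=/{ s/ ?rhgb//; s/ ?quiet//; /console=tty0/! s/"$/ console=tty0"/; s/=" +/="/; }' "$f"
}

# Print the current kernel command line from a grub defaults file.
grub_cmdline() {
    sed -n -E 's/^GRUB_CMDLINE_LINUX="(.*)"$/\1/p' "$1"
}

# Given the file listing of an initramfs (output of lsinitrd) in $1, return 0
# only if both the ENA NIC driver and the NVMe block driver are present.
# Modules on CentOS 7 are xz-compressed, so match the ".ko" prefix only.
initramfs_has_nitro_drivers() {
    listing="$1"
    for mod in ena.ko nvme.ko; do
        printf '%s\n' "$listing" | grep -q "/$mod" || return 1
    done
    return 0
}

# The real procedure: only runs when invoked as "./prepare-ami.sh apply" as root.
rebuild_for_nitro() {
    set_grub_console /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
    # -f overwrites the existing image, -v shows what is included, -N disables
    # host-only mode so drivers for hardware absent on the build host are kept.
    dracut -f -v -N
    # lsinitrd with no argument inspects the running kernel's initramfs.
    if ! initramfs_has_nitro_drivers "$(lsinitrd)"; then
        echo "ena/nvme drivers missing from initramfs; do not publish this AMI" >&2
        return 1
    fi
    echo "initramfs contains ena and nvme; safe to test on a Nitro instance type"
}

if [ "${1:-}" = "apply" ]; then
    rebuild_for_nitro
fi
```

Run the check on its own with `initramfs_has_nitro_drivers "$(lsinitrd /boot/initramfs-$(uname -r).img)"` after any kernel update as well, since a package-triggered dracut run will rebuild the image in host-only mode again.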

By the way, before publishing the AMI, following this document to clean up the instance is also recommended:


Monday, July 29, 2019

Secure SSH access with AWS EC2 instance connect

How do you access EC2 instances securely?
Managing and exchanging EC2 SSH key pairs is a hassle.
Besides accessing the instance console through Systems Manager,
another interesting approach is to send an SSH key via IAM + Instance Connect.

The principle: if the Instance Connect script is installed on the EC2 instance, sshd fetches a one-time SSH public key from instance metadata to authorize the user's SSH login.

On the client side you can push your own SSH public key with the AWS CLI, or install the wrapper with pip install ec2instanceconnectcli; that command wrapper generates an SSH key on the fly and pushes it to the EC2 instance for you.

Because the key only lives in instance metadata for 60 seconds, access control rests almost entirely on IAM. The one drawback is that not every EC2 AMI ships with Instance Connect preinstalled; currently only Amazon Linux 2 and Ubuntu 16.04 or later have it installed by default...
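The flow described above in script form, as an added example that is not part of the original post. It has two halves: a server-side check that sshd is actually wired to Instance Connect (the drawback the post mentions: on an AMI without the package, a pushed key is simply never consulted and the static key pair is still the only way in), and the client-side sequence that the ec2instanceconnectcli wrapper automates. The sshd_config directive values are assumed from the Amazon Linux 2 package and may differ on other distributions; the function names and the ec2-user default are my own.

```bash
#!/bin/bash
# Added example (not from the original post): verify and use EC2 Instance Connect.
set -eu

# Return 0 if the sshd_config at $1 delegates authorized-key lookup to the
# Instance Connect helper. Both directives are needed: without them sshd never
# queries instance metadata, so a key pushed through IAM is silently ignored.
# Paths/values assumed from the Amazon Linux 2 ec2-instance-connect package.
instance_connect_enabled() {
    cfg="$1"
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/opt/aws/bin/eic_run_authorized_keys' "$cfg" || return 1
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+ec2-instance-connect' "$cfg" || return 1
    return 0
}

# Client side: generate a throwaway key pair, push the public half through the
# AWS CLI (authorized by IAM, action ec2-instance-connect:SendSSHPublicKey),
# and connect before the 60-second metadata TTL expires. The private key is
# deleted when the shell exits, so nothing long-lived is left on the client.
eic_ssh() {
    instance_id="$1"; az="$2"; host="$3"; os_user="${4:-ec2-user}"
    keydir=$(mktemp -d)
    trap 'rm -rf "$keydir"' EXIT
    ssh-keygen -t rsa -b 2048 -N '' -f "$keydir/eic" -q
    aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance_id" \
        --availability-zone "$az" \
        --instance-os-user "$os_user" \
        --ssh-public-key "file://$keydir/eic.pub"
    # Must happen within 60 seconds of the push; a retry needs a fresh push.
    ssh -i "$keydir/eic" "$os_user@$host"
}

# "./eic.sh check [sshd_config]" runs the server-side check on the instance.
if [ "${1:-}" = "check" ]; then
    if instance_connect_enabled "${2:-/etc/ssh/sshd_config}"; then
        echo "Instance Connect is enabled in sshd"
    else
        echo "Instance Connect is not configured; pushed keys will be ignored" >&2
        exit 1
    fi
fi
```

Pair this with CloudTrail: every SendSSHPublicKey call is logged with the IAM principal, instance id and OS user, which gives an audit trail per login that a shared static key pair never can.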



AWS codecommit pricing by any different access id

AWS CodeCommit pricing counts an active user per unique AWS access identity.

Q: What is the definition of an active user in AWS CodeCommit?

An active user is any unique AWS identity (IAM user/role, federated user, or root account) that accesses AWS CodeCommit repositories during the month, either through Git requests or by using the AWS Management Console. A server accessing CodeCommit using a unique AWS identity counts as an active user.

I created a repo from the web console with my AWS root account. For my desktop I created an IAM user with Access Key ID A, and for my MacBook Pro I added a second Access Key ID for the same IAM user.

Then I saw it counted as 3 user accesses, charged at $1 USD x 3 per month for the repo... lol