Friday, August 9, 2019

Import a VMware VM to EC2 with support for T3/M5/C5, ENA and the Nitro hypervisor

If you need to update a CentOS AMI to support AWS's new-generation instance types such as T3/T3a/C5/M5, the Elastic Network Adapter (ENA) or EBS-optimized disks, you must include the corresponding drivers in the initramfs; otherwise the instance will fail to boot.

The first step is to enable and install the enhanced networking driver. Refer to this document: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html#enhanced-networking-ena-linux

However, after rebuilding the initramfs with dracut and rebooting, your instance might still fail to boot, because the new instance types that support ENA usually also require support for EBS-optimized volumes.

To troubleshoot, I suggest turning on console logging for your AMI first, so that you can diagnose boot problems via Get Instance Screenshot.
To do so, edit /etc/default/grub: remove "rhgb quiet" and add "console=tty0" to the kernel command line, then regenerate grub.cfg with grub2-mkconfig -o /boot/grub2/grub.cfg.

The second step is to make the initramfs support NVMe drives (EBS-optimized disks).
You can check this document for the general checkpoints: https://aws.amazon.com/premiumsupport/knowledge-center/boot-error-linux-m5-c5/
But one thing is still missing there. By default on CentOS 7, dracut auto-detects the hardware of the current host and includes only the drivers it needs in the initramfs. If you want your AMI to support both the legacy hypervisor and the modern one (Nitro, ENA, NVMe), you need to build in the more generic set of drivers with dracut -f -v -N. The -N flag tells dracut to disable host-only mode.
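The two steps above, wired together as an added example script (not from the original post): it rewrites the kernel command line for console logging, rebuilds the initramfs without host-only mode, and then verifies that the nvme and ena modules actually landed in the image. It assumes a CentOS 7 layout (GRUB_CMDLINE_LINUX in /etc/default/grub, grub2-mkconfig, dracut, lsinitrd, initramfs at /boot/initramfs-$(uname -r).img) and the upstream module names nvme and ena.

```shell
#!/usr/bin/env bash
# Added example: prepare a CentOS 7 AMI for Nitro-based instance types.
# Run with --apply on the instance as root; without arguments it only defines
# the functions so they can be sourced and tested.
set -eu

GRUB_DEFAULTS="${GRUB_DEFAULTS:-/etc/default/grub}"

# Rewrite a GRUB_CMDLINE_LINUX value: drop "rhgb" and "quiet" so boot messages
# are printed, and add console=tty0 (once) so they show up in the EC2
# instance screenshot.
fix_kernel_cmdline() {
    local cmdline="$1" out="" tok has_console=0
    for tok in $cmdline; do
        case "$tok" in
            rhgb|quiet) continue ;;
            console=tty0) has_console=1 ;;
        esac
        out="${out:+$out }$tok"
    done
    if [ "$has_console" -eq 0 ]; then
        out="${out:+$out }console=tty0"
    fi
    printf '%s\n' "$out"
}

# Apply fix_kernel_cmdline to the GRUB_CMDLINE_LINUX line of the grub defaults
# file (keeping a backup) and regenerate grub.cfg.
update_grub() {
    local current new
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$GRUB_DEFAULTS")
    new=$(fix_kernel_cmdline "$current")
    cp "$GRUB_DEFAULTS" "$GRUB_DEFAULTS.bak"
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$new\"|" "$GRUB_DEFAULTS"
    grub2-mkconfig -o /boot/grub2/grub.cfg
}

# Rebuild the initramfs for the running kernel with host-only mode disabled
# (-N), so drivers the current Xen host does not use (nvme, ena) are included.
rebuild_initramfs() {
    dracut -f -v -N
}

# Confirm the initramfs really carries the modules Nitro instances need.
# Returns non-zero and names each missing module on stderr.
check_initramfs_modules() {
    local img="${1:-/boot/initramfs-$(uname -r).img}" mod rc=0
    for mod in nvme ena; do
        # CentOS 7 ships modules as .ko.xz; the pattern matches both forms.
        if ! lsinitrd "$img" | grep -q "kernel/drivers/.*/${mod}\.ko"; then
            echo "missing driver in $img: $mod" >&2
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--apply" ]; then
    update_grub
    rebuild_initramfs
    check_initramfs_modules
fi
```

Run check_initramfs_modules on its own before you snapshot the AMI: a missing nvme or ena entry there is exactly the condition that turns into the boot failure described above.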


By doing so, you tie everything together and your AMI supports all HVM instance types in AWS.

By the way, before publishing the AMI, it is also suggested to check this document on cleaning up your instance:


Monday, July 29, 2019

Secure SSH access with AWS EC2 Instance Connect

How do you access an EC2 instance securely?
Managing and exchanging EC2 SSH key pairs is a hassle.
Besides accessing the instance console through Systems Manager,
another interesting approach is pushing an SSH key via IAM + EC2 Instance Connect.

The principle: if the EC2 Instance Connect script is installed on the instance, sshd fetches a one-time SSH key from the instance metadata and allows the user to log in with it.

On the client side you can push your own SSH public key with the AWS CLI, or run pip install ec2instanceconnectcli; that command wrapper generates an SSH key on the fly and pushes it to the EC2 instance for you.

Because the key only lives in the instance metadata for 60 seconds, access control relies almost entirely on IAM. The only drawback is that not every EC2 instance has Instance Connect installed by default; currently only Amazon Linux 2 and Ubuntu 16.04 or later come with it preinstalled...
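The client-side flow described above, as an added example that is not part of the original post: an IAM policy generator that scopes SendSSHPublicKey to one instance and one OS user (the ec2:osuser condition key), and a login helper that generates a throwaway key, pushes it with the AWS CLI and connects inside the 60-second window. It assumes a configured AWS CLI, ssh-keygen, and an instance that already runs the Instance Connect package; the region, account and instance id in the test are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: EC2 Instance Connect with an ephemeral key and a scoped policy.
set -eu

# Emit a least-privilege IAM policy that only lets the principal push keys for
# one OS user on one instance. The ec2:osuser condition key is the documented
# way to pin the Linux account; without it the principal could push a key for
# any user sshd accepts.
instance_connect_policy() {
    local region="$1" account="$2" instance_id="$3" os_user="$4"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSSHPublicKey",
    "Resource": "arn:aws:ec2:${region}:${account}:instance/${instance_id}",
    "Condition": {"StringEquals": {"ec2:osuser": "${os_user}"}}
  }]
}
EOF
}

# Generate a key pair for this session only, push the public half through
# Instance Connect and open the SSH session before the key expires.
# Arguments: instance id, availability zone, OS user, public IP or DNS name.
instance_connect_ssh() {
    local instance_id="$1" az="$2" os_user="$3" host="$4" keydir rc=0
    keydir=$(mktemp -d)
    ssh-keygen -t ed25519 -N '' -q -f "$keydir/id_ed25519"
    aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance_id" \
        --availability-zone "$az" \
        --instance-os-user "$os_user" \
        --ssh-public-key "file://$keydir/id_ed25519.pub"
    # The pushed key is only valid for 60 seconds, so connect immediately and
    # use only this identity so ssh does not try long-lived keys first.
    ssh -i "$keydir/id_ed25519" -o IdentitiesOnly=yes "$os_user@$host" || rc=$?
    # Nothing long-lived is left on the client: the private key is removed
    # as soon as the session ends.
    rm -rf "$keydir"
    return $rc
}

# Usage (constructed placeholder values):
#   instance_connect_policy us-east-1 123456789012 i-0123456789abcdef0 ec2-user
#   instance_connect_ssh i-0123456789abcdef0 us-east-1a ec2-user ec2-host.example
```

Because the only durable credential in this flow is the IAM identity, every login also leaves a SendSSHPublicKey event in CloudTrail, which is what you audit instead of tracking who holds which key pair.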



AWS CodeCommit pricing counts each distinct access identity

AWS CodeCommit pricing determines active users by unique access identities.

Q: What is the definition of an active user in AWS CodeCommit?

An active user is any unique AWS identity (IAM user/role, federated user, or root account) that accesses AWS CodeCommit repositories during the month, either through Git requests or by using the AWS Management Console. A server accessing CodeCommit using a unique AWS identity counts as an active user.

I created a repo from the web console with my AWS root account. For my desktop I created an IAM user with Access Key ID A, and for my MacBook Pro I added a second Access Key ID for the same IAM user.

Then I saw it counted as 3 active users, charged $1 USD x 3 per month for the repo... lol