|
| 1 | +Provisioning Amazon EC2 instances |
| 2 | +================================= |
| 3 | + |
| 4 | +BSDploy provides automated provisioning of `Amazon EC2 <http://aws.amazon.com/ec2/>`_ instances via the `ploy_ec2 plugin <http://ploy.readthedocs.org/en/latest/ploy_ec2/README.html>`_. |
| 5 | + |
| 6 | +Note, that this plugin is not installed by default when installing BSDploy, so you need to install it additionally:: |
| 7 | + |
| 8 | + pip install ploy_ec2 |
| 9 | + |
| 10 | +Like with :doc:`Virtualbox instances <provisioning-virtualbox>` the configuration doesn't just describe existing instances but is used to create them. |
| 11 | + |
| 12 | +The first step is always to tell ploy where to find your AWS credentials in ``ploy.conf``:: |
| 13 | + |
| 14 | + [ec2-master:default] |
| 15 | + access-key-id = ~/.aws/foo.id |
| 16 | + secret-access-key = ~/.aws/foo.key |
| 17 | + |
| 18 | +Then, to define EC2 instances use the ``ec2-`` prefix, for example: |
| 19 | + |
| 20 | +.. code-block:: console |
| 21 | + :linenos: |
| 22 | +
|
| 23 | + [ec2-instance:production-backend] |
| 24 | + region = eu-west-1 |
| 25 | + placement = eu-west-1a |
| 26 | + keypair = xxx |
| 27 | + ip = xxx.xxx.xxx.xxx |
| 28 | + instance_type = c3.xlarge |
| 29 | + securitygroups = production |
| 30 | + image = ami-c847b2bf |
| 31 | + user = root |
| 32 | + startup_script = ../startup_script |
| 33 | +
|
| 34 | +Let's go through this briefly, the full details are available at the `ploy_ec2 documentation <http://ploy.readthedocs.org/en/latest/ploy_ec2/README.html>`_: |
| 35 | + |
| 36 | +- ``2-3`` here you set the region and placement where the instance shall reside |
| 37 | +- ``4`` you can optionally provide a keypair (that you must create or upload to EC2 beforehand). If you do so, the key will be used to grant you access to the newly created machine. See the section below regarding the ``startup_script``. |
| 38 | +- ``5`` if you have an Elastic IP you can specify it here and ``ploy`` will tell EC2 to assign it to the instance (if it's available) |
| 39 | +- ``6`` check `the EC2 pricing overview <https://aws.amazon.com/ec2/pricing/#aws-element-d6f4f5f6-88e6-4f9d-ae7e-bc8af955d03e1>`_ for a description of the available instance types. |
| 40 | + |
| 41 | +- ``7`` every EC2 instance needs to belong to a so-called security group. You can either reference an existing one or create one like so:: |
| 42 | + |
| 43 | + [ec2-securitygroup:production] |
| 44 | + connections = |
| 45 | + tcp 22 22 0.0.0.0/0 |
| 46 | + tcp 80 80 0.0.0.0/0 |
| 47 | + tcp 443 443 0.0.0.0/0 |
| 48 | + |
| 49 | +- ``8`` For FreeBSD the currently best option is to use Colin Percival's excellent `daemonology AMIs for FreeBSD <http://www.daemonology.net/freebsd-on-ec2/>`_. Simply pick the ID best suited for your hardware and region from the list and you're good to go! |
| 50 | + |
| 51 | +- ``9`` The default user for which daemonology's startup script configures SSH access (using the given ``keypair``) is named ``ec2-user`` but BSDploy's playbooks all assume ``root``, so we explicitly configure this here. Note, that this means that we *must* change the ``ec-user`` name (this happens in our own ``startup_script``, see below). |
| 52 | + |
| 53 | +- ``10`` ``ploy_ec2`` allows us to provide a local startup script which it will upload for us using Amazon's `instance metadata <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html>`_ mechanism. Here we reference it relative to the location of ``ploy.conf``. The following example provides minimal versions of ``rc.conf`` and ``sshd_config`` which... |
| 54 | + |
| 55 | + - configure SSH access for root |
| 56 | + - install Python (needed for running the :doc:`configuration playbook </setup/configuration>`) |
| 57 | + - updates FreeBSD to the latest patch level upon first boot:: |
| 58 | + |
| 59 | + #!/bin/sh |
| 60 | + cat << EOF > etc/rc.conf |
| 61 | + ec2_configinit_enable="YES" |
| 62 | + ec2_fetchkey_enable="YES" |
| 63 | + ec2_fetchkey_user="root" |
| 64 | + ec2_bootmail_enable="NO" |
| 65 | + ec2_ephemeralswap_enable="YES" |
| 66 | + ec2_loghostkey_enable="YES" |
| 67 | + ifconfig_xn0="DHCP" |
| 68 | + firstboot_freebsd_update_enable="YES" |
| 69 | + firstboot_pkgs_enable="YES" |
| 70 | + firstboot_pkgs_list="python27" |
| 71 | + dumpdev="AUTO" |
| 72 | + panicmail_enable="NO" |
| 73 | + panicmail_autosubmit="NO" |
| 74 | + sshd_enable="YES" |
| 75 | + EOF |
| 76 | + |
| 77 | + cat << EOF > /etc/ssh/sshd_config |
| 78 | + Port 22 |
| 79 | + ListenAddress 0.0.0.0 |
| 80 | + Subsystem sftp /usr/libexec/sftp-server |
| 81 | + PermitRootLogin without-password |
| 82 | + UseDNS no |
| 83 | + EOF |
| 84 | + |
| 85 | +Now you can provision the instance by running:: |
| 86 | + |
| 87 | + # ploy start production-backend |
| 88 | + |
| 89 | +This will take several minutes, as the machine is started up, updates itself and reboots. Be patient, it can easily take five minutes. To check if everything is done, use ploy's status command, once the instance is fully available it should say something like this:: |
| 90 | + |
| 91 | + # ploy status production-backend |
| 92 | + INFO: Instance 'production-backend' (i-xxxxx) available. |
| 93 | + INFO: Instance running. |
| 94 | + INFO: Instances DNS name ec2-xxx-xx-xx-xx.eu-west-1.compute.amazonaws.com |
| 95 | + INFO: Instances private DNS name ip-xxx-xx-xx-xx.eu-west-1.compute.internal |
| 96 | + INFO: Instances public DNS name ec2-xx-xx-xx-xx.eu-west-1.compute.amazonaws.com |
| 97 | + INFO: Console output available. SSH fingerprint verification possible. |
| 98 | + |
| 99 | +Especially the last line means that the new instance is now ready. |
| 100 | + |
| 101 | +You should now be able to log in via SSH:: |
| 102 | + |
| 103 | + ploy ssh production-backend |
| 104 | + |
| 105 | +.. Note:: Unlike with :doc:`plain <provisioning-plain>` or :doc:`Virtualbox <provisioning-virtualbox>` instances, daemonology's `configinit <http://www.daemonology.net/blog/2013-12-09-FreeBSD-EC2-configinit.html>`_ in conjunction with a ``startup_script`` such as the example above already perform everything we need in order to be able to run the jailhost playbooks. In other words, you can skip the :doc:`/setup/bootstrapping` step and continue straight to :doc:`/setup/configuration`. |
| 106 | + |
| 107 | +But before continuing on to :doc:`/setup/configuration`, let's take a look around while we're still logged in and note what hard disks and network interfaces are available. I.e. on our example machine of ``c3.xlarge`` type, the interface is named ``xn0`` and we have two SSDs of 40Gb at ``/dev/xbd1`` and ``/dev/xbd2``, but by default daemonology has already created a swap partition on the first slice (highly recommended, as most instance types don't have that much RAM), so we need to specify the second slice for our use. |
| 108 | + |
| 109 | +This means, that to configure a jailhost on this EC2 instance we need to declare an ``ez-master`` entry in ``ploy.conf`` with the following values:: |
| 110 | + |
| 111 | + [ez-master:production] |
| 112 | + instance = production-backend |
| 113 | + bootstrap_data_pool_devices = xbd1s2 xbd2s2 |
| 114 | + |
| 115 | +In addition, since daemonology will also update the installation to the latest patch level, we will need to explicitly tell ``ezjail`` which version to install, since by default it uses the output of ``uname`` to compute the URL for downloading the base jail but that most likely won't exist (i.e ``10.0-RELEASE-p10``). You can do this by specifying ``ezjail_install_release`` for the ``ez-master`` like so:: |
| 116 | + |
| 117 | + ezjail_install_release = 10.0-RELEASE |
| 118 | + |
| 119 | +With this information you are now finally and truly ready to :doc:`configure the jailhost. </setup/configuration>`. |
0 commit comments