Monthly Archives: January 2014

I can never remember the mapping of Ubuntu release numbers to names. This snippet helps in situations where I can’t use Puppet’s Facter.

export UBUNTU_RELEASE=''
case $(lsb_release -a) in
    *10.04*)
        UBUNTU_RELEASE='lucid';;
    *10.10*)
        UBUNTU_RELEASE='maverick';;
    *11.04*)
        UBUNTU_RELEASE='natty';;
    *11.10*)
        UBUNTU_RELEASE='oneiric';;
    *12.04*)
        UBUNTU_RELEASE='precise';;
    *12.10*)
        UBUNTU_RELEASE='quantal';;
    *13.04*)
        UBUNTU_RELEASE='raring';;
    *13.10*)
        UBUNTU_RELEASE='saucy';;
    *14.04*)
        UBUNTU_RELEASE='trusty';;
    *)
        echo 'Could not work out Ubuntu release name!' >&2
        exit 1
esac

echo "$UBUNTU_RELEASE"

Ubuntu’s silly release names


AWS elastic IP subscription

I’m still not entirely convinced that AWS shouldn’t do this for us automatically, but here you go:

Manual method

Configure the desired Elastic IP by editing a script on the host.

  1. Set up an IAM user
  2. Install the EC2 API tools
    • On Ubuntu, enable multiverse and install ec2-api-tools
  3. The command to associate an Elastic IP to a running EC2 instance is:
    • ec2-associate-address -i i-b2e019da --region eu-west-1 25.21.142.191

Automated method

This script reads the desired Elastic IP from a tag called “elastic-ip” that you’ve set in the EC2 interface.

#!/bin/bash
# This script assigns an Elastic IP to Instance on Reboot or Restart
# It gets the desired Elastic IP from the user tag "elastic-ip" set within the AWS interface
#
# Because it gets its only setting from the user tags it is autonomous and needs no on-machine configuration
#
set -e

export EC2_PRIVATE_KEY='/etc/ec2/user.private.key.pem'
export EC2_CERT='/etc/ec2/user-cert.pem'

if [ ! -e $EC2_PRIVATE_KEY ]; then
  echo "EC2 private key $EC2_PRIVATE_KEY missing!" >&2
  exit 1
fi
if [ ! -e $EC2_CERT ]; then
  echo "EC2 cert $EC2_CERT missing!" >&2
  exit 1
fi

EC2_AVAILABILITY_ZONE=`ec2metadata --availability-zone`
EC2_REGION_ID=${EC2_AVAILABILITY_ZONE:0:${#EC2_AVAILABILITY_ZONE} - 1}  # lop the last character off the availability zone
EC2_INSTANCE_ID=`ec2metadata --instance-id`
EC2_PUBLIC_IP=`ec2metadata --public-ipv4`

echo "Looking up tag:elastic-ip for $EC2_INSTANCE_ID in $EC2_REGION_ID"
# see: http://stackoverflow.com/questions/3883315/query-ec2-tags-from-within-instance
ELASTIC_IP=$(ec2-describe-tags \
  --region $EC2_REGION_ID \
  --filter "resource-type=instance" \
  --filter "resource-id=$EC2_INSTANCE_ID" \
  --filter "key=elastic-ip" | cut -f5)

if [ ! "$ELASTIC_IP" ]; then
  echo "Could not find elastic-ip tag in EC2 settings for this instance!" >&2
  exit 1
fi
echo "elastic-ip tag: $ELASTIC_IP"

if [ "$ELASTIC_IP" == "$EC2_PUBLIC_IP" ]; then
  echo "Public IP of this server already matches"
  exit 0
fi

echo "Assigning Elastic IP"
ec2-associate-address -i "$EC2_INSTANCE_ID" --region "$EC2_REGION_ID" "$ELASTIC_IP"

  • Install the script in /usr/local/bin
  • Mark it executable
  • Call it when your eth0 interface goes up
    • In Ubuntu, add this line to /etc/network/interfaces:
      post-up /etc/network/if-up.d/myscript.sh
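
The automated script runs at interface-up and passes the elastic-ip tag value straight to ec2-associate-address, so whoever can edit the instance's tags controls that argument. The following is an added example, not part of the original post, that accepts the tag only if it is exactly one well-formed IPv4 address. The function names is_ipv4 and elastic_ip_from_tags are hypothetical, the tab-separated column layout is assumed from the script's use of cut -f5, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the post's code): treat the elastic-ip tag as untrusted input.

# is_ipv4 ADDR: succeed only for four dot-separated octets in 0..255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
  esac
  (
    IFS=.
    set -- $1                              # split on dots, inside the subshell only
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
      [ "${#octet}" -le 3 ] || exit 1
      case "$octet" in 0?*) exit 1 ;; esac # reject leading zeros such as 010
      [ "$octet" -le 255 ] || exit 1
    done
  )
}

# elastic_ip_from_tags: read ec2-describe-tags output on stdin and print the
# single validated elastic-ip value; print nothing and return 1 otherwise.
# Assumed columns (tab-separated): TAG, resource type, resource id, key, value.
elastic_ip_from_tags() {
  value=$(awk -F '\t' '$1 == "TAG" && $4 == "elastic-ip" { n++; v = $5 }
                       END { if (n != 1) exit 1; print v }') || {
    echo "expected exactly one elastic-ip tag" >&2
    return 1
  }
  is_ipv4 "$value" || {
    echo "elastic-ip tag is not an IPv4 address" >&2
    return 1
  }
  printf '%s\n' "$value"
}

# Constructed sample lines; the instance id and addresses are placeholders.
SAMPLE_OK=$(printf 'TAG\tinstance\ti-00000000\telastic-ip\t203.0.113.10')
SAMPLE_BAD=$(printf 'TAG\tinstance\ti-00000000\telastic-ip\t203.0.113.10 --region x')

printf '%s\n' "$SAMPLE_OK" | elastic_ip_from_tags
printf '%s\n' "$SAMPLE_BAD" | elastic_ip_from_tags || echo "rejected" >&2
```

In the script above, the ec2-describe-tags pipeline would feed elastic_ip_from_tags in place of cut -f5, and the script would exit when the function returns non-zero.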

Generating an x.509 certificate for Amazon AWS IAM users

These keys let a user access AWS with the EC2 tools, which specifically require an x.509 certificate.

This fixes the ec2 tools “Required option ‘-K, --private-key KEY’ missing (-h for usage)” error.

Create the Certificate

mkdir /etc/ec2 && chmod 700 /etc/ec2
openssl req -out /etc/ec2/CSR.csr -new -newkey rsa:2048 -nodes -keyout /etc/ec2/user.private.key.pem
openssl x509 -req -days 3650 -in /etc/ec2/CSR.csr -signkey /etc/ec2/user.private.key.pem -out /etc/ec2/user-cert.pem

Enable in IAM

  1. Go to IAM > User ID > Security Credentials
  2. Click “Manage Signing Certificates”
  3. Upload a certificate by pasting in the user-cert.pem

Verify

  • export EC2_CERT=/etc/ec2/user-cert.pem
  • export EC2_PRIVATE_KEY=/etc/ec2/user.private.key.pem
  • Run ec2-describe-regions – if everything is working OK you should (after a while) get back a list of regions.

Troubleshooting

  • Make sure you assigned your user to a group in IAM!
  • Does your user have all the necessary permissions for the EC2 operation you are trying to do?
  • Your commands might not be looking at the correct region. For example, ec2-describe-instances --region us-west-1

Thanks:

http://www.supertom.com/code/aws_iam_x509_signing_certificate.html
