
Amazon EC2 Linux Instances


Recently, I got access to an Amazon Web Services account, including Amazon EC2. Elastic Compute Cloud allows users to rent virtual computers on which to run their own applications. EC2 allows scalable deployment of applications by providing a web service through which a user can boot an Amazon Machine Image to create a virtual machine, which Amazon calls an “instance”, containing any software desired. A user can create, launch, and terminate server instances as needed, paying by the hour for active servers, hence the term “elastic”. EC2 gives users control over the geographical location of instances, which allows for latency optimization and high levels of redundancy.
This is what the AWS dashboard looks like:
[screenshot: server1]

From the Amazon EC2 console dashboard, click Launch Instance.
The Create a New Instance page includes these ways to launch an instance:

  1. Classic Wizard
  2. Quick Launch
  3. AWS Marketplace

I have only used Quick Launch; if you have used the other options to launch an instance, please blog about it.
[screenshot: server2]

On the Create a New Instance page, click Quick Launch Wizard. In Name Your Instance, enter a name for the instance that has meaning for you. (If you run multiple instances, naming them helps you identify them in the console.)

In Choose a Key Pair, you can choose from any existing key pairs that you’ve created, or you can create a new key pair.

A key pair enables you to connect to a Linux instance through SSH. Therefore, don’t select the None option. If you launch your instance without a key pair, then you can’t connect to it.

For this example, we’ll create a key pair:

  1. Click Create New.
  2. Type a name for your key pair and then click Download.
  3. Save your private key in a safe place on your computer. Note the location because you’ll need the key to connect to your instance.

[screenshot: server7]
Click Continue to view and customize the settings for your instance.

When you click the Edit details button in the pop-up window, you can change the settings of the instance you are about to create:
1. Instance details
[screenshot: server4]
2. Security Tags
[screenshot: server5]
You can create a new security group or use an existing one. The security group contains a rule that authorizes SSH traffic from any IP address source to port 22. If you launch a Linux instance running Apache and MySQL, the Quick Launch Wizard creates a security group that authorizes traffic to port 80 for HTTP (web traffic) and port 3306 (MySQL).
Now save the details and click the Launch button to launch the instance you have configured.

Now let's connect to the instance we just created. Right-click the instance and click Connect.

[screenshot: server8]

You will get a window like this:

[screenshot: server11]

If you have the Java plugin installed in your web browser, you can click the Launch SSH Client button to open an SSH session. You will get a console like this:

[screenshot: server9]

You can also use OpenSSH to connect to the Linux instance:

[screenshot: server10]

Create and configure a Security Group in Amazon EC2

An Amazon EC2 security group acts as a firewall that controls the traffic allowed into a group of instances. When you launch an Amazon EC2 instance, you can assign it to one or more security groups. For each security group, you add rules that govern the allowed inbound traffic to instances in the group. All other inbound traffic is discarded. You can modify rules for a security group at any time. The new rules are automatically enforced for all existing and future instances in the group.

To configure your security group:

  1. On the Security Groups page, click the security group webappsecuritygroup that you created in the previous procedure.
  2. Click the Inbound tab.
  3. In the Create a new rule drop-down box, click HTTP.
  4. In the Source box, type amazon-elb/amazon-elb-sg. This is the name of the security group that AWS assigns to the Elastic Load Balancer. Selecting this source means that only traffic that comes through the Elastic Load Balancer can reach your Amazon EC2 instance.
  5. Click Add Rule.
  6. Click RDP so that you can connect to your Amazon EC2 instances.
  7. Important: in this example, the security group source is configured to allow access from everywhere, 0.0.0.0/0. This is not good practice, and we set it up this way only for the purposes of this exercise. Best practice is to write rules that restrict access to only those computers or networks that require access to the service. The number after the “/” is the prefix length, which determines how large a range of addresses the rule matches.
  8. Click Add Rule.
  9. Click Apply Rule Changes.
[screenshot: snapshot18]

If you want to allow all users to access a port, give the source as 0.0.0.0/0 for that port. If you want to block all users from accessing a port, you can give the source as 0.0.0.0/32 for that rule: a /32 matches exactly one address, here 0.0.0.0 itself, so the rule admits nobody in practice (since a security group denies everything it does not explicitly allow, simply deleting the rule has the same effect). Rule changes take effect immediately; no restart is required.
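As an added example (my own, not part of the original post), here is a small audit script that applies the rule of thumb above: it walks the structure returned by the EC2 DescribeSecurityGroups API (a constructed sample is embedded), flags SSH, MySQL or RDP rules whose source is 0.0.0.0/0, and shows why 0.0.0.0/32 admits only the single address 0.0.0.0. The group names and CIDRs in the sample are made up.

```python
import ipaddress

# Admin-style ports the post opens or mentions: SSH, MySQL and RDP.
ADMIN_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP"}

def cidr_address_count(cidr):
    """Number of source addresses a CIDR admits; 0.0.0.0/32 matches only 0.0.0.0."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses

def cidr_is_world_open(cidr):
    """True only for a source that admits every IPv4 address, i.e. 0.0.0.0/0."""
    return cidr_address_count(cidr) == 2 ** 32

def find_risky_rules(security_groups):
    """Return (group name, port, service) for admin ports reachable from 0.0.0.0/0.
    Input mirrors the 'SecurityGroups' list returned by DescribeSecurityGroups."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all protocols
                continue
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []):
                if not cidr_is_world_open(rng["CidrIp"]):
                    continue
                for port, name in ADMIN_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupName"], port, name))
    return findings

# Constructed sample: a group like the post's webappsecuritygroup, and a hardened one.
SAMPLE_GROUPS = [
    {"GroupName": "webappsecuritygroup", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.30.8.0/22"}]},
    ]},
    {"GroupName": "hardened", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    ]},
]

if __name__ == "__main__":
    for group, port, name in find_risky_rules(SAMPLE_GROUPS):
        print(f"{group}: {name} (tcp/{port}) is open to the whole Internet")
```

On a real account, feed the script the `SecurityGroups` list from `aws ec2 describe-security-groups` instead of the constructed sample.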

Xen hypervisor installation and configuration


As part of the Security in Cloud course of my master's degree, I installed and configured the Xen hypervisor on Ubuntu 12.04, so I thought I would blog about it.

Xen is an open-source hypervisor (a hypervisor presents the guest operating systems with a virtual operating platform and manages their execution), which makes it possible to run many instances of an operating system, or indeed different operating systems, in parallel on a single host machine.
Now, you might ask why I used the Xen hypervisor instead of VirtualBox or VMware. The answer is simple: the difference between Xen and VirtualBox is their intended use. VirtualBox is a desktop application, so it expects a host OS to be pre-installed on your machine (Linux, Windows or Mac). Xen is the opposite: it can be thought of as the host OS itself, even though you would not use it like a desktop environment. In terms of performance, Xen will probably edge out VirtualBox because it is a bare-metal hypervisor (it runs directly on the host's hardware to control the hardware and manage the guest machines), and the host environment for Xen is tuned for virtualization tasks rather than desktop duties. Another advantage of Xen is that it uses QEMU (a machine emulator and virtualizer). When used as a virtualizer, QEMU achieves near-native performance by executing guest code directly on the host CPU, especially when run under the Xen hypervisor.

Pre-requisites for installing Xen hypervisor

We need to check whether the host CPU supports the Intel VT-x / AMD-V hardware virtualization extensions. All recent Intel and AMD processors support full virtualization; some older Intel/AMD CPUs may not.
Use the following commands to verify whether hardware virtualization is enabled:

(in a root shell on an Intel machine)

# grep --color vmx /proc/cpuinfo

If the output contains the vmx flag, your Intel CPU supports hardware virtualization.

(in a root shell on an AMD machine)

# grep --color svm /proc/cpuinfo

If the output contains the svm flag, your AMD CPU supports hardware virtualization.

Check your BIOS settings

Many system manufacturers disable AMD or Intel virtualization technology in the BIOS by default. You need to reboot the system and turn it on in the BIOS (take a look at this picture).
[screenshot: VirtualizationBIOSCapable_thumb]

Checking Xen kernel

If you have booted into the Xen kernel, the grep command above will not show the svm or vmx flag, because dom0 itself runs as a guest of the hypervisor. To see whether virtualization is enabled from Xen's point of view, enter:

$ cat /sys/hypervisor/properties/capabilities

You must see hvm entries in the output. If not, reboot the box and enable virtualization in the BIOS.
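As an added example (my own, not from the original post), this script performs both checks described above without grep: it looks for the vmx/svm flag in /proc/cpuinfo text and, when running under Xen, for hvm-* entries in /sys/hypervisor/properties/capabilities. The embedded cpuinfo and capabilities samples are constructed; when run on a real host it reads the live files if they exist.

```python
import os

# Constructed sample of /proc/cpuinfo from an Intel host (only the lines we need).
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est tm2 ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm
"""

# Constructed sample of /sys/hypervisor/properties/capabilities on a Xen host with HVM enabled.
SAMPLE_XEN_CAPS = "xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64\n"

def cpu_virt_extension(cpuinfo_text):
    """Return 'vmx' (Intel VT-x), 'svm' (AMD-V) or None from /proc/cpuinfo text.
    Same idea as the post's grep, but matches whole flag names only."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            for ext in ("vmx", "svm"):
                if ext in flags:
                    return ext
            return None
    return None

def xen_hvm_enabled(caps_text):
    """True if the Xen capabilities string lists any hvm-* entry.
    Needed under Xen, where dom0 does not see the vmx/svm flags in /proc/cpuinfo."""
    return any(cap.startswith("hvm-") for cap in caps_text.split())

def virtualization_status(cpuinfo_text, caps_text=None):
    """'vmx'/'svm' on bare metal, 'hvm' or 'hvm-disabled' under Xen,
    'unsupported-or-disabled-in-bios' when no extension flag is visible."""
    if caps_text is not None:
        return "hvm" if xen_hvm_enabled(caps_text) else "hvm-disabled"
    ext = cpu_virt_extension(cpuinfo_text)
    return ext if ext else "unsupported-or-disabled-in-bios"

if __name__ == "__main__":
    # On a real host read the live files; fall back to the constructed samples otherwise.
    cpuinfo = SAMPLE_CPUINFO
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    caps_path = "/sys/hypervisor/properties/capabilities"
    caps = open(caps_path).read() if os.path.exists(caps_path) else None
    print(virtualization_status(cpuinfo, caps))
```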

Installing Xen hypervisor and utilities

I am installing the Xen hypervisor together with Virtual Machine Manager (a desktop application for managing VMs) and its supporting tools:

$ sudo apt-get install xen-hypervisor-4.1-amd64 xen-utils-4.1 xenwatch xen-tools xen-utils-common xenstore-utils virtinst virt-viewer virt-manager  

Now reboot into the Xen kernel (a new entry will be visible in your GRUB menu):

$ sudo reboot

Then verify that the installation succeeded:

$ sudo xm list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0   945     1     r-----      11.3

Xend configuration
Edit /etc/xen/xend-config.sxp and add this line at the end of the file to enable the UNIX domain socket server:

(xend-unix-server yes)

We need to start (or restart) the xend server in order to apply the changes:

$ sudo service xend start

Edit the .bashrc file in your home directory and add this line, which sets the environment variable VIRSH_DEFAULT_CONNECT_URI:

export VIRSH_DEFAULT_CONNECT_URI="xen:///" 

Reboot your machine and then verify the libvirt installation:

$ sudo virsh version
Compiled against library: libvir 0.9.8
Using library: libvir 0.9.8
Using API: QEMU 0.9.8
Running hypervisor: QEMU 1.0.0

Let's start the Virtual Machine Manager:

$ sudo virt-manager

A new window will pop up like this:
[screenshot: snapshot2]

Let's create a virtual instance now.

Before creating a virtual instance, I will note down the errors I got and provide the solutions for them:
[screenshot: Screenshot at 2011-12-30 20_15_44]
You can fix these issues by executing these commands:

$ sudo mkdir /usr/lib64/xen -p
$ sudo cp /usr/lib/xen-4.1/* -r /usr/lib64/xen/
$ sudo mkdir /usr/share/qemu
$ sudo cp -r /usr/share/qemu-linaro/keymaps /usr/share/qemu/ 

The system threw these errors because it expected files in the specified directories, which were not present on my machine. What I did was create the specified directories and copy the files over from the directories where they actually were.

We've fixed all the issues regarding creating the virtual instance. Let's start creating one; you can follow these steps:
[screenshot: snapshot3]

[screenshot: snapshot7]

[screenshot: snapshot4]

Run the installer

From now on you should install the guest from the ISO as if you were installing it on real hardware:

[screenshot: snapshot8]

Creating a network bridge on the host

Install the bridge-utils package:

$ sudo apt-get install bridge-utils

We are going to change the network configuration. To do it properly, you should first stop networking:

$ sudo invoke-rc.d networking stop

To set up a bridge interface, edit /etc/network/interfaces to look something like this (it works for me!):

auto lo
iface lo inet loopback
auto br0
iface br0 inet dhcp

This will create a virtual interface br0.

Now restart network:

$ sudo /etc/init.d/networking restart

Add eth0 to the bridge br0:

$ sudo brctl addif br0 eth0

And in Virtual Machine Manager, change the default bridge name to the one you have just created (“br0”).

[screenshot: snapshot9]

You may not be able to ping any machine from your Ethernet interface, but you will be able to through the br0 interface. This is because your Ethernet interface's IP address is now assigned to the bridge interface and eth0 is given a new one. Run this command (the results below are from my machine and will vary from network to network):

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.30.8.1       0.0.0.0         UG    0      0        0 br0
10.30.8.0       0.0.0.0         255.255.252.0   U     0      0        0 br0
10.30.8.0       0.0.0.0         255.255.252.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Then find the default gateway of your network (10.30.8.1 in the table above) and add it as the default route via br0:

$ sudo route add default gw YOUR_GATEWAY dev br0

This adds the default gateway and associates it with the previously configured br0.

After executing the steps above, the routing table should look something like this:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.30.8.1       0.0.0.0         UG    0      0        0 br0
0.0.0.0         10.30.8.1       0.0.0.0         UG    0      0        0 eth0
10.30.8.0       0.0.0.0         255.255.252.0   U     0      0        0 br0
10.30.8.0       0.0.0.0         255.255.252.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Manually installing an HVM Guest VM

Download the ISO image of any operating system (I used the Ubuntu 12.04 32-bit ISO).

Create a virtual disk of size 10 GB (approximately 9.8 G); the config below refers to it as /media/linux_data/Ubuntu.img, so use whatever path and name you choose consistently:

$ dd if=/dev/zero of=new.img bs=1M count=10000

Create a guest config file ubuntu.cfg:

builder = "hvm"
name = "ubuntu-hvm"
memory = "512"
vcpus = 1
vif = ['bridge=br0']
disk = ['file:/media/linux_data/Ubuntu.img,sda,w','file:/media/linux_data/ubuntu-12.04-desktop-i386.iso,hdc:cdrom,r']
vnc = 1
boot="dc"
vncdisplay = 7

Then you can create the virtual instance with this command:

$ sudo xm create ubuntu.cfg

To reach the console of this virtual instance, install a VNC client (a VNC client lets you connect to a desktop that has been shared) and connect to display 7, the vncdisplay set in the config:

$ sudo apt-get install xvnc4viewer
$ xvncviewer localhost:7

Now you can install Ubuntu 12.04 in your guest and enjoy!