Chapter 3. Deploying a Red Hat Enterprise Linux image as an EC2 instance on Amazon Web Services

You have a number of options for deploying a Red Hat Enterprise Linux (RHEL) 8 image as an EC2 instance on Amazon Web Services (AWS). This chapter discusses your options for choosing an image and lists or refers to system requirements for your host system and virtual machine (VM). The chapter also provides procedures for creating a custom image, uploading it to EC2, and launching an EC2 instance.

This chapter refers to the Amazon documentation in a number of places. For many procedures, see the referenced Amazon documentation for additional detail.

Note

For a list of Red Hat products that you can use securely on AWS, see Red Hat on Amazon Web Services.

Prerequisites

3.1. Red Hat Enterprise Linux Image options on AWS

The following table lists image choices and notes the differences in the image options.

Table 3.1. Image options

| Image option | Subscriptions | Sample scenario | Considerations |
| --- | --- | --- | --- |
| Choose to deploy a Red Hat Gold Image. | Leverage your existing Red Hat subscriptions. | Enable subscriptions through the Red Hat Cloud Access program, and then choose a Red Hat Gold Image on AWS. | The subscription includes the Red Hat product cost; you pay Amazon for all other instance costs. Red Hat Gold Images are called "Cloud Access" images because you leverage your existing Red Hat subscriptions. Red Hat provides support directly for Cloud Access images. |
| Choose to deploy a custom image that you move to AWS. | Leverage your existing Red Hat subscriptions. | Enable subscriptions through the Red Hat Cloud Access program, upload your custom image, and attach your subscriptions. | The subscription includes the Red Hat product cost; you pay Amazon for all other instance costs. Custom images that you move to AWS are "Cloud Access" images because you leverage your existing Red Hat subscriptions. Red Hat provides support directly for Cloud Access images. |
| Choose to deploy an existing Amazon image that includes RHEL. | The AWS EC2 images include a Red Hat product. | Choose a Red Hat Enterprise Linux image when you launch an instance on the AWS Management Console, or choose an image from the AWS Marketplace. | You pay Amazon hourly on a pay-as-you-go model. Such images are called "on-demand" images. Amazon provides support for on-demand images. Red Hat provides updates to the images. AWS makes the updates available through the Red Hat Update Infrastructure (RHUI). |

Note

You can create a custom image for AWS using Red Hat Image Builder. See Composing a Customized RHEL System Image for more information.

Important

You cannot convert an on-demand instance to a Red Hat Cloud Access instance. To change from an on-demand image to a Red Hat Cloud Access (BYOS) image, create a new Red Hat Cloud Access instance and migrate data from your on-demand instance. Cancel your on-demand instance after you migrate your data to avoid double billing.

The remainder of this chapter includes information and procedures pertaining to custom images.

3.2. Understanding base images

This section includes information on using preconfigured base images and their configuration settings.

3.2.1. Using a custom base image

To manually configure a VM, you start with a base (starter) VM image. Once you have created the base VM image, you can modify configuration settings and add the packages the VM requires to operate on the cloud. You can make additional configuration changes for your specific application after you upload the image.

The recommended base VM image is the Red Hat Enterprise Linux 8 KVM Guest Image, which you download from the Red Hat Customer Portal. The KVM Guest Image is preconfigured with the following cloud configuration settings.

  • The root account is disabled. You temporarily enable root account access to make configuration changes and install packages that the cloud may require. This guide provides instructions for enabling root account access.
  • A user account named cloud-user is preconfigured on the image. The cloud-user account has sudo access.
  • The image has cloud-init installed and enabled. cloud-init is a service that handles provisioning of the VM (or instance) at initial boot.

You can choose to use a custom Red Hat Enterprise Linux ISO image; however, when using a custom ISO image, you may need to make additional configuration changes.

Additional resources

Red Hat Enterprise Linux

3.2.2. Virtual machine configuration settings

Cloud VMs must have the following configuration settings.

Table 3.2. VM configuration settings

| Setting | Recommendation |
| --- | --- |
| ssh | ssh must be enabled to provide remote access to your VMs. |
| dhcp | The primary virtual adapter should be configured for dhcp. |

3.3. Creating a base image from a KVM Guest Image

Follow the procedures in this section to create a base image from a KVM Guest Image.

Prerequisites

Enable virtualization for your Red Hat Enterprise Linux 8 host machine.

3.3.1. Downloading the KVM Guest Image

Procedure

  1. Download the latest Red Hat Enterprise Linux KVM Guest Image from the Red Hat Customer Portal.
  2. Move the image to /var/lib/libvirt/images.

3.3.2. Creating the VM from the KVM Guest Image

Procedure

  1. Ensure that you have enabled your host machine for virtualization. See Enabling virtualization in RHEL 8 for information and procedures.
  2. Create and start a basic Red Hat Enterprise Linux VM. See Creating virtual machines for instructions.

    1. If you use the command line to create your VM, ensure that you set the default memory and CPUs to the capacity you want for the VM. Set your virtual network interface to virtio.

      A basic command-line sample follows.

      virt-install --name kvmtest --memory 2048 --vcpus 2 --disk rhel-8.0-x86_64-kvm.qcow2,bus=virtio --import --os-variant=rhel8.0
    2. If you use the web console to create your VM, follow the procedure in Creating virtual machines using the web console, with these caveats:

      • Do not check Immediately Start VM.
      • Change your Memory size to your preferred settings.
      • Before you start the installation, ensure that you have changed Model under Virtual Network Interface Settings to virtio and change your vCPUs to the capacity settings you want for the VM.
  3. Shut down the new VM after a login prompt appears.

3.3.3. Setting up root access to your KVM Guest Image

You need root access to make additional configuration changes to your image. You can also use root as one method of accessing your image once you have uploaded the image to the cloud. Perform the following procedure to enable root access to your VM.

Procedure

  1. From your host system, use the virt-customize command to set a root password for the VM.

    # virt-customize -a <guest-image-path> --root-password password:<PASSWORD>

    Example:

    # virt-customize -a /var/lib/libvirt/images/rhel-guest-image-8.0-120.x86_64.qcow2 --root-password password:redhat!
    [   0.0] Examining the guest ...
    [ 103.0] Setting a random seed
    [ 103.0] Setting passwords
    [ 112.0] Finishing off
  2. Use the virt-edit command to edit the cloud.cfg file on your VM. Within the file, enable root login and password authentication by setting disable_root to 0 and ssh_pwauth to 1.

    # virt-edit -a <guest-image-path> /etc/cloud/cloud.cfg
  3. Verify root access by starting the RHEL VM and logging in as root.
  4. Configure the image.
  5. Important: This step is only for VMs you intend to upload to AWS. Install the nvme, xen-netfront, and xen-blkfront drivers, which are required for RHEL 8.x images on AWS.

     # dracut -f --add-drivers "nvme xen-netfront xen-blkfront"

    Including these drivers removes the possibility of a dracut time-out.

  6. Power down the VM.

3.4. Creating a base VM from an ISO image

Follow the procedures in this section to create a base image from an ISO image.

Prerequisites

Enable virtualization for your Red Hat Enterprise Linux 8 host machine.

3.4.1. Downloading the ISO image

Procedure

  1. Download the latest Red Hat Enterprise Linux ISO image from the Red Hat Customer Portal.
  2. Move the image to /var/lib/libvirt/images.

3.4.2. Creating a VM from the ISO image

Procedure

  1. Ensure that you have enabled your host machine for virtualization. See Enabling virtualization in RHEL 8 for information and procedures.
  2. Create and start a basic Red Hat Enterprise Linux VM. See Creating virtual machines for instructions.

    1. If you use the command line to create your VM, ensure that you set the default memory and CPUs to the capacity you want for the VM. Set your virtual network interface to virtio.

      A basic command-line sample follows.

      virt-install --name isotest --memory 2048 --vcpus 2 --disk size=8,bus=virtio --location rhel-8.0-x86_64-dvd.iso --os-variant=rhel8.0
    2. If you use the web console to create your VM, follow the procedure in Creating virtual machines using the web console, with these caveats:

      • Do not check Immediately Start VM.
      • Change your Memory and Storage Size to your preferred settings.
      • Before you start the installation, ensure that you have changed Model under Virtual Network Interface Settings to virtio and change your vCPUs to the capacity settings you want for the VM.

3.4.3. Completing the RHEL installation

Perform the following steps to complete the installation and to enable root access once the VM launches.

Procedure

  1. Choose the language you want to use during the installation process.
  2. On the Installation Summary view:

    1. Click Software Selection and check Minimal Install.
    2. Click Done.
    3. Click Installation Destination and check Custom under Storage Configuration.

      • Verify at least 500 MB for /boot. You can use the remaining space for root /.
      • Standard partitions are recommended, but you can use Logical Volume Management (LVM).
      • You can use xfs, ext4, or ext3 for File System.
      • Click Done when you are finished with changes.
  3. Click Begin Installation.
  4. Set a Root Password. Create other users as applicable.
  5. Reboot the VM and log in as root once the installation completes.
  6. Configure the image.

    Note

    Ensure that the cloud-init package is installed and enabled.

  7. Important: This step is only for VMs you intend to upload to AWS. Install the nvme, xen-netfront, and xen-blkfront drivers, which are required for RHEL 8.x images on AWS.

     # dracut -f --add-drivers "nvme xen-netfront xen-blkfront"

    Including these drivers removes the possibility of a dracut time-out.

  8. Power down the VM.

3.5. Uploading the Red Hat Enterprise Linux image to AWS

Follow the procedures in this section to upload your image to AWS.

3.5.1. Installing the AWS CLI

Many of the procedures in this chapter include using the AWS CLI. Complete the following steps to install the AWS CLI.

Prerequisites

You need to have created and have access to an AWS Access Key ID and an AWS Secret Access Key. See Quickly Configuring the AWS CLI for information and instructions.

Procedure

  1. Install Python 3 and the pip tool.

    # yum install python3
    # yum install python3-pip
  2. Install the AWS command line tools with the pip command.

    # pip3 install awscli
  3. Run the aws --version command to verify that you installed the AWS CLI.

    $ aws --version
    aws-cli/1.16.182 Python/2.7.5 Linux/3.10.0-957.21.3.el7.x86_64 botocore/1.12.172
  4. Configure the AWS command line client according to your AWS access details.

    $ aws configure
    AWS Access Key ID [None]:
    AWS Secret Access Key [None]:
    Default region name [None]:
    Default output format [None]:

3.5.2. Creating an S3 bucket

Importing to AWS requires an Amazon S3 bucket. An Amazon S3 bucket is an Amazon resource where you store objects. As part of the process for uploading your image, you create an S3 bucket and then move your image to the bucket. Complete the following steps to create a bucket.

Procedure

  1. Launch the Amazon S3 Console.
  2. Click Create Bucket. The Create Bucket dialog appears.
  3. In the Name and region view:

    1. Enter a Bucket name.
    2. Enter a Region.
    3. Click Next.
  4. In the Configure options view, select desired options and click Next.
  5. In the Set permissions view, change or accept the default options and click Next.
  6. Review your bucket configuration.
  7. Click Create bucket.

    Note

    Alternatively, you can use the AWS CLI to create a bucket. For example, aws s3 mb s3://my-new-bucket creates an S3 bucket named my-new-bucket. See the AWS CLI Command Reference for information on the mb command.

3.5.3. Creating the vmimport role

Perform the following procedure to create the vmimport role, which is required by VM import. See VM Import Service Role in the Amazon documentation for more information.

Procedure

  1. Create a file named trust-policy.json and include the following policy. Save the file on your system and note its location.

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Principal": { "Service": "vmie.amazonaws.com" },
             "Action": "sts:AssumeRole",
             "Condition": {
                "StringEquals":{
                   "sts:Externalid": "vmimport"
                }
             }
          }
       ]
    }
  2. Use the create role command to create the vmimport role. Specify the full path to the location of the trust-policy.json file. Prefix file:// to the path. A sample follows.

    aws iam create-role --role-name vmimport --assume-role-policy-document file:///home/sample/ImportService/trust-policy.json
  3. Create a file named role-policy.json and include the following policy. Replace s3-bucket-name with the name of your S3 bucket.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
             ],
             "Resource":[
                "arn:aws:s3:::s3-bucket-name",
                "arn:aws:s3:::s3-bucket-name/*"
             ]
          },
          {
             "Effect":"Allow",
             "Action":[
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
             ],
             "Resource":"*"
          }
       ]
    }
  4. Use the put-role-policy command to attach the policy to the role you created. Specify the full path of the role-policy.json file. A sample follows.

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///home/sample/ImportService/role-policy.json
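
The check below is an added example, not part of the Red Hat or Amazon documentation: it inspects the two policy documents from this procedure before they are applied, confirming that only the VM Import service can assume the role and that S3 access stays read-only and confined to your bucket. The function names and the bucket name example-import-bucket are assumptions made for illustration.

```python
import json

VMIE = "vmie.amazonaws.com"
READ_ONLY_S3 = {"s3:getbucketlocation", "s3:getobject", "s3:listbucket"}

def as_list(value):
    """IAM accepts a single string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy):
    """Findings for the trust policy passed to `aws iam create-role`."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in ({"Service": VMIE}, {"Service": [VMIE]}):
            findings.append("trust: principal is not limited to " + VMIE)
        # Condition key names are not case-sensitive in IAM, so the page's
        # "sts:Externalid" spelling is accepted here as well.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(equals.get("sts:externalid", [])) != ["vmimport"]:
            findings.append("trust: no sts:ExternalId == vmimport condition")
    return findings

def check_role_policy(policy, bucket):
    """Findings for the policy passed to `aws iam put-role-policy`."""
    findings = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in as_list(policy["Statement"]):
        # Action names are matched case-insensitively; wildcards count as extra.
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        s3_actions = {a for a in actions if a == "*" or a.startswith("s3:")}
        if stmt.get("Effect") != "Allow" or not s3_actions:
            continue
        extra = s3_actions - READ_ONLY_S3
        if extra:
            findings.append(f"role: S3 actions beyond read access: {sorted(extra)}")
        for arn in as_list(stmt.get("Resource", [])):
            if arn not in allowed:
                why = ("placeholder not replaced" if "s3-bucket-name" in arn
                       else "outside the import bucket")
                findings.append(f"role: {arn}: {why}")
    return findings

# The page's two policies, with the bucket placeholder left untouched.
PAGE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "vmie.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}""")
PAGE_ROLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::s3-bucket-name", "arn:aws:s3:::s3-bucket-name/*"]},
  {"Effect": "Allow",
   "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
              "ec2:RegisterImage", "ec2:Describe*"],
   "Resource": "*"}]}""")

if __name__ == "__main__":
    bucket = "example-import-bucket"  # constructed bucket name (assumption)
    for line in check_trust_policy(PAGE_TRUST) + check_role_policy(PAGE_ROLE, bucket):
        print(line)
```

Run against the policies exactly as printed above, the check reports the two unreplaced s3-bucket-name ARNs and nothing else; after the placeholder is replaced with your bucket name, it reports no findings.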

3.5.4. Converting and pushing your image to S3

Complete the following procedure to convert and push your image to S3. The samples are representative; they convert an image formatted in the qcow2 file format to raw format. Amazon accepts images in OVA, VHD, VHDX, VMDK, and raw formats. See How VM Import/Export Works for more information on image formats that Amazon accepts.

Procedure

  1. Run the qemu-img command to convert your image. A sample follows.

    qemu-img convert -f qcow2 -O raw rhel-8.1-x86_64-kvm.qcow2 rhel-8.1-x86_64-kvm.raw
  2. Push the image to S3.

    aws s3 cp rhel-8.1-x86_64-kvm.raw s3://s3-bucket-name
    Note

    This procedure could take a few minutes. After completion, you can check that your image uploaded successfully to your S3 bucket using the AWS S3 Console.

3.5.5. Importing your image as a snapshot

Perform the following procedure to import an image as a snapshot.

Procedure

  1. Create a file to specify a bucket and path for your image. Name the file containers.json. In the sample that follows, replace s3-bucket-name with your bucket name and s3-key with your key. You can get the key for the image using the Amazon S3 Console.

    {
        "Description": "rhel-8.1-x86_64-kvm.raw",
        "Format": "raw",
        "UserBucket": {
            "S3Bucket": "s3-bucket-name",
            "S3Key": "s3-key"
        }
    }
  2. Import the image as a snapshot. This example uses a public Amazon S3 file; you can use the Amazon S3 Console to change permissions settings on your bucket.

    aws ec2 import-snapshot --disk-container file://containers.json

    The terminal displays a message such as the following. Note the ImportTaskID within the message.

    {
        "SnapshotTaskDetail": {
            "Status": "active",
            "Format": "RAW",
            "DiskImageSize": 0.0,
            "UserBucket": {
                "S3Bucket": "s3-bucket-name",
                "S3Key": "rhel-8.1-x86_64-kvm.raw"
            },
            "Progress": "3",
            "StatusMessage": "pending"
        },
        "ImportTaskId": "import-snap-06cea01fa0f1166a8"
    }
  3. Track the progress of the import using the describe-import-snapshot-tasks command. Include the ImportTaskID.

    aws ec2 describe-import-snapshot-tasks --import-task-ids import-snap-06cea01fa0f1166a8

    The returned message shows the current status of the task. When complete, Status shows completed. Within the status, note the snapshot ID.

3.5.6. Creating an AMI from the uploaded snapshot

Within EC2, you must choose an Amazon Machine Image (AMI) when launching an instance. Perform the following procedure to create an AMI from your uploaded snapshot.

Procedure

  1. Go to the AWS EC2 Dashboard.
  2. Under Elastic Block Store, select Snapshots.
  3. Search for your snapshot ID (for example, snap-0e718930bd72bcda0).
  4. Right-click on the snapshot and select Create image.
  5. Name your image.
  6. Under Virtualization type, choose Hardware-assisted virtualization.
  7. Click Create. In the note regarding image creation, there is a link to your image.
  8. Click on the image link. Your image shows up under Images>AMIs.

    Note

    Alternatively, you can use the AWS CLI register-image command to create an AMI from a snapshot. See register-image for more information. An example follows.

    $ aws ec2 register-image --name "myimagename" --description "myimagedescription" --architecture x86_64  --virtualization-type hvm --root-device-name "/dev/sda1" --block-device-mappings "{\"DeviceName\": \"/dev/sda1\",\"Ebs\": {\"SnapshotId\": \"snap-0ce7f009b69ab274d\"}}" --ena-support
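
The following added example (not from the Red Hat or Amazon documentation) connects section 3.5.5 to the register-image call above: it reads the JSON returned by describe-import-snapshot-tasks, returns the snapshot ID only when the task has completed, and builds the register-image command as an argument list so that the block device mapping needs no shell escaping. The function names are assumptions, the sample output is constructed from the IDs shown on this page, and treating any status other than active or completed as a failure is also an assumption.

```python
import json
import re

SNAPSHOT_ID = re.compile(r"snap-[0-9a-f]+")

def snapshot_from_task(describe_output, task_id):
    """Return the snapshot ID of a completed import task, or None while it runs.

    Raises RuntimeError when the task ended without a snapshot and LookupError
    when the output does not contain the task at all.
    """
    for task in json.loads(describe_output).get("ImportSnapshotTasks", []):
        if task.get("ImportTaskId") != task_id:
            continue
        detail = task.get("SnapshotTaskDetail", {})
        status = detail.get("Status")
        if status == "completed":
            return detail["SnapshotId"]
        if status == "active":
            return None
        # Assumption: any other status (for example "deleted") is a failed import.
        raise RuntimeError(f"{task_id}: {status}: {detail.get('StatusMessage', '')}")
    raise LookupError(f"{task_id} not found in output")

def register_image_args(snapshot_id, name, description, root_device="/dev/sda1"):
    """Build the register-image command as an argument list (no shell quoting)."""
    if not SNAPSHOT_ID.fullmatch(snapshot_id):
        raise ValueError(f"not a snapshot ID: {snapshot_id!r}")
    # The mapping is passed as a JSON list holding one device entry.
    mappings = [{"DeviceName": root_device, "Ebs": {"SnapshotId": snapshot_id}}]
    return ["aws", "ec2", "register-image",
            "--name", name, "--description", description,
            "--architecture", "x86_64", "--virtualization-type", "hvm",
            "--root-device-name", root_device,
            "--block-device-mappings", json.dumps(mappings),
            "--ena-support"]

# Constructed sample output, using the task and snapshot IDs shown on this page.
SAMPLE_COMPLETED = """{"ImportSnapshotTasks": [{
  "Description": "rhel-8.1-x86_64-kvm.raw",
  "ImportTaskId": "import-snap-06cea01fa0f1166a8",
  "SnapshotTaskDetail": {"Format": "RAW", "Status": "completed",
                         "SnapshotId": "snap-0e718930bd72bcda0"}}]}"""

if __name__ == "__main__":
    snap = snapshot_from_task(SAMPLE_COMPLETED, "import-snap-06cea01fa0f1166a8")
    print(register_image_args(snap, "myimagename", "myimagedescription"))
```

The returned list can be handed to subprocess.run as is; because no shell is involved, the image name and description are passed through literally.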

3.5.7. Launching an instance from the AMI

Perform the following procedure to launch and configure an instance from the AMI.

Procedure

  1. From the AWS EC2 Dashboard, select Images and then AMIs.
  2. Right-click on your image and select Launch.
  3. Choose an Instance Type that meets or exceeds the requirements of your workload.

    Refer to Amazon EC2 Instance Types for information on instance types.

  4. Click Next: Configure Instance Details.

    1. Enter the Number of instances you want to create.
    2. For Network, select the VPC you created when setting up your AWS environment. Select a subnet for the instance or create a new subnet.
    3. Select Enable for Auto-assign Public IP.

      Note

      These are the minimum configuration options necessary to create a basic instance. Review additional options based on your application requirements.

  5. Click Next: Add Storage. Verify that the default storage is sufficient.
  6. Click Next: Add Tags.

    Note

    Tags can help you manage your AWS resources. See Tagging Your Amazon EC2 Resources for information on tagging.

  7. Click Next: Configure Security Group. Select the security group you created when setting up your AWS environment.
  8. Click Review and Launch. Verify your selections.
  9. Click Launch. You are prompted to select an existing key pair or create a new key pair. Select the key pair you created when setting up your AWS environment.

    Note

    Verify that the permissions for your private key are correct. Use the chmod 400 <keyname>.pem command to change the permissions, if necessary.

  10. Click Launch Instances.
  11. Click View Instances. You can name the instance(s).

    You can now launch an SSH session to your instance(s) by selecting an instance and clicking Connect. Use the example provided for A standalone SSH client.

    Note

    Alternatively, you can launch an instance using the AWS CLI. See Launching, Listing, and Terminating Amazon EC2 Instances in the Amazon documentation for more information.

3.5.8. Attaching Red Hat subscriptions

Complete the following steps to attach the subscriptions you previously enabled through the Red Hat Cloud Access program.

Prerequisites

You must have enabled your subscriptions.

Procedure

  1. Register your system.

    subscription-manager register --auto-attach
  2. Attach your subscriptions.