Chapter 11. Provisioning Cloud Instances in Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides public cloud compute resources. Red Hat Satellite 6 can interact with Amazon EC2’s public API to create new cloud instances and control their power management states. In this chapter, the aim is to add a connection to ACME’s Amazon EC2 account and provision a cloud instance.

11.1. Defining Requirements for Amazon EC2 Provisioning

The requirements for Amazon EC2 provisioning include:

  • Synchronized content repositories for Red Hat Enterprise Linux 7. See Synchronizing Red Hat Repositories in the Content Management Guide for more information.
  • A Capsule Server managing a network in your EC2 environment. Ideally, this should be a Virtual Private Cloud (VPC) to ensure a secure network between the hosts and the Capsule Server.
  • A chosen Amazon Machine Image (AMI) for image-based provisioning.
  • An example activation key for host registration. See Section 3.8, “Creating an Activation Key” for more information.

11.2. Adding an Amazon EC2 Connection to the Satellite Server

This process adds the Amazon EC2 connection in the Satellite Server’s compute resources.

Important

Amazon Web Services uses time settings as part of the authentication process. This means the time on the Satellite Server should be correctly synchronized. Ensure that an NTP service, such as ntpd or chronyd, is running properly on the Satellite Server. Failure to provide the correct time to Amazon Web Services can lead to authentication failures. For more information, see Synchronizing Time in the Installation Guide.
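
A preflight check for the time requirement above, as an added example that is not part of the Satellite documentation: it reads the output of chronyc tracking and succeeds only if chronyd reports a synchronized clock within a limit. The function name clock_ok and the 1-second default limit are assumptions made for this example, and the sample output is constructed.

```shell
#!/bin/sh
# clock_ok [MAX_SECONDS]: read `chronyc tracking` output on stdin and succeed
# only if chronyd is synchronised and the system clock offset is within the
# limit. The helper name and the 1-second default are assumptions.
clock_ok() {
    awk -v max="${1:-1}" '
        /^System time/ { offset = $4; have_offset = 1 }
        /^Leap status/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            leap = $0
        }
        END {
            if (!have_offset || leap != "Normal") exit 1  # no usable time source
            if (offset + 0 > max + 0) exit 1              # clock too far from NTP time
            exit 0
        }'
}

# Constructed samples of `chronyc tracking` output (abridged).
SAMPLE_SYNCED='Reference ID    : C0000201 (ntp.example.com)
Stratum         : 3
System time     : 0.000412000 seconds fast of NTP time
Leap status     : Normal'
SAMPLE_UNSYNCED='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

printf '%s\n' "$SAMPLE_SYNCED"   | clock_ok 1 && echo "synced sample: OK"
printf '%s\n' "$SAMPLE_UNSYNCED" | clock_ok 1 || echo "unsynced sample: fix NTP before adding the EC2 connection"
# On the Satellite Server itself: chronyc tracking | clock_ok 1
```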

For Web UI Users

Navigate to Infrastructure > Compute resource and click New Compute Resource. The UI provides a set of fields for the compute resource:

  • Name - A plain text name for the resource. For example, ACME's EC2.
  • Provider - A field for selecting the compute resource provider. Select EC2 and a new set of fields appears.
  • Description - A plain text description for the resource. For example, Amazon EC2 Public Cloud.
  • Access Key and Secret Key - The access keys for your Amazon EC2 account. You generate these keys on the Amazon EC2 Management Console under Security Credentials. For more information, see Managing Access Keys for your AWS Account on the Amazon documentation website.
  • Region - The Amazon EC2 region/data center to use. Once you enter your access keys, click Load Regions to show the regions available.

The Locations and Organizations tabs are automatically set to your current context. Add additional contexts to these tabs.

Click Submit to save the Amazon EC2 connection.

For CLI Users

Create the connection with the hammer compute-resource create command. The --user and --password fields act as the access key and secret key respectively. For example:

# hammer compute-resource create --name "ACME's EC2" --provider "EC2" \
--description "Amazon EC2 Public Cloud" --user "ABCDEFGHIJ1234567" \
--password "*********" --region "us-east-1" --locations "New York" \
--organizations "ACME"

11.3. Adding Amazon EC2 Images on the Satellite Server

Amazon EC2 uses image-based provisioning to create new hosts. This means you need to add image details to your Satellite Server. This includes access details and image location.

For Web UI Users

Navigate to Infrastructure > Compute resource and click the name of your Amazon EC2 connection. The UI displays information about the connection, including an Images tab. This tab contains no images for new providers but you can add new ones. Click New Image and the UI provides a set of fields for the Amazon EC2 image:

  • Name - A plain text name for the image. For example, Test Amazon EC2 Image.
  • Operatingsystem - A field for selecting the image’s base operating system. For example, RedHat 7.2.
  • Architecture - A field for selecting the operating system architecture. For example, x86_64.
  • Username - The SSH user name for image access. This is normally the root user.
  • Password - The SSH password for image access.
  • Image ID - The Amazon Machine Image (AMI) ID for the image. This is usually in the following format: ami-xxxxxxxx. For example, ami-b32c14ad.
  • User data - Sets whether the image supports user data input, such as cloud-init data. If you enable user data, the Finish scripts are automatically disabled. This also applies in reverse: if you enable the Finish scripts, this disables user data.
  • IAM role - The Amazon security role used for creating the image.

Click Submit to save the image details.

For CLI Users

Create the image with the hammer compute-resource image create command. Use the --uuid field to store the full path of the image location on the Amazon EC2 server.

# hammer compute-resource image create --name "Test Amazon EC2 Image" \
--operatingsystem "RedHat 7.2" --architecture "x86_64" --username root \
--user-data true --uuid "ami-b32c14ad" --compute-resource "ACME's EC2"

11.4. Adding Amazon EC2 Details to a Compute Profile

We can predefine certain hardware settings for instances on Amazon EC2. You achieve this by adding these hardware settings to a compute profile. For this example, we aim to add some basic hardware settings to the 4-Example profile.

For Web UI Users

Navigate to Infrastructure > Compute profiles and click the name of your profile. For example, use the 4-Example profile you previously created. The UI displays a list of your compute resources. Click on the EC2 connection.

The UI provides a set of fields where you can input Amazon-specific details for the profile. This includes:

  • Flavor - The hardware profile on EC2 to use for the host.
  • Image - The image to use for image-based provisioning. For this example, use the Test EC2 Image.
  • Availability zone - The target cluster to use within the chosen EC2 region.
  • Subnet - The subnet for the EC2 instance. If you have a VPC for provisioning new hosts, use its subnet.
  • Security Groups - The cloud-based access rules for ports and IP addresses. Select the groups to apply to the host.
  • Managed IP - The IP address assignment type. This is either a Public IP or a Private IP.

Click Submit to save the compute profile.

For CLI Users

The compute profile CLI commands are not yet implemented in Red Hat Satellite 6.3. As an alternative, you can include the same settings directly during the host creation process.

11.5. Creating Image-Based Hosts on Amazon EC2

The Amazon EC2 provisioning process creates new hosts from existing images on the Amazon EC2 server.

For Web UI Users

Navigate to Hosts > New host. The UI provides a set of fields where you can input details for the host.

  • In the Host tab:

    • Enter the Name of the Host. This becomes the provisioned system’s host name. For this example, enter ec2-test1.
    • The provisioning context (Organization and Location) should be automatically set to the current context. For this example: ACME and New York.
    • Select the Host Group. This should automatically populate most of the new host’s fields. For this example: Base.
    • In Deploy on, select the EC2 connection. For this example: ACME's EC2. A new tab for virtual machines appears.
    • In Compute profile, select a profile to use to automatically populate virtual machine-based settings. For our example: 4-Example.
  • In the Interface tab:

    • Click Edit on the host’s interface.
    • Most of the fields should automatically contain values. Note in particular:

      • The Name from the Host tab becomes the DNS name.
      • The Satellite Server automatically assigns an IP address for the new host.
    • Leave the MAC address blank. The Amazon EC2 server assigns one to the host.
    • The Satellite Server should automatically select the Managed, Primary, and Provision options for the first interface on the host. If not, select them.
  • In the Operating System tab:

    • All fields should automatically contain values. Confirm each aspect of the operating system.
    • The Image field contains the chosen image from your compute profile. This field also allows you to select a different image on which to base the new host’s root volume.
    • Click Resolve in Provisioning templates to check the new host can identify the right provisioning templates to use.
  • In the Virtual Machine tab:

    • These settings should be populated with details from the chosen host group and compute profile. Modify these settings to suit your needs.
  • In the Parameters tab:

    • Confirm the kt_activation_keys parameter exists and is using the example activation key.

Click Submit.

For CLI Users

Create the host with the hammer host create command and include --provision-method image to use image-based provisioning. For example:

# hammer host create --name "ec2-test1" --organization "ACME" \
--location "New York" --hostgroup "Base" \
--compute-resource "ACME's EC2" --provision-method image \
--image "Test Amazon EC2 Image" --enabled true --managed true \
--interface "managed=true,primary=true,provision=true,subnet_id=EC2" \
--compute-attributes="flavor_id=m1.small,image_id=TestImage,availability_zones=us-east-1a,security_group_ids=Default,managed_ip=Public"

Note

See Appendix B, Additional Host Parameters for Hammer CLI for more information on additional host creation parameters for this compute resource.

This new host entry triggers the Amazon EC2 server to create the instance, using the pre-existing image as a basis for the new volume.

11.6. Connecting to an Amazon EC2 instance using SSH

You can connect remotely to your Amazon EC2 instance from Satellite Server using SSH. However, to connect to any Amazon Web Services EC2 instance that you provision through Red Hat Satellite, you must first access the private key that is associated with the compute resource in the Foreman database, and use this key for authentication.

To locate the private key and connect to an Amazon EC2 server using SSH, complete the following steps:

  1. To locate the compute resource list, on your Satellite Server base system, enter the following command, and note the ID of the compute resource that you want to use:

    # hammer compute-resource list
  2. Switch user to the postgres user:

    # su - postgres
  3. Initiate the postgres shell:

    $ psql
  4. Connect to the Foreman database as the user postgres:

    postgres=# \c foreman
  5. Select the secret from key_pairs where compute_resource_id matches the ID that you noted in step 1 (3 in this example):

    foreman=# select secret from key_pairs where compute_resource_id = 3;
  6. Copy the key from after -----BEGIN RSA PRIVATE KEY----- until -----END RSA PRIVATE KEY-----.
  7. Create a .pem file and paste your key into the file:

    # vim Keyname.pem
  8. Ensure that you restrict access to the .pem file:

    # chmod 600 Keyname.pem
  9. To connect to the Amazon EC2 instance, enter the following command:

    # ssh -i Keyname.pem ec2-user@example.aws.com
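
Steps 5 to 8 can be done without copying the key through a terminal and without the .pem file ever being readable by other users. The following is an added example, not part of the Satellite documentation: the helper name save_pem is hypothetical, the sample psql output is constructed placeholder text rather than a key, and it assumes psql's default ascii line style, where aligned output marks each wrapped line of a multi-line value with a trailing +.

```shell
#!/bin/sh
# save_pem FILE: read psql output on stdin, keep only the PEM block, and
# write it to FILE (hypothetical helper name) with owner-only permissions.
save_pem() {
    out=$1
    rm -f "$out"                       # never reuse a file with lax permissions
    (
        umask 077                      # file is created as 0600 from the start
        awk '
            { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
            !inkey && /^-----BEGIN RSA PRIVATE KEY-----([ \t]*\+)?$/ {
                inkey = 1
                aligned = /\+$/        # aligned psql output: "+" marks a wrapped line
            }
            inkey {
                if (aligned) { sub(/\+$/, ""); sub(/[ \t]+$/, "") }  # drop one marker only
                print
                if ($0 == "-----END RSA PRIVATE KEY-----") { ok = 1; exit }
            }
            END { exit (ok ? 0 : 1) }
        ' > "$out"
    ) || { rm -f "$out"; return 1; }   # no complete key found: leave nothing behind
}

# Constructed sample of aligned psql output; the body is placeholder text, not a key.
# The first body line ends in a literal "+" that belongs to the data.
SAMPLE_PSQL='             secret
---------------------------------
 -----BEGIN RSA PRIVATE KEY-----+
 CONSTRUCTEDPLACEHOLDERLINE1+   +
 CONSTRUCTEDPLACEHOLDERLINE2    +
 -----END RSA PRIVATE KEY-----
(1 row)'

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PSQL" | save_pem "$demo_dir/Keyname.pem" && ls -l "$demo_dir/Keyname.pem"

# Real use on the Satellite Server, with the ID from step 1 in place of 3
# (-A and -t make psql print the raw value with no header or alignment):
# su - postgres -c "psql -At -d foreman -c 'select secret from key_pairs where compute_resource_id = 3'" | save_pem Keyname.pem
```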

11.7. Configuring a Finish Template for an Amazon Web Service EC2 Environment

You can use Red Hat Satellite finish templates during the provisioning of Red Hat Enterprise Linux instances in an Amazon EC2 environment.

To configure a finish template for Amazon EC2, complete the following steps:

  1. In the Red Hat Satellite 6 web UI, navigate to Hosts > Provisioning Templates.
  2. In the Provisioning Templates page, enter Kickstart default finish into the search field and click Search.
  3. On the Kickstart default finish template, select Clone.
  4. In the Name field, enter a unique name for the template.
  5. In the template, prefix each command that requires root privileges with sudo, except for subscription-manager register and yum commands, or add the following line to run the entire template as the sudo user:

    sudo -s << EOS
    _Template_ _Body_
    EOS
  6. Click the Association tab, and associate the template with a Red Hat Enterprise Linux operating system that you want to use.
  7. Click the Locations tab, and add the location where the host resides.
  8. Click the Organizations tab, and add the organization that the host belongs to.
  9. Make any additional customizations or changes that you require, then click Submit to save your template.
  10. Navigate to Hosts > Operating systems and select the operating system that you want for your host.
  11. Click the Templates tab, and from the Finish Template list, select your finish template.
  12. Navigate to Hosts > Create Host and enter the information about the host that you want to create.
  13. Click the Parameters tab and navigate to Host parameters.
  14. In Host parameters, click the Add Parameter button three times to add three new parameter fields. Add the following three parameters:

    1. In the Name field, enter remote_execution_ssh_keys. In the corresponding Value field, enter the output of cat /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub.
    2. In the Name field, enter remote_execution_ssh_user. In the corresponding Value field, enter ec2-user.
    3. In the Name field, enter kt_activation_keys. In the corresponding Value field, enter your activation key.
  15. Click Submit to save the changes.

11.8. More Information about Amazon Web Services and Satellite

For information about how to locate Red Hat Gold Images on Amazon Web Services EC2, see How to Locate Red Hat Cloud Access Gold Images on AWS EC2.

For information about how to install and use the Amazon Web Service Client on Linux, see Install the AWS Command Line Interface on Linux in the Amazon Web Services documentation.

For information about importing and exporting virtual machines in Amazon Web Services, see VM Import/Export in the Amazon Web Services documentation.

11.9. Chapter Summary

This chapter showed how to configure Red Hat Satellite 6 to use an Amazon EC2 server and how to provision new hosts through an Amazon EC2 server. This included both network-based hosts and image-based hosts.

If you have no further compute resources to configure with Red Hat Satellite 6, see Chapter 13, Finalizing Provisioning for some final notes on provisioning.

The next chapter explores methods of provisioning containers on a Red Hat Enterprise Linux Atomic Server.