Chapter 14. Provisioning Cloud Instances in Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides public cloud compute resources. Using Satellite, you can interact with Amazon EC2’s public API to create cloud instances and control their power management states. Use the procedures in this chapter to add a connection to an Amazon EC2 account and provision a cloud instance.

14.1. Prerequisites for Amazon EC2 Provisioning

The requirements for Amazon EC2 provisioning include:

  • A Capsule Server managing a network in your EC2 environment. Use a Virtual Private Cloud (VPC) to ensure a secure network between the hosts and the Capsule Server.
  • An Amazon Machine Image (AMI) for image-based provisioning.
  • Synchronized content repositories for Red Hat Enterprise Linux. For more information, see Synchronizing Red Hat Repositories in the Content Management Guide.
  • An activation key for host registration. For more information, see Creating An Activation Key in the Content Management Guide.

14.2. Adding an Amazon EC2 Connection to the Satellite Server

Use this procedure to add the Amazon EC2 connection in the Satellite Server’s compute resources.

Time Settings and Amazon Web Services

Amazon Web Services uses time settings as part of the authentication process. Ensure that Satellite Server’s time is correctly synchronized. Ensure that an NTP service, such as ntpd or chronyd, is running properly on the Satellite Server. Failure to provide the correct time to Amazon Web Services can lead to authentication failures.

For more information about synchronizing time in Satellite, see Synchronizing Time in Installing Satellite Server from a Connected Network.

Procedure

To add an Amazon EC2 connection, complete the following steps:

  1. In the Satellite web UI, navigate to Infrastructure > Compute Resources and in the Compute Resources window, click Create Compute Resource.
  2. In the Name field, enter a name to identify the Amazon EC2 compute resource.
  3. From the Provider list, select EC2.
  4. In the Description field, enter information that helps distinguish the resource for future use.
  5. Optional: From the HTTP proxy list, select an HTTP proxy to connect to external API services. You must add HTTP proxies to Satellite before you can select a proxy from this list. For more information, see Section 14.3, “Using an HTTP Proxy with Compute Resources”.
  6. In the Access Key and Secret Key fields, enter the access keys for your Amazon EC2 account. For more information, see Managing Access Keys for your AWS Account on the Amazon documentation website.
  7. Optional: Click the Load Regions button to populate the Regions list.
  8. From the Region list, select the Amazon EC2 region or data center to use.
  9. Click the Locations tab and ensure that the location you want to use is selected, or add a different location.
  10. Click the Organizations tab and ensure that the organization you want to use is selected, or add a different organization.
  11. Click Submit to save the Amazon EC2 connection.
  12. Select the new compute resource and then click the SSH keys tab, and click Download to save a copy of the SSH keys to use for SSH authentication. Until BZ1793138 is resolved, you can download a copy of the SSH keys only immediately after creating the Amazon EC2 compute resource. If you require SSH keys at a later stage, follow the procedure in Section 14.7, “Connecting to an Amazon EC2 instance using SSH”.

For CLI Users

Create the connection with the hammer compute-resource create command. Use --user and --password options to add the access key and secret key respectively.

# hammer compute-resource create --name "My_EC2" --provider "EC2" \
--description "Amazon EC2 Public Cloud" --user "user_name" \
--password "secret_key" --region "us-east-1" --locations "New York" \
--organizations "My_Organization"

14.3. Using an HTTP Proxy with Compute Resources

In some cases, the EC2 compute resource that you use might require a specific HTTP proxy to communicate with Satellite. In Satellite, you can create an HTTP proxy and then assign the HTTP proxy to your EC2 compute resource.

However, if you configure an HTTP proxy for Satellite in Administer > Settings, and then add another HTTP proxy for your compute resource, the HTTP proxy that you define in Administer > Settings takes precedence.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > HTTP Proxies, and select New HTTP Proxy.
  2. In the Name field, enter a name for the HTTP proxy.
  3. In the URL field, enter the URL for the HTTP proxy, including the port number.
  4. Optional: Enter a username and password to authenticate to the HTTP proxy, if your HTTP proxy requires authentication.
  5. Click Test Connection to ensure that you can connect to the HTTP proxy from Satellite.
  6. Click the Locations tab and add a location.
  7. Click the Organization tab and add an organization.
  8. Click Submit.

14.4. Adding Amazon EC2 Images to Satellite Server

Amazon EC2 uses image-based provisioning to create hosts. You must add image details to your Satellite Server. This includes access details and image location.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > Compute Resources and select an Amazon EC2 connection.
  2. Click the Images tab, and then click New Image.
  3. In the Name field, enter a name to identify the image for future use.
  4. From the Operating System list, select the operating system that corresponds with the image you want to add.
  5. From the Architecture list, select the operating system’s architecture.
  6. In the Username field, enter the SSH user name for image access. This is normally the root user.
  7. In the Password field, enter the SSH password for image access.
  8. In the Image ID field, enter the Amazon Machine Image (AMI) ID for the image. This is usually in the following format: ami-xxxxxxxx.
  9. Optional: Select the User Data check box if the images support user data input, such as cloud-init data. If you enable user data, the Finish scripts are automatically disabled. This also applies in reverse: if you enable the Finish scripts, this disables user data.
  10. Optional: In the IAM role field, enter the Amazon security role used for creating the image.
  11. Click Submit to save the image details.

For CLI Users

Create the image with the hammer compute-resource image create command. Use the --uuid field to store the full path of the image location on the Amazon EC2 server.

# hammer compute-resource image create --name "Test Amazon EC2 Image" \
--operatingsystem "RedHat 7.2" --architecture "x86_64" --username root \
--user-data true --uuid "ami-my_ami_id" --compute-resource "My_EC2"

14.5. Adding Amazon EC2 Details to a Compute Profile

You can add hardware settings for instances on Amazon EC2 to a compute profile.

Procedure

To add hardware settings, complete the following steps:

  1. In the Satellite web UI, navigate to Infrastructure > Compute Profiles and click the name of your profile, then click an EC2 connection.
  2. From the Flavor list, select the hardware profile on EC2 to use for the host.
  3. From the Image list, select the image to use for image-based provisioning.
  4. From the Availability zone list, select the target cluster to use within the chosen EC2 region.
  5. From the Subnet list, add the subnet for the EC2 instance. If you have a VPC for provisioning new hosts, use its subnet.
  6. From the Security Groups list, select the cloud-based access rules for ports and IP addresses to apply to the host.
  7. From the Managed IP list, select either a Public IP or a Private IP.
  8. Click Submit to save the compute profile.

For CLI Users

The compute profile CLI commands are not yet implemented in Red Hat Satellite. As an alternative, you can include the same settings directly during the host creation process.

14.6. Creating Image-Based Hosts on Amazon EC2

The Amazon EC2 provisioning process creates hosts from existing images on the Amazon EC2 server.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Create Host.
  2. In the Name field, enter a name for the host.
  3. From the Host Group list, you can select a host group to populate most of the new host’s fields.
  4. From the Deploy on list, select the EC2 connection.
  5. From the Compute Profile list, select a profile to use to automatically populate virtual machine-based settings.
  6. Click the Interface tab, and then click Edit on the host’s interface, and verify that the fields are populated with values. Leave the Mac Address field blank. The Satellite Server automatically selects an IP address and the Managed, Primary, and Provision options for the first interface on the host.
  7. Click the Operating System tab and confirm that all fields are populated with values.
  8. Click the Virtual Machine tab and confirm that all fields are populated with values.
  9. Click the Parameters tab, and ensure that a parameter exists that provides an activation key. If not, add an activation key.
  10. Click Submit to save your changes.

This new host entry triggers the Amazon EC2 server to create the instance, using the pre-existing image as a basis for the new volume.

For CLI Users

Create the host with the hammer host create command and include --provision-method image to use image-based provisioning.

# hammer host create --name "ec2-test1" --organization "My_Organization" \
--location "New York" --hostgroup "Base" \
--compute-resource "My_EC2" --provision-method image \
--image "Test Amazon EC2 Image" --enabled true --managed true \
--interface "managed=true,primary=true,provision=true,subnet_id=EC2" \
--compute-attributes="flavor_id=m1.small,image_id=TestImage,availability_zones=us-east-1a,security_group_ids=Default,managed_ip=Public"

For more information about additional host creation parameters for this compute resource, enter the hammer host create --help command.

14.7. Connecting to an Amazon EC2 instance using SSH

You can connect remotely to an Amazon EC2 instance from Satellite Server using SSH. However, to connect to any Amazon Web Services EC2 instance that you provision through Red Hat Satellite, you must first access the private key that is associated with the compute resource in the Foreman database, and use this key for authentication.

To locate the private key and connect to an Amazon EC2 server using SSH, complete the following steps:

  1. To locate the compute resource list, on your Satellite Server base system, enter the following command, and note the ID of the compute resource that you want to use:

    # hammer compute-resource list
  2. Switch user to the postgres user:

    # su - postgres
  3. Initiate the postgres shell:

    $ psql
  4. Connect to the Foreman database as the user postgres:

    postgres=# \c foreman
  5. Select the secret from key_pairs where compute_resource_id is the ID that you noted in step 1 (3 in this example):

    foreman=# select secret from key_pairs where compute_resource_id = 3;
  6. Copy the key from after -----BEGIN RSA PRIVATE KEY----- until -----END RSA PRIVATE KEY-----.
  7. Create a .pem file and paste your key into the file:

    # vim Keyname.pem
  8. Ensure that you restrict access to the .pem file:

    # chmod 600 Keyname.pem
  9. To connect to the Amazon EC2 instance, enter the following command:

    # ssh -i Keyname.pem ec2-user@example.aws.com
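
Steps 5 to 8 can also be done without pasting the key through an editor, so that the .pem file is created with mode 0600 from the start instead of being restricted afterwards. The following is an added example, not part of the Satellite documentation; the save_pem function name and the psql -At invocation shown in the comment are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the Satellite documentation.
# save_pem OUTFILE: read psql output on stdin, keep only the RSA private key
# block, and write it to OUTFILE, created with mode 0600 from the start.
BEGIN_MARK='-----BEGIN RSA PRIVATE KEY-----'
END_MARK='-----END RSA PRIVATE KEY-----'

save_pem() {
    out=$1
    # Refuse to overwrite an existing key file.
    if [ -e "$out" ]; then
        echo "save_pem: $out already exists" >&2
        return 1
    fi
    (
        umask 077   # never group- or world-readable, not even briefly
        # Trim blanks on each line, then keep only BEGIN..END inclusive.
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
            sed -n "/^${BEGIN_MARK}\$/,/^${END_MARK}\$/p" > "$out"
    ) || return 1
    # Keep the file only if it holds exactly one complete key block.
    if [ "$(grep -c -x -F -e "$BEGIN_MARK" "$out")" -ne 1 ] ||
       [ "$(grep -c -x -F -e "$END_MARK" "$out")" -ne 1 ]; then
        rm -f "$out"
        echo "save_pem: no complete RSA private key in input" >&2
        return 1
    fi
}

# Constructed stand-in for psql output; the body is not a real key.
# On Satellite Server, feed the function from the query in step 5 instead:
#   su - postgres -c "psql -At -d foreman -c \
#     'select secret from key_pairs where compute_resource_id = 3'" \
#     | save_pem Keyname.pem
demo_dir=$(mktemp -d)
printf '%s\n' ' secret' " $BEGIN_MARK" ' Q09OU1RSVUNURUQgU0FNUExF' \
    " $END_MARK " '(1 row)' | save_pem "$demo_dir/Keyname.pem"
ls -l "$demo_dir/Keyname.pem"
```

The psql options -A and -t print the value unaligned and without the column header or row count, so the key arrives with its original line breaks.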

14.8. Configuring a Finish Template for an Amazon Web Service EC2 Environment

You can use Red Hat Satellite finish templates during the provisioning of Red Hat Enterprise Linux instances in an Amazon EC2 environment.

If you want to use a Finish template with SSH, Satellite must reside within the EC2 environment and in the correct security group. Satellite currently performs SSH finish provisioning directly, not using Capsule Server. If Satellite Server does not reside within EC2, the EC2 virtual machine reports an internal IP rather than the necessary external IP with which it can be reached.

To configure a finish template for Amazon EC2, complete the following steps:

  1. In the Red Hat Satellite web UI, navigate to Hosts > Provisioning Templates.
  2. In the Provisioning Templates page, enter Kickstart default finish into the search field and click Search.
  3. On the Kickstart default finish template, select Clone.
  4. In the Name field, enter a unique name for the template.
  5. In the template, prefix each command that requires root privileges with sudo, except for subscription-manager register and yum commands, or add the following line to run the entire template as the sudo user:

    sudo -s << EOS
    _Template_ _Body_
    EOS
  6. Click the Association tab, and associate the template with a Red Hat Enterprise Linux operating system that you want to use.
  7. Click the Locations tab, and add the location where the host resides.
  8. Click the Organizations tab, and add the organization that the host belongs to.
  9. Make any additional customizations or changes that you require, then click Submit to save your template.
  10. Navigate to Hosts > Operating systems and select the operating system that you want for your host.
  11. Click the Templates tab, and from the Finish Template list, select your finish template.
  12. Navigate to Hosts > Create Host and enter the information about the host that you want to create.
  13. Click the Parameters tab and navigate to Host parameters.
  14. In Host parameters, click the Add Parameter button three times to add three new parameter fields. Add the following three parameters:

    1. In the Name field, enter remote_execution_ssh_keys. In the corresponding Value field, enter the output of cat /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub.
    2. In the Name field, enter remote_execution_ssh_user. In the corresponding Value field, enter ec2-user.
    3. In the Name field, enter activation_keys. In the corresponding Value field, enter your activation key.
  15. Click Submit to save the changes.

14.9. More Information about Amazon Web Services and Satellite

For information about how to locate Red Hat Gold Images on Amazon Web Services EC2, see How to Locate Red Hat Cloud Access Gold Images on AWS EC2.

For information about how to install and use the Amazon Web Service Client on Linux, see Install the AWS Command Line Interface on Linux in the Amazon Web Services documentation.

For information about importing and exporting virtual machines in Amazon Web Services, see VM Import/Export in the Amazon Web Services documentation.