Difference: AmazonWebServices (1 vs. 3)
Revision 32016-10-13 - frank
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Deleted: | ||||||||
| < < | under construction | |||||||
AmazonWebServices | ||||||||
| Added: | ||||||||
| > > | It is important to note that the 2009 version allows you to bundle images the 2015 tools do not. The 2015 tools support hvm, while the 2009 does not. The 2015 document also notes that we should use the python/boto-based command line tools. | |||||||
Uploading CernVMFirst off a point that confuses me on the function of S3 (I thought S3 was replicated site-to-site): To create an S3 backed image you need to create a bucket local to the EC2 region you care to create the image on. For example: | ||||||||
Revision 22016-10-11 - frank
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
under construction
AmazonWebServices | ||||||||
| Line: 70 to 70 | ||||||||
and promises great things, such as easy hvm support. Here I chronicle my journeys so far. First there is some friendly documentation here . First I identify that the cernvm!*-.fat image would be a Filesystem for Citrix Xen image and thus should qualify for import. However Xen is para-virtualization so I am keeping an open mind about the RAW image CernVM advertises for OpenStack (is that crazy?). | ||||||||
| Added: | ||||||||
| > > | I followed along with the [[http://docs.aws.amazon.com/vm-import/latest/userguide/import-vm-image.html[instructions]]. First of, you need to work from an instance that has a an appropriate service role associated with it. That means we have to using an amazon instance. You will need to create an IAM user that has full access to IAM, to get started following their instructions:
aws configure AWS Access Key ID [None]: <ID> AWS Secret Access Key [None]: <key> Default region name [None]: us-west-2 Default output format [None]:Upload the image you want to create the VM Image from onto S3: wget http://cernvm.cern.ch/releases/production/cernvm-3.6.5.hdd aws s3 cp cernvm-3.6.5.hdd s3://ucernvm-us-west-2/cernvm-3.6.5.hdd aws s3 cp cernvm-3.6.5.hdd s3://ucernvm-us-east-1/cernvm-3.6.5.hddWhen you are ready to run aws ec2 import-image I suggest proceeding as follows. First run aws ec2 import-image --generate-cli-skeleton to get the structure of JSON we'll use to describe the image. I then filled it like this:
{
"DryRun": false,
"Description": "The micro CernVM version 3.6.5 running CerntOS 6",
"DiskContainers": [
{
"Description": "CernVM disk image",
"Format": "raw",
"UserBucket": {
"S3Bucket": "ucernvm-us-west-2",
"S3Key": "cernvm-3.6.5.hdd"
}
}
],
"Hypervisor": "xen",
"Architecture": "x86_64",
"Platform": "Linux"
}
Now, I know that this is kvm image, but xen is literally the only hypervisor value that is allowed here, so let's see what happens, maybe we have to convert that image? Then Run the import task:
aws ec2 import-image --cli-input-json file://cernvm-import.jsonThat will give you a message like this:
{
"Status": "active",
"Description": "The micro CernVM version 3.6.5 running CerntOS 6",
"Hypervisor": "xen",
"Platform": "Linux",
"Architecture": "x86_64",
"Progress": "2",
"SnapshotDetails": [
{
"UserBucket": {
"S3Bucket": "ucernvm-us-west-2",
"S3Key": "cernvm-3.6.5.hdd"
},
"DiskImageSize": 0.0,
"Format": "RAW"
}
],
"StatusMessage": "pending",
"ImportTaskId": "import-ami-fh29lusp"
}
You can then check on the progress of your request like so:
aws ec2 describe-import-image-tasks --import-task-ids import-ami-fh29luspUnfortunately this one, just as all my previous attempts failed with the following:
"StatusMessage": "ClientError: Unknown OS / Missing OS files."
| |||||||
IAM Users and Policies | ||||||||
Revision 12016-10-11 - frank
| Line: 1 to 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| Added: | |||||||||
| > > | under construction
AmazonWebServicesUploading CernVMFirst off a point that confuses me on the function of S3 (I thought S3 was replicated site-to-site): To create an S3 backed image you need to create a bucket local to the EC2 region you care to create the image on. For example:aws s3 mb --region us-west-2 s3://ucernvm-us-west-2 aws s3 mb --region us-east-1 s3://ucernvm-us-east-1And then you'll need to add the VM image into each of these buckets - once for each region you care to maintain an image in. I really hope that this will go away at some point ... but it makes me think hat S3 is in fact not replicated between the amazon sites. Preparing the imageThese instructions are derived from the documentation on the CernVM website. Note that these instructions use the depreciated amazon CLI documented here. If you have trouble finding those CLI tools, they are included in CernVM. The only reference I was able to find to the first command though came from this quick reference sheet. So to do this you will need to have an x.509 key - root or IAM user, more on this under AmazonWebServices#IAMPolicy. To create the image files grab the FAT filesystem of cernvm and then add the amazon disk description:
wget http://cernvm.cern.ch/releases/production/cernvm-3.6.5.fat ec2-bundle-image -u <account_id> -c cert-*.pem -k pk-*.pem -i cernvm-3.6.5.fat --debug --arch x86_64Note: You can look up your account ID in "My Account" in the AWS console. The cert-*.pem and pk-*.pem are your certificate and private key. Now upload the manifests you created above to your S3 buckets: ec2-upload-bundle -a <ID> -s <key> -m /tmp/cernvm-3.6.5.fat.manifest.xml -b ucernvm-us-west-2 ec2-upload-bundle -a <ID> -s <key> -m /tmp/cernvm-3.6.5.fat.manifest.xml -b ucernvm-us-east-1For me that splits into two parts which end up in the buckets. Paravirtualized ImageAmazon provides kernel images for a para-virtualized instances. I found the kernel image identifiers by using the amazon linux instances as a reference. %IMAGE{"EC2_Management_Console.png" type="frame" align="center" caption="finding the Kernel ID" }% Here are the AKI's I've looked up so far:
. So for Oregon:
export EC2_URL=https://ec2.us-west-1.amazonaws.com ec2-register -O <ID> -W <key> -a x86_64 --kernel aki-fc8f11cc ucernvm-us-west-2/cernvm-3.6.5.fat.manifest.xml -d "CernVM 3.6.5"For N. Virginia note that the service endpoint and the kernel ID are different: export EC2_URL=ec2.us-east-1.amazonaws.com ec2-register -O <ID> -W <key> -a x86_64 --kernel aki-919dcaf8 ucernvm-us-east-1/cernvm-3.6.5.fat.manifest.xml -d "CernVM 3.6.5" Hypervirtualized (HVM) ImagesThe AWS documentation fooled me with the ec2-register documentation of the new CLI. Since I thought this implied to the old way of doing things I thought we could do this:
export EC2_URL=https://ec2.us-west-1.amazonaws.com ec2-register -O <ID> -W <key> -a x86_64 --virtualization-type hvm --kernel aki-fc8f11cc ucernvm-us-west-2/cernvm-3.6.5.fat.manifest.xml -d "CernVM 3.6.5"Which does no work, the option does not exist and the kernel needs changing. If you were really motivated you probably looked at the HVM images and noted that none of them have an associated Kernel ID. So let's learn about the new CLI! New(ish) AWS Command Line InterfaceThe new amazon cli is very nicely available via pip:
pip install awscliand promises great things, such as easy hvm support. Here I chronicle my journeys so far. First there is some friendly documentation here . First I identify that the cernvm!*-.fat image would be a Filesystem for Citrix Xen image and thus should qualify for import. However Xen is para-virtualization so I am keeping an open mind about the RAW image CernVM advertises for OpenStack (is that crazy?).
IAM Users and Policies#IAMPolicy I ended up just adding Full S3 and EC2 access (nuke form orbit?). The following is how far I got with defining a more specific set of permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::ucernvm",
"arn:aws:s3:::ucernvm/*",
"arn:aws:s3:::ucernvm-us-west-2",
"arn:aws:s3:::ucernvm-us-west-2/*",
"arn:aws:s3:::ucernvm-us-east-1",
"arn:aws:s3:::ucernvm-us-east-1/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeConversionTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:ImportInstance",
"ec2:ImportVolume",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ImportImage",
"ec2:ImportSnapshot",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:CancelImportTask"
],
"Resource": "*"
}
]
}
Conventions:In the remainder of this document, the following formatting convention is used to differentiate terminal commands from file contentThis background colour denotes terminal input This background colour denotes file content--  frank - 2016-10-11
Comments
| ||||||||
View topic | History: r3 < r2 < r1 | More topic actions...
Copyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback