More control over personal privacy

I guess it has been years in the making: the new General Data Protection Regulation (GDPR) of the European Union, a law on data protection and privacy for all individuals in the EU.

Here is a small summary of what the general data protection rights encompass.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

This should actually be good news to everyone who uses the internet.  Depending on your relationship with various web sites this could be meaningful, and of course it matters more if the site(s) hold any information about you or your habits.  This blog, well as of today anyway, doesn’t collect any information, and the only cookies used are for the basic functionality provided by WordPress.

It was the passage of this law (it went into effect May 25th) that caused a lot of email boxes to start receiving mails from sites asking for confirmation of your relationship.  I suppose that without that affirmation a lot of information was sent to the bit bucket in the sky.

It isn’t only emails: a lot of web sites now inform you that they are using cookies.  This is nice, I guess, but when every site starts doing it at the exact same time it probably conditions a lot of people to just “press ok”.


AWS – S3 buckets

Amazon AWS is a very rich infrastructure.  It is not uncommon for AWS to field several different yet somewhat similar types of services, and data storage is one of those areas with a rich set to pick from.  Not all services are suitable for all tasks, but when data needs to be stored there are quite a number to choose from.

  • S3
  • Elastic File System – EFS
  • Elastic Block Store – EBS
  • Amazon Glacier

In this post I will be examining S3 to demonstrate setting it up as well as discussing some of its uses.

First of all, S3 is not a file system, although it can be mounted as one.  Amazon created S3 as a place where you can store whole objects, and these objects (pictures, PDFs, videos) are what most users would consider to be actual files.  The difference in how S3 treats these objects becomes obvious when an object changes.

A normal file system might be able to change just the one or two blocks of the file that encompass the change, but in S3 the entire object is rewritten to the object store.  This isn’t anything too dramatic unless you have a lot of objects constantly under change or very large objects such as database backups or large videos.

Perhaps to keep S3 distinguishable from their other options, Amazon has given S3 “devices” the name of bucket, which most users won’t confuse with a hard drive or disk drive.

Setting up a bucket

The process of setting up an S3 storage bucket is really just a matter of a few clicks, but there are a few small details that must be considered before starting.

The most important detail is the name of the bucket.  This matters for more than the normal “computer” reason that good naming makes things easier to use: despite a bucket being associated with a specific region, the name of the bucket must be unique across all buckets in S3 worldwide.

You also need to know in which region your data should be stored.  There don’t seem to be any limitations on accessing the data regardless of region, but there are a few reasons the region might matter depending on the company or personal situation.

  • close to clients who will access data
  • stored in a specific region for legal reasons (ie. EU data privacy)
  • stored in a specific region for safety reasons (far away, for catastrophe concerns)

The final important questions are whether the data needs to be encrypted and who should be able to access it.
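
For those who prefer the command line, the same decisions show up as parameters to the AWS CLI.  Here is a minimal sketch, assuming the CLI is installed and configured, and using a made-up bucket name and region:

# create a bucket in a specific region (name must be globally unique)
aws s3api create-bucket --bucket my-example-bucket-2018 \
    --region eu-central-1 \
    --create-bucket-configuration LocationConstraint=eu-central-1

# turn on default server-side encryption for the new bucket
aws s3api put-bucket-encryption --bucket my-example-bucket-2018 \
    --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'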


Just like many other AWS services, it is possible to set tags on the various objects you create.  This might be a tag on the bucket or a tag on an uploaded data file.  Tags are not so useful for the sake of description, but they are helpful for discovering where exactly costs are being incurred when examining your bill.
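
Tags can also be applied from the CLI; a small sketch with a hypothetical bucket and tag:

aws s3api put-bucket-tagging --bucket my-example-bucket-2018 \
    --tagging 'TagSet=[{Key=project,Value=blog}]'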

Uploading an object

Actually uploading a file is as simple as saving a file on your personal computer, but it does involve a few of the same elements as bucket creation.  The important elements are storage class, encryption, tagging, and permissions.
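
For reference, the console upload is equivalent to a single CLI command; a sketch with a hypothetical file and the bucket from above:

aws s3 cp family-video.mp4 s3://my-example-bucket-2018/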


The good news is that the file is uploaded, but if you take a close look at the permissions of the uploaded file, nobody but my account is actually able to read it.

Simply go back to the file and change the permissions so this file is public.
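
From the CLI the same change is one command (the --acl flag could also have been passed at upload time); again a sketch with hypothetical names:

aws s3api put-object-acl --bucket my-example-bucket-2018 \
    --key family-video.mp4 --acl public-read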

(Screenshots: object permissions before and after the change.)

Once this small permission change is completed, it is possible to access this file from the S3 bucket as an average user with no AWS account.

It is interesting to note that there are two different layers of permissions; if either of them does not allow a normal person to access the file, you will receive a 403 error when trying to access this object.

Other features of S3

Object versioning

This is by no means the end of the story for S3 buckets.  It is also possible to enable file versioning.  A “file system” with versioning is not totally unique in the history of computer science: it was also implemented in RSX-11 and OpenVMS, where (in VMS) a simple ordinal number was stored with the file and increased with each successive new file of that name.

I am not planning on discussing the versioning that Amazon provides in detail, but there are a number of different videos available on YouTube.  It is interesting that Amazon provides such a long unique identifier; it is possible that this identifier is unique across all versioned files saved in S3.
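
Enabling versioning itself is simple; a sketch against the hypothetical bucket from above:

aws s3api put-bucket-versioning --bucket my-example-bucket-2018 \
    --versioning-configuration Status=Enabled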

Notifications / events

It is possible to publish notification events when something occurs in your bucket, and it is also possible to have a Lambda function use such an event as its input.  Depending on how you are using S3, you can also use life cycle rules to transition the data to a different storage class after a certain period of time.  Likewise it is possible to expire objects or delete expired objects after a given period of time.
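
As a sketch of what such a life cycle rule might look like from the CLI – the bucket name and day counts here are made up:

# lifecycle.json: move objects to Glacier after 90 days, expire them after 365
cat > lifecycle.json <<'EOF'
{
  "Rules": [
    {
      "ID": "archive-then-expire",
      "Status": "Enabled",
      "Filter": {"Prefix": ""},
      "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
      "Expiration": {"Days": 365}
    }
  ]
}
EOF
aws s3api put-bucket-lifecycle-configuration --bucket my-example-bucket-2018 \
    --lifecycle-configuration file://lifecycle.json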

Finally it is possible to replicate your data to other regions as well as gather analytics and metrics for your bucket.  This information could be used in reporting.

Parting shot

S3 is really pretty amazing, and despite the fact that it doesn’t have “elastic” in the name it is a pretty elastic service.  It provides a nice place to save rather static data, but it has one thing going for it that may easily be overlooked – it is as big as you need it to be.

You are allowed to have objects anywhere from zero bytes up to 5 terabytes in size.  This is pretty huge, and it all scales automatically in the background.  It is not a disk with a fixed size; it is a work-space in which you can store an unlimited number of objects that can each be really quite large.

Although I haven’t done it, it makes you wonder if this would be an interesting replacement for other services that allow you to have a “virtual disk” on the internet.  The pricing is fairly cheap.

AWS pricing

I currently use another service for sharing videos of family events, but after looking at the AWS pricing it might be possible to reduce my costs.

Your mileage may vary but if the files are not heavily accessed nor super large this might be an alternative.


Is security a fallacy?

How many times have you heard or read that the best course of action is to keep your computer up to date with security patches?  This is true for your computer’s operating system, device drivers, BIOS, and software applications, including those on your smart phone.

Software is created by people, and not everyone is perfect.  Programs can have virtually any number of problems, but the common ones can be grouped into a small number of generic categories.

  • Incorrect calculations
  • Inconsistent processing
  • Inadequate security

It is possible for these types of errors to be hidden for years or crash the first time they are run.

Critical PGP and S/MIME bugs

Thus the common position is to update your particular device with the most recent security patches.

It’s a matter of Trust

The grand assumption is that any software bugs are not malicious and your software vendor has your best interests in mind.  Well, they probably want your money but that seems to be a fair trade for reliable software – right?

The whole situation gets a bit sticky when asking for your money isn’t enough and it becomes necessary to cut corners and sell your information to top up the company coffers.  The information gleaned from your purchases, browsing history, or viewing habits helps to build a profile, which is also a valuable commodity.

It is this hidden wealth potential that makes gathering information from one’s customers all too enticing.  Thus it is not overly surprising to see smart-phone apps requesting permissions far beyond what the application needs, in order to gather this important personal information.

This problem was reported years ago, but it has not gone away.  It has been reported in Germany by the Technical University of Braunschweig and does not seem to be limited to either Android or iOS.

I have personally seen this first hand when a friend received an upgrade notice for a keyboard app.  The permissions went from nothing special to needing access to contact data – which is fairly suspicious for a keyboard app.

Tinfoil hat

It is really not possible for the average person to verify that every smart phone app or patch is safe.  Who really knows if the mountain of upgrades being installed on your phone are protecting you or watching what you are doing?  It comes down to a level of trust.

Seriously just how bad could it really be?

I used Google to see what different apps are available and was completely blown away by what is possible.  Just put the following terms into your search engine.

“innovative features for remote spying on your phone”

The app that I looked at was able to do all of the following actions – well, for a monthly fee.

  • Real Time Location Tracking
  • View Location History of the Phone
  • View Sent / Received SMS / iMessage
  • View Deleted SMS/iMessage
  • Call Tracking
  • View Call History
  • View Call Deleted History
  • View Photos
  • View Videos
  • Listen to Voice Recording
  • WhatsApp Chats
  • Facebook Messages
  • Viber Messages
  • Skype Messages

This allows you to know where someone is or was, when the camera was used and for what, who was called, and with whom text messages were exchanged.

Did I mention that this is all possible remotely?  I have no inside knowledge, but this same level of spying used to be possible only if you were a government with some serious resources.  Now it is possible to install your own spy on someone’s device.  Not only that, they will make a concerted effort to ensure that little spy is with them at all times.

Patching your computers is still a really good idea, but you do need to have trust in the security of those supporting your ecosystem.  Well, that and to remember another golden rule.

Anyone who has physical access to a device can take over that device!

Physical security is still king. These types of spy programs cannot be installed on your device unless someone has access to that device.  Use strong passwords and keep your hardware away from prying eyes.


The carrot and the stick

Google pushes web towards more security

It isn’t really news any longer: Google is pushing to secure the web.  Just like any parent, they have decided that the carrot isn’t working out quite as planned and now they are using the stick.

The only stick that really matters in the world of internet searches is the ranking your webpage receives when others try to find you.  If your webpage is not using HTTPS then Chrome users will see warnings.

Too much technology

It isn’t that I wanted to have an insecure website, but it wasn’t clear exactly how to set up my server to support this.  This is despite all the work of the LetsEncrypt project, whose goal is to provide digital certificates to enable web sites to support HTTPS (SSL/TLS) without having to purchase expensive certificates.

My host 1blu.de actually does have support for LetsEncrypt, but for some reason it did not work using this automated method, so I decided to give the manual install a try.  I can only imagine that over the last few years a considerable amount of work has been done.  I downloaded the certbot-auto program for Debian and ran it.  It was just about as painless as it could be.
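
For anyone wanting to retrace this, the manual route looked roughly like the following (assuming an Apache web server; the exact steps may differ depending on your host):

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo ./certbot-auto --apache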

All necessary packages were installed, my (virtual) machine was queried to determine which domains were being hosted on it, and I had the choice of getting a certificate for any of those domains.

Once the upgrade was finished they even provided me a link to test the certificate on my site.

https://www.ssllabs.com/ssltest/analyze.html?d=blog.paranoidprofessor.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/blog.paranoidprofessor.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/blog.paranoidprofessor.com/privkey.pem
   Your cert will expire on 2018-07-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I think that if I had installed Linux on a computer myself and hooked it up to the internet the process probably would not have been so smooth, but at this point I feel confident that case has been considered and would work.

You can choose to enable https on your site for any number of reasons.

  • show off your technical skills
  • build trust that your site is who it says it is
  • to get better rankings with Google
  • make national security agencies work harder

Any of these are legitimate reasons depending on your view.  The last choice in the list is only interesting if you are worried that organizations are watching your web browsing.  Changing one site over to HTTPS won’t make much difference, as which web site I am visiting will still be visible, but what data is being transferred won’t be.  This will also prevent some overeager ISP from injecting advertisements into your pages.

No matter what your reasons, computing power is cheap enough that https is the smart option.


command line fun – finding security problems with find

I cannot actually remember how it happened.  I wasn’t paying enough attention and was viewing one of my scripts on production.  When I was finished I did what I always do in vi – I exited the script using :x, which actually saves and exits.  In this instance, instead of getting a readonly error it actually saved the file.  I almost had a heart attack.

This shouldn’t have saved as my guest user has only viewing rights.

The good news was that I actually didn’t make any changes to my script, but how exactly did my script end up as read/write for everyone (ie chmod o+rw myscript.sh) and their dog?

Well, I started by checking my development project and the package that gets built from it.  I was, and still am, happy that my package build script does use 755 to make sure that my work doesn’t get changed by bad actors.

I can only assume that the package installation process somehow modifies the file permissions.  This is being followed up on, but I was curious just how widespread this was.  I did some further checking, and there is an easier way to determine which files are affected than examining each one.

Find

I wish I knew the back story on the find command, as there are probably a lot of interesting stories about how its features came into being.  In my case, on Solaris, there is an argument that allows you to search for a specific file permission.

find /path -perm 777

This simplest call will show you a list of all files with rather naughty 777 permissions.  It is, however, a rather crude way of searching.  You might want to know which permissions world users have while being unconcerned with those for owner or group.

Find still has you covered.  It is possible to check for read, write or execute permissions, or any combination thereof, for user, group or world.  The method is actually very similar to the chmod command.

find /path -perm -o+rwx

This command will return a list of all files that are defined as read, write and execute for everyone on the machine. This should hopefully be a very small number of files or at least they should be some simple developer files (on a test machine).

Of course there is a second syntax for producing the same output.

find /path -perm -o=rwx

This syntax might be a bit more intuitive if you are not very familiar with unix.
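
Once the offending files are found, find can also repair them in the same pass.  A sketch, assuming GNU find and that stripping world-write access is really what you want:

# find world-writable files under /path and remove the write bit for others
find /path -perm -o+w -type f -exec chmod o-w {} +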

It is possible to even go one more step and check for files that have the SUID set.  This is done in exactly the same way as the other permissions.

I have run this SUID check on my personal computer and you can see a very reasonable list of files that would have that bit set.

myuser@laptop ~ $ find /bin -perm -u+s -ls
  5242947     32 -rwsr-xr-x   1 root     root        30800 Jul 12  2016 /bin/fusermount
  5242997    140 -rwsr-xr-x   1 root     root       142032 Jan 28  2017 /bin/ntfs-3g
  5243023     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
  5242927     40 -rwsr-xr-x   1 root     root        40152 Jun 14 23:51 /bin/mount
  5242931     28 -rwsr-xr-x   1 root     root        27608 Jun 14 23:51 /bin/umount
  5243049     40 -rwsr-xr-x   1 root     root        40128 May 17 01:37 /bin/su
  5243022     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
myuser@laptop ~ $ 

In the end, I never did hear back why my files changed their permissions, but the problem was corrected.  This might be an interesting command to keep in mind for budding system administrators.


AWS – Simple Notification Service

AWS can provide you a LOT of functionality.  Some of what it provides is so powerful because you can automate given actions.  It isn’t necessary to monitor your EC2 instances to see if your machines are running at a high load; it is possible to configure autoscaling to start up and shut down instances based on the machine loads.

If you have ever setup the perfect system, program or script you realize it is still important to keep your finger on the pulse to prevent any unexpected surprises.

Amazon assists you in this with their Simple Notification Service (SNS), which can be configured to send off messages when certain activities occur or thresholds are crossed.  Unsurprisingly, you cannot use or subscribe to SNS until you have configured it with topics that interest you.

Configuring Simple Notification Service

The Simple Notification Service, or SNS, is just a clever implementation of the standard publish and subscribe pattern that you may have experienced at some e-commerce site or other interactive system.

One example of this would be subscribing to a web site that offers to notify you when more articles relating to your interests are available.  Another example might be a realtime trading system where you subscribe to the stock or currency prices you wish to follow, so your client receives new information as it becomes available.

All that is necessary for using SNS is to create a topic.

The topic setup actually involves two different names.  The topic field is up to 256 alpha-numeric characters, while the display name is friendlier but limited to 10 characters.
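
The same topic can be created from the AWS CLI; a sketch with a made-up topic name:

aws sns create-topic --name machine-alerts
# returns the topic ARN, e.g. arn:aws:sns:eu-central-1:123456789012:machine-alerts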

Subscribing to the service

Setting up the service itself is very quick and easy but in order for a person or system to receive any of these notifications they need to subscribe to SNS for that topic.

To subscribe simply select which topic you wish to subscribe to and select “subscribe to topic” from the actions button.  The rest is to simply fill out this dialog.

The topic ARN will be filled from the topic you selected.  Amazon will provide a sample endpoint depending on which protocol you choose.  Fill this in with the proper value for your protocol, in this example a valid email address for receiving the emails.

Amazon has added a nice little twist in that this service is a bit more generic: it can send these messages to interested parties via one of the following methods.

  • HTTP
  • HTTPS
  • Email
  • Email JSON
  • Amazon SQS
  • AWS Lambda
  • SMS

Note: SMS seems to be a new feature and is not yet rolled out to all regions.

That is all you need to do in order to create the topic and subscribe to it; however, just like almost every other mailing list or system, AWS requires that the email address (in this case) confirms the request.

It is not possible to edit these pending confirmations; they need to be confirmed by the account they were sent to.  It is possible to manually confirm these requests from the topic overview page: simply select the topic to be confirmed, which will open up a new dialog box asking for the proper confirmation URL.

In the case of responding to an email confirmation it is actually much easier to simply select the URL from the email which will perform the confirmation.
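
The CLI equivalent of the subscription dialog is a single command; the ARN and address below are placeholders:

aws sns subscribe --topic-arn arn:aws:sns:eu-central-1:123456789012:machine-alerts \
    --protocol email --notification-endpoint admin@example.com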

Testing setup

Once all of the previous steps are done, it is possible to “queue up” a message to test that the recipient will receive his or her message.  Simply select the topic from the list and press the “publish to topic” button, and you will be rewarded with a dialog which can be filled in with any test data you wish to send.

Once you press the publish button then the message will be sent out.
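
Publishing can also be scripted, which is handy for testing; a sketch using the placeholder ARN from above:

aws sns publish --topic-arn arn:aws:sns:eu-central-1:123456789012:machine-alerts \
    --subject "test message" --message "Hello from SNS"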

That is everything needed to create an SNS topic which can be used to notify yourself or your systems with information about the running state of your “machines” – but none of it will send a single message anywhere until other services are configured to publish to it.



don’t forget to periodically vote with your wallet

I don’t usually purchase any Windows software as I am a “Linux” guy.  I guess it makes sense as most Windows software packages wouldn’t work on your distribution even with a lot of prayers and the most current version of Wine (“Wine Is Not an Emulator”).

I say “usually purchase” because there are a few tasks that I cannot yet perform on Linux but I am trying to get past those issues.

Windows hasn’t always been the perfect operating system that it is today with Windows 10 – arguably it isn’t all that perfect right now, in my personal opinion.  I remember the “Windows XP” years, where I had to purchase some utilities and other software packages to round out my computing experience.  I was fairly happy until I had to upgrade to Windows 7, as not everything I had purchased still worked after the upgrade.

I was initially a bit upset that this or that fabulous little shareware program needed to be either repurchased or replaced by something else.  It didn’t take me too long to realize that if I was a representative user, then most of those developers were going to die of hunger on that income stream.  I saw a similar rant about this from a developer who used the Ubuntu software center – https://youtu.be/SMKeWTVYBUo?t=1249

The free market works because it sends signals to companies providing goods or services.  The companies selling products that are really desired get voted up (with money), which allows them to stay in business and expand, while the poor performers eventually go out of business.

I remember all of that from my economics class, but I don’t remember them speaking at all about how open source software development models fit into the rest of the economy.  The answer is that it works in a similar fashion – companies or people need resources to continue.

These resources might be money, hardware or talented individuals to help out with any of the tasks related to the development and shipping of software.

Help to support your favorite organizations

The number of good organizations to support is without end, so I can only mention some of the bigger ones that impact most of us every day – just a few of the big open source players.

To help keep open source strong we all need to try and support our favorite organizations.

Some of these organizations help us process our data while others inform us of what is happening in our world or even provide computers with our favorite operating systems. This support might be in the form of time, talent or treasure.

It isn’t important that we all support the exact same organizations but that we support the ones that make a difference to each of us.



Wireless Access point – EDIMAX

I don’t really feel the need to pimp out various hardware manufacturers but we just recently moved and our wireless network no longer reached all of the rooms.

The goal was to have seamless internet across the apartment without having two different wireless networks.  I did not have a large budget nor any preconceived notions about which brand would be best.  I tried going to a local electronics store, and it would have been easy to walk away with any of at least 10 different brands of repeaters, but from what I was seeing on the internet, repeaters don’t discriminate about which signals they repeat.  The internet also mentioned that most devices will act as both a repeater and an access point, but as none of the pretty colored boxes mentioned this I abandoned my local store … for the internet.

I did some searching on Amazon to try and find a model or two, and the trick was not finding a model that was an access point but finding one that did not have a lot of negative reviews.  I will be honest, I simply settled on the EDIMAX N300 access point (EW-7438APn).

The actual device was quite tiny, and the box also included a flat network cable.  The cable was perhaps 10 or 12 cm long, which was too short for me.  The box also came with a tiny quick setup booklet that described what you needed to do if you are planning on using the device straight out of the box.  I felt changing the admin password away from the default would be a good idea.

The only reason that I am writing this up is because of just how painless this was.  I didn’t quite follow the instructions but to be honest they could have provided a link for something a bit beefier.

The setup

I plugged in the device, connected it to the network and turned it on.

I was able to reach the device from my desktop computer.  Simply log in using the provided admin and password and proceed to change a few of the values.

Of the values, I only changed the SSID from the factory default to the same value as my existing wireless network, and changed the admin password and the wireless passphrase.  The only other changes were to set up the NTP server, select my timezone and enable the watchdog service check every 10 minutes.

I also found a lot of very useful information about the topic in general on superuser.com

https://superuser.com/questions/122441/how-can-i-get-the-same-ssid-for-multiple-access-points

It was pointed out that setting the SSID to the same value for multiple access points will work, but it depends on the client that connects.  If the client is not very clever, it will remain stuck to its original connection even when a better one exists.

There was one other small problem.  Despite setting up a connection to a time service, the date and time of the device don’t get properly set.  This wasn’t a problem for me, but it would be if you wanted to schedule the wireless turn-off period.

I actually do have one more small possible issue.  I personally haven’t had any problems connecting to the network through the new Edimax using Android (Samsung, Huawei or Kindle), but my wife has complained that she has problems connecting from her Apple tablet.


AWS – Autoscaling

The cloud isn’t really the cloud without some additional functionality beyond the ability of creating a virtual machine to run your software.

The cloud isn’t just somebody else’s data center either.  A short definition might be:

A cloud solution is one where the software solution or service is available over the internet and the user has the ability to allocate or deallocate it on their own without the involvement of IT.  Usually the cloud solution can expand or contract as required.

The National Institute of Standards and Technology has a slightly bigger, and much more elegant definition of what Cloud computing is – Cloud computing.

The part of this definition that I will be focusing on today is the ability of a cloud solution to expand or contract as necessary.  Amazon refers to this as elasticity and makes it possible by allowing you to set up Autoscaling.

Autoscaling

The ability to launch or shut down EC2 instances using system statistics such as CPU load to determine if more or fewer instances are required.

If it were only that easy in practice.  In order to take advantage of autoscaling, the programs need to be written so that it is possible to have multiple programs or processes running independently of each other.  This doesn’t have to be a difficult task; however, it may be an undertaking for monolithic legacy systems that have certain expectations.

Setting up Autoscaling is a two part process.  The first part is to define a launch configuration (ie a template) describing how each machine should be configured.  This would probably use one of your previously created AMIs, which would contain most if not all of your software configuration.

For brevity’s sake, I will skip a few of the screens for creating the launch configuration.  These steps should be familiar, as they are the same as setting up an EC2 instance.

First we give our launch configuration a name.

Once everything has been selected, we do a quick verify that all tags, storage and such are correctly defined.
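
The console wizard boils down to something like the following CLI call – the AMI id, instance type and key name here are placeholders:

aws autoscaling create-launch-configuration \
    --launch-configuration-name web-launch-config \
    --image-id ami-0123456789abcdef0 \
    --instance-type t2.micro \
    --key-name my-key-pair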

Auto Scaling Group

I cannot say if it is good “style” that AWS automatically launches you into the creation of a scaling group once your launch configuration has been set up; however, it certainly is convenient.

First you give your auto scaling group a name, decide how many instances should be in the group, pick a network, and decide which availability zones will be used when autoscaling.  The Amazon literature is pretty specific that for a high availability solution you would want your solution to span availability zones when possible, to counter the unlikely chance that an AZ goes down or becomes unreachable.

The scaling policies are where you get to decide how big your solution should scale.  You do have the opportunity to keep your group size the same as previously defined.

Doing so would be the equivalent of a high availability solution.  This guarantees that AWS will launch a new instance if for any reason your existing instance(s) go down.

You also decide what metrics will be used when deciding to increase or decrease the number of instances you have.

You can see that I have decided that 45% CPU utilization should be the signal to create another EC2 instance.

You can also see that if the overall CPU utilization goes below 25% then AWS will decrease the number of EC2 instances that are running.

Once you have set up everything for your group (notification and tags not displayed here), you get a chance to verify that you are satisfied with the setup.

The non-obvious step here is that once you actually create this group, AWS will proceed to create everything for you.  In one sense this is exactly what you want; however, it makes it impossible to create the group setup and then trigger it later once you are ready.
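
The whole group setup can likewise be scripted.  A sketch with placeholder names and zones, using a simple scaling policy (the CloudWatch alarms for the 45%/25% CPU thresholds would still need to be wired up to the returned policy ARNs):

aws autoscaling create-auto-scaling-group \
    --auto-scaling-group-name web-asg \
    --launch-configuration-name web-launch-config \
    --min-size 1 --max-size 4 --desired-capacity 1 \
    --availability-zones eu-central-1a eu-central-1b

# add one instance when the scale-up alarm fires
aws autoscaling put-scaling-policy \
    --auto-scaling-group-name web-asg \
    --policy-name scale-up \
    --adjustment-type ChangeInCapacity \
    --scaling-adjustment 1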



AWS – Your own machine image

Until you start to actually use Amazon storage (Elastic Block Store), you end up repeating yourself a lot getting your machine images into a working state.  This might be something really simple such as adding your world-class HTML code to your web site, or it might be adding other tools to your environment; it could even be the setup of your web server.

In any case, the act of repeating the same actions time and time again does begin to lose its charm after about 3 or 4 times.  It is possible to save the state of your machine by creating your own custom image.  I don’t have an entire data center full of machines, so I will start with a single image – the web server.

In my opinion, this turns out to be easier than a lot of other steps that I have had to perform.  The steps are pretty easy.

  • Pick an existing AMI as base
  • Start your image
  • Connect to your virtual machine and modify
  • Save image with new name

Pick an existing Amazon machine image

A lot of the steps for creating an Amazon machine image (AMI) are actually the same as when you first pick out an image while creating an EC2 instance.

Select an Amazon Machine Image


Choose which instance type of that image you wish

This depends on which Linux flavor you desire (or which Windows version you require).


Start your image

These are exactly the same steps that you had to perform to start an EC2 image.  This has been described in my article “AWS – Setting up EC2”.


Connect to your virtual machine and modify

Connecting to your machine is actually made quite painless by Amazon.  Simply select your machine and press the “connect” button on your dashboard.  This will bring up a big friendly dialog on how to connect to your machine.

Not only that, it is possible to copy and paste the command from the dialog to your shell.

If you are a Windows user or are using some other operating system, how you connect may vary.  Amazon does have instructions for Windows users.

Once you are connected to the instance you can do any of the normal command line operations.  One such example is the stress command.  The stress command comes in handy when testing autoscaling.

I have been using the Amazon Linux image which uses yum for installing software.

sudo yum install stress

Once the stress utility (or even the Apache web server) is installed, you are ready to create your own image.  I didn’t install the entire LAMP stack for this test, but Amazon does describe how to install the whole thing.
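
As a quick illustration of how stress might be used to provoke the autoscaling thresholds (the worker count and duration here are arbitrary):

# load 2 CPU workers for 5 minutes to push utilization up
stress --cpu 2 --timeout 300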


Save image with new name

Once you have an instance up and running that contains all of your personal changes the rest is trivial.  From the dashboard simply select Image from the “Actions” button and select create image (Actions -> Image -> Create image).

This will bring up a dialog box asking for both the image name and a description of the image.

Once you have filled this out, press the create image button, and after a few minutes the image will be saved in your list of Amazon images.
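
The same can be done from the CLI; a sketch with a placeholder instance id:

aws ec2 create-image --instance-id i-0123456789abcdef0 \
    --name "web-server-image" --description "Amazon Linux with my web setup"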

