{"id":94,"date":"2014-09-24T19:58:07","date_gmt":"2014-09-24T19:58:07","guid":{"rendered":"https:\/\/www.pendragonsfolly.com\/?p=94"},"modified":"2014-09-24T20:07:40","modified_gmt":"2014-09-24T20:07:40","slug":"aws-linux-ec2-instance-creation-checklist","status":"publish","type":"post","link":"https:\/\/www.pendragonsfolly.com\/?p=94","title":{"rendered":"AWS Linux EC2 Instance Creation Checklist"},"content":{"rendered":"

This is intended to be an ongoing check list of tasks (with implementation notes) to perform when creating a new Linux instances on AWS<\/p>\n

    \n
  1. Choose OS (I am trying to use Ubuntu for instances that don’t specifically require RHEL )<\/li>\n
  2. Create the instance with desired root volume size. \u00a0RHEL seems to create a volume with the specified size, but then allocates a 6GB root partition.<\/li>\n
  3. Choose appropriate VPC, subnet (considerations: public, private, AZ, what RDS or other instances need to communicate with it)<\/li>\n
  4. Select the appropriate Key (will create additional accounts and assign keys as needed)<\/li>\n
  5. Select or Configure Initial security rules<\/li>\n
  6. Start instance<\/li>\n
  7. Resize root partition if necessary (currently only necessary for RHEL 7 instances)\n
      \n
    1. Stop the instance<\/li>\n
    2. If you have done any configuration already, take a snapshot of the volume to protect your work (only if restoring the snapshot would be worthwhile should something go wrong)<\/li>\n
    3. Note the mount point and volume name of the root volume<\/li>\n
    4. detach the volume and attach it to another instance (preferable running the same OS\u00a0\u2013 spin a temporary one up if needed). \u00a0You do not need (nor want) to mount it.<\/li>\n
    5. See:\u00a0http:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/storage_expand_partition.html#prepare-linux-root-part<\/a>\u00a0 (read this to verify the next steps still hold\u00a0\u2013 and to see example output)<\/li>\n
    6. make sure that the filesystem is OK BEFORE<\/strong> <\/span>you resize it. \u00a0(the URL above skips this step): \u00a0 xfs_repair \/dev\/xvdf1 \u00a0(for xfs used by RHEL 7<\/em>) OR<\/span> for ext4<\/em>:<\/strong> sudo e2fsck -f \/dev\/xvdf1 \u00a0(or whatever device you attached the volume as)<\/li>\n
    7. parted \/dev\/xvdf (or whatever device you attached it as)<\/li>\n
    8. (parted) unit s<\/li>\n
    9. (parted) print<\/li>\n
    10. (parted) rm 1<\/li>\n
    11. (parted) mkpart primary 2048s 100% OR<\/span> (for gpt partitions<\/em>)<\/strong> (parted) mkpart Linux 4096s 100%<\/li>\n
    12. (parted) print<\/li>\n
    13. (parted) set 1 boot on<\/li>\n
    14. (parted) quit<\/li>\n
    15. xfs_repair \/dev\/xvdf1 \u00a0(for xfs used by RHEL 7<\/em>)\u00a0OR<\/span>\u00a0for\u00a0ext4<\/em>:<\/strong>\u00a0e2fsck -f \/dev\/xvdf1 \u00a0(or whatever device you attached the volume as)<\/li>\n
    16. detach the volume and reattach it in the proper place on the new instance<\/li>\n
    17. start the instance<\/li>\n<\/ol>\n<\/li>\n
    18. Allocate desired swap space as a swap file\n
        \n
      1. This example will assume an 8 GB swap file (\/var\/swap.1)<\/li>\n
      2. sudo\u00a0\u00a0\/bin\/dd if=\/dev\/zero of=\/var\/swap.1 bs=1M count=8000<\/li>\n
      3. chmod 600 \/var\/swap.1<\/li>\n
      4. sudo \/sbin\/mkswap \/var\/swap.1<\/li>\n
      5. sudo \/sbin\/swapon \/var\/swap.1<\/li>\n
      6. To enable it by default after reboot, add this line to \/etc\/fstab:\u00a0\/var\/swap.1 swap swap defaults 0 0<\/li>\n<\/ol>\n<\/li>\n
      7. Configure hostname\n
          \n
        1. hostnamectl set-hostname <hostname.FQDN><\/li>\n
        2. add hostname and FQHN to \/etc\/hosts<\/li>\n
        3. modify \/etc\/cloud\/cloud.cfg and comment out the set_hostname, update-hostname, and update_etc_hosts lines<\/li>\n<\/ol>\n<\/li>\n
        4. Set timezone\n
            \n
          1. (RHEL 7) \u00a0timedatectl set-timezone America\/Chicago<\/li>\n
          2. ln -sf \/usr\/share\/zoneinfo\/America\/Chicago \/etc\/localtime \u00a0 \u00a0(verify that timedatectl did this for RHEL 7 \u2013 if not, do it!)<\/li>\n<\/ol>\n<\/li>\n
          3. Create additional accounts\n
              \n
            1. groups ubuntu (or ec2-user)<\/li>\n
            2. useradd -s \/bin\/bash -m -d \/home\/newuser -G adm,cdrom,floppy,sudo,audio,dip,video,plugdev,netdev\u00a0newuser<\/li>\n
            3. edit \/etc\/sudoers:
              \nnewuser ALL=(ALL) NOPASSWD:ALLOR change%sudo ALL=(ALL:ALL) NOPASSWD:ALL \u00a0(put NOPASSWD: into existing line\u00a0\u2013 for some reason this works for ubuntu but not for the second user without spec’ing this)<\/li>\n
            4. mkdir ~newuser\/.ssh<\/li>\n
            5. vi ~newuser\/.ssh\/authorized_keys<\/li>\n
            6. add in the contents of the newuser.pub file from the my\u00a0repository<\/li>\n
            7. chmod 700 ~newuser\/.ssh<\/li>\n
            8. chmod 600 ~newuser\/.ssh\/authorized_keys<\/li>\n
            9. chown -R newuser:newuser ~newuser\/.ssh<\/li>\n
            10. test logging into the account from another machine and verify that “sudo bash” works.<\/li>\n<\/ol>\n<\/li>\n
            11. Allow passwords for SSH (ONLY if required\/desired)\n
                \n
              1. edit \/etc\/ssh\/sshd_config and set PasswordAuthentication yes<\/li>\n
              2. restart sshd<\/li>\n<\/ol>\n<\/li>\n
              3. Create and mount additional volumes<\/li>\n
              4. Configure automatic backups\n
                  \n
                1. set the Autosnapshot tag to True for all volumes that you want backed up automatically<\/li>\n<\/ol>\n<\/li>\n
                2. Install additional software<\/li>\n
                3. Do initial software update\n
                    \n
                  1. apt-get update && apt-get dist-upgrade<\/li>\n
                  2. yum update<\/li>\n<\/ol>\n<\/li>\n
                  3. Configure automatic updates\n
                      \n
                    1. RHEL: yum install yum-cron\n
                        \n
                      1. for RHEL < 7, edit \/etc\/sysconfig\/yum-cron<\/li>\n
                      2. \/etc\/init.d\/yum-cron start<\/li>\n
                      3. chkconfig yum-cron on<\/li>\n
                      4. For RHEL >= 7, edit \/etc\/yum\/yum-cron.conf<\/li>\n
                      5. if you only want security updates => update_cmd = security<\/li>\n
                      6. apply_updates = yes (also download_updates)<\/li>\n<\/ol>\n<\/li>\n
                      7. Ubuntu:\n
                          \n
                        1. apt-get install unattended-upgrades<\/li>\n
                        2. dpkg-reconfigure -plow unattended-upgrades<\/li>\n
                        3. verify\u00a0\/etc\/apt\/apt.conf.d\/20auto-upgrades<\/li>\n
                        4. verify\u00a0\/etc\/apt\/apt.conf.d\/50unattended-upgrades (verify reboot time and that automatic reboot is true)<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n
                        5. Tag volumes for automatic backup\n
                            \n
                          1. set the Autosnap tag to True<\/li>\n<\/ol>\n<\/li>\n
                          2. Configure and test additional security rules<\/li>\n
                          3. Create a restore AMI! \u00a0(Since this creates a snapshot, I don’t <think> this will take up a lot of extra space for instances that we plan to backup anyway.) \u00a0This is a REALLY good idea since restoring a snapshot relies on you to first create a new instance based off the same AMI as the original and then replace or attach the volume on that instance. \u00a0We can’t guarentee that the original instance will still be available.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

                            This is intended to be an ongoing check list of tasks (with implementation notes) to perform when creating a new Linux instances on AWS Choose OS (I am trying to use Ubuntu for instances that don’t specifically require RHEL ) …<\/p>\n

                            Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4,1,3],"tags":[],"class_list":["post-94","post","type-post","status-publish","format-standard","hentry","category-aws","category-linux","category-uncategorized","category-work"],"_links":{"self":[{"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94"}],"version-history":[{"count":3,"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions"}],"predecessor-version":[{"id":100,"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions\/100"}],"wp:attachment":[{"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pendragonsfolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}