# # Goals of this notebook # # * instantiate a new EC2 instance with which to build a new image # * configure the instance -- what's involved? Essentially turn https://github.com/Gluejar/regluit/blob/master/README.md into a fabric script # * security group # * database # * database security group # * IAM # * elastic IP # # # I'm starting to figure out the pieces using this IPython notebook, but ultimately what am I producing? Something that Eric and Andromeda can run: # # * a set of fabric commands (https://github.com/Gluejar/regluit/blob/master/fabfile.py)? # * some other form? # # In[ ]: from regluit.sysadmin import aws reload(aws) # In[ ]: # look up Ubuntu EC2 image ids from alestic.com # us-east-1 Ubuntu 12.04 LTS Precise # EBS boot ami-e7582d8e #AMI_UBUNTU_12_04_ID = 'ami-79c0ae10' # older one AMI_UBUNTU_12_04_ID = 'ami-e7582d8e' image = aws.ec2.get_all_images(image_ids=[AMI_UBUNTU_12_04_ID])[0] # In[ ]: # name of image follows Eric Hammond's convention of dating the images image.id, image.name # In[ ]: # sometimes we have an instance running or created already # so we just need to get a reference to it (instead of creating a new one) instance = aws.instance('new_test') instance, instance.state # In[ ]: # launch a new instance # use default security group for now -- probably want to make a new one INSTANCE_NAME = 'new_test' SECURITY_GROUP_NAME = 'testsg1' (instance, cmd) = aws.launch_instance(ami=AMI_UBUNTU_12_04_ID, instance_type='t1.micro', key_name='rdhyee_public_key', group_name=SECURITY_GROUP_NAME, tag='new_instance', cmd_shell=False) # In[ ]: instance.update() # In[ ]: # add name INSTANCE_NAME = 'new_test' instance.add_tag('Name', INSTANCE_NAME) # In[ ]: # configure security group testsg1 PORTS_TO_OPEN = [80, 443] for port in PORTS_TO_OPEN: aws.ec2.authorize_security_group(group_name=SECURITY_GROUP_NAME, ip_protocol='tcp', from_port=port, to_port=port, cidr_ip='0.0.0.0/0') # In[ ]: console_output = instance.get_console_output() # In[ ]: # it takes time for the console output to show not be None -- I don't know exactly how long print console_output.output # In[ ]: # http://ubuntu-smoser.blogspot.com/2010/07/verify-ssh-keys-on-ec2-instances.html [line for line in console_output.output.split("\n") if line.startswith("ec2")] # In[ ]: instance_id = instance.id instance_id # In[ ]: output = !source ~/gj_aws.sh; ec2-get-console-output $instance_id | grep -i ec2 # In[ ]: output # In[ ]: # copy a command to ssh into the instance cmdstring = "ssh -oStrictHostKeyChecking=no ubuntu@{0}".format(instance.dns_name) # works on a mac ! echo "$cmdstring" | pbcopy cmdstring ## dynamic execution of fabric tasks to setup the instance # In[ ]: # http://docs.fabfile.org/en/1.6/usage/execution.html#using-execute-with-dynamically-set-host-lists import fabric from fabric.api import run, local, env, cd, sudo from fabric.operations import get from regluit.sysadmin import aws from StringIO import StringIO import github # uncomment for debugging # github.enable_console_debug_logging() from github import Github from django.conf import settings # allow us to use our ssh config files (e.g., ~/.ssh/config) env.use_ssh_config = True GITHUB_REPO_NAME = "Gluejar/regluit" #GITHUB_REPO_NAME = "rdhyee/working-open-data" # maybe generate some random pw -- not sure how important it is to generate some complicated PW if we configure # security groups properly MYSQL_ROOT_PW = "unglueit_pw_123" # can use 3 different types of authn: https://github.com/jacquev6/PyGithub/issues/15 # can be empty, username/pw, or personal API token (https://github.com/blog/1509-personal-api-tokens) g = Github(settings.GITHUB_AUTH_TOKEN) def host_type(): run('uname -s') def deploy(): sudo("aptitude update") sudo("yes | aptitude upgrade") sudo("yes | aptitude install git-core apache libapache2-mod-wsgi mysql-client python-virtualenv python-mysqldb redis-server python-lxml") sudo("yes | aptitude install python-dev") # http://www.whatastruggle.com/postfix-non-interactive-install sudo("DEBIAN_FRONTEND='noninteractive' apt-get install -y -q --force-yes postfix") sudo ("mkdir /opt/regluit") sudo ("chown ubuntu:ubuntu /opt/regluit") run('git config --global user.name "Raymond Yee"') run('git config --global user.email "rdhyee@gluejar.com"') run('ssh-keygen -b 2048 -t rsa -f /home/ubuntu/.ssh/id_rsa -P ""') # how to get the key and push it to github s = StringIO() get('/home/ubuntu/.ssh/id_rsa.pub', s) repo = g.get_repo(GITHUB_REPO_NAME) key = repo.create_key('test deploy key', s.getvalue()) # http://debuggable.com/posts/disable-strict-host-checking-for-git-clone:49896ff3-0ac0-4263-9703-1eae4834cda3 run('echo -e "Host github.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config') # clone the regluit git repo into /opt/regluit with cd("/opt"): run("yes | git clone git@github.com:Gluejar/regluit.git") # for configuring local mysql server (5.5) # http://stackoverflow.com/a/7740571/7782 sudo("debconf-set-selections <<< 'mysql-server-5.5 mysql-server/root_password password {0}'".format(MYSQL_ROOT_PW)) sudo("debconf-set-selections <<< 'mysql-server-5.5 mysql-server/root_password_again password {0}'".format(MYSQL_ROOT_PW)) sudo("apt-get -y install mysql-server") def deploy_next(): pass #hosts = ['ubuntu@ec2-75-101-232-46.compute-1.amazonaws.com'] hosts = ["ubuntu@{0}".format(instance.dns_name)] fabric.tasks.execute(deploy, hosts=hosts) # ## Commands to add? # # By the time we run through a lot of the fabric script, a reboot of the system is required. After installing mysql locally, it seems that the instance needs to be rebooted. Here's some code to do so. Problem remaining is how to reboot, wait for reboot to be completed, and then pick up the next steps. # # I could issue a fabric command to apply security upgrade: `sudo unattended-upgrade` # # or # # I think there is a boto command to restart instance # # In[ ]: rebooted_instance = instance.reboot() rebooted_instance # In[ ]: # looks like reboot works, but that the instance status remains running throughout time reboot happens... # maybe we wait a specific amount of time and the try to connect ## EC2 security groups # * listing key existing security groups # * how to copy parameters # # # In[ ]: # security groups security_groups = aws.ec2.get_all_security_groups() security_groups # In[ ]: # pull out the security group used for unglue.it web_prod_sgroup = [(group.id, group.name, group.description, group.rules) for group in security_groups if group.name=='web-production'][0] # In[ ]: web_prod_sgroup # In[ ]: # http://boto.readthedocs.org/en/latest/security_groups.html rules = web_prod_sgroup[3] [(rule.ip_protocol, rule.from_port, rule.to_port, rule.grants, rule.groups) for rule in rules] # In[ ]: [(grant.cidr_ip) for grant in rule.grants] # In[ ]: [(grant.owner_id, grant.group_id, grant.name, grant.cidr_ip) for grant in rule.grants] # In[ ]: # let's make a new security group to replicate the web-production sg test8_sg = aws.ec2.create_security_group('test8', 'test8 sg') # In[ ]: # You need to pass in either src_group_name OR ip_protocol, from_port, to_port, and cidr_ip. test8_sg.authorize('tcp', 80, 80, '0.0.0.0/0') test8_sg.authorize('tcp', 22, 22, '0.0.0.0/0') test8_sg.authorize('tcp', 443, 443, '0.0.0.0/0') # In[ ]: test9_sg = aws.ec2.create_security_group('test9', 'test9 sg') # In[ ]: test9_sg.authorize(src_group=test8_sg) # In[ ]: test8_sg.rules # In[ ]: rules = test9_sg.rules rule = rules[0] grant = rule.grants[0] # In[ ]: (rule.ip_protocol, rule.from_port, rule.to_port, rule.grants) # In[ ]: grant.owner_id, grant.group_id, grant.name, grant.cidr_ip # In[ ]: test9_sg = [(group.id, group.name, group.description, group.rules) for group in security_groups if group.name=='test9'][0] # In[ ]: rules = test9_sg[3] [(rule.ip_protocol, rule.from_port, rule.to_port, [(grant.owner_id, grant.group_id, grant.name, grant.cidr_ip) for grant in rule.grants], rule.groups) for rule in rules] # In[ ]: aws.ec2.authorize_security_group(group_name='test8', ip_protocol='tcp', from_port=80, to_port=80, cidr_ip='0.0.0.0/0') # In[ ]: # let's compute the instances that are tied to the various security groups # http://boto.readthedocs.org/en/latest/ref/ec2.html#module-boto.ec2.securitygroup # This calculation is useful for reconstructing the relationships among instances and security groups from boto.ec2 import securitygroup for security_group in aws.ec2.get_all_security_groups(): sg = securitygroup.SecurityGroup(name=security_group.name, connection=aws.ec2) print security_group, [inst.id for inst in sg.instances()] # In[ ]: # with the exception of frontend-lb, let's delete the security groups that have no attached instances for sg in [sg for sg in aws.ec2.get_all_security_groups() if len(sg.instances()) == 0 and sg.name != 'frontend-lb']: print sg.name, sg.id, aws.ec2.delete_security_group(group_id=sg.id) ## Setting up MySQL # * plain old mysql on the server ( https://help.ubuntu.com/12.04/serverguide/mysql.html ) # * RDS parameters to figure out # # to run mysql on server -- if you didn't have to worry about interactivity: # # > `sudo apt-get install mysql-server` # In[ ]: thatcvamp"ubuntu@{0}".format(inst.dns_name) # In[ ]: # once mysql installed, how to test the basic connectivity? #
# sudo debconf-set-selections <<< 'mysql-server-5.5 mysql-server/root_password password unglueit_pw_123' # sudo debconf-set-selections <<< 'mysql-server-5.5 mysql-server/root_password_again password unglueit_pw_123' # sudo apt-get -y install mysql-server ## #
# mysql -h 127.0.0.1 --user=root --password=unglueit_pw_123 ## mysql -h 127.0.0.1 --user=root --password=unglueit_pw_123 <<'EOF' # # SHOW DATABASES; # EOF # # ## Creating an Image out of Instance # In[ ]: instance.id # In[ ]: new_image = aws.ec2.create_image(instance.id, "script_built_after_local_mysql_2013-05-24", description="next step figure out RDS") # In[ ]: # sometimes it really does take a surprisingly long time to make an image out of an instance # new_image = aws.ec2.get_image(image_id=u'ami-853a51ec') new_image # In[ ]: new_image = aws.ec2.get_image(new_image) # In[ ]: new_image.state # Fire up an instance # In[ ]: (instance, cmd) = aws.launch_instance(ami=u'ami-853a51ec', instance_type='t1.micro', key_name='rdhyee_public_key', group_name=SECURITY_GROUP_NAME, tag='new_instance', cmd_shell=False) ## RDS # http://calculator.s3.amazonaws.com/calc5.html can be used to estimate costs # # A barebones micro rds costs about $20/month # # References: # # * [boto rds intro](http://boto.readthedocs.org/en/latest/rds_tut.html) # * [boto rds api ref](http://boto.readthedocs.org/en/latest/ref/rds.html) # In[ ]: dbs = aws.all_rds() dbs # In[ ]: db = dbs[1] (db.id, db.allocated_storage, db.instance_class, db.engine, db.master_username, db.parameter_group, db.security_group, db.availability_zone, db.multi_az) # In[ ]: # I forgot I already have a working rds db info displayer aws.db_info(db) # In[ ]: # parameter group # http://boto.readthedocs.org/en/latest/ref/rds.html#module-boto.rds.parametergroup # I think functionality is more primitive # In[ ]: pg = aws.rds.get_all_dbparameters('production1') # In[ ]: rds = aws.rds def parameter_group_iteritems(group_name): first_page = True get_next_page = True while get_next_page: if first_page: pg = rds.get_all_dbparameters(group_name) first_page = False else: pg = rds.get_all_dbparameters(group_name, marker = pg.Marker) for key in pg.keys(): yield (key, pg[key]) get_next_page = hasattr(pg, 'Marker') # In[ ]: # try to turn parameter group into a dict to enable reproducibiity of group pg_dict = {} for (key, param) in parameter_group_iteritems('production1'): try: key, {'name':param.name, 'type':param.type, 'description':param.description, 'value':param.value} except Exception as e: print key, e # In[ ]: sorted(pg_dict.keys()) # In[ ]: # https://github.com/boto/boto/blob/2.8.0/boto/rds/parametergroup.py#L71 param = pg_dict.get('tx_isolation') {'name':param.name, 'type':param.type, 'description':param.description, 'value':param.value} # In[ ]: # security group # In[ ]: # how to create RDS # db = conn.create_dbinstance("db-master-1", 10, 'db.m1.small', 'root', 'hunter2') ## IAM # good to get an automated handle of the IAM groups and users. To use boto to manage IAM, you will need to have AWS keys with sufficient permissions. # In[ ]: from regluit.sysadmin import aws iam = aws.boto.connect_iam() IAM_POWER_USER_PERMISSION = """{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] }""" # get group names def all_iam_group_names(): return [g.group_name for g in iam.get_all_groups()['list_groups_response']['list_groups_result']['groups']] # get user names def all_iam_user_names(): return [u.user_name for u in iam.get_all_users()[u'list_users_response'][u'list_users_result']['users']] # mapping between groups and users # list users and their corresponding groups. def iam_group_names_for_user(user_name): return [g.group_name for g in iam.get_groups_for_user(user_name)['list_groups_for_user_response'][u'list_groups_for_user_result']['groups']] # for given groups, list corresponding users def iam_user_names_for_group(group_name): return [u.user_name for u in iam.get_group(group_name=group_name)[u'get_group_response'][u'get_group_result']['users']] # find keys associated with user def access_keys_for_user_name(user_name): keys = iam.get_all_access_keys(user_name=user_name)['list_access_keys_response'][u'list_access_keys_result']['access_key_metadata'] return keys # can we use IAM to create new IAM user and get the key / secret? def create_iam_user(user_name, generate_key=True): iam_user = iam.create_user(user_name=user_name) if generate_key: key_output = iam.create_access_key(user_name=user_name) access_key = key_output['create_access_key_response']['create_access_key_result']['access_key'] (key, secret) = (access_key['access_key_id'], access_key['secret_access_key']) return (iam_user, key, secret) else: return (iam_user, key, None, None) def delete_iam_user(user_name): # check to see whether there is such a user_name. try: iam.get_user(user_name) except boto.exception.BotoServerError as e: return None # delete associated keys keys = access_keys_for_user_name(user_name) for key in keys: # print key.access_key_id, key.status iam.delete_access_key(access_key_id=key.access_key_id, user_name=user_name) #result = iam.update_access_key(access_key_id=key.access_key_id, user_name=user_name, status='Inactive') # also need to delete associated policies policy_names = iam_policy_names_for_user(user_name) for policy_name in policy_names: iam.delete_user_policy(user_name=user_name,policy_name=policy_name) # once the keys associated with the user are deleted, then proceed to delete the user result = iam.delete_user(user_name) return result # policies def iam_policy_names_for_group(group_name): return iam.get_all_group_policies(group_name=group_name)['list_group_policies_response'][u'list_group_policies_result']['policy_names'] def iam_policy_names_for_user(user_name): return iam.get_all_user_policies(user_name=user_name)['list_user_policies_response'][u'list_user_policies_result']['policy_names'] def policy_document(policy_name, user_name=None, group_name=None): if group_name is not None: document = iam.get_group_policy(group_name=group_name, policy_name=policy_name)[u'get_group_policy_response'][u'get_group_policy_result'][u'policy_document'] return urlparse.parse_qs("policy={0}".format(document))['policy'][0] if user_name is not None: document = iam.get_user_policy(user_name=user_name, policy_name=policy_name)[u'get_user_policy_response'][u'get_user_policy_result'][u'policy_document'] return urlparse.parse_qs("policy={0}".format(document))['policy'][0] # get general IAM stats (iam.get_account_summary(), all_iam_group_names(), all_iam_user_names(), iam_group_names_for_user('eric'), iam_user_names_for_group('gluejar'), access_keys_for_user_name('ry-dev') ) # In[ ]: # test -> grab all groups and list of corresponding users for g in all_iam_group_names(): print g, iam_user_names_for_group(g) # In[ ]: # list all keys by looping through users for u in all_iam_user_names(): print u, [(k.access_key_id, k.status) for k in access_keys_for_user_name(u)] # In[ ]: # look at permission structures of groups and users from urllib import urlencode import urlparse policy_names = iam_policy_names_for_group('gluejar') for p in policy_names: print policy_document(group_name='gluejar', policy_name=p) # In[ ]: iam_user, key, secret = create_iam_user('ry-dev-3', True) iam.put_user_policy( user_name='ry-dev-3', policy_name='power_user_2013-06-12', policy_json=IAM_POWER_USER_PERMISSION) # In[ ]: # write out a shell script for configuring the environment with the keys for AWS print """#!/bin/bash export AWS_ACCESS_KEY_ID={AWS_ACCESS_KEY_ID} export AWS_SECRET_ACCESS_KEY={AWS_SECRET_ACCESS_KEY} # EC2 API tools export EC2_ACCESS_KEY=$AWS_ACCESS_KEY_ID export EC2_SECRET_KEY=$AWS_SECRET_ACCESS_KEY""".format(**{'AWS_SECRET_ACCESS_KEY':secret, 'AWS_ACCESS_KEY_ID':key}) # In[ ]: [policy_document(p, user_name='ry-dev-3') for p in iam_policy_names_for_user('ry-dev-3')] # In[ ]: delete_iam_user(user_name='ry-dev-3') # # Different ways to pass in AWS keys to boto # # http://boto.readthedocs.org/en/latest/boto_config_tut.html # # * Credentials passed into Connection class constructor. # * Credentials specified by environment variables # * Credentials specified as options in the config file. # #
# # #!/bin/bash # # export AWS_ACCESS_KEY={AWS_ACCESS_KEY} # export AWS_SECRET_KEY={AWS_SECRET_KEY} # # # EC2 API tools # export EC2_ACCESS_KEY=$AWS_ACCESS_KEY # export EC2_SECRET_KEY=$AWS_SECRET_KEY # ## # In[ ]: %%bash # something to convert this notebook to Python source cd /Users/raymondyee/D/Document/Gluejar/Gluejar.github/regluit; python ~/C/src/nbconvert/nbconvert.py python build_ec2_instances_for_django.ipynb # In[ ]: import fabric from fabric.api import run, local, env, cd, sudo from fabric.operations import get def run_on_ry_dev(): run("ls -lt") hosts = ["ubuntu@ry-dev.unglue.it"] fabric.tasks.execute(run_on_ry_dev, hosts=hosts) # In[ ]: instance.state