Your first steps within the Amazon Cloud

Quick overview

Before you can start playing with Amazon EC2, you have to create an account on Amazon Web Services, of which EC2, the Elastic Compute Cloud, is part. This is fairly straightforward, and done in two steps:

  1. you "sign-up" directly on Amazon Web Services home-page. This is where you enter your credentials, and confirm your AWS account registration.
  2. you sign-up to EC2 through EC2 AWS home-page. You will be asked some more information, like a credit card (for billing), and a phone-number, for account validation.

What do you need to know?

EC2 uses different types of credentials. In addition to your login and password, you need an access key, a X.509 certificate (with its private key), and a pair of RSA keys, for remote SSH access.

These can be created through the Security Credentials page (also accessible from the Account page):

  1. create the access key. Keep a secured copy of the ID and its associated secret value. These will be used by various scripts later on to perform certain EC2 actions.
  2. note down your account number (different from your access key ID!). This identifier can usually be obtained in the right top part of the page; it is a serie of numbers, separated with dashes: XXXX-XXXX-XXXX.
  3. create, or upload, a X.509 certificate, in PEM format. Keep the private key in a safe place.
  4. lastly, generate Amazon EC2 key pairs that will be used for SSH access. This step will be performed through the Amazon Management Console. Note down the SSH Key Pair Name you chose.

Keep your credentials!

The different credentials created above will be used in various places of EC2, and by a myriad of commands. You are advised to keep them easily accessible, while still reasonably secure regarding their access. Most EC2 tools expect them to be find through a set of environment variables.

For convenience, you could store them under a .ec2 directory inside your $HOME:

$ ls .ec2/                                                                
cert-SOMERANDOMKEY.pem # the X.509 certificate
id_rsa.ec2             # private RSA SSH key
id_rsa.ec2.pub         # public RSA SSH key
pk-SOMERANDOMKEY.pem   # the private key associated to the certificate

then set the environment accordingly:

export EC2_PRIVATE_KEY=$HOME/.ec2/pk-SOMERANDOMKEY.pem
export EC2_CERT=$HOME/.ec2/cert-SOMERANDOMKEY.pem
export EC2_SSH_KEY=$HOME/.ec2/id_rsa.ec2
export EC2_SSH_KEYNAME=<your_ssh_key_pair_name>
export EC2_ACCOUNT_NUM=XXXX-XXXX-XXXX
export EC2_ACCESS_KEY=MYACCESSKEYID
export EC2_SECRET_KEY=MYSECRETACCESSKEY

Please note that the rest of the tutorial will assume that these variables are set.

Installing EC2 API tools

NetBSD provides EC2 API tools, to ease EC2 account management a little bit. The package is found inside pkgsrc, under misc/ec2-api-tools .

cd /usr/pkgsrc/misc/ec2-api-tools
make ACCEPTABLE_LICENSES+=amazon-software-license install

Package depends on Java, so build will take some time to finish. While it builds, just continue reading.

EC2 vocabulary -- last notes

Before starting to play with EC2, you need to be familiar with the EC2 vocabulary used throughout this tutorial.

Briefly said, EC2 uses Xen as virtualization solution. So all operating systems that support Xen para-virtualization can theoretically run inside EC2 as a domU, and NetBSD is one of them.

All operating systems are run as instances, which are, as their name implies, the instantiation of a specific AMI, or Amazon Machine Image. An AMI is an image built from specific snapshots of volumes. The volumes are part of Elastic Block Storage (or EBS for short), which is another service offered by AWS, distinct from EC2.

These instances are tied to a region (a geographical location; typically US East, US West, Europe West, etc.). Each region has availability zones, which can be compared to a sub-region, each one being physically distinct from another. Regions are identified by a name, like us-east-1, eu-west-1. Same goes for availability zones, usually with the region's name as prefix: us-east-1a, us-east-1b, and so forth. Note that resources are not shared between zones, so if you transfer data from one zone to another, you will be charged for it.

AKI, or Amazon Kernel Image, are a specific type of image. It represents the Xen guest para-virtualized kernel, as used by an AMI. Certain AKIs are allowed to boot customized operating systems, e.g. those that are still not officially supported by Amazon. Thanks to PyGrub, it can boot a kernel that resides inside an AMI's snapshot.

Add a comment