11.12.2018

AWS: Accessing S3 buckets from the internet and from ec2 instances

After reading about endpoints for AWS S3, I was wondering how I could use this feature.

The first step was to create a bucket and then simply try to access this bucket over the internet:

$ aws s3api create-bucket --bucket my.webtest --region eu-west-1 --create-bucket-configuration LocationConstraint=eu-west-1
{
    "Location": "http://my.webtest.s3.amazonaws.com/"
}
And then I put this location into my browser:


This is as expected, because I did not allow public access for this bucket:


Ok. Let's try this from an EC2 instance:
$ wget http://my.webtest.s3.amazonaws.com/
--2018-12-04 20:09:47--  http://my.webtest.s3.amazonaws.com/
Auflösen des Hostnamen »my.webtest.s3.amazonaws.com (my.webtest.s3.amazonaws.com)«... 52.216.107.108
Verbindungsaufbau zu my.webtest.s3.amazonaws.com (my.webtest.s3.amazonaws.com)|52.216.107.108|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 307 Temporary Redirect
Platz: http://my.webtest.s3-eu-west-1.amazonaws.com/[folge]
--2018-12-04 20:09:47--  http://my.webtest.s3-eu-west-1.amazonaws.com/
Auflösen des Hostnamen »my.webtest.s3-eu-west-1.amazonaws.com (my.webtest.s3-eu-west-1.amazonaws.com)«... 52.218.96.155
Verbindungsaufbau zu my.webtest.s3-eu-west-1.amazonaws.com (my.webtest.s3-eu-west-1.amazonaws.com)|52.218.96.155|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2018-12-04 20:09:47 FEHLER 403: Forbidden.
This was not what I expected, but how should my bucket know that this access came from an EC2 instance belonging to the same AWS account?

Let's try to access the bucket with aws cli:
$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
To get this working you have to add an IAM role to your EC2 instance. So let's create a new role:
Choose EC2:
and AmazonS3FullAccess:
Move on (without configuring tags)

And then attach this role to your EC2 instance:

and choose your new "AccessToS3Role":

After that the aws cli works as expected:
[ec2-user@ip-172-31-2-99 ~]$ aws s3 ls
2018-12-04 20:02:11 my.webtest
[ec2-user@ip-172-31-2-99 ~]$ aws s3 ls my.webtest 
2018-12-04 20:23:12        130 website.json
But access via wget is still not possible. This is because the aws cli uses the Amazon API to fetch the keys that come with the IAM role attached to the EC2 instance and signs its requests with them. wget knows nothing about these keys, so its request is anonymous, just like the one from the browser.
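As an added example (not from the original post): the signing step that the aws cli performs for every request and that a plain wget omits, implemented for the GET shown above (AWS Signature Version 4 for S3). Access key, secret, session token and timestamp are constructed placeholders; on the instance the CLI obtains the real temporary credentials from the instance metadata service.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def build_canonical_request(method: str, path: str, headers: dict) -> str:
    """SigV4 canonical request for a request without query string; header names lower-case."""
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    return "\n".join([method, quote(path, safe="/~"), "", canonical_headers,
                      ";".join(names), headers["x-amz-content-sha256"]])


def sign_s3_get(host, path, region, access_key, secret_key, session_token, now):
    """Headers a plain HTTP GET to S3 must carry to be authenticated (what wget lacks)."""
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    if session_token:  # instance-role credentials are temporary and carry a session token
        headers["x-amz-security-token"] = session_token
    scope = f"{date}/{region}/s3/aws4_request"
    canonical = build_canonical_request("GET", path, headers)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):  # derive the per-day signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                               f"SignedHeaders={';'.join(sorted(headers))}, Signature={signature}")
    return signed


def sample_headers(secret_key: str = "EXAMPLESECRET") -> dict:
    """The post's request (GET / on my.webtest, eu-west-1) signed with constructed, non-working
    credentials; on EC2 the CLI fetches real ones from the instance metadata service."""
    return sign_s3_get("my.webtest.s3-eu-west-1.amazonaws.com", "/", "eu-west-1",
                       "AKIAEXAMPLE", secret_key, "EXAMPLETOKEN",
                       datetime(2018, 12, 4, 20, 9, 47, tzinfo=timezone.utc))
```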

08.12.2018

AWS: IAM & security - Best practices: Using a non-root user

After my successful Solutions Architect practice exam I knew that I had to take care of my shortcomings in security.
So I decided to visit IAM (Identity and Access Management) of AWS:

So let's move to IAM users:
Click on "add user"

Then insert a "user name", choose an access type and click next:

Then you have to create the first group:

I created a group with full AWS access:



Then move on with creating the user:

Additional Tags:
And finally click "create user"
This will show you a page with an AWS management console URL:

Use this URL to login with the new user:
(I had to change the password because of the checkbox "require password reset")

And then I am logged into my AWS Management Console with this non-root user:


If you want to log in with your root user, you have to use the link below the "sign in" button:

07.12.2018

Ubuntu: if WLAN is gone after an update and lspci lists no wlan devices

On my Ubuntu laptop the WLAN networking was gone after an update. The first check was to boot into Windows and see whether the WLAN device was still working:
The WLAN still worked with Windows, so the worst case (hardware error) did not hit me ;-)

So I switched back to Ubuntu and tried the following:

$ lspci -nnk | grep -iA2 net;
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15)
    Subsystem: Acer Incorporated [ALI] RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [1025:104c]
    Kernel driver in use: r8169
    Kernel modules: r8169
Very strange - the WLAN network adapter was not even listed with lspci!
Another check shows:
$ lshw|grep -iA2 network
WARNUNG: Sie sollten dieses Programm mit Systemverwalterrechten (root) ausführen.
           *-network
                Beschreibung: Ethernet interface
                Produkt: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
It looks like the hardware controller is missing, but the check with Windows explicitly showed that the WLAN is still ok.

The solution was to run:
apt-get install bcmwl-kernel-source
(After connecting the laptop via ethernet to my router)

Afterwards the commands showed the WLAN adapter again:
$ lspci -nnk | grep -iA2 net;
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15)
    Subsystem: Acer Incorporated [ALI] RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [1025:104c]
    Kernel driver in use: r8169
    Kernel modules: r8169
03:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter [168c:003e] (rev 32)
    Subsystem: Lite-On Communications Inc QCA6174 802.11ac Wireless Network Adapter [11ad:0807]
    Kernel driver in use: ath10k_pci
    Kernel modules: ath10k_pci, wl

$ lshw|grep -iA2 network
WARNUNG: Sie sollten dieses Programm mit Systemverwalterrechten (root) ausführen.
           *-network
                Beschreibung: Ethernet interface
                Produkt: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
--
           *-network
                Beschreibung: Kabellose Verbindung
                Produkt: QCA6174 802.11ac Wireless Network Adapter
                Hersteller: Qualcomm Atheros
                Physische ID: 0

I found the following with google:
https://ubuntuforums.org/showthread.php?t=1411216


So let's try this:
# apt-mark hold bcmwl-kernel-source
bcmwl-kernel-source auf Halten gesetzt.
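Added example, not from the original post: a small parser for the lspci -nnk output shown above that tells apart the two situations worth distinguishing when WLAN vanishes after an update, namely the adapter not being enumerated at all (the case in this post before the fix) versus enumerated but with no kernel driver bound. The sample outputs are the ones from this post.

```python
import re

# lspci -nnk output copied from this post: LSPCI_BEFORE is the broken system
# (no wireless adapter listed), LSPCI_AFTER the state after the fix.
LSPCI_BEFORE = """\
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15)
    Subsystem: Acer Incorporated [ALI] RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [1025:104c]
    Kernel driver in use: r8169
    Kernel modules: r8169
"""
LSPCI_AFTER = LSPCI_BEFORE + """\
03:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter [168c:003e] (rev 32)
    Subsystem: Lite-On Communications Inc QCA6174 802.11ac Wireless Network Adapter [11ad:0807]
    Kernel driver in use: ath10k_pci
    Kernel modules: ath10k_pci, wl
"""

# slot, class name, class id, device name, vendor id, device id
DEVICE_RE = re.compile(r"^(\S+) (.+?) \[([0-9a-f]{4})\]: (.*?) \[([0-9a-f]{4}):([0-9a-f]{4})\]")


def parse_lspci(text: str) -> list:
    """Parse `lspci -nnk` output into one dict per PCI device."""
    devices = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = DEVICE_RE.match(line)
            if m:
                devices.append({"slot": m.group(1), "class_name": m.group(2),
                                "class_id": m.group(3), "name": m.group(4),
                                "vendor": m.group(5), "device": m.group(6),
                                "driver": None, "modules": []})
        elif devices:  # indented continuation lines belong to the last device
            key, _, value = line.strip().partition(": ")
            if key == "Kernel driver in use":
                devices[-1]["driver"] = value
            elif key == "Kernel modules":
                devices[-1]["modules"] = [mod.strip() for mod in value.split(",")]
    return devices


def wireless_status(text: str) -> str:
    """Classify the WLAN situation: adapter missing, present without driver, or bound."""
    wifi = [d for d in parse_lspci(text) if d["class_id"] == "0280"]
    if not wifi:
        return "missing"      # the case from this post: PCI class 0280 not enumerated
    if any(d["driver"] is None for d in wifi):
        return "no-driver"    # enumerated, but no kernel driver claimed the device
    return "ok:" + ",".join(d["driver"] for d in wifi)
```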

04.12.2018

Oracle VM Server x86: How to get a redundant network for the heartbeat (part 2)

A while ago I played around with Oracle VM Manager.
I was wondering if I could set up a redundant network for the heartbeat on my VirtualBox playground. My question was: Can I add an additional network and stripe the heartbeat over both networks, or do I have to configure 2 network interfaces and use bonding?

A few days ago I tried to stripe the "Heartbeat Network" over 2 networks, but this failed: Oracle VM Server x86: How to get a redundant network for the heartbeat

Now I tried to configure bonding for the "Heartbeat Network":
The first step is to navigate to "Servers and VMs" and change to the perspective "Bond Ports":

Select the bond0 port and add eth1:

Then click OK and after that check via the perspective "Ethernet Ports":

That was easy.

Conclusion: The heartbeat inside OVM is implemented in such a way that it can only work on a single subnet. It is not possible to use two different subnets for the heartbeat.

01.12.2018

AWS: What services are free of charge? How to control your costs...(part 3)

After looking into my bill (see post 1 and post 2) I was curious how fine-grained the cost statistics inside the AWS web console are. So I moved to the billing dashboard and then to the cost explorer:
This provides you with the following dashboard:
You can play around with the settings to get, for example, something like this:




29.11.2018

AWS Billing: Set an alarm to a cost threshold

Knowing some details about the costs inside AWS and some of its services (especially that Docker, VPNs and Kubernetes are not included in the free trials), I set an alarm on my account to get informed about new costs:

So move to "Cloudwatch" and there you have to choose "Alarms":

Then "Create Alarm":
And click on "select metric":
Inside "select metric" click on "Billing" (at the bottom):
And select "Total Estimated Charge"
Select the checkbox for USD and then "Select metric"
After that you have to specify the threshold to exceed and an e-mail address:
If this is your first alarm you have to verify your e-mail:
And when the confirmation is done, you will get:
Now the Dashboard shows:

And I got an e-mail with this alarm:



26.11.2018

AWS: AWS Solutions Architect Associate - Practice

After reading the book AWS Certified Solutions Architect - Official Study Guide I decided to go for an online exam at https://aws.amazon.com/training/




I had to answer 25 questions in about 30 minutes, which was quite exhausting. Only a few minutes after the exam I got the following mail:
Hmmm.
3.0 Specify Secure Applications and Architectures: 50%
An unconvincing result for this area, but with some more reading and more exercises I should get above 80%.

4.0 and 5.0 with 100%: Better than expected.

But is an overall score of 76% enough?
One day later inside my aws certification account the following line appeared:


;-)

25.11.2018

Oracle VM Server x86: How to get a redundant network for the heartbeat

A while ago I played around with Oracle VM Manager.
I was wondering if I could set up a redundant network for the heartbeat on my VirtualBox playground. My question was: Can I add an additional network and stripe the heartbeat over both networks, or do I have to configure 2 network interfaces and use bonding?

So let's start:
Open the OVM Manager and go to "Networking":
and hit the green plus to add a network:
Just hit next and provide a name and toggle the checkbox "heartbeat":

Then expand the tree to the new NIC and choose it:

Then mark the row and hit next:
For my use case I did not add any VLANs, and afterwards the heartbeat appears to be striped over both networks:
But this is not really true:
OVMRU_001079E Cannot add Ethernet device: eth1 on oraclevm, to network: hearbeat, because server: oraclevm, already has cluster network: 192.168.178.0. [Sat Nov 24 11:39:39 EST 2018]

Hmmm. This means the OVM Manager shows two checkmarks, but the second one does not work.
After some investigation: The network "heartbeat" was created but the port (eth1) was missing.
So I removed the "Cluster Heartbeat" and then I added the port eth1 including the checkbox "Virtual Machines".
The OVM server now showed eth1:
# ifconfig |grep ^[a-z,0-9]
108e472f6e Link encap:Ethernet  Hardware Adresse 08:00:27:43:D9:4C  
bond0     Link encap:Ethernet  Hardware Adresse 08:00:27:61:51:35  
c0a8b200  Link encap:Ethernet  Hardware Adresse 08:00:27:61:51:35  
eth0      Link encap:Ethernet  Hardware Adresse 08:00:27:61:51:35  
eth1      Link encap:Ethernet  Hardware Adresse 08:00:27:43:D9:4C  
lo        Link encap:Lokale Schleife  
But adding "Cluster Heartbeat" once again results in a job that stays in status "running" forever.

Conclusion: You should never stripe the "Cluster Heartbeat" over more than one network!