AWS: Recovering keypairs (Linux)

As you know, keypairs are used to connect to AWS instances. During launch process, you select keypair associated to each one. All keypairs have two parts: private key (the PEM file you download from AWS console when it's created) and the public key. Public key is configured inside authorized_keys file associated to login username.

If authorized_keys file is modified, there are ownership/permissions issues associated to this file or .ssh directory where authorized_keys is stored, keypair will be refused and you will get a Permission denied (publickey) error message:

When this occurs, main problem is you won't be able to login to your instance. To resolve this issue an easy way could be:

• Stop the instance
• Create an image from faulty instance
• Launch a replacement instance using this new AMI. During launch process, make sure to select a known keypair (or create a new one)

An alternative procedure to recover unhealthy instances could be use a third (healthy) instance and repair keypair. In our example we have an instance named WIMKP instance with a keypair named testkey associated:

Unfortunately, something happened and we're not able to login using testkey.pem file. To repair it, we'll need to follow next steps:

• Launch a work instance. We'll use this instance to perform all required operations. When finished, you can terminate this instance. It'll be only required during procedure. Make sure you launch work instance in the same availability zone where unhealthy instance is hosted.

• From AWS web console, EC2 service, Instances section, stop unhealthy instance:

• Go to Volumes section and search for root volume associated to unhealthy instance. Set an appropriated name to easily recognize it (in my example, I established ROOT WIMKP). Also, don't forget to copy device name associated to root volume of unhealthy instance (in my example: /dev/xvda). We'll need this information later:

• Right click over root volume of unhealthy instance and select Detach Volume. Wait until volume becomes available:

• Right click over root volume of unhealthy instance and select Attach Volume. Select work instance and attach volume as a secondary volume for this instance (by default, it'll be attached as /dev/sdf device). Wait until attached:

• Copy keypair file inside work instance and login to work instance:

• As you can see in previous screenshot, review dmesg output to know details about how root volume of unhealthy instance has been recognized. In my example, device was named internally as /dev/xvdf1. If you obtain unknown partition table message, this means secondary volume is identified as /dev/xvdf. Please, take this under consideration to adapt next mount command according to your scenario:

1. sudo mkdir /disk
2. sudo mount /dev/xvdf1 /disk

• Now, inside /disk directory root volume of unhealthy instance is mounted. So, we can review content and repair, if required. Because ec2-user is the username required to connect to WIMKP instance, I'll check files and directories associated. Feel free to adapt next check commands according to your needs. For example, Ubuntu instances use ubuntu as default login username. So, with Ubuntu instances, you'll need to review home directory associated to ubuntu username instead of ec2-user:

• By default:

1. home directory should be owned by root with 755 permissions
2. ec2-user home directory should be owned by ec2-user with 700 permissions
3. .ssh directory inside ec2-user home directory should be owned by ec2-user with 700 permissions
4. authorized_keys file inside .ssh directory should be owned by ec2-user with 600 permissions

• If ownership or permissions are not correct, repair them (in my example, .ssh and authorized_keys ownership are incorrect):

• The commands (again, make sure to understand the concept and adapt according to your specific scenario):

1. sudo chmod 755 /disk/home
2. sudo chmod 700 /disk/home/ec2-user
3. sudo chmod 700 /disk/home/ec2-user/.ssh
4. sudo chmod 600 /disk/home/ec2-user/.ssh/authorized_keys

• Finally, don't forget ownership. To know correct UID and GID numbers associated to login username, inspect passwd file with next command (don't forget to replace ec2-user with your login username):

1. sudo cat /disk/etc/passwd | grep ^ec2-user:

• In my example, 500:500 is UID:GID associated to ec2-user. So, I need to run next command to repair ownership:

1. sudo chown -R 500:500 /disk/home/ec2-user

To verify keypair is correct, inspect authorized_keys file to be sure public and private key are related. To check it, just run next commands (don't forget to replace testkey.pem with filename associated to your private keypair and ec2-user with your login username):

1. chmod 600 testkey.pem
2. ssh-keygen -y -f testkey.pem
3. sudo cat /disk/home/ec2-user/.ssh/authorized_keys

If keypair is correct you should obtain the same string in 2. and 3. previous steps. Example of correct output:

If not, you need to replace keypair. To do it, follow next steps:

1. ssh-keygen -y -f testkey.pem | sudo tee /disk/home/ec2-user/.ssh/authorized_keys
2. sudo chmod 600 /disk/home/ec2-user/.ssh/authorized_keys
3. sudo chown -R 500:500 /disk/home/ec2-user

From previous commands make sure (as always) to replace testkey.pem with your keypair file, ec2-user with login username and 500:500 with UID:GID associated to your login username. Example:

Done. Now we can umount /disk and mount root volume associated to faulty instance:

1. sudo umount /disk

• In AWS web console, EC2 service, Volumes section, detach root volume of faulty instance from work instance. Wait until becomes available.

• Attach root volume of faulty instance to faulty instance. Don't forget to put device name you copied previously (in my example: /dev/xvda) to attach root volume as root volume. Wait until attached.

Finally, in AWS EC2 web console, Intances section, select faulty instance, right click over it and select Start. Wait until started. If everything was correctly done, you should be able to login now using your existing keypair.

Bonus track

If you want existing users can perform sudo commands without password, login to your instance and add next line to /etc/sudoers file replacing username with the username you want to grant sudo permissions:

username ALL=(ALL) NOPASSWD: ALL

Last, next shell script named keypair.sh could be useful if you need to create new users establishing different keypairs, repair ownership/permissions or reset existing keypairs. Just copy the shell script inside your instance and use it. The script is designed to be run by an username with root permissions (or an existing username enabled to perform sudo commands as root username). Feel free to use it!

NOTE: Previous procedure won't work with Marketplace based instances. This kind of instances have signed devices and because of this you won't be able to perform attach/detach actions. If you need to recover information from faulty Marketplace instances, contact with AWS Support team.

AWS: How to auto attach public IP from ElasticIP pool

When an EC2 instance is launched, you can select to attach a Public IP (or not). This Public IP is randomly selected. Here is an example:

i-cf27aa8d instance has 54.72.151.117 Public IP address assigned. This IP is taken from general AWS pool. If you stop and start the instance from AWS EC2 console, a different Public IP address will be selected.

Now, imagine instance launch is controlled by an auto-scaling policy. Following explained behavior, a new random Public IP address will be attached each time a new (or replacement) instance is launched attending auto-scaling group needs.

In the context of need a predictable Public IP addresses, general behavior doesn't fit our needs. When instance is launched manually is easy to resolve: you can attach an IP address from Elastic IP pool through AWS EC2 console, for example. But this could be difficult in an auto-scaling context.

A way to resolve this situation could be using ipassign script. Let verify this with an example!

Imagine previous instance (i-cf27aa8d). To use ipassign script we need to:

• Verify AWS CLI and ec2-utils packages are installed. By default, Amazon Linux instances arrive with them pre-installed. For Ubuntu distributions, probably you'll need to install them manually using apt-get commands:

• Login to the instance as root username. If role instance is not assigned, you need to configure AWS CLI with an IAM user allowed to execute describe-addresses, associate-address and disassociate-address EC2 actions.

• Install ipassign script. Just follow next instructions:

1. Download ipassign script and copy inside your instance in "/etc/init.d" directory
2. Modify script permissions: chmod 755 /etc/init.d/ipassign
3. Add script to instance startup process: chkconfig ipassign on

• Review ipassign configuration. At the beginning of the script, there are two parameters you need to review and ensure are correctly configured:

1. REGION: Defines the AWS region. Value must be the same used by instance. By default is set to eu-west-1 (Ireland) region.
2. IPLOGFILE: Defines log file. By default is set to "/var/log/ipassign.log" and my suggestion is maintain this value.

Done! If we restart the instance, during startup process will try to attach a free Public IP address from Elastic IP pool. Imagine we have three IP address associated to our account, all of them are currently in use:

In this context, instance can't attach any Public IP. Script is designed to avoid changes if an IP from Elastic IP pool can't be attached. Next time we login to the instance, if we review log file will see an error message registered:

Just go to AWS EC2 web console and request a new Elastic IP:

Now (with a free Public IP in Elastic IP pool), if we restart instance again, we'll see ipassign script can find one free IP address in Elastic IP pool and attach it to the instance:

Login to the instance (now, using the new Public IP attached) and checking log file, next information is displayed:

Finally, in instance general information panel, we can review how the instance has a new Public IP address (54.76.166.221) from the Elastic IP pool correctly assigned:

By default, 5 Elastic IP addresses can be associated to an AWS account. But this limit could be increased, if needed.

Test your ELB

ELB (Elastic Load Balancer) is a service provided by AWS to allow you include easily scalable load balancers in your architecture. But sometimes, you detect issues difficult to determinate if they are related with backend instances or ELB itself. Some alternatives in this situation: you can review your CloudWatch metrics trying to find any related issue or you can design a specific test to ensure your environment is working as expected.

In the second situation, several tools can be used to perform an in-depth test (jmeter, for example). But if you want to make an easy test based in a URL, testELB.sh could be what you need.

tesELB.sh will test an URL during a period (by default, ten minutes), making random queries through all associated IPs in your ELB. Additionally, will show you interesting information about:

• Average response time
• Maximum response time
• Percentile 95 response time
• Average payload size
• Error request (including percent)

Here is an execution example:

testELB.sh output

Usage:

testELB.sh ELB [LOOP] [URL] [PORT] [PROTOCOL]

  ELB: DNS Name associated to ELB

  LOOP: Number of loops. Default value: 600 (ten minutes)

  URL: URL to check in ELB. Default value: /

  PORT: Port in ELB to check. Default value: 80

  PROTOCOL: Protocol to use. Default value: http

This shell script could be a good starting point to troubleshoot ELB issues. Fell free to use it!