Thursday, May 28, 2009

Automating AMI builds for Amazon EC2

I started using the Amazon EC2 cloud for penetration tests. Besides giving me short-term (it costs money), scalable processing power for various tasks, it also means I care less if an automated IPS response blocks my IP. I can always bring up another instance...

Provisioning new instances is not hard. There's now the AWS console to take advantage of. Useful and pretty. What's been bugging me is that EC2 images are snapshots of a system configuration, so every new instance reverts to that known configuration. If I apt-get my system and/or download some software, I have to rebuild the image so I don't lose the work. Yes, I can mount a persistent storage volume and "try" to install all my software there, then move it between instances as I bring them up. However, that does not always work for me. I want a (semi-)automated way of "fixating" the changes I make to the core system and starting new instances from the updated image.





So here is somewhat automated way of building Amazon EC2 AMIs.


#!/bin/bash
# Bundle the root volume of a running EC2 host, upload the bundle to S3 and
# register it as a new AMI.
# Usage: build-ami.sh <ec2-host> <snapshot-name>

usage(){
    echo "Usage: $0 <ec2-host> <snapshot-name>"
}

if [[ $# -ne 2 ]]
then
    usage && exit 1
fi

EC2_HOST="$1"
EC2_SNAPSHOT="$2"

# Environment (placeholder values; substitute your own)
EC2_HOME=/usr/local/ec2
EC2_PRIVATE_KEYF=pk-RKxxxxxxxxxxxxxxxxxxxxxx.pem
EC2_PRIVATE_KEY=$EC2_HOME/$EC2_PRIVATE_KEYF
EC2_CERTF=cert-RKxxxxxxxxxxxxxxxxxxxxxxxxx.pem
EC2_CERT=$EC2_HOME/$EC2_CERTF
EC2_HOST_DIR="/mnt"
EC2_RSA="$EC2_HOME/id_rsa-dxs-keypair"
EC2_ACCT=2245946456456456
EC2_DEFAULT_ARCH=i386

S3_BUCKET="dxs-yZksjhflsaudhflkajsdf"
EC2_ACCESSKEY="05HAPBln3245jk32j45"
EC2_SECKEY="pdyyyyyyyyyyyyyyyyyyyyyyyyyyy"

echo "[*] Going to $EC2_HOME"
cd "$EC2_HOME" || exit 1

# ec2-bundle-vol runs on the instance and needs the X.509 private key and
# certificate there, so they are copied to the ephemeral mount for the build.
echo "[*] Copying [PRIV] and [CERT] from $EC2_HOME to $EC2_HOST"
scp -i "$EC2_RSA" "$EC2_CERT" "$EC2_PRIVATE_KEY" root@$EC2_HOST:$EC2_HOST_DIR

echo "[*] Building AMI $EC2_SNAPSHOT to $EC2_HOST_DIR"
ssh -i "$EC2_RSA" root@$EC2_HOST \
    "EC2_HOME=$EC2_HOME $EC2_HOME/bin/ec2-bundle-vol -d $EC2_HOST_DIR -k \
    $EC2_HOST_DIR/$EC2_PRIVATE_KEYF \
    -c $EC2_HOST_DIR/$EC2_CERTF -u $EC2_ACCT -r $EC2_DEFAULT_ARCH -p $EC2_SNAPSHOT"

# Note: the access and secret keys travel on the remote command line and are
# visible in the instance's process list for the duration of the upload.
echo "[*] Uploading AMI $EC2_SNAPSHOT to S3"
ssh -i "$EC2_RSA" root@$EC2_HOST "EC2_HOME=$EC2_HOME $EC2_HOME/bin/ec2-upload-bundle \
    -b $S3_BUCKET -m $EC2_HOST_DIR/${EC2_SNAPSHOT}.manifest.xml -a $EC2_ACCESSKEY -s \
    $EC2_SECKEY"

echo "[*] Checking S3 bucket"
/usr/bin/s3cmd ls s3://$S3_BUCKET

echo "[*] Currently Registered Images"
$EC2_HOME/bin/ec2-describe-images

echo "[*] Registering Image ${EC2_SNAPSHOT}"
$EC2_HOME/bin/ec2-register $S3_BUCKET/${EC2_SNAPSHOT}.manifest.xml

echo "[*] Newly Registered Images"
$EC2_HOME/bin/ec2-describe-images

You may need to fetch the Amazon AMI Tools and create an AMI build environment
on the EC2 instance if you don't have one yet.

# Uses the EC2_RSA, EC2_HOST, EC2_HOST_DIR and EC2_HOME variables from the script above.
echo "[*] Getting ec2-ami-tools from AMAZON"
# wget -O writes the download to the named file (-o would only redirect the log)
wget http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip -O /tmp/ec2-ami-tools.zip

echo "[*] Copying ec2-ami-tools to $EC2_HOST"
scp -i "$EC2_RSA" /tmp/ec2-ami-tools.zip root@$EC2_HOST:$EC2_HOST_DIR

echo "[*] Making $EC2_HOME on $EC2_HOST"
ssh -i "$EC2_RSA" root@$EC2_HOST "mkdir -p $EC2_HOME"
# The archive still has to be unpacked on the host so that $EC2_HOME/bin holds the tools.


Of course, there's no limit to how automated you can make it.
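One check worth automating after the register step, as an added example that is not part of the author's script: confirm that the AMI id you just registered points at your own manifest, is owned by your account and is still private before you launch from it or hand the id to anyone. The tab-separated column layout of ec2-describe-images output (IMAGE, id, location, owner, state, visibility, arch, type) is assumed, and the image ids below are constructed.

```shell
#!/bin/bash
# Post-registration sanity check for a freshly built AMI (added example).
S3_BUCKET="dxs-yZksjhflsaudhflkajsdf"
EC2_ACCT=2245946456456456

# Build one constructed ec2-describe-images line; fields are tab separated.
img_line() {
    printf 'IMAGE\t%s\t%s\t%s\t%s\t%s\ti386\tmachine\n' "$1" "$2" "$3" "$4" "$5"
}
# Constructed sample output: one good image, one accidentally public, one foreign.
SAMPLE_IMAGES=$(
    img_line ami-0a1b2c3d "$S3_BUCKET/pentest-base-20090528.manifest.xml" "$EC2_ACCT" available private
    img_line ami-1e2f3a4b "$S3_BUCKET/pentest-base-20090601.manifest.xml" "$EC2_ACCT" available public
    img_line ami-5c6d7e8f "someone-else/shared.manifest.xml" 111111111111 available public
)

# ami_id_for_manifest "<describe-images output>" <bucket> <snapshot>
# Prints the AMI id whose location is bucket/snapshot.manifest.xml (nothing if absent).
ami_id_for_manifest() {
    printf '%s\n' "$1" | awk -F'\t' -v loc="$2/$3.manifest.xml" \
        '$1=="IMAGE" && $3==loc {print $2; exit}'
}

# verify_private_ami "<describe-images output>" <ami-id> <account>
# Returns 0 only if the image exists, is available, is owned by <account> and is private.
verify_private_ami() {
    printf '%s\n' "$1" | awk -F'\t' -v id="$2" -v acct="$3" '
        $1=="IMAGE" && $2==id {
            found=1
            if ($4==acct && $5=="available" && $6=="private") ok=1
        }
        END { if (found && ok) exit 0; exit 1 }'
}

# Demo against the constructed sample: the first snapshot passes, the public one fails.
for snap in pentest-base-20090528 pentest-base-20090601; do
    id=$(ami_id_for_manifest "$SAMPLE_IMAGES" "$S3_BUCKET" "$snap")
    if verify_private_ami "$SAMPLE_IMAGES" "$id" "$EC2_ACCT"; then
        echo "[*] $snap registered as $id (private, owned by $EC2_ACCT)"
    else
        echo "[!] $snap -> ${id:-not found}: do not launch or share this image"
    fi
done
```

In the real script the sample would be replaced by `$EC2_HOME/bin/ec2-describe-images` output captured right after ec2-register.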
