Elastic Security


Security for the Cloud

Alternatives to AMIs?

Photo: ilovecode

Some weeks ago, I discussed the dangers of using Amazon Machine Images (AMIs) from third-party providers and suggested that a web service combining thorough security scanning with community feedback could be a way to reach a good level of transparency and trust. But are AMIs really the right abstraction for a software marketplace? Can they replace installers? Is searching for an AMI that fits a customer's needs and then launching it the way people want to install software? Are AMIs the defining abstraction of cloud IT?

I see two important limitations to the role of the AMI:

  • The first is the problem of sharing resources at the application level: starting an AMI for every application is costly, since the customer pays for every running instance, and those instances are in most cases over-provisioned. On the other hand, you lose all the advantages of simplicity when you deploy, maintain, and upgrade several applications on the same instance. There is probably no AMI that deploys your preferred CRM plus your preferred bug-tracking tool plus WordPress; you need to create it yourself (and run into new questions, e.g. how to maintain and upgrade your setup).
  • The second is that launching is just not enough: instances must also be configured, e.g. with IP addresses and application-specific parameters, or set up for persistence. An AMI is not just a simpler software installer or a DVD-like digital asset that can be played with one click; it is only one building block of a service or application among others, and it rarely works out of the box.

If AMIs are not the right entity for a cloud infrastructure marketplace, what could be the right one? One possibility would be a marketplace for "cloud deployment services", where a deployment service is basically a program that takes input from the user and performs the complete setup, i.e. starting AMIs, attaching persistent storage, configuring static IP addresses, applying account information, connecting application servers to the database, encrypting storage, etc.

Such deployment services would clearly solve problem number two (configuration), but could also be enabled to reuse existing resources and thus solve problem number one (resource sharing). On the other hand, they may become so specific that they are often needed only once. Any thoughts?

Filed under: AWS, Discussions, Solutions

Software Updates on EC2

Photo: Lady-Bug

Let's imagine I am a small software vendor that uses Amazon EC2 for its complete IT infrastructure. Let's say I have around 20 virtual machines running Ubuntu Linux that host all my applications. There are internal applications, i.e. applications that only my company uses, like a CRM, a code repository, a document-management tool, a project-management tool, a billing system or a mail server. And there are external applications that are shared with the outside world, such as a file server for downloading documents and software, a bug-tracking tool, and a SaaS version of my products. Almost every application also uses a database instance in the backend. Of course, there are also a couple of management tools running, and scripted processes for backup, integrity checks, or auditing.

So far so good. Now a new version of Ubuntu comes out that fixes a potential security hole. In addition, I want to use the latest release of MySQL for performance reasons. And there is this new version of my bug-tracking system with the long-awaited new feature. In the classical IT world, I would run the software updater (e.g. for Ubuntu) or download and install the latest version of MySQL and my bug-tracking tool. How would I do it in the EC2 cloud?

I could try it the same way. But I might run into problems like this: a new OS version might require an update of the kernel, which is not possible with EC2. So I do need to start up a new instance from an AMI containing the latest Ubuntu version, reinstall and configure my software, reimport my data, and copy and reactivate my scripts. When I choose to do it like that, I must also be prepared for the (rare) case of corrupted instances or unintentional termination of an instance. In such cases, I need to do the whole process from scratch. RightScale helps to automate those kinds of updates, since it allows you to write reusable scripts and assign them to AMIs so that they are executed on startup or termination of an instance.

With VMware, I would install the new software and create a snapshot after the upgrade, which allows me to switch back immediately to a certain system state whenever I want. This feature is not available for EC2, but it can be simulated to some extent: the process of creating a VM snapshot corresponds to the process of bundling a new AMI. Every time I need to upgrade, I would apply my updates on the running instance (or better: on a clone of that instance based on the same AMI) and then create a new AMI out of it. Elastic-Server is a service that helps you to do that more easily. Afterwards, I need to shut down my instance based on the old AMI and start a new one based on the new AMI. However, that only works for application and service software upgrades and for OS upgrades without kernel modifications. For kernel upgrades, I still need to do the whole installation process from scratch...

Ideally, I would like to separate my AMI from the installation information of the software. What about a solution like this: I start from a clean OS-only image and store all modifications on persistent storage, i.e. EBS (Elastic Block Storage). On my AMI, there is an installation script executed at startup that checks the current setup against the target setup stored on EBS. Installing MySQL? Store the whole bin+lib+config on EBS. The installation script will check whether it needs to apply modifications and gets them directly from EBS. Upgrading MySQL means simply updating the target state on EBS. Upgrading the OS means using another AMI (that includes the installation script; that's the catch).
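A boot-time script for this pattern, as an added example that is not part of the original post: it mounts the EBS volume, compares a manifest of pinned package versions with what dpkg reports on the instance, installs only the differences, and overlays the stored bin+lib+config tree. The device name /dev/sdf, the mount point /mnt/target, the manifest format and the --run flag are all assumptions, not anything the post specifies.

```shell
# Added example (not from the original post): reconcile an OS-only instance
# against the target state kept on an EBS volume. Hypothetical assumptions:
# the volume is attached as /dev/sdf and carries manifest.txt plus ./payload.
EBS_DEVICE="${EBS_DEVICE:-/dev/sdf}"    # assumed device name of the attached volume
EBS_MOUNT="${EBS_MOUNT:-/mnt/target}"   # assumed mount point for the target state
MANIFEST="$EBS_MOUNT/manifest.txt"      # assumed manifest: "package version" lines
TARGET_ROOT="${TARGET_ROOT:-/}"         # where the bin+lib+config payload is copied

# Current state of the instance as "package version" lines (dpkg-query output).
current_state() {
  dpkg-query -W -f='${Package} ${Version}\n' 2>/dev/null
}

# diff_state TARGET CURRENT: print the "package version" lines of TARGET that
# are missing from CURRENT or installed at a different version. Blank lines
# and lines starting with # in the manifest are ignored.
diff_state() {
  while read -r pkg ver; do
    [ -z "$pkg" ] && continue
    case "$pkg" in \#*) continue ;; esac
    have=$(awk -v p="$pkg" '$1 == p { print $2 }' "$2")
    [ "$have" = "$ver" ] || printf '%s %s\n' "$pkg" "$ver"
  done < "$1"
}

# apply_state CURRENT: install exactly the pinned versions that differ, then
# overlay the payload tree (config, bin, lib) from the volume onto TARGET_ROOT.
apply_state() {
  diff_state "$MANIFEST" "$1" | while read -r pkg ver; do
    apt-get install -y "$pkg=$ver"
  done
  if [ -d "$EBS_MOUNT/payload" ]; then
    cp -a "$EBS_MOUNT/payload/." "$TARGET_ROOT"
  fi
}

main() {
  mountpoint -q "$EBS_MOUNT" || mount "$EBS_DEVICE" "$EBS_MOUNT"
  cur=$(mktemp)
  current_state > "$cur"
  apply_state "$cur"
  rm -f "$cur"
}

# Only reconcile when invoked as the startup hook; sourcing the file for
# testing leaves the system untouched.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Upgrading MySQL then means editing one line of manifest.txt on the volume and rebooting (or re-running the hook); a fresh instance from the same OS-only AMI converges to the same state.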

I will try to formalize those solutions and add them to the list of EC2 Patterns. Any input is welcome (especially since I am still searching for good pattern names)!

Filed under: AWS, Solutions
