Fornitura di Fedora CoreOS su Amazon Web Services
Questa guida mostra come effettuare il provisioning di nuove istanze Fedora CoreOS (FCOS) sulla piattaforma cloud di Amazon Web Services (AWS).
Prerequisiti
Prima di configurare una macchina FCOS, è necessario avere un file di configurazione Ignition con le proprie personalizzazioni. Se non ne hai uno, consulta Produzione di un File Ignition.
Fedora CoreOS dispone di un utente predefinito core che può essere utilizzato per esplorare il sistema operativo. Se desideri utilizzarlo, completa la sua configurazione fornendo, ad esempio, una chiave SSH.
|
If you do not want to use Ignition to get started, you can make use of the Afterburn support.
You also need to have access to an AWS account. The examples below use the aws command-line tool, which must be separately installed and configured beforehand.
Avvio di un’istanza VM
Minimal Example
Nuove istanze AWS possono essere create direttamente dalle immagini pubbliche di FCOS. Puoi trovare l’AMI più recente per ciascuna regione dalla [pagina di download](https://fedoraproject.org/coreos/download/).
Se sei interessato solo a esplorare FCOS senza ulteriori personalizzazioni, puoi utilizzare una [coppia di chiavi SSH registrata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) per l’utente predefinito core.
Per testare FCOS in questo modo, dovrai eseguire il comando aws ec2 run-instances e fornire alcune informazioni per avviare l’istanza. Ecco un esempio di comando che puoi utilizzare:
# Nome dell'istanza
NAME='instance1'
# Nome della tua chiave SSH (verifica con: `aws ec2 describe-key-pairs`)
SSHKEY='my-key'
# ID dell'AMI (può essere trovato nella pagina di download di Fedora CoreOS o altra immagine)
IMAGE='ami-xxx'
# Dimensione del disco in GB
DISK='20'
# Regione AWS di destinazione
REGION='us-east-1'
# Tipo di istanza (es. t3.micro, m5.large, ecc.)
TYPE='m5.large'
# ID della subnet (verifica con: `aws ec2 describe-subnets`)
SUBNET='subnet-xxx'
# Gruppi di sicurezza (verifica con: `aws ec2 describe-security
Puoi scoprire l’indirizzo IP assegnato all’istanza eseguendo aws ec2 describe-instances
|
You now should be able to SSH into the instance using the associated IP address.
ssh core@<ip address>Customized Example
In order to launch a customized FCOS instance, a valid Ignition configuration must be passed as its user data at creation time. You can use the same command from the Minimal Example but add --user-data file://path/to/config.ign argument:
In questo esempio, la chiave SSH per l’utente core viene fornita tramite Afterburn.
|
NAME='instance1'
SSHKEY='my-key' # the name of your SSH key: `aws ec2 describe-key-pairs`
IMAGE='ami-xxx' # the AMI ID found on the download page
DISK='20' # the size of the hard disk
REGION='us-east-1' # the target region
TYPE='m5.large' # the instance type
SUBNET='subnet-xxx' # the subnet: `aws ec2 describe-subnets`
SECURITY_GROUPS='sg-xx' # the security group `aws ec2 describe-security-groups`
USERDATA='/path/to/config.ign' # path to your Ignition config
aws ec2 run-instances \
--region $REGION \
--image-id $IMAGE \
--instance-type $TYPE \
--key-name $SSHKEY \
--subnet-id $SUBNET \
--security-group-ids $SECURITY_GROUPS \
--user-data "file://${USERDATA}" \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=${NAME}}]" \
--block-device-mappings "VirtualName=/dev/xvda,DeviceName=/dev/xvda,Ebs={VolumeSize=${DISK}}"| By design, cloud-init configuration and startup scripts are not supported on FCOS. Instead, it is recommended to encode any startup logic as systemd service units in the Ignition configuration. |
Puoi scoprire l’indirizzo IP assegnato all’istanza eseguendo aws ec2 describe-instances
|
You now should be able to SSH into the instance using the associated IP address.
ssh core@<ip address>Remote Ignition configuration
As user-data is limited to 16 KB, you may need to use an external source for your Ignition configuration. A common solution is to upload the config to a S3 bucket, as the following steps show:
NAME='instance1'
aws s3 mb s3://$NAME-infraNAME='instance1'
CONFIG='/path/to/config.ign' # path to your Ignition config
aws s3 cp $CONFIG s3://$NAME-infra/bootstrap.ignYou can verify the file have been correctly uploaded:
NAME='instance1'
aws s3 ls s3://$NAME-infra/Then create a minimal Ignition config as follows:
variant: fcos
version: 1.6.0
ignition:
config:
replace:
source: s3://instance1-infra/bootstrap.ignbutane -p config.bu -o config.ignYou need to create a role that includes s3:GetObject permission, and attach it to the instance profile. See role creation document for more information.
cat <<EOF >trustpolicyforec2.json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
EOF
# Create the role and attach the trust policy that allows EC2 to assume this role.
ROLE_NAME="my-role"
aws iam create-role --role-name ${ROLE_NAME} --assume-role-policy-document file://trustpolicyforec2.json
# Attach the AWS managed policy named AmazonS3ReadOnlyAccess to the role
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --role-name ${ROLE_NAME}
# Create the instance profile required by EC2 to contain the role
PROFILE="my-instance-profile"
aws iam create-instance-profile --instance-profile-name ${PROFILE}
# Finally, add the role to the instance profile
aws iam add-role-to-instance-profile --instance-profile-name ${PROFILE} --role-name ${ROLE_NAME}To launch the instance, need to attach the created profile. From the command-line, use --iam-instance-profile.
NAME='instance1'
SSHKEY='my-key' # the name of your SSH key: `aws ec2 describe-key-pairs`
IMAGE='ami-xxx' # the AMI ID found on the download page
DISK='20' # the size of the hard disk
REGION='us-east-1' # the target region
TYPE='m5.large' # the instance type
SUBNET='subnet-xxx' # the subnet: `aws ec2 describe-subnets`
SECURITY_GROUPS='sg-xxx' # the security group `aws ec2 describe-security-groups`
USERDATA='/path/to/config.ign' # path to your Ignition config
PROFILE='xxx-profile' # the name of an IAM instance profile `aws iam list-instance-profiles`
aws ec2 run-instances \
--region $REGION \
--image-id $IMAGE \
--instance-type $TYPE \
--key-name $SSHKEY \
--subnet-id $SUBNET \
--security-group-ids $SECURITY_GROUPS \
--user-data "file://${USERDATA}" \
--iam-instance-profile Name=${PROFILE} \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=${NAME}}]" \
--block-device-mappings "VirtualName=/dev/xvda,DeviceName=/dev/xvda,Ebs={VolumeSize=${DISK}}"Once the first boot is completed, make sure to delete the configuration as it may contain sensitive data. See Configuration cleanup.
Configuration cleanup
If you need to have secrets in your Ignition configuration you should store it into a S3 bucket and have a minimal configuration in user-data. Once the instance has completed the first boot, clear the S3 bucket as any process or container running on the instance could access it. See the Ignition documentation for more advice on secret management.
NAME='instance1'
aws s3 rm s3://$NAME-infra/bootstrap.ignOptionnally, you can delete the whole bucket:
NAME='instance1'
aws s3 rb s3://$NAME-infra| The instance’s user data cannot be modified without stopping the instance. |
Want to help? Learn how to contribute to Fedora Docs ›