Pro tip: Master AWS EC2 cloud automation with Puppet

As part of the build phase of Nick Hardiman's AWS EC2 cloud automation series, he walks you through creating a Puppet master and finding its SSH host key fingerprint.


This article is part of a series that chains together Amazon Web Services (AWS), cloud-init, and Puppet to build a small automated cloud system. The build phase includes creating a Puppet master (that's this post) and building the agent (that's coming in the next article). This single command starts the build phase.

aws ec2 run-instances \
  --image-id        ami-50b64527 \
  --count           1 \
  --instance-type   t1.micro \
  --key-name        p-keypair \
  --security-groups p-master-group \
  --user-data       "$my_user_data"

A lot of work has gone into that command. If it means nothing to you, head back to part one of my cloud automation series on building a simple web service and work your way forward.

Create the Puppet master

Create a new EC2 machine with the aws ec2 run-instances command.

1. Use your workstation with the AWS CLI tools installed.

2. Find your p-master-user-data.yml user data file for the Puppet master.

3. Stick the file contents into a variable.

my_user_data=`cat p-master-user-data.yml`

4. Launch the Puppet master.

nick $ aws ec2 run-instances --image-id ami-50b64527 --count 1 --instance-type t1.micro --key-name p-keypair --security-groups p-master-group --user-data "$my_user_data"
243894605340	r-61b12c20
GROUPS	sg-56491421	p-master-group
INSTANCES	0	x86_64	None	False	xen	ami-50b64527	i-f0277bb1	t1.micro	aki-52a34525	p-keypair	2014-02-21T00:05:58.000None	None	/dev/sda1	ebs	None	paravirtual
STATEREASON	pending	pending	
nick $

5. Check your work.

nick $ aws ec2 describe-instances 
RESERVATIONS	243894605340	r-61b12c20
GROUPS	sg-56491421	p-master-group
INSTANCES	0	x86_64	None	False	xen	ami-50b64527	i-f0277bb1	t1.micro	aki-52a34525	p-keypair	/dev/sda1	ebs	None	paravirtual
STATE	16	running
nick $ 

6. Wait five minutes for the new machine to get going.

Everyone makes mistakes. Yes, everyone. If you made a mistake with this command, delete the new machine with the ec2kill command (AKA ec2-terminate-instances).

nick $ aws ec2 terminate-instances --instance-ids i-f0277bb1
CURRENTSTATE	32	shutting-down
nick $ 

Find the SSH host key fingerprint of the Puppet master

When logging in to a newly-launched machine for the first time, you have to check its identity. But how? How do you identify a machine you have never seen?

The OpenSSH people solved the problem by creating a mathematical anti-fraud scheme to ensure you are going to the right place. The application openssh-server creates a new SSH host key on every brand new machine. Each host key has a fingerprint, like this.

•	81:e4:00:0a:63:d2:c1:bc:05:a3:48:6d:df:2a:24:1a 

The SSH server hands over this fingerprint to your SSH client every time you log in. The very first time you use your new machine, your SSH client will ask you to confirm this SSH server fingerprint.

The fingerprint is a little tricky to find -- it is buried in the console output. The console is where every Linux machine prints important system messages.

7. Wait five minutes after launching the new machine. Get the console output.

nick $ aws ec2 get-console-output --instance-id i-f0277bb1
i-f0277bb1	Xen Minimal OS!
  start_info: 0xae2000(VA)
    nr_pages: 0x26700

This prints hundreds of lines. If the new machine is not ready, you will see either the error No console output returned or just one line with a date in it.

8. Find the fingerprints. Near the bottom are the few lines we need, displaying three different styles of fingerprint.

ec2: 1024 36:e5:3e:a3:75:8b:20:65:b3:8a:21:3d:59:5b:b2:e0  root@ip-10-34-241-176 (DSA)
ec2: 256 62:10:d4:ca:27:8a:6c:77:53:ed:5a:ee:75:96:c0:e5  root@ip-10-34-241-176 (ECDSA)
ec2: 2048 81:e4:00:0a:63:d2:c1:bc:05:a3:48:6d:df:2a:24:1a  root@ip-10-34-241-176 (RSA)

9. Copy the RSA key fingerprint.

Look around the Puppet master

Log in to your new cloud machine. You built this, you clever person.

10. Find the new public host name. Use the aws ec2 describe-instances command.

11. Log in with SSH (OS X and Linux) or PuTTY (Windows).

nick $ ssh -i p-private.key
The authenticity of host ' (' can't be established.
RSA key fingerprint is 81:e4:00:0a:63:d2:c1:bc:05:a3:48:6d:df:2a:24:1a.
Are you sure you want to continue connecting (yes/no)?

12. Compare this RSA key fingerprint with the one from the console output.

13. If they match, enter yes.

Warning: Permanently added ',' (RSA) to the list of known hosts.

Get the private IP address

The second part of the build phase is creating the Puppet agent machine; this will try to contact the Puppet master to receive its instructions. The agent needs to know where to send its request.

If you are logged in to your new Puppet master, you can either figure this out from the prompt or the host name.

ubuntu@ip-10-34-241-176:~$ hostname

If you are not logged in, you can use the AWS CLI aws ec2 describe-instances command. It's tricky to read -- you do have to wade through many fields to find it. Your output may look different, because this aws command can format this information into a few different layouts.

nick $ aws ec2 describe-instances 
RESERVATIONS	243894605340	r-8df3c4ce
GROUPS	sg-56491421	p-master-group
INSTANCES	0	x86_64	None	False	xen	ami-50b64527	i-40a6b103	t1.micro	aki-52a34525	p-keypair	2014-02-21T15:05:14.000Z	/dev/sda1	ebs	None	paravirtual

You're nearly there

The next step is to build the Puppet agent machine. The Puppet agent will automatically create a web server that is available to the internet. We'll cover this in the next installment in this cloud automation series.

Catch up on previous installments in this series


Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the ...


Editor's Picks