As part of the build phase of Nick Hardiman's AWS EC2 cloud automation series, he walks you through creating a Puppet master and finding its SSH host key fingerprint.
This article is part of a series that chains together Amazon Web Services (AWS), cloud-init, and Puppet to build a small automated cloud system. The build phase includes creating a Puppet master (that's this post) and building the agent (that's coming in the next article). This single command starts the build phase.
aws ec2 run-instances \ --image-id ami-50b64527 \ --count 1 \ --instance-type t1.micro \ --key-name p-keypair \ --security-groups p-master-group \ --user-data "$my_user_data"
A lot of work has gone into that command. If it means nothing to you, head back to part one of my cloud automation series on building a simple web service and work your way forward.
Create the Puppet master
1. Use your workstation with the AWS CLI tools installed.
2. Find your p-master-user-data.yml user data file for the Puppet master.
3. Stick the file contents into a variable.
4. Launch the Puppet master.
nick $ aws ec2 run-instances --image-id ami-50b64527 --count 1 --instance-type t1.micro --key-name p-keypair --security-groups p-master-group --user-data "$my_user_data" 243894605340 r-61b12c20 GROUPS sg-56491421 p-master-group INSTANCES 0 x86_64 None False xen ami-50b64527 i-f0277bb1 t1.micro aki-52a34525 p-keypair 2014-02-21T00:05:58.000None None /dev/sda1 ebs None paravirtual … STATEREASON pending pending nick $
5. Check your work.
nick $ aws ec2 describe-instances RESERVATIONS 243894605340 r-61b12c20 GROUPS sg-56491421 p-master-group INSTANCES 0 x86_64 None False xen ami-50b64527 i-f0277bb1 t1.micro aki-52a34525 p-keypair 2014-02-21T00:05:58.000ip-10-35-13-130.eu-west-1.compute.internal 10.35.13.130 ec2-54-220-141-154.eu-west-1.compute.amazonaws.com 18.104.22.168 /dev/sda1 ebs None paravirtual … STATE 16 running nick $
6. Wait five minutes for the new machine to get going.
Everyone makes mistakes. Yes, everyone. If you made a mistake with this command, delete the new machine with the ec2kill command (AKA ec2-terminate-instances).
nick $ aws ec2 terminate-instances --instance-ids i-f0277bb1 TERMINATINGINSTANCES i-f0277bb1 CURRENTSTATE 32 shutting-down PREVIOUSSTATE 16 running nick $
Find the SSH host key fingerprint of the Puppet master
When logging in to a newly-launched machine for the first time, you have to check its identity. But how? How do you identify a machine you have never seen?
The OpenSSH people solved the problem by creating a mathematical anti-fraud scheme to ensure you are going to the right place. The application openssh-server creates a new SSH host key on every brand new machine. Each host key has a fingerprint, like this.
The SSH server hands over this fingerprint to your SSH client every time you log in. The very first time you use your new machine, your SSH client will ask you to confirm this SSH server fingerprint.
The fingerprint is a little tricky to find — it is buried in the console output. The console is where every Linux machine prints important system messages.
7. Wait five minutes after launching the new machine. Get the console output.
nick $ aws ec2 get-console-output --instance-id i-f0277bb1 i-f0277bb1 Xen Minimal OS! start_info: 0xae2000(VA) nr_pages: 0x26700 …
This prints hundreds of lines. If the new machine is not ready, you will see either the error No console output returned or just one line with a date in it.
8. Find the fingerprints. Near the bottom are the few lines we need, displaying three different styles of fingerprint.
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- ec2: 1024 36:e5:3e:a3:75:8b:20:65:b3:8a:21:3d:59:5b:b2:e0 root@ip-10-34-241-176 (DSA) ec2: 256 62:10:d4:ca:27:8a:6c:77:53:ed:5a:ee:75:96:c0:e5 root@ip-10-34-241-176 (ECDSA) ec2: 2048 81:e4:00:0a:63:d2:c1:bc:05:a3:48:6d:df:2a:24:1a root@ip-10-34-241-176 (RSA) ec2: -----END SSH HOST KEY FINGERPRINTS-----
9. Copy the RSA key fingerprint.
Look around the Puppet master
Log in to your new cloud machine. You built this, you clever person.
10. Find the new public host name. Use the aws ec2 describe-instances command.
11. Log in with SSH (OS X and Linux) or PuTTY (Windows).
nick $ ssh -i p-private.key email@example.com The authenticity of host 'ec2-54-195-158-198.eu-west-1.compute.amazonaws.com (22.214.171.124)' can't be established. RSA key fingerprint is 81:e4:00:0a:63:d2:c1:bc:05:a3:48:6d:df:2a:24:1a. Are you sure you want to continue connecting (yes/no)?
12. Compare this RSA key fingerprint with the one from the console output.
13. If they match, enter yes.
Warning: Permanently added 'ec2-54-195-158-198.eu-west-1.compute.amazonaws.com,126.96.36.199' (RSA) to the list of known hosts. … ubuntu@ip-10-34-241-176:~$
Get the private IP address
The second part of the build phase is creating the Puppet agent machine; this will try to contact the Puppet master to receive its instructions. The agent needs to know where to send its request.
If you are logged in to your new Puppet master, you can either figure this out from the prompt or the host name.
ubuntu@ip-10-34-241-176:~$ hostname ip-10-34-241-176 ubuntu@ip-10-34-241-176:~$
If you are not logged in, you can use the AWS CLI aws ec2 describe-instances command. It's tricky to read — you do have to wade through many fields to find it. Your output may look different, because this aws command can format this information into a few different layouts.
nick $ aws ec2 describe-instances RESERVATIONS 243894605340 r-8df3c4ce GROUPS sg-56491421 p-master-group INSTANCES 0 x86_64 None False xen ami-50b64527 i-40a6b103 t1.micro aki-52a34525 p-keypair 2014-02-21T15:05:14.000Z ip-10-34-241-176.eu-west-1.compute.internal 10.34.241.176 ec2-54-220-112-168.eu-west-1.compute.amazonaws.com 188.8.131.52 /dev/sda1 ebs None paravirtual …
You're nearly there
The next step is to build the Puppet agent machine. The Puppet agent will automatically create a web server that is available to the internet. We'll cover this in the next installment in this cloud automation series.
Catch up on previous installments in this series
- Cloud automation: Everything you need to know to build a web service
- Puppet automation brings a cloud technology stack to life
- Good reasons to install the new AWS CLI tools on a VM on Amazon EC2
- Choose the AWS region closest to customers, unless you need to break this rule
- Keep crackers out of your web service by using AWS security groups
- AWS EC2 cloud automation tricks that will amaze you