From f205ecd6f8489153cbf7774545ee738281a9e8a9 Mon Sep 17 00:00:00 2001 From: "S. X. Liang" <60531983+Scottpedia@users.noreply.github.com> Date: Sat, 2 Jan 2021 12:40:04 -0500 Subject: [PATCH] Add CentOS 7/8 and Amazon Linux 2 support to Cloudformation template (#901) Add CentOS 7/8 and Amazon Linux 2 support to Cloudformation template. See #901 for details. Co-authored-by: Scottpedia --- aws/README-zh.md | 2 +- aws/README.md | 31 +++++++-- aws/cloudformation-template-ipsec | 107 ++++++++++++++++++++++-------- 3 files changed, 107 insertions(+), 33 deletions(-) diff --git a/aws/README-zh.md b/aws/README-zh.md index 8bae3f4..f743354 100644 --- a/aws/README-zh.md +++ b/aws/README-zh.md @@ -10,7 +10,7 @@ - Amazon EC2 实例类型 > **注:** 在某些 AWS 区域中,此模版提供的某些实例类型可能不可用。比如 `m5a.large` 可能无法在 `ap-east-1` 区域部署(仅为假设)。在此情况下,你会在部署过程中遇到此错误:`The requested configuration is currently not supported. Please check the documentation for supported configurations`。新开放的 AWS 区域更容易出现此问题,因为它们提供的实例类型较少。 -- VPN 服务器的操作系统(Ubuntu 20.04/18.04/16.04,Debian 9) +- VPN 服务器的操作系统(Ubuntu 20.04/18.04/16.04, Debian 9, CentOS 7/8, AmazonLinux2 > **注:** 在 EC2 上使用 Debian 9 映像之前,你需要先在 AWS Marketplace 上订阅:[Debian 9](https://aws.amazon.com/marketplace/pp/B073HW9SP3)。 - 你的 VPN 用户名 - 你的 VPN 密码 diff --git a/aws/README.md b/aws/README.md index 05373a7..a4db4bd 100644 --- a/aws/README.md +++ b/aws/README.md 
@@ -9,8 +9,8 @@ This template will create a fully-working IPsec VPN server on Amazon Elastic Com Available customization parameters: - Amazon EC2 instance type -> **Note**: It is possible that not all instance type options offered by this template are available in a specific AWS region. For example, you may not be able to deploy an `m5a.large` instance in `ap-east-1` (hypothetically). In that case, you might experience the following error during deployment: `The requested configuration is currently not supported. Please check the documentation for supported configurations`. Newly released regions are more prone to having this problem as there are less variety of instances. -- OS for your VPN server (Ubuntu 20.04/18.04/16.04, Debian 9) +> **Note**: It is possible that not all instance type options offered by this template are available in a specific AWS region. For example, you may not be able to deploy an `m5a.large` instance in `ap-east-1` (hypothetically). In that case, you might experience the following error during deployment: `The requested configuration is currently not supported. Please check the documentation for supported configurations`. Newly released regions are more prone to having this problem as there are less variety of instances. For more info about instance type availability in AWS regions, you might want to visit https://ec2instances.info/. +- OS for your VPN server (Ubuntu 20.04/18.04/16.04, Debian 9, CentOS 7/8, AmazonLinux2) > **Note:** Before using the Debian 9 image on EC2, you need to first subscribe at the AWS Marketplace: [Debian 9](https://aws.amazon.com/marketplace/pp/B073HW9SP3). - Your VPN username - Your VPN password 
@@ -41,16 +41,37 @@ You may choose an AWS region using the selector to the right of your account inf How to connect to the server via SSH after deployment? -After deployment, the default username for an Ubuntu instance is **ubuntu**, and for a Debian instance it is **admin**. Amazon EC2 does not allow users to access newly created instances with an SSH password. Instead, users are required to create "key pairs", which are used as credentials for SSH access. +You need to know the username and the private key for your instance in order to login to it via SSH. -This template generates a key pair for you during deployment, and the private key will be available as text under the **Outputs** tab after the stack is successfully created. +Each Linux server distribution on AWS has its own default login username, while password login is disabled since the use of private key, or "key pairs", is enforced. + +The following is a list of default usernames used by the distributions provided: +> **Reference**: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html + +| Distribution | Default Login Username | +| --- | --- | +| Ubuntu (`Ubuntu *.04`) | `ubuntu` | +| Debian (`Debian 9` only) | `admin` | +| CentOS (`CenOS 7` and `CentOS 8`) | `centos` | +| AmazonLinux2 | `ec2-user` | + +For the private key(aka "Key pair"), this template generates one for you during deployment, and it will be available as text under the **Outputs** tab after the stack is successfully created. You will need to save the private key from the **Outputs** tab to a file on your computer, if you want to access the VPN server via SSH. -> **Note:** You may need to format the private key by replacing all spaces with newlines, before saving to a file. +> **Note:** You may need to format the private key by replacing all spaces with newlines, before saving to a file. 
The file also needs to be set with [proper permission](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html#connection-prereqs-private-key) before it can be used by SSH client. ![Show key](show-key.png) +To add proper permissions to your private key file, run the following command under the directory where the file is located: +```bash +sudo chmod 400 my-key-pair.pem +``` + +As a result, the command to login to your instance should look like: +```bash +$ ssh -i path/to/your/key.pem instance-username@instance-ip-address +``` ## Author diff --git a/aws/cloudformation-template-ipsec b/aws/cloudformation-template-ipsec index 04d0e58..d25d0c2 100644 --- a/aws/cloudformation-template-ipsec +++ b/aws/cloudformation-template-ipsec 
@@ -1,5 +1,37 @@
 {
 "AWSTemplateFormatVersion": "2010-09-09",
+ "Mappings": {
+ "OS": {
+ "Ubuntu1604": {
+ "HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ "InstallationLinks": "https://git.io/vpnsetup"
+ },
+ "Ubuntu1804": {
+ "HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ "InstallationLinks": "https://git.io/vpnsetup"
+ },
+ "Ubuntu2004": {
+ "HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ "InstallationLinks": "https://git.io/vpnsetup"
+ },
+ "Debian9": {
+ "HelperInstallationCommands": "export DEBIAN_FRONTEND=noninteractive\napt-get -yq update\napt-get -yq install python3-pip\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ "InstallationLinks": "https://git.io/vpnsetup"
+ },
+ "CentOS7": {
+ "HelperInstallationCommands": "yum -y check-update\nyum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ "InstallationLinks": "https://git.io/vpnsetup-centos"
+ },
+ "CentOS8": {
+ "HelperInstallationCommands": "yum -y check-update\nyum -y install python3 wget\npython3 -m pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ "InstallationLinks": "https://git.io/vpnsetup-centos"
+ },
+ "AmazonLinux2": {
+ "HelperInstallationCommands": "export PATH=\"$PATH:/opt/aws/bin\"\n",
+ "InstallationLinks": "https://git.io/vpnsetup-amzn"
+ }
+ }
+ },
 "Metadata": {
 "AWS::CloudFormation::Designer": {
 "0a162613-8f2e-4864-be99-75d946934a4a": {
@@ -110,14 +142,6 @@
 "parent": "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
 "embeds": [],
 "iscontainedinside": [
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
- "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2",
 "5198eb6d-da4f-43e2-8a4b-b9bff02b26a2"
 ],
 "dependson": [
@@ -344,10 +368,15 @@
 },
 "' ERR\n",
 "sleep 60\n",
- "export DEBIAN_FRONTEND=noninteractive\n",
- "apt-get -yq update\n",
- "apt-get -yq install python3-pip\n",
- "pip3 install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz\n",
+ {
+ "Fn::FindInMap": [
+ "OS",
+ {
+ "Ref": "OS"
+ },
+ "HelperInstallationCommands"
+ ]
+ },
 "export VPN_IPSEC_PSK='",
 {
 "Ref": "VpnIpsecPsk"
@@ -363,7 +392,17 @@
 "Ref": "VpnPassword"
 },
 "'\n",
- "wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup\n",
+ "wget -t 3 -T 30 -nv -O vpnsetup.sh ",
+ {
+ "Fn::FindInMap": [
+ "OS",
+ {
+ "Ref": "OS"
+ },
+ "InstallationLinks"
+ ]
+ },
+ "\n",
 "sh vpnsetup.sh\n",
 "cfn-signal -e 0 ",
 " --stack ",
@@ -600,6 +639,10 @@
 [
 "import boto3",
 "import cfnresponse",
+ "'''",
+ "This python script should be embeded into its designated cloudformation template.",
+ "Its function is to sort out the correct AMI image to use for each of the distribution options available.",
+ "'''",
 "def creation_date(e):",
 " return e['CreationDate']",
 "",
@@ -608,16 +651,22 @@
 " regionName = event['ResourceProperties']['Region']",
 " distribution = event['ResourceProperties']['Distribution']",
 " ec2 = boto3.client('ec2',regionName)",
- " IAMName = ''",
- " if distribution == 'Ubuntu16.04':",
- " IAMName = 'ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*'",
- " elif distribution == 'Ubuntu18.04':",
- " IAMName = 'ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*'",
- " elif distribution == 'Ubuntu20.04':",
- " IAMName = 'ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*'",
+ " AMIName = ''",
+ " if distribution == 'Ubuntu1604':",
+ " AMIName = 'ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*'",
+ " elif distribution == 'Ubuntu1804':",
+ " AMIName = 'ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*'",
+ " elif distribution == 'Ubuntu2004':",
+ " AMIName = 'ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*'",
 " elif distribution == 'Debian9':",
- " IAMName = 'debian-stretch-hvm-x86_64-gp2-*'",
- " response = ec2.describe_images(Filters=[{'Name':'name', 'Values':[IAMName]}], Owners=['099720109477', '379101102735'])",
+ " AMIName = 'debian-stretch-hvm-x86_64-gp2-*'",
+ " elif distribution == 'CentOS7':",
+ " AMIName = 'CentOS 7.9.2009 x86_64'",
+ " elif distribution == 'CentOS8':",
+ " AMIName = 'CentOS 8.3.2011 x86_64'",
+ " elif distribution == 'AmazonLinux2':",
+ " AMIName = 'amzn2-ami-hvm-*.*-x86_64-gp2'",
+ " response = ec2.describe_images(Filters=[{'Name':'name', 'Values':[AMIName]}], Owners=['099720109477', '379101102735', '125523088429', 'amazon'])",
 " images = response['Images']",
 " images.sort(key=creation_date,reverse=True)",
 " AMIId = images[0]['ImageId']",
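Review bot: `describe_images` now accepts all four owner accounts for every distribution while the `name` filter is the only other constraint, so each pattern (for example `amzn2-ami-hvm-*.*-x86_64-gp2`) is matched against images from four publishers instead of the one that actually produces it, and the newest match wins regardless of owner. Tightening this is a small change: set the owner next to the name in each branch (`AMIName, AMIOwner = 'amzn2-ami-hvm-*.*-x86_64-gp2', 'amazon'`) and call `describe_images(..., Owners=[AMIOwner])`. A `distribution` value outside the chain still leaves `AMIName` empty, and the `images[0]` at the bottom of the hunk then fails with a bare IndexError; an `else: raise ValueError('unsupported distribution: ' + distribution)` before the call would at least make that readable in the Lambda log (the gap predates this change). Note too that the CentOS names are exact strings, unlike the wildcard patterns used for the other distributions, so they will need hand-editing when a newer point release replaces them. The handler's signature and its `cfnresponse` call lie outside the hunk.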
@@ -762,12 +811,15 @@
 "OS": {
 "Type": "String",
 "Description": "The OS of your VPN server. Default: Ubuntu 20.04",
- "Default": "Ubuntu20.04",
+ "Default": "Ubuntu2004",
 "AllowedValues": [
- "Ubuntu20.04",
- "Ubuntu18.04",
- "Ubuntu16.04",
- "Debian9"
+ "Ubuntu2004",
+ "Ubuntu1804",
+ "Ubuntu1604",
+ "Debian9",
+ "CentOS7",
+ "CentOS8",
+ "AmazonLinux2"
 ]
 },
 "InstanceType": {
@@ -832,4 +884,5 @@
 "Value": "https://github.com/hwdsl2/setup-ipsec-vpn#next-steps"
 }
 }
+ }
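Review bot: Renaming the existing allowed values (`Ubuntu20.04` → `Ubuntu2004` and so on) is a breaking change for stacks already created with the old names: a stack update that reuses the previous parameter value will presumably be rejected by `AllowedValues` until `OS` is re-specified, and neither the commit message nor the README hunks mention this. If compatibility matters, keep the old names as additional `AllowedValues` and add matching entries to `Mappings.OS` and the AMI-lookup chain; otherwise say so in the README. These values also have to be kept in sync by hand with the `Mappings.OS` keys and the `distribution` comparisons in the lookup function, so a sentence in `Description` naming those two places would help the next editor.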