Googolflex!!

About The Author : jwd

This is John Dusbabek's tech blog. John is a software engineer and Flex developer in Provo, UT, where he lives with his lovely wife and four sons.


Archive for EC2

Feb
03

Apache mod_proxy_balancer Self Registration : Part 1

Posted by: jwd | Comments (0)

Load balancers are great, but they become even more powerful when servers have the ability to self-register when they come online, and deregister when they go offline. This is especially true with services such as EC2, when the size of the server group might grow or shrink in response to need. This is a tutorial describing my particular (partially insecure at the moment) solution for allowing self-registration with Apache’s mod_proxy_balancer. Specifically this covers the load balancer side of the equation. Tomorrow I hope to get a post out describing the server side.

Here is my flowchart for how self registration will work:
1. Server comes online.
2. A startup script will register itself with the MySQL database (including hostname, ip, loadfactor, and a hash that it will generate in some way).
3. The server will then call a PHP script on the load balancer: “register/register.php”.
4. The PHP script will verify that a server sent the request.
5. The PHP script will query the database to get the current list of balancer members, and regenerate the balancer_members.conf file.
6. The PHP script will then issue a command to reload Apache’s configuration files.

Deregistration, which my PHP script as presented doesn’t display, will work as follows:
1. Server sends its hash to the PHP script, and shuts down.
2. The PHP script will check the hash against the database.
3. The PHP script will remove the server from the database.
4. The PHP script will repeat steps 5 and 6 above.

First, set up the database and create a user with sufficient privileges.

CREATE DATABASE lb_register;
GRANT ALL ON lb_register.* TO 'lbuser'@'%' IDENTIFIED BY 'password';

CREATE TABLE lb2_members(
ip VARCHAR(20) NOT NULL PRIMARY KEY,
hostname VARCHAR(100) NOT NULL,
loadfactor INT NOT NULL DEFAULT 0,
hash VARCHAR(40) );

Second, create the PHP script.

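<?php
// register/register.php: regenerate balancer_members.conf when a registered server calls in.
$dbhost = "mysql.host.com";
$dbuser = "lbuser";
$dbpass = "password";
$dbname = "lb_register";
$dbtable = "lb2_members";

$conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname) or die(mysqli_connect_error());

// Verify the caller: the hash must match a row that a server wrote at startup.
// The hash is bound as a parameter, so request input never becomes part of the SQL text.
$hash = isset($_GET['hash']) ? (string) $_GET['hash'] : '';
$stmt = mysqli_prepare($conn, "SELECT count(*) FROM " . $dbtable . " WHERE hash = ?");
mysqli_stmt_bind_param($stmt, "s", $hash);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $count);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

if ($count >= 1) {

  // Rebuild the member list from the database.
  $file = "<Proxy balancer://mycluster>" . "\n";
  $member_query = "SELECT hostname, loadfactor FROM " . $dbtable . ";";
  $member_result = mysqli_query($conn, $member_query);

  while ($row = mysqli_fetch_assoc($member_result)) {
    $file .= "   BalancerMember http://" . $row['hostname'] . " ";
    $file .= ($row['loadfactor'] > 1) ? ("loadfactor=" . $row['loadfactor'] . "\n") : "\n";
  }
  $file .= "</Proxy>\n";

  // Write the file directly instead of passing its contents through a shell command line.
  file_put_contents('/etc/httpd/conf.d/balancer_members.conf', $file);
  exec("sudo /usr/local/bin/reload_httpd");
}

mysqli_close($conn);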

You can tell a few things about the server configuration by looking at the script:
1. User apache will need to be able to write to the “/etc/httpd/conf.d/balancer_members.conf” file.
2. User apache will need to be able to execute the script “/usr/local/bin/reload_httpd”.
3. User apache will need sudoer rights.
4. This script was used for debugging, and not by a server that is actually registering… you can see that deregistration is not handled yet.

To grant write privileges to apache, I changed the owner of the balancer_members.conf to apache.

 chown apache /etc/httpd/conf.d/balancer_members.conf

This is probably the least secure aspect of my solution, as if the apache user were compromised, then any directives could be written to this file. I’m not sure how big a threat this is, but it’s something that concerns me at least enough to think about this some more (and invite suggestions).
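One way to narrow what can reach balancer_members.conf is to validate every row before it is rendered, so that a hostname or loadfactor stored in the database can never carry an extra directive into the file. This is an added example, not the author's code; the function names and the sample rows are hypothetical, and the loadfactor range of 0 to 100 is an assumption.

```php
<?php
// Added example (not from the original post). Function names are hypothetical.

// Accept only a plain DNS name or IPv4 address, optionally followed by :port.
// \A and \z anchor the whole string, so a trailing newline is rejected too.
function is_safe_member_host($host) {
  if (!is_string($host) || strlen($host) > 100) {   // the column is VARCHAR(100)
    return false;
  }
  $re = '/\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::[0-9]{1,5})?\z/';
  return preg_match($re, $host) === 1;
}

// Build the <Proxy> block, skipping (and reporting) any row that fails validation.
function render_balancer_conf(array $members, array &$rejected) {
  $out = "<Proxy balancer://mycluster>\n";
  foreach ($members as $m) {
    // Assumed range; returns false for anything that is not an integer in it.
    $lf = filter_var($m['loadfactor'], FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 0, 'max_range' => 100)));
    if (!is_safe_member_host($m['hostname']) || $lf === false) {
      $rejected[] = $m;
      continue;
    }
    $out .= "   BalancerMember http://" . $m['hostname'];
    $out .= ($lf > 1) ? (" loadfactor=" . $lf . "\n") : "\n";
  }
  return $out . "</Proxy>\n";
}

// Constructed sample rows: the second and third must not reach the config file.
$rows = array(
  array('hostname' => 'web1.example.com',                   'loadfactor' => 2),
  array('hostname' => "web2.example.com\nServerName other", 'loadfactor' => 1),
  array('hostname' => 'web3.example.com',                   'loadfactor' => '5 status=+H'),
);
$rejected = array();
echo render_balancer_conf($rows, $rejected);
echo "rejected rows: " . count($rejected) . "\n";
```

Rejected rows are worth logging on the load balancer, since a registered server should never produce one.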

Next is to grant apache privileges to execute “/usr/local/bin/reload_httpd”. We could accomplish this the same as we did above, but then it wouldn’t allow apache to execute what’s inside of the script, which is this:

#!/bin/bash
service httpd reload

unless we give execution rights to apache on service, which we don’t want. What we also don’t want is for apache to be able to write to the file reload_httpd. So what I ended up doing was, as you see in the script, to make root the owner of reload_httpd and remove write privileges for all (so apache couldn’t change it) and then add apache to the sudoers file, granting rights to execute this script without a password.

visudo

is the generally accepted way to edit the sudoers file. And I added this line:

apache ALL=(ALL) NOPASSWD: /usr/local/bin/reload_httpd

I’m open to more secure ways of implementing this aspect as well, as I don’t consider myself a sudo configuration expert. I think this gives apache rights to execute everything from anywhere if he knows the password; but he can also execute the /usr/local/bin/reload_httpd script without a password.

I also had to comment out the line:

#Defaults   requiretty

to allow sudo to function properly from a script not executed in a terminal.
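A narrower form of the two sudoers changes above, shown as an added example rather than the author's configuration. The rule on the page lets apache run the script as any target user; the version below limits it to root, forbids arguments, and relaxes requiretty for the apache user only instead of for everyone.

```sudoers
# As on the page: the script may be run as any target user (ALL).
# apache ALL=(ALL) NOPASSWD: /usr/local/bin/reload_httpd

# Tighter: only as root, and only with no arguments (the trailing "").
apache ALL=(root) NOPASSWD: /usr/local/bin/reload_httpd ""

# Leave the global "Defaults requiretty" line in place and exempt only apache.
Defaults:apache !requiretty
```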

Finally I had to disable proxying for the register script in my balancer.conf file:

ProxyPass /register/ !

Your server is now configured to dynamically update its list of balancer members; you can check by going to the balancer-manager, if you’ve got that enabled. Next I will discuss how to handle the web server side of things.

Categories : Amazon Web Services, Apache Web Server, Architecture, EC2, Linux, MySQL, Scalability, client/server
Aug
11

BlazeDS on EC2 from Dobeweb.com

Posted by: jwd | Comments (0)

I stumbled upon this post by Allen of Dobeweb.com, where he gives detailed instructions for setting up an EC2 image complete with BlazeDS.  He gets down into the nitty-gritty of running EC2 from the command line (which I haven’t done in a long time… I use the Elasticfox plugin for keypair and instance management) and made it very interesting.

http://dobeweb.com/2008/guide-for-setup-blazeds-in-less-than-an-hour-with-amazon-ec2.html

Categories : Actionscript, Amazon Web Services, Application Servers, BlazeDS, EC2, Flex 3, Tomcat
May
16

Book Review: Programming Amazon Web Services

Posted by: jwd | Comments (0)

I don’t know if they’re just a more established tech book publishing company, but I usually have a good experience with O’Reilly books.  Programming Amazon Web Services, subtitled S3, EC2, SQS, FPS, and SimpleDB, by James Murty, was great.  5 stars.

I enjoyed this book mainly because I love using Amazon’s web services for recreation and work.  If I didn’t enjoy Amazon’s web services in the first place I probably would have found the book excessively detailed.  In chapter 5 the author writes, “This chapter delves into the nitty-gritty aspects of running a Linux server in EC2,” and he ain’t kidding!  This book really gets down into the API (and this is true for all the services treated in the book, not just EC2).

So if you’re looking to do some casual computing on EC2 or S3, you’d probably be better off without this book.  I’d recommend installing the Firefox plugins for EC2 and S3, and going from there.  Here’s a link (from the web site of a class I took last fall) that will probably be useful to someone in that situation.  On that page you’ll find links to some tutorial pages, and a webcast or two.

  • http://classes.eclab.byu.edu/462/lectures/index.cgi?Lab1

On the other hand, if your intention is one of the following:

  • Author a tool similar to the Firefox EC2 plugin.
  • Create complex scripts to manage your EC2 instances or S3 buckets.
  • Write a code library for any of the Amazon web services.
  • Increase your understanding of what’s going on when you use the Firefox plugins.

Then this is the book for you.

That said, this book exposed me to FPS and SimpleDB for the first time (never had a chance to use either).  As far as EC2, S3, and SQS go… I didn’t really learn how to do anything new with them from this book, per se.  But it did significantly increase the depth of my understanding regarding each of these services.  There’s a benefit to depth of knowledge with these kinds of technologies, because I’m sure I’ll encounter a problem in the future that can be solved with these tools, whose solution I might have overlooked before.

Categories : Amazon Web Services, Architecture, Book Reviews, CS 462, Design, EC2, Linux, S3, SQS, Scalability, SimpleDB, Virtualization, Web Services
Apr
16

Starting To Learn Cold Fusion

Posted by: jwd | Comments (0)

I may be doing an internship this summer, at which I will begin developing back-end support for my Flex applications using Cold Fusion.  I may be posting on that in the future, depending on how it goes.  I just wanted to document two resources I will be using along this process.

The first is The Smith Project, which is an open source Cold Fusion server.   There is a version that installs on Windows, one for Linux, and there’s also a WAR file that can be deployed on your J2EE server of choice.  I’ve installed it on an EC2 instance, but have been having a bit of trouble getting it configured (I need the Linux experience).

Download Smith binaries here
The second is CFEclipse, an Eclipse plugin that I have heard others speak very highly of.  I've installed it on my office computer, but haven't had time to try it out yet.  Here's the update site where Eclipse can find the plugin: http://www.cfeclipse.org/update.

We'll see how it goes.

Categories : Cold Fusion, EC2, Smith CF Server
Dec
01

Lab 5 : PHP and SOAP

Posted by: jwd | Comments (0)

The only SOAP requests I’ve ever made were made on the .NET platform. They’re not that much of a beast on .NET, but it wasn’t exactly a cake walk either. So I had been bracing myself for the worst trying to implement it in PHP.

I should explain that my lab 5 client connects to a PHP service that in turn makes the SQS requests, etc. I initially wanted to implement an SQS library in Actionscript (and probably will in the future when I’m not pressed by deadlines) but I decided it was too ambitious for the amount of time I wanted to spend on this lab. So alas, a PHP service also handles my SOAP request to WHOIS.

Anyway, I was expecting SOAP on PHP to be a seriously complex affair. Here’s my code that makes the request:

$client = new SOAPClient("http://www.webservicex.net/whois.asmx?WSDL");
$params = array('HostName' => $_GET['url']);
$whois = $client->GetWhoIS($params);

Granted, it would have required about 2 more lines if there wasn’t a URL to the WSDL, but it doesn’t get much simpler than that. I should mention that this requires that PHP SOAP be enabled (uncomment a line in your php.ini if you’re running Windows; recompile from source using ‘enable-soap’ if you’re running Linux). I didn’t have to recompile, thanks once again to Remi Collet (the French guy who has yum rpms for all this stuff, see my previous post).

Well, the SQS library I’m using is pretty old and doesn’t have a means of querying the queue for the number of messages. So, I thought I’d try sending a SOAP message to Amazon to get it. Amazon’s WSDL is a little more complex, and I probably could have gotten it to work if I wanted to play around with the messages for another hour or so. It turned out to be a miserable failure, and I resorted to my old tricks: (file_get_contents()) which worked perfectly. Here’s the code I used, which shows the query string needed to get the number of messages:

$timestamp = gmdate('Y-m-d\TH:i:s\Z');
$qs = "http://queue.amazonaws.com/A3N3IV5XJH079S/processing" .
  "?Action=GetQueueAttributes" .
  "&Attribute=ApproximateNumberOfMessages" .
  "&AWSAccessKeyId=[AMAZON_ACCESS_KEY]" .
  "&Version=2007-05-01" .
  "&Timestamp=" . urlencode($timestamp) .
  "&Signature=" . urlencode(constructSig('GetQueueAttributes' . $timestamp));
$response = file_get_contents($qs);

The constructSig is the same method I listed in a previous post.

Here are a few links that were helpful:
SQS Query and SOAP API
Getting SQS Attributes
SQS WSDL

Categories : Amazon Web Services, CS, CS 462, EC2, PHP, SOAP, SQS, Scalability, School, Virtualization, Web Services
Nov
10

SQS: Queue Length / Auth Signature

Posted by: jwd | Comments (0)

To get the queue length, as well as the visibility timeout, you make a request using the GetQueueAttributes action. The PHP library I’m using to make my calls to SQS doesn’t support this call (must have been written before the 2007-05-01 release of SQS) so my options are to find a new library, or to write my own function to do this.

I decided to try writing my own first, and while researching this I found something I was looking for while doing lab 4: how to compute the authorization header, or Signature.

The process is as follows: you take the query parameters and concatenate them all end to end (key preceding value). Don’t include the ?, &, or = signs. Then you calculate the HMAC-SHA1 signature of that string (using your secret access key). Then convert it to base64.

Here’s the example Amazon gives on their site.

The following request:

?Action=CreateQueue
&QueueName=queue2
&AWSAccessKeyId=0A8BDF2G9KCB3ZNKFA82
&SignatureVersion=1
&Expires=2007-01-12T12:00:00Z
&Version=2006-04-01

translates into the following string:

ActionCreateQueueAWSAccessKeyId0A8BDF2G9KCB3ZNKFA82Expires2007-01-12T12:00:00ZQueueNamequeue2SignatureVersion1Version2006-04-01

which when hashed with the secret key (fake-secret-key, used in this example) yields:

wlv84EOcHQk800Yq6QHgX4AdJfk=
(URL encoded version: wlv84EOcHQk800Yq6QHgX4AdJfk%3D)

I looked at my PHP library, and sure enough here are the methods that create the signature. They require the PEAR Crypt_HMAC package.

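// Both functions are methods of the library's SQS class, which holds $this->secretKey.
require_once 'Crypt/HMAC.php';  // PEAR Crypt_HMAC

// Convert a hex digest to raw bytes, then base64-encode the result.
function hex2b64($str) {
  $raw = '';
  for ($i=0; $i < strlen($str); $i+=2) {
    $raw .= chr(hexdec(substr($str, $i, 2)));
  }
  return base64_encode($raw);
}

// HMAC-SHA1 of $str keyed with the secret access key, base64-encoded.
function constructSig($str) {
  $hasher = new Crypt_HMAC($this->secretKey, "sha1");
  $signature = $this->hex2b64($hasher->hash($str));
  return($signature);
}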
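The whole procedure described above, from query parameters to signature, written as an added example with PHP's built-in hash_hmac() instead of PEAR Crypt_HMAC (this is not the library's code, and the function names are hypothetical). It also makes explicit a step that Amazon's example string only implies: the parameters are sorted by name, ignoring case, before they are concatenated.

```php
<?php
// Added example (not from the original post); function names are hypothetical.

// Signature version 1 string-to-sign: parameters sorted by name, ignoring case,
// then each name immediately followed by its value, with no separators.
function sqs_v1_string_to_sign(array $params) {
  unset($params['Signature']);           // the signature never signs itself
  uksort($params, 'strcasecmp');
  $s = '';
  foreach ($params as $name => $value) {
    $s .= $name . $value;
  }
  return $s;
}

// HMAC-SHA1 over that string with the secret access key, base64-encoded.
// hash_hmac(..., true) returns raw bytes, so no hex-to-binary step is needed.
function sqs_v1_signature(array $params, $secretKey) {
  $mac = hash_hmac('sha1', sqs_v1_string_to_sign($params), $secretKey, true);
  return base64_encode($mac);
}

// Receiving side: recompute the signature and compare in constant time.
function sqs_v1_verify(array $params, $secretKey) {
  if (!isset($params['Signature'])) {
    return false;
  }
  return hash_equals(sqs_v1_signature($params, $secretKey), (string) $params['Signature']);
}

// The request from Amazon's example above, in query-string order.
$request = array(
  'Action'           => 'CreateQueue',
  'QueueName'        => 'queue2',
  'AWSAccessKeyId'   => '0A8BDF2G9KCB3ZNKFA82',
  'SignatureVersion' => '1',
  'Expires'          => '2007-01-12T12:00:00Z',
  'Version'          => '2006-04-01',
);
echo sqs_v1_string_to_sign($request), "\n";
$request['Signature'] = sqs_v1_signature($request, 'fake-secret-key');
echo $request['Signature'], "\n";
var_dump(sqs_v1_verify($request, 'fake-secret-key'));
$request['QueueName'] = 'queue3';        // changed after signing
var_dump(sqs_v1_verify($request, 'fake-secret-key'));
```

Because names and values are joined without delimiters, different parameter sets can produce the same string to sign; AWS later replaced this scheme with newer signature versions.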
Categories : Amazon Web Services, CS, CS 462, EC2, PHP, SQS, Scalability, School, Virtualization
Copyright © 2010 All Rights Reserved