As part of this blog post, I want to share what I learned about AWS Systems Manager (previously AWS Simple Systems Manager, SSM) and how I configured it to manage and automatically patch a hybrid environment. The hybrid environment here is a single Raspberry Pi on my home network, running Ubuntu Server.
AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services, and then automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed instances and reporting on (or taking corrective action on) any policy violations it detects.
When your environment consists of servers and VMs running in the AWS cloud, in on-premises data centers and on small computers like a Raspberry Pi, it is difficult to manage them separately through multiple tools and interfaces. A single interface for both cloud and non-cloud servers reduces admin overhead and streamlines the process.
AWS Systems Manager provides that single interface to manage, administer and get operational insights from servers running in the AWS cloud and in on-premises / hybrid environments.
Systems Manager relies on the SSM Agent installed on each server. The agent is pre-installed on instances launched from certain AWS-provided AMIs; on on-premises servers and VMs in a hybrid environment it has to be installed, and registered with an activation, manually.
The solution involves the following steps:
- Create a Hybrid Activation in AWS Systems Manager. The activation is tied to an IAM service role whose trust policy grants the SSM service (ssm.amazonaws.com) AssumeRole permission; the console can create that role for you.
- Install and configure the SSM Agent on the Raspberry Pi running Ubuntu Server 20.04 so that the SSM service can communicate with the server.
- Optional: set up an Inventory association in AWS Systems Manager to collect information about the software and settings of a target set of managed instances.
- Configure Patch Manager in AWS Systems Manager to patch the managed instances automatically on a pre-configured schedule.
Since I am learning Linux administration, I have a Raspberry Pi set up with Ubuntu Server 20.04 on my home WiFi for this purpose. If you are interested in setting up the same, you can purchase a Raspberry Pi from here and use the step-by-step instructions here to install Ubuntu Server 20.04. I also set up the Ubuntu server to connect to my home WiFi. Since my home internet router uses DHCP reservations by default, the Ubuntu server always gets the same IP address when it connects to the WiFi network, so I need not worry about configuring a static IP separately.
- Log in to the AWS Console and navigate to AWS Systems Manager. Click Hybrid Activations, then Create an Activation.
- Enter an activation description and an instance limit (the maximum number of servers that may register with this activation). The activation also creates the IAM role AmazonEC2RunCommandForManagedInstances, whose trust policy grants AssumeRole permission to the SSM service.
- Successful creation returns an Activation Code and an Activation ID. Note both values; they are needed later to register the SSM Agent on the server. The code is displayed only once and should be handled like a credential.
- SSH into the Ubuntu server with your credentials and run the following commands to install the SSM Agent:
ubuntu@ubuntu:/$ mkdir /tmp/ssm
ubuntu@ubuntu:/$ curl https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_arm64/amazon-ssm-agent.deb -o /tmp/ssm/amazon-ssm-agent.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 29.6M  100 29.6M    0     0   675k      0  0:00:44  0:00:44 --:--:-- 1179k
Note: The Raspberry Pi is an ARM device, so you need the matching build of the agent: debian_arm64 for the 64-bit Ubuntu Server image (uname -m reports aarch64). Check the architecture with uname -m before downloading, because dpkg will refuse a package built for a different one.
ubuntu@ubuntu:/$ sudo dpkg -i /tmp/ssm/amazon-ssm-agent.deb
- Stop the SSM Agent and register it using the Activation Code and Activation ID noted in the previous step. The region must be the one in which the activation was created. Be aware that an activation code typed inline like this ends up in your shell history.
ubuntu@ubuntu:/$ sudo service amazon-ssm-agent stop
ubuntu@ubuntu:/$ sudo amazon-ssm-agent -register -code "ACTIVATION_CODE" -id "ACTIVATION_ID" -region "ap-southeast-2"
Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory
Initializing new seelog logger
New Seelog Logger Creation Complete
2021-10-16 22:54:14 WARN Could not read InstanceFingerprint file: InstanceFingerprint does not exist.
2021-10-16 22:54:14 INFO No initial fingerprint detected, generating fingerprint file...
2021-10-16 22:54:15 INFO Successfully registered the instance with AWS SSM using Managed instance-id: mi-001e234567890dd12
Note: The seelog error and the fingerprint warning are expected on a first registration: the agent falls back to its default logging configuration and generates a new fingerprint file. What matters is the final line confirming that the server has been registered, together with its managed instance ID (mi-...).
- Start the SSM agent
ubuntu@ubuntu:/$ sudo service amazon-ssm-agent start
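The install-and-register procedure above, collected into one script as an added example (this is not code from the original post or from AWS). It detects the architecture instead of hard-coding debian_arm64, verifies the package's detached GPG signature before installing it, refuses to add a .deb agent when the amazon-ssm-agent snap is already present, reads the activation code without echoing it so it stays out of shell history, and confirms the registration from the agent's own registration record. Assumptions not stated on the page: the AWS public key for SSM Agent packages has been copied from the AWS documentation into the file named by SSM_AGENT_PUBKEY, the signature is published next to the .deb with a .sig suffix (as the AWS signature-verification procedure describes), and the registration record is /var/lib/amazon/ssm/registration (root-readable, so run the final check with sudo).

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from AWS: install, verify and
# register the SSM Agent on a Debian/Ubuntu host as a Systems Manager hybrid node.
# Assumptions (not stated on the page): the AWS public key for SSM Agent packages
# has been saved to the file named by SSM_AGENT_PUBKEY, and the detached signature
# is published next to the .deb with a ".sig" suffix.
set -u

SSM_BASE_URL="https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest"
SSM_REGISTRATION_FILE="/var/lib/amazon/ssm/registration"   # assumed location of the agent's registration record

# Map uname -m output to the package directory AWS publishes. Unknown values fail
# instead of guessing, so a wrong-architecture .deb is never downloaded.
ssm_agent_pkg_dir() {
  case "$1" in
    x86_64)              echo "debian_amd64" ;;
    aarch64|arm64)       echo "debian_arm64" ;;   # 64-bit Ubuntu Server on a Pi 3/4
    armv6l|armv7l|armhf) echo "debian_arm" ;;     # 32-bit Raspberry Pi images
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

ssm_agent_url() {
  local dir
  dir="$(ssm_agent_pkg_dir "$1")" || return 1
  echo "${SSM_BASE_URL}/${dir}/amazon-ssm-agent.deb"
}

# Fetch the .deb and its detached signature; abort unless gpg accepts the signature
# with the AWS key. A bare "curl, then dpkg -i" trusts whatever the endpoint served.
ssm_agent_download_verified() {
  local url="$1" dest="$2"
  curl -fsSL "$url" -o "$dest"
  curl -fsSL "${url}.sig" -o "${dest}.sig"
  gpg --import "$SSM_AGENT_PUBKEY"
  gpg --verify "${dest}.sig" "$dest"
}

ssm_install() {
  # Ubuntu images that ship the agent as a snap must not get a second agent from the .deb.
  if command -v snap >/dev/null 2>&1 && snap list amazon-ssm-agent >/dev/null 2>&1; then
    echo "amazon-ssm-agent snap is already installed; use or remove it instead of adding the .deb" >&2
    return 1
  fi
  local url
  url="$(ssm_agent_url "$(uname -m)")" || return 1
  mkdir -p /tmp/ssm
  ssm_agent_download_verified "$url" /tmp/ssm/amazon-ssm-agent.deb
  sudo dpkg -i /tmp/ssm/amazon-ssm-agent.deb
}

# Register with the activation. The code is a credential: read it without echo
# rather than pasting it on the command line, where it lands in shell history.
ssm_register() {
  local code="${SSM_ACTIVATION_CODE:-}" id="${SSM_ACTIVATION_ID:-}" region="${AWS_REGION:-ap-southeast-2}"
  [ -n "$id" ]   || read -rp  "Activation ID: " id
  [ -n "$code" ] || { read -rsp "Activation code: " code; echo; }
  sudo service amazon-ssm-agent stop
  sudo amazon-ssm-agent -register -code "$code" -id "$id" -region "$region"
  sudo service amazon-ssm-agent start
}

# Confirm registration from the agent's own record: print the mi-... ID, or fail.
ssm_registered_id() {
  local file="${1:-$SSM_REGISTRATION_FILE}" id
  [ -r "$file" ] || return 1
  id="$(sed -n 's/.*"ManagedInstanceID" *: *"\([^"]*\)".*/\1/p' "$file")"
  case "$id" in
    mi-*) echo "$id" ;;
    *)    return 1 ;;
  esac
}

# Only run the full procedure when asked, so the file can be sourced for its helpers.
if [ "${SSM_RUN_INSTALL:-0}" = "1" ]; then
  ssm_install && ssm_register && ssm_registered_id
fi
```

Run it on the Pi with SSM_RUN_INSTALL=1 (optionally with SSM_ACTIVATION_ID and AWS_REGION exported; the code is prompted for). Without that variable the file can be sourced to use the helper functions on their own, for example to check the architecture mapping before downloading anything.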
Now the registered server appears in AWS Systems Manager --> Fleet Manager (earlier referred to as Managed instances), identified by its mi- managed instance ID.
AWS Systems Manager Inventory associations let you collect information about your instances and the software installed on them, helping you understand your system configurations and installed applications.
- From the AWS Systems Manager page, navigate to the Inventory section and choose Setup Inventory.
Leave the default settings.
Once the Inventory association is set up, it runs every 30 minutes to gather inventory from the managed instances, using the AWS Systems Manager document AWS-GatherSoftwareInventory. You can verify this in the State Manager section.
Once the status changes to Success, you can view more details from the Resources tab in State Manager section.
Information collected about the software and settings on the managed Ubuntu server are displayed in Inventory section.
AWS Systems Manager Patch Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances.
Using patch baselines, you can auto-approve selected categories of patches, such as OS or high-severity patches, so they are installed without manual review.
- From the AWS Systems Manager page, navigate to the Patch Manager section and choose Configure patching.
- Then define a maintenance window so that patches are only applied during preset times.
As you can see, AWS uses AWS-UbuntuDefaultPatchBaseline for patching the Ubuntu servers/instances. This is the default patch baseline for Ubuntu provided by AWS.
Systems Manager's maintenance window acts as the glue for all the components in Patch Manager.
In the background, Systems Manager uses Run Command (with the AWS-RunPatchBaseline document) to perform the patching task.
The patching task runs automatically at the preset time, and its details can be verified in the History section of the maintenance window.
Click on the View Output to see the task execution details.
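To cross-check what the View Output page reports, here is an added host-side check (not part of the original post) that reads the last apt transaction in /var/log/apt/history.log to list the packages that were actually upgraded, and tests for Ubuntu's /var/run/reboot-required flag, because a kernel or libc update that is installed but not yet booted still leaves the box running the old code. The apt history excerpt in the script is a constructed sample, not output from the author's Pi; the real paths are used when no argument is given.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: host-side checks to run after a
# Patch Manager maintenance window fires on an Ubuntu node.
set -u

# Package names from the Upgrade: line of the most recent apt transaction recorded
# in history.log (one per line, architecture suffix removed). Fails when the log is
# unreadable or holds no upgrade, so a silent no-op run is not mistaken for success.
apt_last_upgraded() {
  local log="${1:-/var/log/apt/history.log}" line
  [ -r "$log" ] || return 1
  line="$(awk '/^Upgrade:/ { l = $0 } END { if (l != "") { sub(/^Upgrade: */, "", l); print l } }' "$log")"
  [ -n "$line" ] || return 1
  printf '%s\n' "$line" \
    | sed 's/ ([^)]*)//g' \
    | tr ',' '\n' \
    | sed 's/^ *//; s/:[a-z0-9]*$//'
}

apt_upgraded_count() {
  apt_last_upgraded "${1:-}" | grep -c .
}

# Ubuntu creates /var/run/reboot-required when an installed package needs a reboot.
reboot_pending() {
  [ -e "${1:-/var/run/reboot-required}" ]
}

# Constructed sample of /var/log/apt/history.log (not real output): an earlier
# transaction, then the one a patch run would add. Versions are made up.
write_sample_apt_log() {
  cat >"$1" <<'EOF'
Start-Date: 2021-10-16  22:00:05
Commandline: apt-get install -y sudo
Requested-By: ubuntu (1000)
Upgrade: sudo:arm64 (1.8.31-1ubuntu1.2, 1.8.31-1ubuntu1.3)
End-Date: 2021-10-16  22:00:30

Start-Date: 2021-10-17  03:00:12
Commandline: apt-get -y upgrade
Upgrade: libssl1.1:arm64 (1.1.1f-1ubuntu2.8, 1.1.1f-1ubuntu2.9), openssl:arm64 (1.1.1f-1ubuntu2.8, 1.1.1f-1ubuntu2.9), linux-image-raspi:arm64 (5.4.0.1044.79, 5.4.0.1045.80)
End-Date: 2021-10-17  03:02:40
EOF
}

# Report on the real log and flag only when asked; sourcing the file just defines the helpers.
if [ "${PATCH_CHECK_RUN:-0}" = "1" ]; then
  echo "packages upgraded in the last apt run:"
  apt_last_upgraded || echo "  (none recorded)"
  if reboot_pending; then echo "reboot required: yes"; else echo "reboot required: no"; fi
fi
```

On the sample log the last transaction yields libssl1.1, openssl and linux-image-raspi, and the earlier sudo upgrade is correctly ignored; compare that list with the package list in the Run Command output, and schedule a reboot if the flag is set.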
Using the Patch Manager feature of AWS Systems Manager, I was able to patch the Ubuntu server on my home WiFi successfully, and to set up a maintenance window that repeats the activity at a preset time.
Apart from Patch Manager and Inventory, AWS Systems Manager also provides features like Incident Manager, Parameter Store, Automation, Run Command and OpsCenter, which I would like to explore in future blog posts.
Thanks for reading my blog. Please share your comments and feedback.