Atomic Secured Linux support for Amazon EC2

tomkerswill
Forum User
Posts: 40
Joined: Mon Mar 26, 2007 9:47 am


Hi

One of my clients recently paid for ASL on my recommendation. They've got a brand new EC2 instance they're running it on. It's running Amazon Linux, which I think is a supported configuration for ASL.

On the first install, the ASL installer bombs out (when updating RPM packages), saying

Error: Package: 1:kernel-2.6.29.6-1.art.i586 (asl-3.0)
Requires: mkinitrd

I've tried using the support / ticket system, but all I've got is a reply saying that I should contact Amazon directly to resolve the problem and to try and obtain a copy of mkinitrd from Amazon. Before I do that, does anyone have any info / experience with using Amazon Linux with ASL? Does it normally just work with the standard EC2 instance, or are there any tweaks that have to be done?

Support also mentioned a workaround, which is to bypass the kernel install. We'd definitely like to install the kernel if possible - especially if it's something that can be made to work with Amazon Linux.

My worry is there may be other dependency issues, even if Amazon are able to send me a mkinitrd package - so it would be great to have any feedback on how installation has gone, etc.

Thanks in advance for any help!

Tom
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Amazon is using a weirdly customized version of centos (or maybe rhel? scientific linux?). I'm not sure what they were trying to accomplish with a few of them... unless it was to break compatibility with all the folks out there that make apps for EL (enterprise linux) environments.

That mkinitrd doesn't exist at all... man.... that's bad. Presumably it's because you don't have a kernel under your control. I can understand that it's not relevant in certain environments where the kernel is not controllable (also very very bad) but it's such a small package & so many other things depend on it (initscripts....glibc... etc) I can only imagine that it was done because:
1) they like increasing their support costs
2) they haven't got any visibility into the way it interacts with other stuff.

Both don't bode well!

If I could put something together to convert that system to CentOS or something else would you be interested in that?
tomkerswill
Forum User
Posts: 40
Joined: Mon Mar 26, 2007 9:47 am


Hi Scott

Thanks for the reply! Yeah, it seems really odd. But for now, even if we can't get the hardened ASL kernel in place straightaway, it would be great to persevere with the install and see if it gets anywhere. I've done the "touch / skipkernel" and re-run the installer. That then seems to remove the dependency on mkinitrd. But I then get a further dependency issue, which is:

Error: Package: roadsend-php-libs-2.9.8-8.el5.art.i386 (asl-3.0)
Requires: libcurl.so.3
Error: Package: roadsend-php-libs-2.9.8-8.el5.art.i386 (asl-3.0)
Requires: libodbc.so.1

I think I was thrown a bit by the support response on the ticket system, because I'd thought that the Amazon Linux release was a supported configuration for ASL. Are there any walk-throughs for installing ASL with Amazon Linux, or something I can work through?

The CentOS option might be good - thanks. I have ASL running on other CentOS boxes on EC2, and they work fine, so I know that's a good solid configuration.

Thanks in advance,

Tom
tomkerswill
Forum User
Posts: 40
Joined: Mon Mar 26, 2007 9:47 am


Hi

Just a quick update to my previous post... It looks from the Amazon Linux release notes, that they have obsoleted mkinitrd in favour of dracut:

http://www.ramoonus.nl/2011/10/15/amazo ... -released/

Is there a way that ASL can support dracut instead? I have to say, I'm not really familiar with dracut. It looks like this change happened in the 2011.09 release of Amazon Linux.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Yeesh... they just went off the reservation there. Yes we support AMI.. and last time we checked 2011.09 was based on EL5 which did not use dracut (dracut is an EL6 component, which is where we support it).

Then you've got your libcurl and libodbc issues, those come from the curl and unixODBC packages respectively. Both of those come from the distro vendor and they're pretty important packages. They would absolutely break compatibility with atomic, epel, rpmforge, etc. You definitely need to report those up to Amazon as a problem.
tomkerswill
Forum User
Posts: 40
Joined: Mon Mar 26, 2007 9:47 am


Hi

I'm not sure if me reporting this to Amazon is going to make them go back to using mkinitrd or get us any closer to ASL being compatible with Amazon Linux again. Is there anything that my client can do for now, or is it better for them to request a refund for now and see if it can be made to work in future?

I think the ideal thing would be if you guys are able to get an instance running with the latest Amazon Linux, replicate the install problems and launch a discussion with them to try and get it resolved and working with the latest version. Would it be possible for you to do this and let me know when it's looking more hopeful?

I think if I report this to Amazon as a bug, they're just going to refer me straight back to you, saying that ASL isn't compatible with Amazon, whereas if you're able to talk directly to them as developers, you should be able to resolve it a lot more quickly.

Thanks in advance,

Tom
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

If this was strictly an atomic & asl integration issue, sure. We're talking about things like integration with EPEL (which they are saying they support) as well. I can't do anything about fixing that, and EPEL would rightly put this back at Amazon.

To make this more interesting, I do have access to AMI images at the same version that do not have this issue. So that begs the question... is the AMI version the thing that matters here? Is there some kind of out-of-band update channel going on? And if so, how are we as users of that environment to have high assurance that there won't be some kind of update that will break compatibility again?
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm


I thought Atomic didn't support EC2 at all because of the kernel problems?

From a support ticket
All we can say is it seems AWS is really slow, like there is something wrong with AWS. Our parent company works with a number of large Apple application developers (in the top 5) and of the 2 that used AWS they both moved off it. And neither of them was using modsecurity.

So all we can say is AWS is really slow, we would not recommend you use it. Scott's team spent several weeks looking into AWS, and it seems like it might be the older version of Xen they use and their older kernels:

Linux ip-10-32-81-223 2.6.18-xenU-ec2-v1.2 #2 SMP Wed Aug 19 09:04:38 EDT 2009 i686 i686 i386 GNU/Linux

A lot has changed since 2.6.18, and that kernel is missing a lot of the real time speed improvements too.

But we're open to ideas. The fact that apache itself without modsec is so slow tells us something is wrong with their builds, if you have any ideas we're all ears.
"It's not a mac. I run linux... I'm actually cool." - scott
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Except when you can.... AWS is super consistent like that :P
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


I thought Atomic didn't support EC2 at all because of the kernel problems?
We support it. Not sure what that quote has to do with not supporting it, we never said we don't support Amazon.

What we said is that EC2 is slow, on Amazon's kernel, and without modsecurity installed. You opened a case about Amazon being slow, and we can tell you that we have also seen that. If you want to use Amazon, please do, just know that they provide a much slower platform (significantly) than any other virtualization provider we have worked with and that it's repeatedly a slow platform without modsecurity, ASL, or anything from us installed. Slow enough in fact that our parent company had to move some large and popular Apple application developers off it (and they were not using ASL or modsecurity either).

It's just a slow platform.
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm


mikeshinn wrote: We support it. Not sure what that quote has to do with not supporting it, we never said we don't support Amazon.

What we said is that EC2 is slow, on Amazon's kernel, and without modsecurity installed. You opened a case about Amazon being slow, and we can tell you that we have also seen that. If you want to use Amazon, please do, just know that they provide a much slower platform (significantly) than any other virtualization provider we have worked with and that it's repeatedly a slow platform without modsecurity, ASL, or anything from us installed. Slow enough in fact that our parent company had to move some large and popular Apple application developers off it (and they were not using ASL or modsecurity either).

It's just a slow platform.
This still holds true in 2014?
CentOS 6.9
ASL 4.0.19-37