How to reduce AWS EBS root volume size

Jephe Wu - http://linuxtechres.blogspot.com

Objective:  reduce the AWS EBS root volume size from 8G to 4G since file system only used less than 3G.
Environment:  Amazon Linux AMI 2015.03 (HVM), SSD Volume Type - ami-fd9cecc7, t2.macro instance type with 8G gp EBS volume as root volume (default creation steps with launch instance wizard)

Diagram

original instance: jephe-base, with 8G ebs root volume, need to shrink it to 5G 
lab1 instance: used for the whole shrink process test
ebs volume 'source': created from snapshot of root volume from original instance.
ebs volume 'dest':  manually created new volume with 5G 



Steps:
1.  create another small instance named lab1
Amazon Linux AMI 2015.03 (HVM), SSD Volume Type - ami-fd9cecc7 , t2.macro, 8G gp ebs volume.

2.  make snapshot backup and create volume from it
stop the original base instance, detach its 8G volume, make snapshot of it, then create test volume named 'source' from snapshot, so we can work on the source volume instead of original base volume 

3. create another new volume named 'dest' with expected size (5g) and within same AZ as instance lab1
Note: the actual file system size of base volume must be less than 5G

4. attach volume F and G to small instance lab1 as /dev/xvdf and /dev/xvdg respectively
so the Linux OS will see /dev/xvdf, /dev/xvdf1 and /dev/xvdg as follows

5. while lab1 instance is running, attach both volume source and dest to it as /dev/sdf and /dev/sdg.

[ec2-user@ip-10-0-11-185 ~]$ more /proc/partitions
major minor  #blocks  name

 202        0    8388608 xvda
 202        1    8386543 xvda1
 202       80    8388608 xvdf
 202       81    8386543 xvdf1
 202       96    5242880 xvdg


6. fsck and resize2fs to minimum 

[root@ip-10-0-11-185 mnt]# e2fsck -f /dev/xvdf1
e2fsck 1.42.12 (29-Aug-2014)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/: 38013/524288 files (0.2% non-contiguous), 606002/2096635 blocks

[root@ip-10-0-11-185 mnt]# resize2fs -M -p /dev/xvdf1
resize2fs 1.42.12 (29-Aug-2014)
Resizing the filesystem on /dev/xvdf1 to 944604 (4k) blocks.
Begin pass 2 (max = 139004)
Relocating blocks             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 3 (max = 64)
Scanning inode table          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 4 (max = 4518)
Updating inode references     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/xvdf1 is now 944604 (4k) blocks long.

[root@ip-10-0-11-185 mnt]# resize2fs -M -p /dev/xvdf1
resize2fs 1.42.12 (29-Aug-2014)
Resizing the filesystem on /dev/xvdf1 to 940777 (4k) blocks.
The filesystem on /dev/xvdf1 is now 940777 (4k) blocks long.

[root@ip-10-0-11-185 mnt]# resize2fs -M -p /dev/xvdf1
resize2fs 1.42.12 (29-Aug-2014)
Resizing the filesystem on /dev/xvdf1 to 940770 (4k) blocks.
The filesystem on /dev/xvdf1 is now 940770 (4k) blocks long.

7. calculate the actual file system size after resize2fs -M, round it up a bit to 300
[root@ip-10-0-11-185 mnt]# echo "scale=5; 940770*4/(1024*16)" | bc
229.68017

8.  make partition for /dev/xvdg by fdisk
[root@ip-10-0-11-185 mnt]# fdisk /dev/xvdg
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xaa83e894.

Command (m for help): p

Disk /dev/xvdg: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xaa83e894

    Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-10485759, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759):
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): wq
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@ip-10-0-11-185 mnt]# fdisk -l /dev/xvdg

Disk /dev/xvdg: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xaa83e894

    Device Boot      Start         End      Blocks   Id  System
/dev/xvdg1            2048    10485759     5241856   83  Linux

[root@ip-10-0-11-185 mnt]# cat /proc/partitions 
major minor  #blocks  name

 202        0    8388608 xvda
 202        1    8386543 xvda1
 202       80    8388608 xvdf
 202       81    8386543 xvdf1
 202       96    5242880 xvdg
 202       97    5241856 xvdg1

9.  use dd to copy file system 
[root@ip-10-0-11-185 mnt]# dd if=/dev/xvdf1 of=/dev/xvdg1 bs=16M count=230 
230+0 records in
230+0 records out
3858759680 bytes (3.9 GB) copied, 113.625 s, 34.0 MB/s

Note: you can run kill -USR1 pidofdd from another terminal to get the dd progress

10. mount /dev/xvdg1 to /mnt/g and bind mount /dev to /mnt/g/dev 

[root@ip-10-0-11-185 mnt]# mount /dev/xvdg1 g
[root@ip-10-0-11-185 mnt]# cd g
[root@ip-10-0-11-185 g]# ls
bin  boot  dev  etc  home  lib  lib64  local  lost+found  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var

[root@ip-10-0-11-185 g]# mount --bind /dev /mnt/g/dev/


11. install grub on /dev/xvdg

[root@ip-10-0-11-185 g]# chroot .
[root@ip-10-0-11-185 /]# ls
bin  boot  dev  etc  home  lib  lib64  local  lost+found  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
[root@ip-10-0-11-185 /]# grub
Probing devices to guess BIOS drives. This may take a long time.


    GNU GRUB  version 0.97  (640K lower / 3072K upper memory)

 [ Minimal BASH-like line editing is supported.  For the first word, TAB
   lists possible command completions.  Anywhere else TAB lists the possible
   completions of a device/filename.]
grub> find /boot/grub/stage1
find /boot/grub/stage1
 (hd0,0)
 (hd1,0)
 (hd2,0)
grub> root (hd2,0)
root (hd2,0)
 Filesystem type is ext2fs, partition type 0x83
grub> setup (hd2)
setup (hd2)
 Checking if "/boot/grub/stage1" exists... yes
 Checking if "/boot/grub/stage2" exists... yes
 Checking if "/boot/grub/e2fs_stage1_5" exists... yes
 Running "embed /boot/grub/e2fs_stage1_5 (hd2)"...  29 sectors are embedded.
succeeded
 Running "install /boot/grub/stage1 (hd2) (hd2)1+29 p (hd2,0)/boot/grub/stage2 /boot/grub/grub.conf"... succeeded
Done.
grub> quit
quit
[root@ip-10-0-11-185 /]# exit
exit
[root@ip-10-0-11-185 g]# cd /

[root@ip-10-0-11-185 /]# umount /mnt/g/dev
[root@ip-10-0-11-185 /]# umount /mnt/g/
[root@ip-10-0-11-185 /]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda1      7.8G  919M  6.8G  12% /
devtmpfs        490M   72K  490M   1% /dev
tmpfs           499M     0  499M   0% /dev/shm


[root@ip-10-0-11-185 ec2-user]# e2fsck -f /dev/xvdg1
e2fsck 1.42.12 (29-Aug-2014)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/: 38013/237568 files (0.3% non-contiguous), 587515/940770 blocks

Now stop instance lab1, detach all 3 volumes including os base volume for lab1, attach dest volume to lab1 with root device as /dev/xvda. start up instance lab1 again to make sure it can start up successfully.

Now, stop test instance lab1, detach volume named 'dest' , stop original instance and detach its volume,  attach volume 'dest' to original instance to start up.

Note: during ec2 instance startup, it will automatically resize file sytem to the maximum.

Here is the df -h result after startup the 'dest' volume with original instance jephe-base.

[root@ip-172-31-13-17 ec2-user]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda1      4.8G  2.2G  2.7G  46% /
devtmpfs        490M   56K  490M   1% /dev
tmpfs           499M     0  499M   0% /dev/shm



How to create AWS NAT and Bastion Hosts in VPC

Jephe Wu - http://linuxtechres.blogspot.com


Objective:  Use VPC wizard to create public and private subnets in different AZ and use NAT service for private subnets and access servers on private subnets through bastion host.

Steps:


1. Use VPC wizard to create required subnets.


We will create the following VPC network and subnets:
10.0.0.0/16 with subnets:

10.0.0.0/24 public subnet A in ap-southeast-2a with Elastic IP 1 hosting company web server and NAT box
10.0.1.0/24 private subnet C in ap-southeast-2a  hosting SQL server, access Internet through NAT box in public subnet A
10.0.10.0/24 public subnet B in ap-southeast-2b with Elastic IP 2 hosting a bostion server which is Windows 2008 R2 base OS, jumphost for accessing SQL server in subnet C
10.0.11.0/24 private subnet D in ap-southeast-2b hosting other servers or applications, accessing Internet through NAT box in public subnet A


Above wizard will only create subnet A and C and NAT box. 
After that, follow normal procedure to create Internet facing web server instance with elastic IP and automatic assigned or manually specified private IP e.g. 10.0.0.104/24

Eventually, we need to create 2 more subnet in another AZ manually to make it like this:

Network Diagram:
----Internet --- public subnet A (with 10.0.0.0/24)  --- private subnet C ( with 10.0.1.0/24)  [ ap-southeast-2a ]
----Internet ----pubic subnet B  (with 10.0.10.0/24) ---- private subnet D  (with 10.0.11.0/24) [ ap-southeast-2b ]
          

2. Configure NAT box
After finishing wizard, the NAT is up and running, you still need to configure the following to make it as masquerading NAT box for your entire VPC network 10.0.0.0/16, by default, it only allow the outbound Internet traffic.

  • check security group configuration of NAT box instance, by default, it doesn't allow the entire VPC 10.0.0.0/16 for incoming traffic which will block Internet access for all private subnets.
Also, check other settings such as disable src/destination check, the routing table for private subnet hosts routing table (must be pointing to NAT box ENI).

You can also ssh into NAT box from Internet to check iptables rules and ip forwarding:

[root@ip-10-0-0-104 ec2-user]# iptables -L -v -n -t nat | grep 10.0
  531 31715 MASQUERADE  all  --  *      eth0    10.0.0.0/16          0.0.0.0/0 

[root@ip-10-0-0-104 ec2-user]# more /proc/sys/net/ipv4/ip_forward
1

[root@ip-10-0-0-104 ec2-user]# grep nameserver /etc/resolv.conf 
nameserver 10.0.0.2

2.1 use NAT instance as port forwarding for RDS instance (e.g. to RDS Postgres)
Firstly make sure from Nat box e.g 10.0.20.254, you can telnet to e.g. 10.0.23.114 port 5432, then run commands below on NAT box
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 5432 -j DNAT --to 10.0.23.114:5432
iptables -A FORWARD -p tcp -d 10.0.23.114 --dport 5432 -j ACCEPT (might be optional)
iptables -A POSTROUTING -t nat -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 5432 -j SNAT --to 10.0.20.254
Note: 10.0.23.114 is the RDS internal ip and 10.0.20.254 is NAT internal ip 
Now add the external application ip into the NAT box security group to allow connection.

3. Configure Bostion Windows Server in public subnet C

Create another 2 more subnets C and D in another AZ ap-southeast-2b,  replace public subnet C routing table from ENI of NAT box to igw so that we can access it from Internet as jumphost.


4. Create SQL server database host in private subnet B
configure security group setting to only allow the internal IP of Bostion Windows server or the whole private subnet 10.0.0.0/16.

Notes for security group:
You can also specify another security group groupid in the customer IP part to quote the same security group settings. 

For either Linux or Windows server, if you remove your current connection source IP from security group while you are on the servers, the existing connection will be still okay, but if you exit ssh/rdp, the new connection won't be able to make.