Tuesday Oct 27, 2009

Immutable Service Containers on OpenSolaris 2009.06

US AMI Details
AMI ID: ami-48c32021
AMI Manifest: sun-opensolaris-2009-06/ISC_hardened_opensolaris_2009.06_32_V_1.1.img.manifest.xml
AKI / ARI ID: aki-1783627e / ari-9d6889f4
License: Public

Europe AMI Details
AMI ID: ami-78567d0c
AMI Manifest: sun-opensolaris-2009-06-eu/ISC_hardened_opensolaris_2009.06_32_V_1.1.img.manifest.xml
AKI / ARI ID: aki-2181a955 / ari-b49fb7c0
License: Public

Description

Immutable Service Container configuration is intended to be used as a virtual single system. The global zone performs administrative and monitoring functions similar to those of a system controller whereas all end-user services and functions should be installed into the non-global zone. In this way, services such as packet filtering, NAT and auditing can operate without being exposed to services or users operating inside of the non-global zone. This enables greater operational integrity as those services and users are not able to alter the configurations or logs associated with these services. Additional non-global zones can be added as needed. This configuration uses a single exposed network interface and IP address for all of its communication even though internally the service is separated to run inside of its own non-global zone.

Organizations can further customize the configuration based upon their requirements to add things such as resource controls, read-only and read-write file systems (to the non-global zone), specific users and services, etc.

More Details

For detailed explanations on Immutable Service Container Configuration, Please Visit

Architecture Diagram

Europe Launch:

To run this AMI in Europe (AMI ID: ami-78567d0c), change the following environment variables before launching the AMI:

bash # export EC2_URL="https://eu-west-1.ec2.amazonaws.com"
bash # export LOCATION="EU"

The other env variables remain the same as documented in the getting started guide.

NOTE: A unique <your-keypair-name> must be generated for each region before launching an AMI. (Use ec2-add-keypair <name> > keypairfile after setting the above env variables.)

Documentation

Support

  • Register at http://www.sun.com/third-party/global/amazon/ to receive the latest news on OpenSolaris AMIs.
  • For technical support during the Beta period, please send email to ec2-solaris-support[AT]SUN[DOT]COM.
  • The AMP Stack components within OpenSolaris are delivered as part of the WebStack project. For any questions related to these components, please write to webstack-discuss[AT]opensolaris[DOT]org.

Tuesday Sep 01, 2009

Drupal with AMP Stack AMI built on Hardened Security OpenSolaris 2008.11 AMI

AMI ID: ami-d9ee0eb0
AMI Manifest: sun-opensolaris-2008-11-hardened/hardened_2008.11_32_AMP_Drupal_V1.1.img.manifest.xml
AKI/ARI ID: aki-6552b60c / ari-6452b60d
License: Public

Description:

Sun Microsystems Inc. is pleased to announce the release of Drupal AMI with AMP Stack based on Hardened OpenSolaris 2008.11 AMI on Amazon EC2's cloud computing service. 

This 32-bit AMI gives you the power and security of OpenSolaris combined with the flexibility of Amazon's cloud computing service, and is optimized for Amazon EC2's cloud computing environment.


The following components are included in the AMI:
  • Drupal 6.10 (pre-configured state) 
  • Apache 2.2, MySQL 5.0 
  • PHP 5.2 (along with extensions like APC, DTrace, Suhosin, Memcache) runtime 
  • phpMyAdmin for administering the MySQL database
  • OpenSolaris AMI Hardening update.  For Hardening Details, please visit  http://wikis.sun.com/display/ISC/OpenSolaris+AMI+Hardening

Configurations:

  • Drupal (bundled within this AMI in pre-configured state) is available under location /var/drupal-6.10
  • Drupal specific configuration for Apache Web Server is available within /etc/apache2/2.2/conf.d/drupal.conf.
  • Users can launch and configure Drupal by accessing http://<DNS name associated with the instance> in their browser.
  • Apache and MySQL services are pre-configured to start on boot.
  • If you would like to use phpMyAdmin, you will need to do the following:

      # cp /etc/apache2/2.2/samples-conf.d/phpmyadmin.conf /etc/apache2/2.2/conf.d/
      # svcadm restart http:apache22

  • Drupal recommends that a database protected with a valid user name and password be created on the system before Drupal is configured. Users are therefore advised to create such a database, either by logging in to the AMI with 'ssh' or by using phpMyAdmin, before proceeding to configure Drupal.
  • DTrace probes are available within the Apache and PHP runtimes. Sample DTrace scripts are available under /opt/DTT/

For more details on security information and image usage instructions, please refer to the '/root/ec2sun/README' file.


AMP Stack File Layouts


                            Apache                PHP               MySQL
Binary Runtime Files        /usr/apache2/2.2/bin  /usr/php/5.2/bin  /usr/mysql/5.0/bin
Configuration Files         /etc/apache2/2.2      /etc/php/5.2      /etc/mysql/5.0
Web Documents / Data Files  /var/apache2/2.2      /var/php/5.2      /var/mysql/5.0

Administering AMP Stack

Command          Apache                        MySQL
Start Service    svcadm enable http:apache22   svcadm enable mysql:version_50
Stop Service     svcadm disable http:apache22  svcadm disable mysql:version_50
Restart Service  svcadm restart http:apache22  svcadm restart mysql:version_50


You can reset the MySQL 'root' password by running the following command:

# /usr/mysql/5.0/bin/mysqladmin -u root -p password '<MySQL password>'

It is highly recommended to secure your MySQL database by following the guidelines mentioned within the MySQL 5 database documentation:

The root file system is ZFS in this AMI and includes the pre-installed packages and tools necessary to get started with using OpenSolaris on Amazon EC2. You can obtain more details about the OpenSolaris project at http://www.opensolaris.org.

Also, just like in our previous AMIs, the "pkg image-update" command updates the kernel and ramdisk which is not allowed in Amazon EC2. Therefore, in order to prevent your instances from becoming non-compatible with the Amazon EC2 environment, we have disabled this command.

More details including re-bundling instructions can be found in the Getting Started Guide



Support:

For technical support during the Beta period, please contact ec2-solaris-support[AT]SUN[DOT]COM.

Please check OpenSolaris on Amazon EC2 blog for latest updates and new information about OpenSolaris AMIs.

The "OpenSolaris on Amazon EC2 Getting Started Guide" is located at:
http://www.sun.com/third-party/global/amazon/Sun_AmazonEC2_GettingStartedGuide.pdf


Register for OpenSolaris AMIs here.


Friday Aug 14, 2009

Hardened OpenSolaris 2009.06 on Amazon EC2 Released

AMI ID: ami-e56e8f8c
AMI Manifest: sun-opensolaris-2009-06/hardened_opensolaris_2009.06_32_1.2.img.manifest.xml
AKI/ARI ID: aki-1783627e / ari-9d6889f4
License: Public

Description:

Sun Microsystems Inc. is pleased to announce the release of Hardened OpenSolaris 2009.06 on Amazon EC2's cloud computing service. This 32-bit AMI gives you the power and security of OpenSolaris combined with the flexibility of Amazon's cloud computing service, and is optimized for Amazon EC2's cloud computing environment.

The OpenSolaris system configuration has been adjusted to comply with the recommendations published by Sun and the Center for Internet Security, a non-profit organization chartered to develop and encourage widespread use of security configuration benchmarks developed through a global consensus process involving participants from academia, industry and government. 

Working together for more than six years, Sun and the Center for Internet Security have consistently developed best-in-class, supportable and complete security hardening guidance for the Solaris operating system.

The latest version developed for the Solaris 10 operating system was completed with substantial contributions from Sun, CIS, the U.S. National Security Agency (NSA), as well as the U.S. Defense Information Systems Agency (DISA).

Building upon this foundation, Sun and the Center for Internet Security collaborated to adapt the security recommendations published in the Solaris 10 Benchmark to the OpenSolaris operating system and document those changes specific to virtual machine images such as those available on Amazon EC2. 

All of the specific changes made to the base OpenSolaris 2009.06 AMI are discussed on the Sun OpenSolaris AMI Hardening Wiki : http://wikis.sun.com/display/ISC/OpenSolaris+Security+Hardening

For more information on the Center for Internet Security's Solaris 10 Benchmark, see:
http://www.cisecurity.org/bench_solaris.html

New features introduced with this latest release of Hardened Security AMI are "Encrypted swap memory" and "auditing".

More information on "Encrypted Swap Memory" feature is available at
http://blogs.sun.com/gbrunett/entry/encrypted_swap_in_opensolaris_2009 


This project is affiliated with the Immutable Service Container project whose goal is to develop security reinforced virtual machine images. The Immutable Service Container project developed the code used by this AMI to implement hardening, encrypted swap and auditing.  Additional information regarding Immutable Service Containers can be found at:
http://kenai.com/projects/isc/pages/OpenSolaris


The root file system is ZFS in this AMI and includes the pre-installed packages and tools necessary to get started with using OpenSolaris on Amazon EC2. You can obtain more details about the OpenSolaris project at http://www.opensolaris.org.

Also, just like in our previous AMIs, the "pkg image-update" command updates the kernel and ramdisk which is not allowed in Amazon EC2. Therefore, in order to prevent your instances from becoming non-compatible with the Amazon EC2 environment, we have disabled this command.

More details including re-bundling instructions can be found in the Getting Started Guide.

Rebundling Changes:

You must disable auditing during re-bundling. You can execute the following commands in your clean-up tasks before executing the "ec2-bundle-image" command.

bash # audit -t
bash # > /var/log/auditlog
bash # rm -f /var/audit/*

This AMI introduces a new ARI (ari-9d6889f4). Make sure you use the correct ARI with the "ec2-bundle-image" command, as given below.

bash # ec2-bundle-image -c $EC2_CERT -k $EC2_PRIVATE_KEY \
 --kernel aki-1783627e --ramdisk ari-9d6889f4 \
 --block-device-mapping "root=rpool/56@0,ami=0,ephemeral0=1" \
 --user <userid> --arch i386 \
 -i $DIRECTORY/$IMAGE -d $DIRECTORY/parts

After re-bundling, you can restart the audit daemon on the instance where you temporarily disabled it with the following command.

bash # audit -s
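
The re-bundling steps above, combined into one script so that auditing is switched back on even when the bundle step fails. This is an added example, not part of the original post or Sun's tooling; the function names, the DRY_RUN switch and the EC2_USER_ID variable (standing in for <userid>) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Sun's tooling. DRY_RUN=1 (the default) only records each
# step in $PLAN; set DRY_RUN=0 on the instance to execute the steps for real.
DRY_RUN="${DRY_RUN:-1}"
PLAN=""

# Record a step and, unless this is a dry run, execute it.
step() {
    PLAN="${PLAN}$*;"
    if [ "$DRY_RUN" = "1" ]; then return 0; fi
    "$@"
}

# The bundle command from the post. EC2_USER_ID is an assumed variable
# standing in for the <userid> placeholder.
bundle_image() {
    step ec2-bundle-image -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY" \
        --kernel aki-1783627e --ramdisk ari-9d6889f4 \
        --block-device-mapping "root=rpool/56@0,ami=0,ephemeral0=1" \
        --user "$EC2_USER_ID" --arch i386 \
        -i "$DIRECTORY/$IMAGE" -d "$DIRECTORY/parts"
}

# rebundle [bundle-function]: clean up, bundle, then restart auditing no
# matter how the bundle step ended. Returns the bundle step's exit status.
rebundle() {
    bundle="${1:-bundle_image}"
    PLAN=""
    step audit -t || return 1                # stop the audit daemon
    step sh -c ': > /var/log/auditlog'       # empty the audit log
    step sh -c 'rm -f /var/audit/*'          # remove audit trail files
    status=0
    "$bundle" || status=$?
    step audit -s || status=1                # auditing back on, even on failure
    return "$status"
}

# Run the procedure (or plan it, in a dry run) and print the steps, one per line.
rebundle && printf '%s' "$PLAN" | tr ';' '\n'
```

With DRY_RUN left at its default the script only prints the planned steps, which makes it easy to check the kernel and ramdisk IDs before running it for real.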


Support:

Sunday May 31, 2009

Hardened OpenSolaris 2008.11 on Amazon EC2 Released

AMI ID: ami-35ac4a5c
AMI Manifest: sun-opensolaris-2008-11-hardened/hardened_2008.11_32_4.0.img.manifest.xml
AKI/ARI ID: aki-6552b60c / ari-6452b60d
License: Public

Description:

Sun Microsystems Inc. is pleased to announce the release of Hardened OpenSolaris 2008.11 on Amazon EC2's cloud computing service. This 32-bit AMI gives you the power and security of OpenSolaris combined with the flexibility of Amazon's cloud computing service, and is optimized for Amazon EC2's cloud computing environment.

The OpenSolaris system configuration has been adjusted to comply with the recommendations published by Sun and the Center for Internet Security, a non-profit organization chartered to develop and encourage widespread use of security configuration benchmarks developed through a global consensus process involving participants from academia, industry and government.

Working together for more than six years, Sun and the Center for Internet Security have consistently developed best-in-class, supportable and complete security hardening guidance for the Solaris operating system.

The latest version developed for the Solaris 10 operating system was completed with substantial contributions from Sun, CIS, the U.S. National Security Agency (NSA), as well as the U.S. Defense Information Systems Agency (DISA).

Building upon this foundation, Sun and the Center for Internet Security collaborated to adapt the security recommendations published in the Solaris 10 Benchmark to the OpenSolaris operating system and document those changes specific to virtual machine images such as those available on Amazon EC2. 

All of the specific changes made to the base OpenSolaris 2008.11 AMI are discussed on the Sun OpenSolaris AMI Hardening Wiki : http://wikis.sun.com/display/ISC/OpenSolaris+AMI+Hardening

For more information on the Center for Internet Security's Solaris 10 Benchmark, see:
http://www.cisecurity.org/bench_solaris.html

The root file system is ZFS in this AMI and includes the pre-installed packages and tools necessary to get started with using OpenSolaris on Amazon EC2. You can obtain more details about the OpenSolaris project at http://www.opensolaris.org.

Also, just like in our previous AMIs, the "pkg image-update" command updates the kernel and ramdisk which is not allowed in Amazon EC2. Therefore, in order to prevent your instances from becoming non-compatible with the Amazon EC2 environment, we have disabled this command.

More details including re-bundling instructions can be found in the Getting Started Guide.


Support:

For technical support during the Beta period, please contact ec2-solaris-support[AT]SUN[DOT]COM.

Please check OpenSolaris on Amazon EC2 blog for latest updates and new information about OpenSolaris AMIs.

The "OpenSolaris on Amazon EC2 Getting Started Guide" is located at:
http://www.sun.com/third-party/global/amazon/Sun_AmazonEC2_GettingStartedGuide.pdf


Register for OpenSolaris AMIs here.

About

Information about Solaris and OpenSolaris on Amazon Web Services (AWS) EC2. Look here for the latest information on the program and any late breaking information on (Open)Solaris on EC2.
