cloudsoft.io

AWS Marketplace

AMP is available in the AWS Marketplace, including a Free Trial subscription.

AMI usage

AMP is distributed as an AWS EC2 AMI built on Amazon Linux 2, configured for cloud performance and security.

Launch an instance from the AMP AMI in AWS Marketplace. For production, the recommended instance type for common workloads is m6a.large.

The "Launch through EC2" option is recommended because it gives more control over the server setup, such as choosing the appropriate private subnet or enabling a public IP so that you can reach AMP.

The instance requires a security group that accepts TCP traffic on ports 80 (http), 443 (https) and 22 (ssh). A source of 0.0.0.0/0 allows access from anywhere; use it only if your organisation does not require constraining access to the AMP node, and prefer restricting port 22 to your administrators' address ranges, since the SSH key pair gives root access through sudo.

To modify the default configuration you will need to connect to the instance over SSH, so provide a key pair at launch; it is used for the ec2-user account, which is a member of the sudoers group.

Cloudsoft AMP exposes a web interface over http and https. For https a self-signed certificate is provided, so a security warning in the browser is expected. You can replace it with a certificate for your own domain; step-by-step instructions can be found at HTTPS configuration.

Once the instance is running, use its public IP or the public DNS name shown in the AWS console to connect to AMP. The first start can take a couple of minutes, during which the browser shows an error. Once AMP has started, the browser shows a login form.

By default, the only username is admin and the password is the instance ID, e.g. i-0a852fd83f064e5f7. The instance ID is not a secret (anyone who can list instances in the account can see it), so change the password before the console is reachable from untrusted networks. It can be changed by editing the application files within the instance; see brooklyn.cfg for more information.

After creating the instance, if the controller is not reachable, try rebooting the instance to force the services to reload.

Accessing the VM via SSH

The key pair provided during instance creation lets you log in over ssh as the default Amazon Linux user, ec2-user, provided port 22 is reachable from your location.

ssh -i /path/to/my-aws-keypair.pem ec2-user@<instance-public-ip>

This user can run commands through sudo and therefore has full control of the system as root.

If you need or prefer to log in as the internal AMP user, amp, you must first assign it a shell with chsh. On Amazon Linux 2 chsh is provided by the util-linux-user package, so install that first:

sudo yum install -y util-linux-user
sudo chsh -s /bin/bash amp

You can then use su to switch to the amp user:

sudo su amp

Accessing AMP log files

The AMP log files can be found at /var/log/amp. To read them, connect to the AMP VM and access the files as either root or the amp user. See the section on accessing the VM for details.

For further information on the log files, including configuration, see the logging documentation.

Changing default configuration

There are a few settings that should be changed for production; they are listed below.

Admin password

AMP authentication and authorization are highly flexible. By default a single user, admin, is configured, with the EC2 instance ID as its password.

Like other core AMP settings, the password is defined in /etc/amp/brooklyn.cfg.

To replace it, change the value of the config key brooklyn.webconsole.security.user.admin.password:

From

brooklyn.webconsole.security.user.admin.password=${amp.admin.password}

To

brooklyn.webconsole.security.user.admin.password=<YOUR NEW PASSWORD>

It is also possible to avoid storing the password in plain text by using a hashed version, or to use an external credentials provider. Refer to the entitlement section of the documentation for details.
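The edit above is easy to get wrong by hand (leaving the placeholder in place, or leaving the clear-text password world-readable). As an added example, not Cloudsoft's own tooling, this script performs the replacement on brooklyn.cfg, verifies the default placeholder is gone, and removes world access from the file. The path and key name are from this page; the 12-character minimum, the accepted character set and the restart step are assumptions.

```shell
#!/bin/sh
# Added example (not Cloudsoft's code): set a new admin password in brooklyn.cfg
# and remove world access from the file. The path /etc/amp/brooklyn.cfg and the
# key name are from this page; the length rule and restart step are assumptions.
set -eu

CFG_KEY='brooklyn.webconsole.security.user.admin.password'

# True while the file still carries the default ${amp.admin.password} placeholder.
amp_admin_password_is_default() {
  grep -qF "${CFG_KEY}=\${amp.admin.password}" "$1"
}

# Replace (or add) the admin password line. Characters that are special in
# sed's replacement text (& | \) and whitespace are refused rather than
# half-escaped; set such passwords by editing the file directly.
set_amp_admin_password() {
  cfg="$1"; newpass="$2"
  [ "${#newpass}" -ge 12 ] || { echo "password shorter than 12 characters" >&2; return 1; }
  case "$newpass" in
    *[!A-Za-z0-9_.@:+=/!#%^-]*) echo "unsupported character in password" >&2; return 1 ;;
  esac
  key_re=$(printf '%s' "$CFG_KEY" | sed 's/\./\\./g')   # dots must be literal in the regex
  if grep -q "^${key_re}=" "$cfg"; then
    # write back through the existing inode so owner and mode are preserved
    sed "s|^${key_re}=.*|${CFG_KEY}=${newpass}|" "$cfg" > "$cfg.tmp" \
      && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
  else
    printf '%s=%s\n' "$CFG_KEY" "$newpass" >> "$cfg"
  fi
  chmod o-rwx "$cfg"   # the password is in clear text; keep other users away from it
  # Restart AMP afterwards so it reads the new value (the unit name is not given on this page).
}

# Usage: sudo sh -c '. ./this-script.sh; set_amp_admin_password /etc/amp/brooklyn.cfg "$NEW_PASSWORD"'
```

Run it as root via sudo, since /etc/amp/brooklyn.cfg is not writable by ec2-user directly, and pass the password through a variable rather than on a command line that ends up in shell history.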

Persistence state folder

By default, the persisted state is stored on the volume attached to the EC2 instance, so terminating the instance destroys that volume and the data on it. You can attach a separate volume, configure the instance to mount it and point AMP at it as its persistence store. The default path for the persisted state is /var/lib/amp. If you mount a new volume, you must move the existing data from the old file system yourself.
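The page leaves the move itself to you. As an added example (not Cloudsoft's procedure), the script below formats an attached, empty EBS volume, copies /var/lib/amp onto it while AMP is stopped, and mounts it in place by filesystem UUID so the fstab entry survives device renaming. It assumes AMP runs as a systemd unit named amp (not stated on this page; check with systemctl) and uses GNU coreutils as shipped with Amazon Linux 2.

```shell
#!/bin/sh
# Added example (not Cloudsoft's code): move AMP's persisted state to a
# dedicated EBS volume. Assumptions: the volume is attached and blank, the
# state lives in /var/lib/amp (from this page), and AMP is the systemd unit
# "amp" (assumed). Run as root.
set -eu

AMP_STATE=/var/lib/amp
AMP_UNIT=amp          # assumed; confirm with: systemctl list-units | grep -i amp
STAGING=/mnt/amp-state

# fstab entry keyed by UUID, not device name: NVMe names on EC2 can change
# between boots. nofail keeps the instance bootable if the volume is missing.
fstab_line() {
  uuid="$1"; mountpoint="$2"
  printf 'UUID=%s %s xfs defaults,nofail 0 2\n' "$uuid" "$mountpoint"
}

# Only format a real block device that carries no filesystem yet.
device_is_blank() {
  dev="$1"
  [ -b "$dev" ] || return 1
  [ -z "$(blkid -o value -s TYPE "$dev" 2>/dev/null)" ]
}

migrate_amp_state() {
  dev="$1"   # e.g. /dev/nvme1n1; find it with lsblk
  device_is_blank "$dev" || { echo "$dev is not a blank block device" >&2; return 1; }
  mkfs.xfs -q "$dev"
  uuid=$(blkid -o value -s UUID "$dev")
  mkdir -p "$STAGING"
  mount "$dev" "$STAGING"
  systemctl stop "$AMP_UNIT"             # stop first so the copied state is consistent
  cp -a "$AMP_STATE/." "$STAGING/"       # preserves owner, mode, xattrs and hidden files
  chown --reference="$AMP_STATE" "$STAGING"
  chmod --reference="$AMP_STATE" "$STAGING"
  umount "$STAGING"
  fstab_line "$uuid" "$AMP_STATE" >> /etc/fstab
  mv "$AMP_STATE" "$AMP_STATE.pre-migration"   # keep the old copy until AMP is verified
  mkdir "$AMP_STATE"
  mount "$AMP_STATE"                      # uses the fstab entry just added
  systemctl start "$AMP_UNIT"
}

# Usage: migrate_amp_state /dev/nvme1n1
```

After AMP comes back and the entities are visible in the console, remove /var/lib/amp.pre-migration. The old root volume still holds /etc/amp, so configuration changes are not covered by this move; the S3 option below avoids the volume entirely.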

Alternatively, the state can be stored in an object store such as AWS S3. Credentials for AMP to access S3 are provided as an AMP location in brooklyn.cfg, and that location is then set as the persistence location in org.apache.brooklyn.osgilauncher.cfg:

brooklyn.cfg: adding these lines creates a new location named amp-production-state

brooklyn.location.named.amp-production-state=aws-s3:<AWS REGION>
brooklyn.location.named.amp-production-state.identity=<AWS ACCESS KEY>
brooklyn.location.named.amp-production-state.credential=<AWS SECRET ACCESS KEY>

org.apache.brooklyn.osgilauncher.cfg

persistenceLocation=amp-production-state
persistenceDir=<S3 PREFIX>

Full documentation is available on Persistence.

Externalized configuration

The Marketplace instance includes a HashiCorp Vault service, enabled by default, and AMP is configured to connect to it.

Full documentation about the Vault integration can be found in the Externalized Configuration section.

To disable the Vault service on the instance, run sudo systemctl disable --now vault (disable alone only stops it starting at boot; --now also stops the running service), or uninstall it with sudo yum -y remove vault.