aws(学习笔记第十五课) 如何从灾难中恢复（recover）

aws(学习笔记第十五课)

• 如何从灾难中恢复

---

学习内容：

• 使用CloudWatch对服务器进行监视与恢复
• 区域(region)，可用区(available zone)和子网(subnet)
• 使用自动扩展(AutoScalingGroup)

---

1. 使用CloudWatch对服务器进行监视与恢复

1. 整体架构
   这里模拟Jenkins Server在灾难时候，可以由AWS Cloudwatch Alarm监视到，之后将其recover。
   在这里，elastic ip定义了，并且将其指向了Jenkins Server。为什么平时没有使用elastic ip，这里特意使用它呢。
   因为默认如果让AWS自动配置给ec2的internet ip，都是临时的ip，每次ec2实例重启了之后，都会重新分配ip。但是作为Jenkins Server来使用，并且一旦从灾难中recover之后，ip address变化的话，运用起来将会特别不方便。

2. 代码解析

• 代码

  {"AWSTemplateFormatVersion": "2010-09-09","Description": " (Jenkins (CI server) running on EC2 with AWS CloudWatch recovery)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"JenkinsAdminPassword": {"Description": "Password for Jenkins admin user","Type": "String","AllowedPattern" : "[a-zA-Z0-9]*","MinLength" : "8","MaxLength" : "42"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"VPC": {"Type": "AWS::EC2::VPC","Properties": {"EnableDnsSupport": "true","EnableDnsHostnames": "true","CidrBlock": "10.0.0.0/16","Tags": [{"Key": "Name","Value": "jenkins-recovery"}]}},"Subnet": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.0.0/24","Tags": [{"Key": "Name","Value": "jenkins-recovery"}]}},"InternetGateway": {"Type": "AWS::EC2::InternetGateway","Properties": {"Tags": [{"Key": "Name","Value": "jenkins-recovery"}]}},"GatewayToInternet": {"Type": "AWS::EC2::VPCGatewayAttachment","Properties": {"VpcId": {"Ref": "VPC"},"InternetGatewayId": {"Ref": "InternetGateway"}}},"RouteTable": {"Type": "AWS::EC2::RouteTable","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-recovery"}]}},"InternetRoute": {"Type": "AWS::EC2::Route","Properties": {"RouteTableId": {"Ref": "RouteTable"},"DestinationCidrBlock": "0.0.0.0/0","GatewayId": {"Ref": "InternetGateway"}},"DependsOn": "GatewayToInternet"			},"RouteTableAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "Subnet"},"RouteTableId": {"Ref": "RouteTable"}}},"NetworkAcl": {"Type": "AWS::EC2::NetworkAcl","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-recovery"}]}},"NetworkAceSSH": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "22","To": "22"}}},"NetworkAceJenkinsHTTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "11","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "8080","To": "8080"}}},"NetworkAceNTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "20","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "123","To": "123"}}},"NetworkAceICMP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "30","Protocol": "1","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","Icmp": {"Code": "-1","Type": "-1"}}},"NetworkAceHighPortsTCP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "40","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceHighPortsUDP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "41","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceEgress": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "-1","RuleAction": "allow","Egress": "true","CidrBlock": "0.0.0.0/0","PortRange": {"From": "0","To": "65535"}}},"NetworkAclAssociation": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "Subnet"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "SecurityGroupforjenkins","VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-recovery"}],"SecurityGroupIngress": [{"IpProtocol": "tcp","FromPort": "22","ToPort": "22","CidrIp": "0.0.0.0/0"},{"IpProtocol": "tcp","FromPort": "8080","ToPort": "8080","CidrIp": "0.0.0.0/0"},{"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}]}},"ElasticIP": {"Type": "AWS::EC2::EIP","Properties": {"InstanceId": {"Ref": "Server"},"Domain": "vpc"},"DependsOn": "GatewayToInternet"},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"},"UserData": {"Fn::Base64": {"Fn::Join": ["", ["#!/bin/bash -ex\n","wget http://pkg.jenkins-ci.org/redhat/jenkins-1.616-1.1.noarch.rpm\n","rpm --install jenkins-1.616-1.1.noarch.rpm\n","sed -i -e 's/JENKINS_ARGS=\\\"\\\"/JENKINS_ARGS=\\\"--argumentsRealm.passwd.admin=", {"Ref": "JenkinsAdminPassword"}, " --argumentsRealm.roles.admin=admin\\\"/g' /etc/sysconfig/jenkins\n","echo \"<?xml version='1.0' encoding='UTF-8'?><hudson><version>1.0</version><useSecurity>true</useSecurity><authorizationStrategy class=\\\"hudson.security.FullControlOnceLoggedInAuthorizationStrategy\\\"/><securityRealm class=\\\"hudson.security.LegacySecurityRealm\\\"/></hudson>\" > /var/lib/jenkins/config.xml\n","service jenkins start\n"]]}},"Tags": [{"Key": "Name","Value": "jenkins-recovery"}]},"DependsOn": "GatewayToInternet"},"RecoveryAlarm": {"Type": "AWS::CloudWatch::Alarm","Properties": {"AlarmDescription": "Recover server when underlying hardware fails.","Namespace": "AWS/EC2" ,"MetricName": "StatusCheckFailed_System","Statistic": "Minimum","Period": "60","EvaluationPeriods": "5","ComparisonOperator": "GreaterThanThreshold","Threshold": "0","AlarmActions": [{"Fn::Join": ["", ["arn:aws:automate:", { "Ref": "AWS::Region"}, ":ec2:recover"]]}],"Dimensions": [{"Name": "InstanceId", "Value": {"Ref": "Server"}}]}}},"Outputs": {"JenkinsURL": {"Description": "URL to access web interface of Jenkins server.","Value": {"Fn::Join": ["", ["http://", {"Ref": "ElasticIP"}, ":8080"]]}},"User": {"Description": "Administrator user for Jenkins.","Value": "admin"},"Password": {"Description": "Password for Jenkins administrator user.","Value": {"Ref": "JenkinsAdminPassword"}}}
  }
  

• 分析
  • 这里使用了AWS:CloudWatch:Alarm，如下所示。

    "RecoveryAlarm": {"Type": "AWS::CloudWatch::Alarm","Properties": {"AlarmDescription": "Recover server when underlying hardware fails.","Namespace": "AWS/EC2" ,"MetricName": "StatusCheckFailed_System","Statistic": "Minimum","Period": "60","EvaluationPeriods": "5","ComparisonOperator": "GreaterThanThreshold","Threshold": "0","AlarmActions": [{"Fn::Join": ["", ["arn:aws:automate:", { "Ref": "AWS::Region"}, ":ec2:recover"]]}],"Dimensions": [{"Name": "InstanceId", "Value": {"Ref": "Server"}}]}}
    

    这里，设置了AWS::CloudWatch::Alarm，每隔60秒检查下ec2的状态，如有ec2有问题，那么使用arn:aws:automate:进行在其他的Available Zone恢复，但是这里无法让ec2 server模拟出问题的场合，所以这里不能实际上让arn:aws:automate:ec2:recover发生。

2. 区域(region)，可用区(available zone)和子网(subnet)

1. 区域(region)，可用区(available zone)
   • 一个区域(region)里面，包含多个可用区(available zone)，每个可用区(available zone)有多个数据中心(DataCenter)。
   • 不同区域（region）的之间通过低延时的链路链接。可以想象，在同一个region的服务之前的网络延时会非常小。
     
2. 全球性的服务跨多个区域
   • 各种服务的不同区域
     
3. VPC，区域（region）以及子网（subnet）
   • VPC一定会属于一个区域（region）
   • 子网（subnet）一定属于一个可用区（Availibility Zone）
     

3. 使用自动扩展(AutoScalingGroup)

1. 使用自动扩展(AutoScalingGroup)，可以保证执行数量的虚拟服务器一直运行。

   • 代码

     {"AWSTemplateFormatVersion": "2010-09-09","Description": "(Jenkins (CI server) running with Auto Scaling Group over multiple AZs)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"JenkinsAdminPassword": {"Description": "Password for Jenkins admin user","Type": "String","AllowedPattern" : "[a-zA-Z0-9]*","MinLength" : "8","MaxLength" : "42"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"VPC": {"Type": "AWS::EC2::VPC","Properties": {"EnableDnsSupport": "true","EnableDnsHostnames": "true","CidrBlock": "10.0.0.0/16","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"SubnetA": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.0.0/24","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"SubnetB": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["1", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.1.0/24","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"InternetGateway": {"Type": "AWS::EC2::InternetGateway","Properties": {"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"GatewayToInternet": {"Type": "AWS::EC2::VPCGatewayAttachment","Properties": {"VpcId": {"Ref": "VPC"},"InternetGatewayId": {"Ref": "InternetGateway"}}},"RouteTable": {"Type": "AWS::EC2::RouteTable","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"InternetRoute": {"Type": "AWS::EC2::Route","Properties": {"RouteTableId": {"Ref": "RouteTable"},"DestinationCidrBlock": "0.0.0.0/0","GatewayId": {"Ref": "InternetGateway"}},"DependsOn": "GatewayToInternet"},"RouteTableAssociationA": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "SubnetA"},"RouteTableId": {"Ref": "RouteTable"}}},"RouteTableAssociationB": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "SubnetB"},"RouteTableId": {"Ref": "RouteTable"}}},"NetworkAcl": {"Type": "AWS::EC2::NetworkAcl","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"NetworkAceSSH": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "22","To": "22"}}},"NetworkAceJenkinsHTTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "11","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "8080","To": "8080"}}},"NetworkAceNTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "20","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "123","To": "123"}}},"NetworkAceICMP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "30","Protocol": "1","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","Icmp": {"Code": "-1","Type": "-1"}}},"NetworkAceHighPortsTCP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "40","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceHighPortsUDP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "41","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceEgress": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "-1","RuleAction": "allow","Egress": "true","CidrBlock": "0.0.0.0/0","PortRange": {"From": "0","To": "65535"}}},"NetworkAclAssociationA": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "SubnetA"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"NetworkAclAssociationB": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "SubnetB"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"SecurityGroupJenkins": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "SecurityGroupforjenkins","VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}],"SecurityGroupIngress": [{"IpProtocol": "tcp","FromPort": "22","ToPort": "22","CidrIp": "0.0.0.0/0"},{"IpProtocol": "tcp","FromPort": "8080","ToPort": "8080","CidrIp": "0.0.0.0/0"},{"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}]}},"LaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate","Properties": {"LaunchTemplateName": "LaunchTemplate","LaunchTemplateData":{"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"KeyName": {"Ref": "KeyName"},"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":true,"Groups":[{"Ref": "SecurityGroupJenkins"}],"DeleteOnTermination":true}],"InstanceType": "t2.micro","UserData": {"Fn::Base64": {"Fn::Join": ["",["#!/bin/bash -ex\n","wget http://pkg.jenkins-ci.org/redhat/jenkins-1.616-1.1.noarch.rpm\n","rpm --install jenkins-1.616-1.1.noarch.rpm\n","sed -i -e 's/JENKINS_ARGS=\\\"\\\"/JENKINS_ARGS=\\\"--argumentsRealm.passwd.admin=", {"Ref": "JenkinsAdminPassword"}, " --argumentsRealm.roles.admin=admin\\\"/g' /etc/sysconfig/jenkins\n","echo \"<?xml version='1.0' encoding='UTF-8'?><hudson><version>1.0</version><useSecurity>true</useSecurity><authorizationStrategy class=\\\"hudson.security.FullControlOnceLoggedInAuthorizationStrategy\\\"/><securityRealm class=\\\"hudson.security.LegacySecurityRealm\\\"/></hudson>\" > /var/lib/jenkins/config.xml\n","service jenkins start\n"]]}}}}},"AutoScalingGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup","Properties": {"LaunchTemplate" : {"LaunchTemplateId" : {"Ref" : "LaunchTemplate"},"Version" : {"Fn::GetAtt" : ["LaunchTemplate","LatestVersionNumber"]}},"Tags": [{"Key": "Name","Value": "jenkins-multiaz","PropagateAtLaunch": true}],"DesiredCapacity": 1,"MinSize": 1,"MaxSize": 1,"VPCZoneIdentifier": [{"Ref": "SubnetA"}, {"Ref": "SubnetB"}],"HealthCheckGracePeriod": 600,"HealthCheckType": "EC2"},"DependsOn": "GatewayToInternet"}}
     }
     

   • 代码解析
     • AutoScalingGroup设定了两个subnet，可以在一个subnet的EC2 server出现问题的时候，在另一个subnet启动另一个EC2 server。
       
     • subnet A和subnet B
       每个subnet都在不同的Availability Zone。
       
   • 创建一个jenkins task
     
   • 删除jenkins实例
     
   • 检测Auto Scaling Group的动作
     可以看到Auto Scaling Group会马上启动另一个EC2 server来支持jenkins服务。

   
   注意，这里，IP地址和建立的jenkins task都已经没有了，接下来解决两个问题。

2. 使用AMI进行恢复。

   • 在现在的jenkins server上建立task
     
   • 对当前的jenkins server保存镜像

     Dell@DESKTOP-DHMQMJG MINGW64 ~/.ssh
     $ aws ec2 create-image --instance-id i-05593a7ba7b94e566 --name jenkins-multiaz
     {"ImageId": "ami-01ed9b718c5a467c4"
     }
     

   • 对cloudformation进行更新
     *在参数中增加AMISnapshot，稍后更新CloudFormation的时候会选择上面建立的AMI。
     

     • 对cloudformation进行更新，LaunchTemplate里面设定AMI参数

       • 在参数中增加AMISnapshot，稍后更新CloudFormation的时候会选择上面建立的AMI。

       

       • 对cloudformation进行更新
         

     • Cloudformation更新成功
       

     • 删除当前的Jenkins server
       

     • 重启之后的jenkins server确认
       可以看到上面建立的jenkins task已经保留过来了，原因是使用了AMI，对当前的EBS进行了保存。
       

   • cloudformation代码

     {"AWSTemplateFormatVersion": "2010-09-09","Description": "AWS in Action: chapter 11 (Jenkins (CI server) running with Auto Scaling Group over multiple AZs)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"JenkinsAdminPassword": {"Description": "Password for Jenkins admin user","Type": "String","AllowedPattern" : "[a-zA-Z0-9]*","MinLength" : "8","MaxLength" : "42"},"AMISnapshot": {"Description": "AMI ID to start virtual server from.","Type": "String","AllowedPattern" : "[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*","MinLength" : "1","MaxLength" : "255"}},"Resources": {"VPC": {"Type": "AWS::EC2::VPC","Properties": {"EnableDnsSupport": "true","EnableDnsHostnames": "true","CidrBlock": "10.0.0.0/16","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"SubnetA": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.0.0/24","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"SubnetB": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["1", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.1.0/24","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"InternetGateway": {"Type": "AWS::EC2::InternetGateway","Properties": {"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"GatewayToInternet": {"Type": "AWS::EC2::VPCGatewayAttachment","Properties": {"VpcId": {"Ref": "VPC"},"InternetGatewayId": {"Ref": "InternetGateway"}}},"RouteTable": {"Type": "AWS::EC2::RouteTable","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"InternetRoute": {"Type": "AWS::EC2::Route","Properties": {"RouteTableId": {"Ref": "RouteTable"},"DestinationCidrBlock": "0.0.0.0/0","GatewayId": {"Ref": "InternetGateway"}},"DependsOn": "GatewayToInternet"},"RouteTableAssociationA": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "SubnetA"},"RouteTableId": {"Ref": "RouteTable"}}},"RouteTableAssociationB": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "SubnetB"},"RouteTableId": {"Ref": "RouteTable"}}},"NetworkAcl": {"Type": "AWS::EC2::NetworkAcl","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"NetworkAceSSH": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "22","To": "22"}}},"NetworkAceJenkinsHTTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "11","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "8080","To": "8080"}}},"NetworkAceNTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "20","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "123","To": "123"}}},"NetworkAceICMP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "30","Protocol": "1","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","Icmp": {"Code": "-1","Type": "-1"}}},"NetworkAceHighPortsTCP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "40","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceHighPortsUDP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "41","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceEgress": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "-1","RuleAction": "allow","Egress": "true","CidrBlock": "0.0.0.0/0","PortRange": {"From": "0","To": "65535"}}},"NetworkAclAssociationA": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "SubnetA"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"NetworkAclAssociationB": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "SubnetB"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"SecurityGroupJenkins": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "SecurityGroupforjenkins","VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}],"SecurityGroupIngress": [{"IpProtocol": "tcp","FromPort": "22","ToPort": "22","CidrIp": "0.0.0.0/0"},{"IpProtocol": "tcp","FromPort": "8080","ToPort": "8080","CidrIp": "0.0.0.0/0"},{"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}]}},"LaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate","Properties": {"LaunchTemplateName": "LaunchTemplate","LaunchTemplateData":{"ImageId": {"Ref": "AMISnapshot"},"KeyName": {"Ref": "KeyName"},"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":true,"Groups":[{"Ref": "SecurityGroupJenkins"}],"DeleteOnTermination":true}],"InstanceType": "t2.micro","UserData": {"Fn::Base64": {"Fn::Join": ["",["#!/bin/bash -ex\n","wget http://pkg.jenkins-ci.org/redhat/jenkins-1.616-1.1.noarch.rpm\n","rpm --install jenkins-1.616-1.1.noarch.rpm\n","sed -i -e 's/JENKINS_ARGS=\\\"\\\"/JENKINS_ARGS=\\\"--argumentsRealm.passwd.admin=", {"Ref": "JenkinsAdminPassword"}, " --argumentsRealm.roles.admin=admin\\\"/g' /etc/sysconfig/jenkins\n","echo \"<?xml version='1.0' encoding='UTF-8'?><hudson><version>1.0</version><useSecurity>true</useSecurity><authorizationStrategy class=\\\"hudson.security.FullControlOnceLoggedInAuthorizationStrategy\\\"/><securityRealm class=\\\"hudson.security.LegacySecurityRealm\\\"/></hudson>\" > /var/lib/jenkins/config.xml\n","service jenkins start\n"]]}}}}},"AutoScalingGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup","Properties": {"LaunchTemplate" : {"LaunchTemplateId" : {"Ref" : "LaunchTemplate"},"Version" : {"Fn::GetAtt" : ["LaunchTemplate","LatestVersionNumber"]}},"Tags": [{"Key": "Name","Value": "jenkins-multiaz","PropagateAtLaunch": true}],"DesiredCapacity": 1,"MinSize": 1,"MaxSize": 1,"VPCZoneIdentifier": [{"Ref": "SubnetA"}, {"Ref": "SubnetB"}],"HealthCheckGracePeriod": 600,"HealthCheckType": "EC2"},"DependsOn": "GatewayToInternet"}}
     }
     

3. 使用elastic IP进行对网络接口进行固定。

   • IP地址每次都要发生变化，还是不理想。
   • 利用elastic IP进行网络接口的固定
   • 修改的代码

     • 设定IamRole

       "IamRole": {"Type": "AWS::IAM::Role","Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": ["ec2.amazonaws.com"]},"Action": ["sts:AssumeRole"]}]},"Path": "/","Policies": [{"PolicyName": "root","PolicyDocument": {"Version": "2012-10-17","Statement": [{"Action": ["ec2:AssociateAddress"],"Resource": ["*"],"Effect": "Allow"}]}}]}},"IamInstanceProfile": {"Type": "AWS::IAM::InstanceProfile","Properties": {"Path": "/","Roles": [{"Ref": "IamRole"}]}},
       

       

       • 为LaunchTemplate设定IamRole参数
         这里主要是为了给EC2 server实例设定IamRole，以便EC2 server能够执行aws ec2 associate-address命令，在灾难恢复的时候设定固定的Elastic IP。
         
       • 更新cloudformation堆栈
         
       • Elastic IP整体代码

         {"AWSTemplateFormatVersion": "2010-09-09","Description": "AWS in Action: chapter 11 (Jenkins (CI server) running with Auto Scaling Group over multiple AZs)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"JenkinsAdminPassword": {"Description": "Password for Jenkins admin user","Type": "String","AllowedPattern" : "[a-zA-Z0-9]*","MinLength" : "8","MaxLength" : "42"},"AMISnapshot": {"Description": "AMI ID to start virtual server from.","Type": "String","AllowedPattern" : "[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\r\n\t]*","MinLength" : "1","MaxLength" : "255"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"VPC": {"Type": "AWS::EC2::VPC","Properties": {"EnableDnsSupport": "true","EnableDnsHostnames": "true","CidrBlock": "10.0.0.0/16","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"SubnetA": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.0.0/24","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"SubnetB": {"Type": "AWS::EC2::Subnet","Properties": {"VpcId": {"Ref": "VPC"},"AvailabilityZone": {"Fn::Select": ["1", {"Fn::GetAZs": ""}]},"CidrBlock": "10.0.1.0/24","Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"InternetGateway": {"Type": "AWS::EC2::InternetGateway","Properties": {"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"GatewayToInternet": {"Type": "AWS::EC2::VPCGatewayAttachment","Properties": {"VpcId": {"Ref": "VPC"},"InternetGatewayId": {"Ref": "InternetGateway"}}},"RouteTable": {"Type": "AWS::EC2::RouteTable","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"InternetRoute": {"Type": "AWS::EC2::Route","Properties": {"RouteTableId": {"Ref": "RouteTable"},"DestinationCidrBlock": "0.0.0.0/0","GatewayId": {"Ref": "InternetGateway"}},"DependsOn": "GatewayToInternet"},"RouteTableAssociationA": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "SubnetA"},"RouteTableId": {"Ref": "RouteTable"}}},"RouteTableAssociationB": {"Type": "AWS::EC2::SubnetRouteTableAssociation","Properties": {"SubnetId": {"Ref": "SubnetB"},"RouteTableId": {"Ref": "RouteTable"}}},"NetworkAcl": {"Type": "AWS::EC2::NetworkAcl","Properties": {"VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}]}},"NetworkAceSSH": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "22","To": "22"}}},"NetworkAceJenkinsHTTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "11","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "8080","To": "8080"}}},"NetworkAceNTP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "20","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "123","To": "123"}}},"NetworkAceICMP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "30","Protocol": "1","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","Icmp": {"Code": "-1","Type": "-1"}}},"NetworkAceHighPortsTCP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "40","Protocol": "6","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceHighPortsUDP": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "41","Protocol": "17","RuleAction": "allow","Egress": "false","CidrBlock": "0.0.0.0/0","PortRange": {"From": "1024","To": "65535"}}},"NetworkAceEgress": {"Type": "AWS::EC2::NetworkAclEntry","Properties": {"NetworkAclId": {"Ref": "NetworkAcl"},"RuleNumber": "10","Protocol": "-1","RuleAction": "allow","Egress": "true","CidrBlock": "0.0.0.0/0","PortRange": {"From": "0","To": "65535"}}},"NetworkAclAssociationA": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "SubnetA"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"NetworkAclAssociationB": {"Type": "AWS::EC2::SubnetNetworkAclAssociation","Properties": {"SubnetId": {"Ref": "SubnetB"},"NetworkAclId": {"Ref": "NetworkAcl"}}},"SecurityGroupJenkins": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "SecurityGroupforjenkins","VpcId": {"Ref": "VPC"},"Tags": [{"Key": "Name","Value": "jenkins-multiaz"}],"SecurityGroupIngress": [{"IpProtocol": "tcp","FromPort": "22","ToPort": "22","CidrIp": "0.0.0.0/0"},{"IpProtocol": "tcp","FromPort": "8080","ToPort": "8080","CidrIp": "0.0.0.0/0"},{"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}]}},"IamRole": {"Type": "AWS::IAM::Role","Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": ["ec2.amazonaws.com"]},"Action": ["sts:AssumeRole"]}]},"Path": "/","Policies": [{"PolicyName": "AttachIP","PolicyDocument": {"Version": "2012-10-17","Statement": [{"Action": ["ec2:AssociateAddress"],"Resource": ["*"],"Effect": "Allow"}]}}]}},"IamInstanceProfile": {"Type": "AWS::IAM::InstanceProfile","Properties": {"Path": "/","Roles": [{"Ref": "IamRole"}]}},"ElasticIP": {"Type": "AWS::EC2::EIP","Properties": {"Domain": "vpc"},"DependsOn": "GatewayToInternet"},"LaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate","Properties": {"LaunchTemplateName": "LaunchTemplate","LaunchTemplateData":{"ImageId": {"Ref": "AMISnapshot"},"KeyName": {"Ref": "KeyName"},"IamInstanceProfile": { "Arn": {"Fn::GetAtt": ["IamInstanceProfile","Arn"]}},"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":true,"Groups":[{"Ref": "SecurityGroupJenkins"}],"DeleteOnTermination":true}],"InstanceType": "t2.micro","UserData": {"Fn::Base64": {"Fn::Join": ["",["#!/bin/bash -ex\n","aws configure set default.region ", {"Ref": "AWS::Region"},"\n","INSTANCE_ID=`curl -s http://169.254.169.254/latest/meta-data/instance-id`\n","aws ec2 associate-address --instance-id $INSTANCE_ID --allocation-id ", {"Fn::GetAtt": ["ElasticIP", "AllocationId"]}, "\n","wget http://pkg.jenkins-ci.org/redhat/jenkins-1.616-1.1.noarch.rpm\n","rpm --install jenkins-1.616-1.1.noarch.rpm\n","sed -i -e 's/JENKINS_ARGS=\\\"\\\"/JENKINS_ARGS=\\\"--argumentsRealm.passwd.admin=", {"Ref": "JenkinsAdminPassword"}, " --argumentsRealm.roles.admin=admin\\\"/g' /etc/sysconfig/jenkins\n","echo \"<?xml version='1.0' encoding='UTF-8'?><hudson><version>1.0</version><useSecurity>true</useSecurity><authorizationStrategy class=\\\"hudson.security.FullControlOnceLoggedInAuthorizationStrategy\\\"/><securityRealm class=\\\"hudson.security.LegacySecurityRealm\\\"/></hudson>\" > /var/lib/jenkins/config.xml\n","service jenkins start\n"]]}}}}},"AutoScalingGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup","Properties": {"LaunchTemplate" : {"LaunchTemplateId" : {"Ref" : "LaunchTemplate"},"Version" : {"Fn::GetAtt" : ["LaunchTemplate","LatestVersionNumber"]}},"Tags": [{"Key": "Name","Value": "jenkins-elasticip","PropagateAtLaunch": true}],"DesiredCapacity": 1,"MinSize": 1,"MaxSize": 1,"VPCZoneIdentifier": [{"Ref": "SubnetA"}, {"Ref": "SubnetB"}],"HealthCheckGracePeriod": 600,"HealthCheckType": "EC2"},"DependsOn": "GatewayToInternet"}},"Outputs": {"JenkinsURL": {"Description": "URL to access web interface of Jenkins server.","Value": {"Fn::Join": ["", ["http://", {"Ref": "ElasticIP"}, ":8080"]]}},"User": {"Description": "Administrator user for Jenkins.","Value": "admin"},"Password": {"Description": "Password for Jenkins administrator user.","Value": {"Ref": "JenkinsAdminPassword"}}}
         }
         

       • Jenkins Server的IP地址是Elastic IP
         可以看到IP地址是54.92.85.184，和Elastic IP相同的。

       

       • 删除了Jenkins Server之后，重新启动的的IP地址还是Elastic IP