AWS Ubuntu

I’m looking to purchase two new servers. One just for the database as we’re getting about 100k unique visitors a day, and expecting about a million a day starting on Monday for about 3 weeks. So I’m working on optimizing my stack as much as I can.

Right now I have an 8gb MT server that I’m using the default LEMP stack using Trellis. I want to separate my DB to another server, and then have another DB server for reading. The only time we post to the database is post/page creation, and product purchases, which comes with user creation and obviously all the WooCommerce stuff.

I have a fourth server that I want to set up Varnish on.

Unfortunately I’m not really sure how to go about this using Trellis and Ansible. I could do it just via apt-get but I want to manage everything via Trellis.

Suggestions?

As I know Varnish doesn’t work well or at all with SSL?

As for DB, I think you either manage it yourself on another server or you could get the AWS one and just change the connection info in wp-config.php?

You could still use Trellis for other things.

+1 For RDS. On stuff that actually needs to scale I very often back away from managing the DB server. Multi-AZ RDS is incredibly robust and the backup features are to die for.

Would I be able to provision an AWS server with Trellis? This way I could keep all my eggs in one basket?

Yep. Works great for me. Just choose Ubuntu 14.

Cool thanks.

AWS specific question. How do you use the PEM in combination with the user ubuntu and ssh with server.yml and deploy.yml?

Prior to AWS, I would just ssh ssh admin@ip but now I cannot.

You should be able to just do ssh-add ~/.ssh/keypair.pem.


Perfect, thanks. Everything I was Googling was telling me to make a ~/.ssh/config file. This worked. Thanks so much

SSH Error: command-line line 0: garbage at end of line; "login".

Running into this trying to provision the server. The logs don’t give me a real clue as to where I should look. This is a fresh install of Trellis.

Don’t think that has anything to do with Trellis. Did you modify your ~/.ssh/config file? Googling leads to it being an error in SSH configuration.

@swalkinshaw No, I ended up never doing that. It’s definitely something with Trellis.

Starting up a DO box, and using root I don’t have any issues. The weird part is however, even after I set root as no, it still logs in as root.

Edit, I read the wiki and it logs in more time as root. I think it’s because root doesn’t exist on an AWS box.

So it ended up being because the root account is automatically disabled in AWS. I followed this guide: here to allow root again, and we’re off to the races!


@brandon I have just a few seconds to skim this thread and am not sure my response will be on target, but if you’re in the situation that AWS disables root login but gives you a different sudoer to work with, my understanding is that Trellis can still work with root login disabled. You’d just have to add the available user to the definition for admin_user in group_vars/all.

From the SSH Keys wiki:

If your hosting provider disables root but provides a default user such as ubuntu, specify admin_user: ubuntu

Trellis will try to connect as root, but then will fall back to admin_user. If you had left admin_user: admin but your AWS server only had a user account for ubuntu, you would have run into trouble.

I’m eager to know, however, if you can have sshd_permit_root_login: "no" and admin_user: ubuntu (or whatever user) and still have things work, so I hope you’ll report back. Thanks!


This is what I originally had. This didn’t work either.

How exactly did it fail?

I’m firing up an instance right now. I’ll report back shortly with the same errors.

users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - https://github.com/brandonshutter.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      - https://github.com/brandonshutter.keys

admin_user: ubuntu
sshd_permit_root_login: "no" # If "no", admin_user must be in 'users' above (with sudo group) and in sudoer_passwords
sshd_password_authentication: "no"

Running the typical playbook stuff on a brand new instance results in the same error, again.

Brandons-MacBook-Pro:ansible shutter$ ansible-playbook -i hosts/production server.yml 

PLAY [Determine Remote User] ************************************************** 

TASK: [remote-user | Determine whether to connect as root or admin_user] ****** 
The authenticity of host '52.3.121.253 (52.3.121.253)' can't be established.
ECDSA key fingerprint is SHA256:JSCehRTUP7BtHuB1ic797M7X2qbEjr1xAQoJUgX8d2s.
Are you sure you want to continue connecting (yes/no)? yes
ok: [52.3.121.253 -> 127.0.0.1]

TASK: [remote-user | Set remote user for each host] *************************** 
ok: [52.3.121.253]

PLAY [WordPress Server - Install LEMP Stack with PHP 5.6 and MariaDB MySQL] *** 

GATHERING FACTS *************************************************************** 
fatal: [52.3.121.253] => SSH Error: command-line line 0: garbage at end of line; "login".
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.

TASK: [common | Validate Ansible version] ************************************* 
FATAL: no hosts matched or all hosts have already failed -- aborting


PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/Users/shutter/server.retry

52.3.121.253               : ok=2    changed=0    unreachable=1    failed=0

@brandon thanks for posting output. Could you run again with -vvvv and post output for “Set remote user for each host”? I want to confirm that it shows it is setting “remote_user=ubuntu”.

Please also confirm in output for GATHERING FACTS (with -vvvv) that it is trying to connect as ubuntu, not root.

If you haven’t already, double-check that you can ssh manually as ubuntu user.

If you’ve modified the remote-user role, or if you’ve modified server.yml, let us know.

I have not modified anything other than group_vars/all.

Here’s the output of -vvvv:

Brandons-MacBook-Pro:ansible shutter$ ansible-playbook -i hosts/production server.yml -vvvv

PLAY [Determine Remote User] ************************************************** 

TASK: [remote-user | Determine whether to connect as root or admin_user] ****** 
<127.0.0.1> REMOTE_MODULE command ssh -o PasswordAuthentication=no  "echo root" || echo ubuntu #USE_SHELL
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1438381915.22-77758919300933 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1438381915.22-77758919300933 && echo $HOME/.ansible/tmp/ansible-tmp-1438381915.22-77758919300933']
<127.0.0.1> PUT /var/folders/lf/878x4xqx5q71w08fpj496mnh0000gn/T/tmpnwxIKk TO /Users/shutter/.ansible/tmp/ansible-tmp-1438381915.22-77758919300933/command
<127.0.0.1> EXEC ['/bin/sh', '-c', u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /Users/shutter/.ansible/tmp/ansible-tmp-1438381915.22-77758919300933/command; rm -rf /Users/shutter/.ansible/tmp/ansible-tmp-1438381915.22-77758919300933/ >/dev/null 2>&1']
ok: [52.3.121.253 -> 127.0.0.1] => {"changed": false, "cmd": "ssh -o PasswordAuthentication=no root@52.3.121.253 \"echo root\" || echo ubuntu", "delta": "0:00:11.073787", "end": "2015-07-31 18:32:06.360790", "rc": 0, "start": "2015-07-31 18:31:55.287003", "stderr": "", "stdout": "Please login as the user \"ubuntu\" rather than the user \"root\".", "stdout_lines": ["Please login as the user \"ubuntu\" rather than the user \"root\"."], "warnings": []}

TASK: [remote-user | Set remote user for each host] *************************** 
<52.3.121.253> ESTABLISH CONNECTION FOR USER: shutter
ok: [52.3.121.253] => {"ansible_facts": {"ansible_ssh_user": "Please login as the user \"ubuntu\" rather than the user \"root\"."}}

PLAY [WordPress Server - Install LEMP Stack with PHP 5.6 and MariaDB MySQL] *** 

GATHERING FACTS *************************************************************** 
<52.3.121.253> ESTABLISH CONNECTION FOR USER: Please login as the user "ubuntu" rather than the user "root".
<52.3.121.253> REMOTE_MODULE setup
<52.3.121.253> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/shutter/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=Please login as the user "ubuntu" rather than the user "root". -o ConnectTimeout=10 52.3.121.253 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1438381926.4-222011237551738 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1438381926.4-222011237551738 && echo $HOME/.ansible/tmp/ansible-tmp-1438381926.4-222011237551738'
fatal: [52.3.121.253] => SSH Error: command-line line 0: garbage at end of line; "login".
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.

TASK: [common | Validate Ansible version] ************************************* 
FATAL: no hosts matched or all hosts have already failed -- aborting


PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/Users/shutter/server.retry

52.3.121.253               : ok=2    changed=0    unreachable=1    failed=0   

Brandons-MacBook-Pro:ansible shutter$ ssh ubuntu@52.3.121.253
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-48-generic x86_64)

You can see the error AWS is giving is trying to use root instead of ubuntu.

ESTABLISH CONNECTION FOR USER: Please login as the user "ubuntu" rather than the user "root".

The “Determine remote user task” was designed to echo “root” if root can connect (connection attempt returns 0), or echo “ubuntu” if root connection fails (connection attempt returns 1). This echoed output is designed to be captured in the set fact for ansible_ssh_user.

BUT, it looks like attempting to connect as root to AWS overrides the Trellis echoed output, so the “set remote user” task tries to set ansible_ssh_user to the error message string. Sad that I didn’t anticipate that. Till we fix it, you could just manually set “remote_user: ubuntu” in server.yml.

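The failure mode diagnosed in the last post, reproduced offline as an added example (not code from this thread or from Trellis): a probe whose server-side forced command prints a notice and exits 0 defeats the `|| echo ubuntu` fallback, while an exact-match check on the captured value does not. The `probe_*` functions are constructed stand-ins for the `ssh root@host "echo root"` call, and all function names here are hypothetical.

```shell
#!/bin/sh
# Constructed stand-ins for: ssh -o PasswordAuthentication=no root@HOST "echo root"
# probe_forced_command mimics the -vvvv output in the thread: the server ignores
# the requested command, prints a notice on stdout, and still exits 0.
probe_forced_command() {
    echo 'Please login as the user "ubuntu" rather than the user "root".'
    return 0
}
probe_root_ok()     { echo root; return 0; }   # root login is permitted
probe_root_denied() { return 255; }            # ssh itself fails (exit 255)

# Pattern from the thread: whatever lands on stdout becomes the remote user.
naive_remote_user() {
    "$1" || echo "$2"
}

# Usernames later end up in `ssh -o User=...`, so allow only a strict charset.
valid_username() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened pattern: accept "root" only on an exact match of the probe output;
# anything else (error exit, banner, notice) falls back to the admin user.
pick_remote_user() {
    probe=$1
    fallback=$2
    valid_username "$fallback" || return 1
    out=$("$probe" 2>/dev/null) || out=
    if [ "$out" = "root" ]; then
        echo root
    else
        echo "$fallback"
    fi
}

# Demo: the naive result is a whole sentence, the hardened result is a username.
echo "naive:    $(naive_remote_user probe_forced_command ubuntu)"
echo "hardened: $(pick_remote_user probe_forced_command ubuntu)"
```
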