Replace SSH with SSM on AWS

Setting up SSM can be a bit of a black art.  The AWS docs are extensive, but it's hard to figure out exactly what you need to do.  A lot of it is that SSM can do so much and it's got ops center various other stuff bundled in.  So let's do this quick and dirty.

Setup System Manager

• Go to AWS System Manager
• On the left of the screen select Quick Setup
• If it’s already been used select “Edit all” button on the right side of the screen.
• Use default roles
• Use default quick setup options
• For targets select “Specify instance tags”
• I used the tag ssm:true
• Click reset

Add Instance to Inventory

• Find instance in EC2 console
• Attach IAM role “AmazonSSMRoleForInstancesQuickSetup
• Alternately add "AmazonSSMManagedInstanceCore" to the existing role.
• Set the tag for ssm (example ssm:true)
• Install SSM agent 
• You’re are done if you are using a recent Amazon Linux image, but it may take 10 minutes to connect up if it's backed off.  
• If you are in a hurry manually restart it or reboot the instance.
• Some newer Ubuntu AMIs also seem to have the ssm agent installed via snap.
• 
  

Install SSM Agent Ubuntu

Note that newer Ubuntu AMIs also seem to have the ssm agent installed via snap.

• wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
• sudo dpkg -i amazon-ssm-agent.deb
• sudo systemctl enable amazon-ssm-agent
• sudo systemctl start amazon-ssm-agent

Note if this fails because ssm agent was installed with snap.  Just restart the agent:

• sudo snap restart amazon-ssm-agent
• sudo snap services amazon-ssm-agent
• dpkg -r amazon-ssm-agent

Install SSM Centos

• sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
• sudo systemctl enable amazon-ssm-agent
• sudo systemctl start amazon-ssm-agent

Installing SSM at install.

Setup Instance normally with the following changes on the Configure Instance Page:

• Set IAM role to AmazonSSMRoleForInstancesQuickSetup
• Add Tags add ssm:true
• For Linux Images without ssm agent install by default
• Open Advanced Details and add the installation commands to user data.

Install via Snap

Snap really isn't what you want to use for this, but if there is no native rpm, deb or whatever it's better than a tar file install.

• sudo snap install amazon-ssm-agent --classic
• sudo snap enable amazon-ssm-agent
• sudo snap restart amazon-ssm-agent

SSM endpoints

You must create these endpoints if your instances don’t have public ips and are on isolated networks. If you have a NAT you should be fine as well. Note you only need to get out to ssm.

• Go to VPC service, and select “Endpoints” on the left.
• Create endpoints for various services (note the region is different for various regions)
• com.amazonaws.region.ssm
• com.amazonaws.region.ssmmessages
• com.amazonaws.region.ec2
• com.amazonaws.region.ec2messages
• com.amazonaws.region.s3

Getting a Console

Web

• Go to AWS Systems Manager
• Find Session Manager on the Left
• Select Start Session on Right
• Select instance, and click start session.

CLI

• Install session manager plugin https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
• Check that you can see instances with “aws ssm get-inventory”
• Run “aws ssm start-session --target <instance ID>”

SSH via SSM

Install session manager plugin https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

• Check that you can see instances with “aws ssm get-inventory”
• Edit ~/.ssh/config to add:

# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session  --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

• Use the instance name instead of the dns name or ip.

Now you can do this.
sftp -i my.pem ubuntu@i-ffdfgdsb:

scp -i my.pem stuff.tgz ubuntu@i-dsdffgds:

ssh -i my.pem ubuntu@i-dsdfsdf

You may need to set the region or profile in .ssh/config.  You can set an exact host if you have a one in another region.  If you have multiple accounts you might need to set a profle.

Troubleshooting

Can’t connect with the aws cli

• Are you trying the right region? “--region <region>”
• Are you using the right profile.

Can connect via the web, but not the cli on an instance you recently installed the ssm agent on.

• Check that the ssm-user user and group exist
• Check the logs for the amazon-ssm-agent

Can’t get the ssm agent to connect on an isolated network.

Remember that SSM needs to connect to AWS services to work so do one of the following:

• Create a NAT gateway and network access to it allowing connection to AWS services.
• Create endpoints (lots of endpoints) https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html
• Note that you’ll need to adjust the path to the regional S3 url to download the agent.

So Long Adobe Flash

The Linux Flash player is ancient as Adobe stopped supporting the NPAPI plugin for Linux years ago.  Security updates trickle in, but the lead time for fixes is pretty long.  So this week I took the plunge and removed Adobe flash from my workstation at work, and workstation at home.  I'm trying lightspark (not to be confused with lightspark pro the malware) at work, and gash at home as well as just forcing sites to use html 5 where possible.  The real question is if the internet is over flash enough to survive or if gash or lightspark have what it takes.  I may just end up switching back to Chrome for the PPAPI plugin that's built into the browser.

Edit Jan 22:
Seriously you should to at least have a flash blocker to prevent random web sites from owning your system.

http://threatpost.com/adobe-patches-one-zero-day-in-flash-still-investigating-separate-vulnerability/110586

Making Civ V work under Linux

After numerous attempts I've happened upon how to get Civ V for linux to work under the lastest version of Ubuntu.  It appears that the game doesn't like dual monitor setups.  For me this manifests as an extremely small display on one of my monitors of the initial splash screen generally with missing parts.  After a lot of research I discovered the config file.  :~/.local/share/Aspyr/Sid\ Meier\'s\ Civilization\ 5/GraphicsSettingsDX9.ini"  There are 3 settings to tweak FSResID, WindowResX, and WindowResY.  The trick is to set WindowResX, and WindowResY to your monitor's resolution.  This might be enough but most people find they need to tweak FSResID.  I can't find a reference to what the settings mean, but in general it appears you can set it from 0-9 or more.  The larger numbers seemed to work well for me.

I used:

FSResID = 9

WindowResX = 1600

WindowResY = 900

This resulted in a full screen display 2/3 on one monitor and 1/3 on the other, but it worked well enough to change to windowed mode.  (Which honestly is what I wanted.)

My wife the writer

I'm so impressed with my wife.  Some people afflicted with migraines that made going to the office 9-5 a migraine trigger hell of florescent lights and eye strain would simply give up.  Instead my wife is busily reinventing herself as a writer. Work on a her novel continues a pace (although she has yet to let me read more than the occasional snatched glimpse), and she posts weekly on the flourishingedge blog.  Now we've started studying html competitively as part of our gamification of our lives with habitrpg.  Brenna is not one let anything define her.

It's a lucky thing that as a geek I make enough to not worry about the loss of income.  Sure I was happy when we became DINK/DILDOs (dual income no kids / dual income large dog owners) as the extra money was nice, but I've always subscribed to the idea that past a certain point more money doesn't make you happier.  There are some classes of problems that throwing money at will completely solve, but past that you have to ask yourself what personal cost does the increasing your income cost? Ah 1st world problems....

Ouya Game Console Failure

I got the Ouya as part of the kickstart more as a xbmc/CM project than a game console.  I figured I'd try a few games, and maybe like it enough to buy another for gaming.  Boy I was I wrong.

  It requires a credit card to even finish booting. That's annoying in and of itself as it's billed as an "open" device. To make matters worse their bloody device won't actually take my credit card number. "Problem sending to server" Neither will their web site which hangs. After a day of trying to actually use the Ouya as a gaming console I gave up.  Ouya support never responded to any of my support requests beyond automated responses.

The sad thing is I like the idea of the device and would have bought a game or 2 just to play around with it. Now the principle of the matter is such that I have to hack the device.  Which is ironic to do so for a device I bought merely to get the device to boot up.  It's not exactly hard to hack given it has abd enabled over usb out of the box.  But if you intend to use this as a gaming console based on my day with it good luck.

BTW- If you are stuck with abject failure of the Ouya credit card validation like me you might try looking up the test numbers for various credit cards as the Ouya seems to accept them without issue.  Obvious unless someone at Ouya is a complete idiot you won't be able to buy anything with them, but it does get you past the credit card validation and allow you to use the device with free sideloaded apps.

Is it wrong?

Is it wrong that I have rooted my nook and installed a lot of aps, but haven't signed up with B&amp;N to buy books with my nook?

Is it worse that I have install google books and kindle for android?

On the other hand B&amp;N did try to sell me a copy of Sherlock Holmes instead of presenting me the option of getting the free one.  Then won't let be download the free version for free without giving them a credit card number.

Color Nook

My wife has until recently been under employed.  As a result I've not been buying neat toys.  Now that she is working full time again she insisted that she get a gadget for* me  for Crhistmas.  I've been interested in android as while I'd love to believe the n900 is the phone of the future I think Nokia lost it's chance it had with maemo.  At the same time the N900 is still a good phone, and I'm hard press to justify a new phone just to hack on.

While the color is likely not the best e-reader due to lack of e-ink, size, and low battery life.  It's a cheap high quality android tablet.  Sure in 6 months it will be obsolete, but that will be true of anything I buy in 6 months.  I'm looking forward to hacking it in the next few months.  Worst case it's led display that likely won't give my wife head aches.

*Edit was "from me" which is completely untrue.