AWS Cloudformation – Updating EC2 instance with cfn-hup

In a series of blog articles I’ll take a closer look at AWS CloudFormation. Read more about what AWS CloudFormation is, how to design templates, how to bootstrap an EC2 instance with userdata and how to use metadata in my previous blog articles.

In this blog article I’ll take a closer look at updating the configuration of your instances with the cfn-hup daemon. cfn-hup runs user-defined actions when it detects a change in the resource metadata.

Updating EC2 instance with cfn-hup

During the creation of a stack the cfn-init helper script lets you manage the configuration of your AWS resources and their corresponding metadata, but it runs only when your resource is bootstrapped. Through the AWS Management Console, the aws cloudformation update-stack command, or the UpdateStack API call you can update your resources afterwards. A stack update can be a simple change to a parameter value or a more complex update that changes, adds, or removes resources. AWS CloudFormation updates resource properties, adds new resources, or removes unwanted resources, but these changes might affect the applications running on instances in one of two ways:

  1. Changing a resource in the template might require an update to the configuration of an instance. For example, if you add a database to the template for scaling, the application on an instance must be provided with the new connection string, and the instance might need to be restarted.
  2. The metadata on the instance might have been updated. For example, you could update the version of a package that was deployed, add additional files, add additional packages, or run additional commands.

To facilitate this, CloudFormation provides the cfn-hup helper to reconfigure, restart, or update an application on an instance as part of the stack update process. The cfn-hup helper is a daemon that takes the actions that are specified in the resource metadata after it detects changes in resource metadata. You can use the daemon to make configuration updates on your running Amazon EC2 instances through UpdateStack.

The cfn-hup helper must be configured to inspect the correct stack. This configuration is stored in the cfn-hup configuration file cfn-hup.conf. The cfn-hup helper uses the AWS credentials from the IAM role to retrieve the metadata. The IAM role is passed to the instance profile when the Amazon EC2 instance is created.

By default, every 10 minutes cfn-hup checks for changes in each resource path it is given. When a change to the requested metadata is detected, the user action is triggered. User actions (also known as hooks) are defined in a hook configuration file. Hooks are uniquely named, and each hook is configured in one section.

To support composition of several applications deploying change notification hooks, cfn-hup supports a directory /hooks.d located in the hooks configuration directory. Each file in this directory that uses the same layout as hooks.conf is parsed and loaded. If a hook in /hooks.d has the same name as a hook in hooks.conf, the two are merged, and values that both specify are taken from the /hooks.d file, overwriting those in hooks.conf.
The hook configurations are loaded when the cfn-hup daemon starts up, so new hooks require the daemon to be restarted. A cache of previous metadata values is stored at /var/lib/cfn-hup/data/metadata_db (not human readable). Deleting this cache forces cfn-hup to run all post.add actions again.

As already described, the cfn-hup helper is a small daemon that you can use to execute hooks when the metadata of a resource changes. The cfn-init script takes the packages and files that are defined in the metadata and installs them on your Amazon EC2 instance. By combining cfn-hup hooks with the cfn-init script, you can automatically install new versions of software when you change the metadata by updating the stack template. The following example is a hook file that you might install by using the files section of the AWS::CloudFormation::Init metadata in your template:

"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
  "content": { "Fn::Join" : ["", [
    "[cfn-auto-reloader-hook]\n",
    "triggers=post.update\n",
    "path=Resources.MyResource.Metadata.AWS::CloudFormation::Init\n",
    "action=/opt/aws/bin/cfn-init ",
    "  --stack ", { "Ref" : "AWS::StackName" },
    "  --resource MyResource",
    "  --region ", { "Ref" : "AWS::Region" }, "\n",
    "runas=root\n"
  ]]}
}

In this file, we define a cfn-hup hook that watches the metadata defined in the MyResource resource (an EC2 instance, for example) in the stack and calls cfn-init when that metadata changes. cfn-init then looks at all the versions of the packages that are defined for the MyResource resource and, if there has been a change, installs the version from the new template. Because the templates are text files, you can version-control them just like other application artifacts. By doing so, you version-control not only your AWS infrastructure configuration but also the set of packages installed on your instances. If you specify a version of a package in the template, cfn-init attempts to install that version even if a newer version of the package is already installed on the instance. If you do not specify a version and the package is already installed, cfn-init does not install a new version; it assumes that you want to keep and use the existing version.

Updating the configuration of your application or OS is handled by the cfn-hup daemon running on the instance. Updating the AWS resources in your stack can be done with change sets.

Vincent Lamers, Linux-consultant @ AT Computing