AWS CloudFormation – Updating EC2 instance with cfn-hup

In a series of blog articles I take a closer look at AWS CloudFormation. Read more about what AWS CloudFormation is, how to design templates, bootstrapping an EC2 instance with user data and using metadata in my previous blog articles:

In this blog article I take a closer look at updating the configuration of your instances with the cfn-hup daemon. cfn-hup runs user-defined actions when a change is detected in the resource metadata of the stack.

Updating EC2 instance with cfn-hup

During the creation of a stack the cfn-init helper script lets you apply the configuration described in a resource's Metadata (packages, files, services, commands) to the instance. This applies only to the bootstrap of your resource: cfn-init runs once from user data and is not triggered again by later changes. Through the AWS Management Console, the aws cloudformation update-stack command, or the UpdateStack API call you can update a stack. The stack update can be a simple change to a parameter value or a more complex update that updates, adds, or removes resources. AWS CloudFormation updates resource properties, adds new resources, or removes unwanted resources. These changes may affect the applications running on instances in one of two ways:

  1. Changing a resource in the template may require an update to the configuration of an instance. For example, if you add a database to the template for scaling, the application on an instance must be provided with the new connection string, and the application may need a restart.
  2. The metadata of the instance resource may have been updated. For example, you can update the version of a package that is deployed, add files or packages, or run additional commands.

To facilitate this, CloudFormation provides the cfn-hup helper to reconfigure, restart, or update an application on an instance as part of the stack update process. The cfn-hup helper is a daemon that performs the actions specified in hook configuration files after it detects changes in the resource's Metadata. You can use the daemon to make configuration updates on your running Amazon EC2 instances through UpdateStack, without replacing the instances.

The cfn-hup helper must be configured to inspect the correct stack. This configuration is stored in the cfn-hup configuration file /etc/cfn/cfn-hup.conf, whose [main] section names the stack (stack=) and the region (region=). The cfn-hup helper uses the AWS credentials of the IAM role attached to the instance (through the instance profile that is assigned when the Amazon EC2 instance is created) to retrieve the metadata. For that it only needs the cloudformation:DescribeStackResource permission, and only on its own stack; there is no reason to grant the instance role anything wider for cfn-hup or cfn-init.

At a fixed interval (the interval setting in cfn-hup.conf, 15 minutes by default) cfn-hup checks for changes in each configured resource path. When a change to the requested metadata is detected, the user action is triggered. User actions (also known as hooks) are defined in a hook configuration file, /etc/cfn/hooks.conf. Hooks have a unique name and each hook is configured in a separate section, with a path to watch, one or more triggers (post.add, post.update or post.remove), the action to run and the user to run it as (runas).

To support composition of several applications deploying change notification hooks, cfn-hup also reads a directory named hooks.d in the hooks configuration directory (/etc/cfn/hooks.d). All files in this directory are parsed and loaded using the same layout as hooks.conf. Hooks in hooks.d with the same name as a hook in hooks.conf are merged, possibly overwriting values from hooks.conf.
The hook configurations are loaded when the cfn-hup daemon starts up, so new or changed hooks require the daemon to be restarted. A cache of previous Metadata values is stored at /var/lib/cfn-hup/data/metadata_db (not human readable). Deleting this cache forces cfn-hup to run all post.add actions again, because every watched path then looks new to the daemon.

As described previously, the cfn-hup helper is a small daemon that you can use to execute hooks when the metadata of a resource is changed. The cfn-init script takes the packages and files that are defined in the Metadata and installs them on your Amazon EC2 instance. By combining cfn-hup hooks with the cfn-init script, you can automatically install new versions of software when you change the Metadata by updating the stack template. The following example is a hook file that you can install by using the files section in the AWS::CloudFormation::Init Metadata in your template:

"/etc/cfn/hooks.d/cfn-auto-reloader.conf" : {
  "content": { "Fn::Join" : ["", [
    "[cfn-auto-reloader-hook]\n",
    "triggers=post.update\n",
    "path=Resources.MyResource.Metadata.AWS::CloudFormation::Init\n",
    "action=/opt/aws/bin/cfn-init -v",
    " --stack ", { "Ref" : "AWS::StackName" },
    " --resource MyResource",
    " --region ", { "Ref" : "AWS::Region" }, "\n",
    "runas=root\n"
  ]]}
}

In this file, we define a cfn-hup hook that watches the AWS::CloudFormation::Init Metadata of the MyResource resource (an EC2 instance, for example) in the stack and calls cfn-init on the post.update trigger, i.e. when that Metadata has changed since the previous poll. cfn-init then looks at all the packages that are defined for the MyResource resource and, if there was a change, installs the version from the new template. Because the templates are text files, you can version-control them just like any other application artifacts. By doing so, you version-control not only your AWS infrastructure configuration but also the set of packages installed on your instances. If you specify a version of a package in the template, cfn-init attempts to install that version even if a newer version of the package is already installed on the instance. If you do not specify a version and a version of the package is already installed, cfn-init does not install a new version; it assumes that you want to keep the existing version. Two consequences of this setup are worth keeping in mind: the hook runs as root, so anyone who is allowed to call UpdateStack on this stack can make the instance execute arbitrary commands, and the Metadata is readable by anyone with DescribeStackResource on the stack, so it is not a place for secrets.
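The text above describes the pieces (cfn-hup.conf, the hook in hooks.d, the instance role and the initial cfn-init run from user data) but not how they fit together in one template. The template below is an added example, not code from the original article; it wires the hook file shown above into a minimal stack. It assumes an Amazon Linux AMI with the helper scripts at /opt/aws/bin and sysvinit-style service keys, and the parameter name AmiId and resource names InstanceRole and InstanceProfile are chosen here for illustration. The instance role is limited to cloudformation:DescribeStackResource on this stack only, which is all cfn-hup and cfn-init need, and the cfn-hup service lists its configuration files so that cfn-init restarts the daemon when a hook changes (otherwise new hooks are not picked up, as noted above).

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "AmiId": { "Type": "AWS::EC2::Image::Id" }
  },
  "Resources": {
    "InstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }]
        },
        "Policies": [{
          "PolicyName": "cfn-hup-describe-own-stack",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": "cloudformation:DescribeStackResource",
              "Resource": { "Ref": "AWS::StackId" }
            }]
          }
        }]
      }
    },
    "InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [ { "Ref": "InstanceRole" } ] }
    },
    "MyResource": {
      "Type": "AWS::EC2::Instance",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "packages": { "yum": { "httpd": [] } },
            "files": {
              "/etc/cfn/cfn-hup.conf": {
                "content": { "Fn::Join": ["", [
                  "[main]\n",
                  "stack=", { "Ref": "AWS::StackId" }, "\n",
                  "region=", { "Ref": "AWS::Region" }, "\n",
                  "interval=5\n"
                ]]},
                "mode": "000400", "owner": "root", "group": "root"
              },
              "/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
                "content": { "Fn::Join": ["", [
                  "[cfn-auto-reloader-hook]\n",
                  "triggers=post.update\n",
                  "path=Resources.MyResource.Metadata.AWS::CloudFormation::Init\n",
                  "action=/opt/aws/bin/cfn-init -v",
                  " --stack ", { "Ref": "AWS::StackName" },
                  " --resource MyResource",
                  " --region ", { "Ref": "AWS::Region" }, "\n",
                  "runas=root\n"
                ]]},
                "mode": "000400", "owner": "root", "group": "root"
              }
            },
            "services": {
              "sysvinit": {
                "httpd": { "enabled": "true", "ensureRunning": "true" },
                "cfn-hup": {
                  "enabled": "true", "ensureRunning": "true",
                  "files": ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-reloader.conf"]
                }
              }
            }
          }
        }
      },
      "Properties": {
        "ImageId": { "Ref": "AmiId" },
        "InstanceType": "t3.micro",
        "IamInstanceProfile": { "Ref": "InstanceProfile" },
        "UserData": { "Fn::Base64": { "Fn::Join": ["", [
          "#!/bin/bash -xe\n",
          "/opt/aws/bin/cfn-init -v",
          " --stack ", { "Ref": "AWS::StackName" },
          " --resource MyResource",
          " --region ", { "Ref": "AWS::Region" }, "\n"
        ]]}}}
      }
    }
  }
}
```

To try it: create the stack, then change the httpd entry to a pinned version (for example "httpd": ["2.4.x"]) or add a package, run aws cloudformation update-stack with the edited template, and within the configured interval (five minutes here, instead of the default fifteen) cfn-hup on the instance detects the changed Metadata and runs cfn-init. The hook and cfn-hup.conf are installed with mode 000400 so only root can read or alter which path triggers which command; the policy resource is the stack ARN rather than "*", so a compromised instance cannot read the metadata of other stacks in the account.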

Updating the configuration of your application or OS is handled by the cfn-hup daemon running on the instance. Updating the AWS resources in your stack is handled by CloudFormation itself, and change sets let you preview those resource changes before executing the update.

Vincent Lamers, Linux consultant @ AT Computing