SysAdmin

AWS Fault Injection service, the unknown service

Let’s discuss something near and dear to every AWS Architect and DevOps Engineer’s heart: resilience. Or, as I like to call it, “making sure your digital baby doesn’t throw a tantrum when things go sideways.”

We’ve all been there. Like a magnificent sandcastle, you build this beautiful, intricate system in the cloud. It’s got auto-scaling, high availability, and the works. You’re feeling pretty proud of yourself. Then, BAM! Some unforeseen event, a tiny ripple in the force of the internet, and your sandcastle starts to crumble. Panic ensues.

But what if, instead of waiting for disaster to strike, you could be a bit… mischievous? What if you could poke and prod your system before it has a meltdown in front of your users? Enter AWS Fault Injection Simulator (FIS), a service that’s about as well-known as a quiet librarian at a rock concert, but far more useful.

What’s this FIS thing, anyway?

Think of FIS as your friendly neighborhood chaos monkey but with a PhD in engineering and a strict code of conduct. It’s a fully managed service that lets you run controlled chaos experiments on your AWS workloads. Yes, you read that right. You can intentionally break things but in a safe and measured way. It is like playing Jenga but only for advanced players.

Why would you do that, you ask? Well, my friends, it’s all about finding those hidden weaknesses before they become major headaches. It’s like giving your application a stress test, similar to how doctors check your heart’s health. You want to see how it handles the pressure before it’s out there running a marathon in the real world. The idea is simple: you don’t know how strong the dam will be until you put the river on it.

Why is this CHAOS stuff so important?

In the old days (you know, like five years ago), we tested for predictable failures. Server goes down? No problem, we have a backup! But the cloud is a complex beast, and failures can be, well, weird. Latency spikes, partial network outages, API throttling… it’s a jungle out there.

FIS helps you simulate these real-world, often unpredictable scenarios. By deliberately injecting faults, you expose how your system behaves under stress. This way you will discover if your great ideas in whiteboards are translated into a great and resilient system in the cloud.

This isn’t just about avoiding downtime, though that’s a big plus. It’s about:

  • Improving Reliability: Find and fix weak points, leading to a more robust and dependable system.
  • Boosting Performance: Identify bottlenecks and optimize your application’s response under duress.
  • Validating Your Assumptions: Does your fancy auto-scaling work as intended? FIS will tell you.
  • Building Confidence: Knowing your system can handle the unexpected gives you peace of mind. And maybe, just maybe, you can sleep through the night without getting paged. A DevOps Engineer can dream, right?

Let’s get our hands dirty (Virtually, of course)

So, how does this magical chaos tool work? FIS operates through experiment templates. These are like recipes for disaster (the good kind, of course). In these templates, you define:

  • Actions: What kind of mischief do you want to unleash? FIS offers a menu of pre-built actions, like:
    • aws:ec2:stop-instances: Stop EC2 instances. You pick which ones.
    • aws:ec2:terminate-instances: Terminate EC2 instances. Poof, they are gone.
    • aws:ssm:send-command: Run a script on an instance that causes, for example, CPU stress, or memory stress.
    • aws:fis:inject-api-latency: Add latency to internal or external APIs.
  • Targets: Where do you want to inject these faults? You can target specific EC2 instances, ECS clusters, EKS clusters, RDS databases… You get the idea. You can select the resources by tags, by name, by percentage… You have plenty of options here.
  • Stop Conditions: This is your “emergency brake.” You define CloudWatch alarms that, if triggered, will automatically halt the experiment. Safety first, people! Imagine that the experiment is affecting more components than expected, the stop condition will be your friend here.
  • IAM Role: This role is very important. It will give the FIS service permission to inject the fault into your resources. Remember to assign only the necessary permissions, nothing more.

Once you’ve crafted your experiment template, you can run it and watch the magic (or mayhem) unfold. FIS provides detailed logs and integrates with CloudWatch, so you can monitor the impact in real time.

FIS in the Wild

Let’s say you have a microservices architecture running on ECS. You want to test how your system handles the failure of a critical service. With FIS, you could create an experiment that:

  • Action: Terminates a percentage of the tasks in your critical service.
  • Target: Your ECS service, specifically the tasks tagged as “critical-service.”
  • Stop Condition: A CloudWatch alarm that triggers if your application’s latency exceeds a certain threshold or the error rate increases.

By running this experiment, you can observe how your other services react, whether your load balancing works as expected, and if your system can gracefully recover.

Or, imagine you want to test the resilience of your RDS database. You could simulate a failover by:

  • Action: aws:rds:reboot-db-instance with the failover option set to true.
  • Target: Your primary RDS instance.
  • Stop Condition: A CloudWatch alarm that monitors the database’s availability.

This allows you to validate your read replica setup and ensure a smooth transition in case of a real-world primary instance failure.

I remember one time I was helping a startup that had a critical application running on EC2. They were convinced their auto-scaling was flawless. We used FIS to simulate a sudden surge in traffic by terminating a bunch of instances. Guess what? Their auto-scaling took longer to kick in than they expected, leading to a brief period of performance degradation. Thanks to the experiment, they were able to fix the issue, avoiding real user impact in the future.

My Two Cents (and Maybe a Few More)

I’ve been around the AWS block a few times, and I can tell you that FIS is a game-changer. It’s not just about breaking things; it’s about understanding things. It’s about building systems that are not just robust on paper but resilient in the face of the unpredictable chaos of the real world.

January 18, 2025 by Cloud stuff DevOps stuff SRE stuff 0

Managing SSL certificates with SNI on AWS ALB and NLB

The challenge of hosting multiple SSL-Secured sites

Let’s talk about security on the web. You want your website to be secure. Of course, you do! That’s where HTTPS and those little SSL/TLS certificates come in. They’re like the secret handshakes of the internet, ensuring that the information flowing between your site and visitors is safe from prying eyes. But here’s the thing: back in the day, if you wanted a bunch of websites, each with its secure certificate, you needed a separate IP address. Imagine having to get a new phone number for every person you wanted to call! It was a real headache and cost a pretty penny, too, especially if you were running a whole bunch of websites.

Defining SNI as a modern SSL/TLS extension

Now, what if I told you there was a clever way around this whole IP address mess? That’s where this little gem called Server Name Indication (SNI) comes in. It’s like a smart little addition to the way websites and browsers talk to each other securely. Think of it this way, your server’s IP address is like a big apartment building, and each website is a different apartment. Without SNI, it’s like visitors can only shout the building’s address (the IP address). The doorman (the server) wouldn’t know which apartment to send them to. SNI fixes that. It lets the visitor whisper both the building address and the apartment number (the website’s name) right at the start. Pretty neat.

Understanding the SNI handshake process

So, how does this SNI thing work? Let’s lift the hood and take a peek at the engine, shall we? It all happens during this little dance called the SSL/TLS handshake, the very beginning of a secure connection.

  • Client Hello: First, the client (like your web browser) says “Hello!” to the server. But now, thanks to SNI, it also whispers the name of the website it wants to talk to. It is like saying “Hey, I want to connect, and by the way, I’m looking for ‘www.example.com‘”.
  • Server Selection: The server gets this message and, because it’s a smart cookie, it checks the SNI part. It uses that website name to pick out the right secret handshake (the SSL certificate) from its big box of handshakes.
  • Server Hello: The server then says “Hello!” back, showing off the certificate it picked.
  • Secure Connection: The client checks if the handshake looks legit, and if it does, boom! You’ve got yourself a secure connection. It’s like a secret club where everyone knows the password, and they’re all speaking in code so no one else can understand.

AWS load balancers and SNI as a perfect match

Now, let’s bring this into the world of Amazon Web Services (AWS). They’ve got these things called load balancers, which are like traffic cops for websites, directing visitors to the right place. The newer ones, Application Load Balancers (ALB) and Network Load Balancers (NLB) are big fans of SNI. It means you can have a whole bunch of websites, each with its certificate, all hiding behind one of these load balancers. Each of those websites could be running on different computers (EC2 instances, as they call them), but the load balancer, thanks to SNI, knows exactly where to send the visitors.

CloudFront’s adoption of SNI for secure content delivery at scale

And it’s not just load balancers, AWS has this other thing called CloudFront, which is like a super-fast delivery service for websites. It makes sure your website loads quickly for people all over the world. And guess what? CloudFront loves SNI, too. It lets you have different secret handshakes (certificates) for different websites, even if they’re all being delivered through the same CloudFront setup. Just remember, the old-timer, Classic Load Balancer (CLB), doesn’t know this SNI trick. It’s a bit behind the times, so keep that in mind.

Cost savings through optimized resource utilization

Why should you care about all this? Well, for starters, it saves you money! Instead of needing a whole bunch of IP addresses (which cost money), you can use just one with SNI. It is like sharing an office space instead of everyone renting their building.

Simplified management by streamlining certificate handling

And it makes your life a whole lot easier, too. Managing those secret handshakes (certificates) can be a real pain. But with SNI, you can manage them all in one place on your load balancer. It is way simpler than running around to a dozen different offices to update everyone’s secret handshake.

Enhanced scalability for efficient infrastructure growth

And if your website gets popular, no problem, SNI lets you add new websites to your load balancer without breaking a sweat. You don’t have to worry about getting new IP addresses every time you want to launch a new site. It’s like adding new apartments to your building without having to change the building’s address.

Client compatibility to ensure broad support

Now, I have to be honest with you. There might be some really, really old web browsers out there that haven’t heard of SNI. But, honestly, they’re becoming rarer than a dodo bird. Most browsers these days are smart enough to handle SNI, so you don’t have to worry about it.

SNI as a cornerstone of modern Web hosting on AWS

So, there you have it. SNI is like a secret weapon for running websites securely and efficiently on AWS. It’s a clever little trick that saves you money, simplifies your life, and lets your website grow without any headaches. It is proof that even small changes to the way things work on the internet can make a huge difference. When you’re building things on AWS, remember SNI. It’s like having a master key that unlocks a whole bunch of possibilities for a secure and scalable future. It’s a neat piece of engineering if you ask me.

January 5, 2025 by Cloud stuff DevOps stuff SRE stuff 0

User-Agent and Amazon CloudFront behaviors explained

We all love a good glass of lemonade, right? But let’s be honest: ” One size fits all” doesn’t always work. Some like it sweet, some like it tart, and some like it with a twist. Running a successful lemonade stand or website means understanding these individual preferences. The first step? Listening to your customers, or in the case of the web, understanding the information their browsers send you.

The internet works similarly. Websites are like your lemonade stand, and users’ browsers are the customers coming up to ask for a drink. But instead of just saying “lemonade, please,” browsers send a whole bunch of information with their requests, tucked away in “headers.”

The User-Agent, your browser’s secret identity

One of these headers is the mighty “User-Agent.” Think of it as your browser’s secret identity. It tells the website, “Hey, I’m Chrome on a Windows laptop!” or “Howdy, I’m Safari on an iPhone!”

This is super important because, just like you’d tweak your lemonade recipe, websites want to serve the best experience for each device. A website designed for a big desktop screen might look cramped and clunky on a tiny phone. Using the User-Agent, the website can say, “Aha! This is a mobile user, let me send them the mobile-optimized version of my page!”

Now, let’s say your lemonade stand has become so popular that you need help. You hire someone to stand at the end of the block and direct people to you. This helper is like Amazon CloudFront, a content delivery network (CDN) that makes your website faster by storing copies of it all over the world.

CloudFront, the speedy delivery guy

CloudFront is brilliant. It’s like having mini lemonade stands everywhere, so customers get their drinks quicker. But there’s a catch. By default, CloudFront is a bit too eager to simplify things. It might think, “Lemonade is lemonade! Everyone gets the same!” and throw away some of those important headers, including the User-Agent.

This can lead to situations where users don’t get the optimal experience. For instance, mobile users might be served a clunky desktop version of a website, leading to frustration and a poor user experience. It becomes evident that CloudFront, while powerful, needs a little guidance to handle these nuances.

Behaviors, teaching CloudFront some manners

Luckily, CloudFront is a fast learner. You can teach it to handle those headers properly using “Behaviors.” Think of behaviors as special instructions you give to CloudFront. You can say things like, “Hey CloudFront, when someone asks for my website, please forward the User-Agent header to my origin server.” The “origin server” is where your website’s content ultimately resides. Typically, this is an Application Load Balancer (ALB) acting as a single point of contact and distributing traffic to a group of EC2 instances running your web application.

The solution, straight from the horse’s mouth

So, to ensure the best user experience for all visitors of a website delivered through CloudFront, you need to configure the CloudFront distribution’s behavior. Specifically, you tell it to forward the User-Agent header. This way, the website (your origin server) will know what kind of device is asking for the page and can serve the right version.

Why not add the User-Agent to the origin custom headers, as an alternative approach? Well, that’s like whispering the secret identity to the lemonade stand instead of letting the customer shout it out loud. The origin might not know what to do with that information in that format. Forwarding the header as part of the standard request is much cleaner and more reliable.

Wrapping it up, keep it simple and smart

And there you have it! The User-Agent header is a browser’s way of saying what it is, and CloudFront behaviors let you customize how your website handles that information. By understanding these simple concepts, you can make sure your website is serving the right experience to every user, whether they’re on a phone, a tablet, or a good old-fashioned desktop computer.

The internet, just like a good lemonade recipe, is all about understanding your audience and delivering the best experience possible. And sometimes, all it takes is a little tweak in the right place.

December 28, 2024 by Cloud stuff 0

How to check if a folder is used by services on Linux

You know that feeling when you’re spring cleaning your Linux system and spot that mysterious folder lurking around forever? Your finger hovers over the delete key, but something makes you pause. Smart move! Before removing any folder, wouldn’t it be nice to know if any services are actively using it? It’s like checking if someone’s sitting in a chair before moving it. Today, I’ll show you how to do that, and I promise to keep it simple and fun.

Why should you care?

You see, in the world of DevOps and SysOps, understanding which services are using your folders is becoming increasingly important. It’s like being a detective in your own system – you need to know what’s happening behind the scenes to avoid accidentally breaking things. Think of it as checking if the room is empty before turning off the lights!

Meet your two best friends lsof and fuser

Let me introduce you to two powerful tools that will help you become this system detective: lsof and fuser. They’re like X-ray glasses for your Linux system, letting you see invisible connections between processes and files.

The lsof command as your first tool

lsof stands for “list open files” (pretty straightforward, right?). Here’s how you can use it:

lsof +D /path/to/your/folder

This command is like asking, “Hey, who’s using stuff in this folder?” The system will then show you a list of all processes that are accessing files in that directory. It’s that simple!

Let’s break down what you’ll see:

  • COMMAND: The name of the program using the folder
  • PID: A unique number identifying the process (like its ID card)
  • USER: Who’s running the process
  • FD: File descriptor (don’t worry too much about this one)
  • TYPE: Type of file
  • DEVICE: Device numbers
  • SIZE/OFF: Size of the file
  • NODE: Inode number (system’s way of tracking files)
  • NAME: Path to the file

The fuser command as your second tool

Now, let’s meet fuser. It’s like lsof’s cousin, but with a different approach:

fuser -v /path/to/your/folder

This command shows you which processes are using the folder but in a more concise way. It’s perfect when you want a quick overview without too many details.

Examples

Let’s say you have a folder called /var/www/html and you want to check if your web server is using it:

lsof +D /var/www/html

You might see something like:

COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2  1234    www-data  3r  REG  252,0   12345 67890 /var/www/html/index.html

This tells you that Apache is reading files from that folder, good to know before making any changes!

Pro tips and best practices

  • Always check before deleting When in doubt, it’s better to check twice than to break something once. It’s like looking both ways before crossing the street!
  • Watch out for performance The lsof +D command checks all subfolders too, which can be slow for large directories. For quicker checks of just the folder itself, you can use:
lsof +d /path/to/folder
  • Combine commands for better insights You can pipe these commands with grep for more specific searches:
lsof +D /path/to/folder | grep service_name

Troubleshooting common scenarios

Sometimes you might run these commands and get no output. Don’t panic! This usually means no processes are currently using the folder. However, remember that:

  • Some processes might open and close files quickly
  • You might need sudo privileges to see everything
  • System processes might be using files in ways that aren’t immediately visible

Conclusion

Understanding which services are using your folders is crucial in modern DevOps and SysOps environments. With lsof and fuser, you have powerful tools at your disposal to make informed decisions about your system’s folders.

Remember, the key is to always check before making changes. It’s better to spend a minute checking than an hour fixing it! These tools are your friends in maintaining a healthy and stable Linux system.

Quick reference

# Check folder usage with lsof
lsof +D /path/to/folder

# Quick check with fuser
fuser -v /path/to/folder

# Check specific service
lsof +D /path/to/folder | grep service_name

# Check folder without recursion
lsof +d /path/to/folder

The commands we’ve explored today are just the beginning of your journey into better Linux system management. As you become more comfortable with these tools, you’ll find yourself naturally integrating them into your daily DevOps and SysOps routines. They’ll become an essential part of your system maintenance toolkit, helping you make informed decisions and prevent those dreaded “Oops, I shouldn’t have deleted that” moments.

Being cautious with system modifications isn’t about being afraid to make changes,  it’s about making changes confidently because you understand what you’re working with. Whether you’re managing a single server or orchestrating a complex cloud infrastructure, these simple yet powerful commands will help you maintain system stability and peace of mind.

Keep exploring, keep learning, and most importantly, keep your Linux systems running smoothly. The more you practice these techniques, the more natural they’ll become. And remember, in the world of system administration, a minute of checking can save hours of troubleshooting!

December 25, 2024 by DevOps stuff Linux Stuff SRE stuff 0

Beyond 404, Exploring the Universe of Elastic Load Balancer Errors

In the world of cloud computing, Elastic Load Balancers (ELBs) play a crucial role in distributing incoming application traffic across multiple targets, such as EC2 instances, containers, and IP addresses. As a Cloud Architect or DevOps engineer, understanding the error messages associated with ELBs is essential for maintaining robust and reliable systems. This article aims to demystify the most common ELB error messages, providing you with the knowledge to quickly identify and resolve issues.

The Power of Load Balancers

Before we explore the error messages, let’s briefly recap the main features of Load Balancers:

  1. Traffic Distribution: ELBs efficiently distribute incoming application traffic across multiple targets.
  2. High Availability: They improve application fault tolerance by automatically routing traffic away from unhealthy targets.
  3. Auto Scaling: ELBs work seamlessly with Auto Scaling groups to handle varying loads.
  4. Security: They can offload SSL/TLS decryption, reducing the computational burden on your application servers.
  5. Health Checks: Regular health checks ensure that traffic is only routed to healthy targets.

Now, let’s explore the error messages you might encounter when working with ELBs.

Decoding ELB Error Messages

When troubleshooting issues with your ELB, you’ll often encounter HTTP status codes. These codes are divided into two main categories:

  1. 4xx errors: Client-side errors
  2. 5xx errors: Server-side errors

Understanding this distinction is crucial for pinpointing the source of the problem and implementing the appropriate solution.

Client-Side Errors (4xx)

These errors indicate that the issue originates from the client’s request. Some common 4xx errors include:

  • 400 Bad Request: The request was malformed or invalid.
  • 401 Unauthorized: The request lacks valid authentication credentials.
  • 403 Forbidden: The client cannot access the requested resource.
  • 404 Not Found: The requested resource doesn’t exist on the server.

Server-Side Errors (5xx)

These errors suggest that the problem lies with the server. Common 5xx errors include:

  • 500 Internal Server Error: A generic error message when the server encounters an unexpected condition.
  • 502 Bad Gateway: The server received an invalid response from an upstream server.
  • 503 Service Unavailable: The server is temporarily unable to handle the request.
  • 504 Gateway Timeout: The server didn’t receive a timely response from an upstream server.

The Frustrating HTTP 504: Gateway Timeout Error

The 504 Gateway Timeout error deserves special attention due to its frequency and the frustration it can cause. This error occurs when the ELB doesn’t receive a response from the target within the configured timeout period.

Common causes of 504 errors include:

  1. Overloaded backend servers
  2. Network connectivity issues
  3. Misconfigured timeout settings
  4. Database query timeouts

To resolve 504 errors, you may need to:

  • Increase the timeout settings on your ELB
  • Optimize your application’s performance
  • Scale your backend resources
  • Check for and resolve any network issues

List of Common Error Messages

Here’s a more comprehensive list of error messages you might encounter:

  1. 400 Bad Request
  2. 401 Unauthorized
  3. 403 Forbidden
  4. 404 Not Found
  5. 408 Request Timeout
  6. 413 Payload Too Large
  7. 500 Internal Server Error
  8. 501 Not Implemented
  9. 502 Bad Gateway
  10. 503 Service Unavailable
  11. 504 Gateway Timeout
  12. 505 HTTP Version Not Supported

Tips to Avoid Errors and Quickly Identify Problems

  1. Implement robust logging and monitoring: Use tools like CloudWatch to track ELB metrics and set up alarms for quick notification of issues.
  2. Regularly review and optimize your application: Conduct performance testing to identify bottlenecks before they cause problems in production.
  3. Use health checks effectively: Configure appropriate health check settings to ensure traffic is only routed to healthy targets.
  4. Implement circuit breakers: Use circuit breakers in your application to prevent cascading failures.
  5. Practice proper error handling: Ensure your application handles errors gracefully and provides meaningful error messages.
  6. Keep your infrastructure up-to-date: Regularly update your ELB and target instances to benefit from the latest improvements and security patches.
  7. Use AWS X-Ray: Implement AWS X-Ray to gain insights into request flows and quickly identify the root cause of errors.
  8. Implement proper security measures: Use security groups, network ACLs, and SSL/TLS to secure your ELB and prevent unauthorized access.

In a few words

Understanding Elastic Load Balancer error messages is crucial for maintaining a robust and reliable cloud infrastructure. By familiarizing yourself with common error codes, their causes, and potential solutions, you’ll be better equipped to troubleshoot issues quickly and effectively.

Remember, the key to managing ELB errors lies in proactive monitoring, regular optimization, and a deep understanding of your application’s architecture. By following the tips provided and continuously improving your knowledge, you’ll be well-prepared to handle any ELB-related challenges that come your way.

As cloud architectures continue to evolve, staying informed about the latest best practices and error-handling techniques will be essential for success in your role as a Cloud Architect or DevOps engineer.

July 12, 2024 by Cloud stuff DevOps stuff SRE stuff 0
NivelEpsilon
Exploring the Cloud: Insights into DevOps, Linux & Architectural Evolution