AWS: DevOps Pro study notes

So I covered my eyes for a bit when I clicked ‘Finish’ (the test attempt), as this was the toughest exam I’d faced thus far, and I was maybe 70% satisfied with my body of work. Fortuitously, I passed, albeit with an overall score of 65%:

1.0  Continuous Delivery and Process Automation: 47%
2.0  Monitoring, Metrics, and Logging: 93%
3.0  Security, Governance, and Validation: 75%
4.0  High Availability and Elasticity: 83%

I really need to backtrack, figure out this CI/CD thing, then.

  • ASG (lifecycle hooks {Terminating > Terminating:Wait}, span AZs evenly by default, Launch Configs cannot be edited, suspend AddToLoadBalancer and then register instances manually, Termination Policy {Default|OldestInstance});
  • CI tooling (e.g., Jenkins) can perform syntax/build tests;
  • CloudFormation (CreationPolicy {post-config}, ::CustomResource, {RDS} DeletionPolicy=Retain, nested stacks, UpdatePolicy=AutoScalingRollingUpdate);
  • CloudTrail;
  • CloudWatch (dimensions {per-ASG}, retention period, aggregation, Logs {agent}, Log Filters, subscriptions);
  • DynamoDB (cache S3 object metadata);
  • EB (Applications > Versions > Environments, Container Commands {leader-only}, Docker containers, Saved Configs., Swap URLs, .ebextensions);
  • EBS (unencrypted to encrypted, pre-warming);
  • ECS (Dockerrun.aws.json);
  • ElastiCache;
  • Elasticsearch?;
  • IAM (Database Authentication {Aurora|MySQL}, Instance Profile > Role);
  • Kinesis Streams (real time);
  • OpsWorks; i.e., Chef+ (Configure {custom cookbook});
  • RDS (Multi-AZ, Read Replicas, sharding);
  • S3 (key-based naming scheme, store developer’s public keys, MFA Delete);
  • SNS;
  • SQS;
  • WIF, i.e., Web Identity Federation (via some IdP {e.g., Google});

AWS: SysOps Administrator (SOA) study notes

Hello, world. Penned down some keywords after passing my recent AWS SOA exam, and then expanded on ’em below. Perhaps you’ll find ’em useful then.


EBS
RAID 0 (striped) vs. 1 (mirrored); i.e., the lower the number, the higher the risk, see https://www.diffen.com/difference/RAID_0_vs_RAID_1.

Just like EC2 instances, EBS volumes reside in a specific AZ of a Region; i.e., a volume can only be attached to a running instance within the same AZ. To move a volume to another AZ, use snapshots, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html.

EC2
AMIs are either EBS-backed or instance store-backed (ephemeral). Instance store-backed AMIs are stored in S3; i.e., terminating an EC2 instance launched from such an AMI means the data on its root volume is gone forever, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html.

EBS-optimized instances minimize contention between EBS I/O and other traffic from your EC2 instance, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html.

Cluster-type placement groups: low-latency grouping (of EC2 instances) within a single AZ, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html.

RDS
Automated Backups allow users to restore the database to a point in time up to about 5 minutes before the current time, see https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIT.html.

S3
TA (Transfer Acceleration), as its name suggests, allows users to accelerate file transfers to S3, for when users are underutilizing available Internet bandwidth at upload time, see https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html.

VPC
Tenancy is typically default (i.e., shared) tenancy. Users cannot change from default to dedicated/host, and vice-versa, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html#change-tenancy-vpc.

IPv4 CIDR blocks can range from large (/16 netmask, 65k addresses) to small (/28 netmask, 16 addresses), see https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html.

Direct Connect: use a private virtual interface to connect to your VPC, and a public one for services that aren’t in a VPC (e.g., Glacier), see https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html.

Within VPCs, there is a “local” route allowing communication between subnets using private IP addresses only, see https://medium.com/@mda590/aws-routing-101-67879d23014d, https://acloud.guru/forums/aws-certified-solutions-architect-professional/discussion/-KGl5vgVKjHuXcpWM0S6/communication_between_subnets.

Windows
Active Directory and AWS, see https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/, https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html.

Windows EC2 instances can be configured using EC2Config (2.2.10+) to export data to CloudWatch, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2config-service.html.

AWS: Analysis of the Certified SysOps Administrator – Associate exam

I recently became fully AWS certified (at the Associate Level), most recently passing the SysOps Administrator – Associate exam at my third attempt.

  1. In late 2016, I failed with a score of 61% (or 67%). It was my first failure — I deleted the “unsuccessful” notification email in a fit of rage;
  2. In early 2018, I failed with a score of 71%;
  3. In April 2018, I passed with a score of 80%.

My experience was that the Certified SysOps Administrator – Associate exam was the toughest of the lot. In the table below, I compare the weighted scores between attempts #2 and #3 for individual domains:

[Table: SysOps Administrator domain scores, attempt #2 vs. attempt #3]

While I improved in 3 domains, I obtained the same score in the other 4 domains (Monitoring and Metrics, Deployment and Provisioning, Security, & Networking). This gelled with my observation that many of the questions for attempt #3 I’d actually attempted 2 weeks earlier!

Of course, your own mileage may vary, plus you still need to spend time/effort reading through and understanding the AWS FAQs — they are really in-depth, and helped me answer 5 questions correctly; i.e., 9% of 55 ~= 4.95.

In a subsequent post I’ll discuss particular areas that showed up at exam time.

AWS Certified Associate

After an extended hiatus away from AWS certification, finally I’m certified at the Associate level, 3 times over!


To date I’ve taken and passed:

  1. Certified Developer – Associate
  2. Certified Solutions Architect – Associate
  3. Certified SysOps Administrator – Associate

AWS has a nice road map, so I just re-purposed the following image off their site:

[Image: AWS Certification Roadmap, April 2018]

I’m told that the Professional level exams are much harder, but that’s a post for another day…

Docker containers can’t resolve DNS

I’ve recently switched over to using Docker for dev. work on a Windows 10 host, and it’s worked pretty well. Today, apt-get somehow stopped working; e.g.,

...RUN apt-get update && apt-get install...
---> Running in ...
Err:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
Temporary failure resolving 'security.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu xenial InRelease
Temporary failure resolving 'archive.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
Temporary failure resolving 'archive.ubuntu.com'
Reading package lists...
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

This StackOverflow.com post suggests it might be DNS-related, so I changed the DNS config from the default (Google’s) to Cloudflare’s. Google’s seems to have been (very recently) blocked for whatever reason. Here’s how my Settings -> Network looks now:

[Screenshot: Docker Settings -> Network]
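A small diagnostic I added here (my own example, not from the post): it reads apt-get output of the shape shown above and decides whether the failures are resolver failures rather than HTTP errors, lists the hosts that failed to resolve, and re-tests resolution inside a throwaway container with an explicit resolver. The function names and the 1.1.1.1 resolver in the comment are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: classify the apt-get failure and
# re-test name resolution with an explicit, per-container resolver.

# Constructed sample: the shape of the lines apt printed in the failing build.
sample_apt_log() {
cat <<'EOF'
Err:1 http://security.ubuntu.com/ubuntu xenial-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu xenial InRelease
  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
}

# stdin: apt log. Prints each host apt could not resolve, once, sorted.
unresolved_hosts() {
  sed -n "s/.*Temporary failure resolving '\([^']*\)'.*/\1/p" | sort -u
}

# stdin: apt log. Prints "dns" when every fetch error is a resolver failure,
# "other" when at least one is not (HTTP 404, proxy refusal, ...), "ok" if none.
# apt gives the reason either on the line after an "Err:N" header or inline on
# a "W: Failed to fetch" line, so there is one reason line per error record.
classify_apt_log() {
  log=$(cat)
  errs=$(printf '%s\n' "$log" | grep -c -e '^Err:' -e '^W: Failed to fetch' || true)
  dns=$(printf '%s\n' "$log" | grep -c 'Temporary failure resolving' || true)
  if [ "$errs" -eq 0 ]; then echo ok
  elif [ "$dns" -eq "$errs" ]; then echo dns
  else echo other; fi
}

# Re-test resolution in a fresh container with a per-container resolver
# override, which isolates the daemon-wide DNS setting from the image itself
# (hypothetical helper; needs Docker and network access), e.g.
#   container_resolves 1.1.1.1 archive.ubuntu.com && echo "resolver 1.1.1.1 works"
container_resolves() {
  docker run --rm --dns "$1" ubuntu:xenial getent hosts "$2" >/dev/null
}
```

If `classify_apt_log` says "other", changing the resolver will not help; look at the non-DNS reason lines first.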

CentOS: Forced shutdown

Yesterday, we encountered a disk issue on one of our CentOS servers. Some of the disks had either failed, or were predicting failure, so our vendor swooped in, changed some of the disks, as well as the RAID controller. Unfortunately, this worked for only a short time, before we started seeing “input/output error” verbiage in the console. The concern was data loss, so we tried to shut down and reboot: same “input/output error”.

And then I learnt that it’s possible to force a shutdown via the Magic SysRq key. I mean, magic!!

echo 1 > /proc/sys/kernel/sysrq    # 1 = enable every SysRq function
echo o > /proc/sysrq-trigger       # 'o' = immediate power off

New disks are incoming as I type this; we’ll have to keep a close eye on this developing situation.
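An added example of mine (not from the post) around the mask written above. /proc/sys/kernel/sysrq is a bitmask that only governs keyboard-invoked SysRq; root writes to /proc/sysrq-trigger are honoured regardless of it, so a host can keep a narrow console mask instead of 1 (which also exposes process kill and crash dumps to anyone at the console) and still run the emergency sync, remount read-only, power-off sequence. The function names are mine and the bit values are taken from the kernel's sysrq documentation as I recall them, so treat them as assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. /proc/sys/kernel/sysrq is a
# bitmask that only governs keyboard-invoked SysRq; root writes to
# /proc/sysrq-trigger work regardless of it. Bit values follow the kernel's
# sysrq documentation (assumed here; check the copy shipped with your kernel).
SYSRQ_SYNC=16        # 's' sync mounted filesystems
SYSRQ_REMOUNT_RO=32  # 'u' remount filesystems read-only
SYSRQ_SIGNAL=64      # 'e', 'i', 'k' signal or kill processes
SYSRQ_REBOOT=128     # 'b' reboot / 'o' power off

# Exit 0 if MASK permits the function class BIT; a mask of 1 permits everything.
sysrq_allows() {  # usage: sysrq_allows MASK BIT
  [ "$1" -eq 1 ] || [ $(( $1 & $2 )) -ne 0 ]
}

# Smallest console mask that still allows the emergency sequence below
# without also exposing process kill, crash dumps and the rest.
minimal_emergency_mask() {
  echo $(( SYSRQ_SYNC | SYSRQ_REMOUNT_RO | SYSRQ_REBOOT ))
}

# Exit 0 if MASK enables anything beyond that minimum, e.g.
#   sysrq_mask_too_broad "$(cat /proc/sys/kernel/sysrq)" && echo "tighten it"
sysrq_mask_too_broad() {  # usage: sysrq_mask_too_broad MASK
  [ "$1" -eq 1 ] || [ $(( $1 & ~$(minimal_emergency_mask) )) -ne 0 ]
}

# The post's forced power-off, preceded by sync and remount read-only so that
# buffered writes get a chance to reach disk. Root only; this halts the box.
emergency_poweroff() {
  for key in s u o; do
    echo "$key" > /proc/sysrq-trigger
    sleep 2
  done
}
```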

https://www.linuxquestions.org/questions/linux-newbie-8/input-output-error-222152/
https://en.wikipedia.org/wiki/Magic_SysRq_key