okochangの馬鹿でありがとう

Days of drifting aimlessly through the world.

Configuring a VPC DHCP Options Set with awscli

VPC has a feature called DHCP Options Sets that lets you customize the settings instances receive over DHCP (domain name, DNS servers, NTP servers, and so on).
This post shows how to configure one with awscli and then confirm, on an instance, that the customized settings were actually applied.

Environment

The settings verified this time are the DNS server and NTP server settings; the environment used for the verification is as follows.

Environment setup

Creating the VPC

$ aws ec2 create-vpc --cidr-block 10.0.0.0/16 --instance-tenancy default --region ap-northeast-1
{
    "Vpc": {
        "InstanceTenancy": "default", 
        "State": "pending", 
        "VpcId": "vpc-aa4958c8", 
        "CidrBlock": "10.0.0.0/16", 
        "DhcpOptionsId": "dopt-03c5a56a"
    }
}

Enable DNS Support and DNS Hostnames on the VPC.

$ aws ec2 modify-vpc-attribute --vpc-id vpc-aa4958c8 --enable-dns-support "{\"Value\":true}" --region ap-northeast-1
{
    "return": "true"
}
$ aws ec2 modify-vpc-attribute --vpc-id vpc-aa4958c8 --enable-dns-hostnames "{\"Value\":true}" --region ap-northeast-1
{
    "return": "true"
}

Create a VPC subnet.

$ aws ec2 create-subnet --cidr-block 10.0.0.0/24 --vpc-id vpc-aa4958c8 --availability-zone ap-northeast-1a --region ap-northeast-1
{
    "Subnet": {
        "VpcId": "vpc-aa4958c8", 
        "CidrBlock": "10.0.0.0/24", 
        "State": "pending", 
        "AvailabilityZone": "ap-northeast-1a", 
        "SubnetId": "subnet-e71f1685", 
        "AvailableIpAddressCount": 251
    }
}

Create a customized DHCP Options Set and associate it with the VPC. The DhcpOptionsId returned by create-vpc above (dopt-03c5a56a) is the region's default set, which hands out AmazonProvidedDNS. A DHCP options set cannot be edited once created: to change anything, create a new set and associate that one instead. Instances that are already running keep the old values until their DHCP lease is renewed.

$ aws ec2 create-dhcp-options --dhcp-configuration \
"Key=domain-name,Values=okochang.com" \
"Key=domain-name-servers,Values=8.8.8.8,8.8.4.4" \
"Key=ntp-servers,Values=210.173.160.27" \
--region ap-northeast-1
{
    "DhcpOptions": {
        "DhcpConfigurations": [
            {
                "Values": [
                    "210.173.160.27"
                ], 
                "Key": "ntp-servers"
            }, 
            {
                "Values": [
                    "okochang.com"
                ], 
                "Key": "domain-name"
            }, 
            {
                "Values": [
                    "8.8.4.4", 
                    "8.8.8.8"
                ], 
                "Key": "domain-name-servers"
            }
        ], 
        "DhcpOptionsId": "dopt-8bf1f9e9"
    }
}
$ aws ec2 associate-dhcp-options --vpc-id vpc-aa4958c8 --dhcp-options-id dopt-8bf1f9e9 --region ap-northeast-1
{
    "return": "true"
}

Create an Internet Gateway and attach it to the VPC.

$ aws ec2 create-internet-gateway --region ap-northeast-1 
{
    "InternetGateway": {
        "Tags": [], 
        "InternetGatewayId": "igw-d6796cb4", 
        "Attachments": []
    }
}

$ aws ec2 attach-internet-gateway --vpc-id vpc-aa4958c8 --internet-gateway-id igw-d6796cb4 --region ap-northeast-1
{
    "return": "true"
}

Create a Route Table, associate it with the subnet, and add a default route to the Internet Gateway.

$ aws ec2 create-route-table --vpc-id vpc-aa4958c8 --region ap-northeast-1
{
    "RouteTable": {
        "Associations": [], 
        "RouteTableId": "rtb-545b4b36", 
        "VpcId": "vpc-aa4958c8", 
        "PropagatingVgws": [], 
        "Tags": [], 
        "Routes": [
            {
                "GatewayId": "local", 
                "DestinationCidrBlock": "10.0.0.0/16", 
                "State": "active"
            }
        ]
    }
}

$ aws ec2 associate-route-table --subnet-id subnet-e71f1685 --route-table-id rtb-545b4b36 --region ap-northeast-1
{
    "AssociationId": "rtbassoc-950010f7"
}

$ aws ec2 create-route --route-table-id rtb-545b4b36 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-d6796cb4 --region ap-northeast-1
{
    "return": "true"
}

Create a Security Group and add a rule. The rule below opens TCP port 22 to 0.0.0.0/0, which is acceptable for a throwaway test instance but should be narrowed to your own source address for anything longer-lived.

$ aws ec2 create-security-group --group-name okochang-group --description "test security group"  --vpc-id vpc-aa4958c8 --region ap-northeast-1
{
    "return": "true", 
    "GroupId": "sg-654c5007"
}

$ aws ec2 authorize-security-group-ingress --group-id sg-654c5007 --cidr 0.0.0.0/0 --protocol tcp --port 22 --region ap-northeast-1 
{
    "return": "true"
}

Create an SSH key pair for connecting. The private key (KeyMaterial) is returned only in this one response and cannot be retrieved again, so save it to a file with owner-only permissions right away. The output below is abbreviated.

$ aws ec2 create-key-pair --key-name okochang-key --region ap-northeast-1
{
    "KeyMaterial": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIqr00==(omitted)==JRGHg2o6kls0w==\n-----END RSA PRIVATE KEY-----", 
    "KeyName": "okochang-key", 
    "KeyFingerprint": "11:aa:22:bb:33:cc:44:dd:55:ee:66:ff:77:gg:88:hh:99:ii:10:jj"
}

Launch an instance for verification.

$ aws ec2 run-instances \
--image-id ami-0d13700c \
--key-name okochang-key \
--security-group-ids sg-654c5007 \
--instance-type t1.micro \
--subnet-id subnet-e71f1685 \
--disable-api-termination \
--instance-initiated-shutdown-behavior stop \
--private-ip-address 10.0.0.10 \
--associate-public-ip-address --region ap-northeast-1
{
    "OwnerId": "12345678910", 
    "ReservationId": "r-f48d4cf1", 
    "Groups": [], 
    "Instances": [
        {
            "Monitoring": {
                "State": "disabled"
            }, 
            "PublicDnsName": null, 
            "KernelId": "aki-176bf516", 
            "State": {
                "Code": 0, 
                "Name": "pending"
            }, 
            "EbsOptimized": false, 
            "LaunchTime": "2014-01-25T12:58:08.000Z", 
            "PrivateIpAddress": "10.0.0.10", 
            "ProductCodes": [], 
            "VpcId": "vpc-aa4958c8", 
            "StateTransitionReason": null, 
            "InstanceId": "i-eaae01ef", 
            "ImageId": "ami-0d13700c", 
            "PrivateDnsName": "ip-10-0-0-10.ap-northeast-1.compute.internal", 
            "KeyName": "okochang-key", 
            "SecurityGroups": [
                {
                    "GroupName": "okochang-group", 
                    "GroupId": "sg-654c5007"
                }
            ], 
            "ClientToken": null, 
            "SubnetId": "subnet-e71f1685", 
            "InstanceType": "t1.micro", 
            "NetworkInterfaces": [
                {
                    "Status": "in-use", 
                    "SourceDestCheck": true, 
                    "VpcId": "vpc-aa4958c8", 
                    "Description": null, 
                    "NetworkInterfaceId": "eni-e9beaa8b", 
                    "PrivateIpAddresses": [
                        {
                            "PrivateDnsName": "ip-10-0-0-10.ap-northeast-1.compute.internal", 
                            "Primary": true, 
                            "PrivateIpAddress": "10.0.0.10"
                        }
                    ], 
                    "PrivateDnsName": "ip-10-0-0-10.ap-northeast-1.compute.internal", 
                    "Attachment": {
                        "Status": "attaching", 
                        "DeviceIndex": 0, 
                        "DeleteOnTermination": true, 
                        "AttachmentId": "eni-attach-41085c44", 
                        "AttachTime": "2014-01-25T12:58:08.000Z"
                    }, 
                    "Groups": [
                        {
                            "GroupName": "okochang-group", 
                            "GroupId": "sg-654c5007"
                        }
                    ], 
                    "SubnetId": "subnet-e71f1685", 
                    "OwnerId": "12345678910", 
                    "PrivateIpAddress": "10.0.0.10"
                }
            ], 
            "SourceDestCheck": true, 
            "Placement": {
                "Tenancy": "default", 
                "GroupName": null, 
                "AvailabilityZone": "ap-northeast-1a"
            }, 
            "Hypervisor": "xen", 
            "BlockDeviceMappings": [], 
            "Architecture": "x86_64", 
            "StateReason": {
                "Message": "pending", 
                "Code": "pending"
            }, 
            "RootDeviceName": "/dev/sda1", 
            "VirtualizationType": "paravirtual", 
            "RootDeviceType": "ebs", 
            "AmiLaunchIndex": 0
        }
    ]
}

Verification

Looking at resolv.conf and ntp.conf on the instance, you can see that the values specified in the DHCP Options Set were written by /sbin/dhclient-script. One caveat: with the resolver pointed at Google DNS, the instance can no longer resolve Amazon-provided private hostnames such as ip-10-0-0-10.ap-northeast-1.compute.internal, because only the Amazon-provided DNS server (the VPC network address plus two, here 10.0.0.2, or 169.254.169.253) answers for those. The DNS Support attribute enabled earlier turns that server on, but it is only consulted if it appears in domain-name-servers.

$ cat /etc/resolv.conf 
; generated by /sbin/dhclient-script
search okochang.com
nameserver 8.8.4.4
nameserver 8.8.8.8

$ tail -3 /etc/ntp.conf 
interface listen eth0
interface ignore ipv6
server 210.173.160.27   # added by /sbin/dhclient-script
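
As an added example (not code from the original post), here is a small script that turns this manual check into a repeatable one: it pulls the option set attached to a VPC with awscli, renders the resolv.conf and ntp.conf lines /sbin/dhclient-script would write, and compares them with the live files. The aws calls assume the current awscli JMESPath --query syntax and the DhcpConfigurations[].Values[].Value response shape (newer than the output shown above, where Values is a plain list of strings); the rendering and comparison functions run offline on tab-separated key/value lines and need no credentials.

```shell
#!/bin/sh
# Added example, not code from the original post: check that an instance's
# resolver and NTP configuration really reflect the DHCP options set attached
# to its VPC. The aws calls assume the current awscli --query (JMESPath) syntax
# and the DhcpConfigurations[].Values[].Value response shape; everything else
# works offline on "key<TAB>value1,value2" lines and needs no credentials.
set -eu

REGION=${REGION:-ap-northeast-1}

# Print one "key<TAB>v1,v2" line per option in the set attached to VPC $1.
fetch_vpc_dhcp_options() {
  dopt_id=$(aws ec2 describe-vpcs --vpc-ids "$1" --region "$REGION" \
              --query 'Vpcs[0].DhcpOptionsId' --output text)
  aws ec2 describe-dhcp-options --dhcp-options-ids "$dopt_id" --region "$REGION" \
      --query "DhcpOptions[0].DhcpConfigurations[].[Key, join(',', Values[].Value)]" \
      --output text
}

# What /sbin/dhclient-script writes to /etc/resolv.conf from those options:
# domain-name becomes the "search" line, each domain-name-servers entry a
# "nameserver" line, in the order the option set lists them.
render_resolv_conf() {
  search=; servers=
  while read -r key values; do
    case $key in
      domain-name)         search=$values ;;
      domain-name-servers) servers=$values ;;
    esac
  done
  if [ -n "$search" ]; then printf 'search %s\n' "$search"; fi
  if [ -n "$servers" ]; then
    printf '%s\n' "$servers" | tr ',' '\n' | sed 's/^/nameserver /'
  fi
}

# The "server X" lines dhclient-script appends to /etc/ntp.conf.
render_ntp_servers() {
  while read -r key values; do
    if [ "$key" = ntp-servers ]; then
      printf '%s\n' "$values" | tr ',' '\n' | sed 's/^/server /'
    fi
  done
}

# $1 = options file, $2 = a resolv.conf. Only search/nameserver lines are
# compared, so the "; generated by" comment and any "options" line are ignored.
check_resolv_conf() {
  [ "$(render_resolv_conf <"$1")" = "$(grep -E '^(search|nameserver) ' "$2")" ]
}

# $1 = options file, $2 = an ntp.conf. Every expected "server X" line must be
# present; extra lines (the distribution's default pool servers) are allowed.
check_ntp_conf() {
  render_ntp_servers <"$1" | while read -r line; do
    grep -Eq "^$line([[:space:]]|\$)" "$2" || exit 1
  done
}

# Run on the instance with credentials: ./dhcp-check.sh vpc-aa4958c8
# A mismatch usually means the instance is still on a lease obtained before
# associate-dhcp-options ran; renew the lease (or wait for it) and re-check.
if [ -n "${1:-}" ]; then
  opts=$(mktemp)
  fetch_vpc_dhcp_options "$1" >"$opts"
  check_resolv_conf "$opts" /etc/resolv.conf && echo "resolv.conf matches"
  check_ntp_conf "$opts" /etc/ntp.conf && echo "ntp.conf matches"
  rm -f "$opts"
fi
```

Fed the option set from this post (ntp-servers 210.173.160.27, domain-name okochang.com, domain-name-servers 8.8.4.4,8.8.8.8) and the resolv.conf and ntp.conf shown above, both checks pass; a resolv.conf still listing the Amazon-provided resolver fails the first check, which is exactly the "lease not renewed yet" situation you want to catch. The ntp.conf check deliberately tolerates the distribution's own server lines, since dhclient-script appends to that file rather than replacing it.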

Summary

This time, because it was a hassle, I specified Google DNS and Internet Multifeed's NTP server, but if you want to use an internal DNS or internal NTP server, you just use them together with a DHCP Options Set in the same way.