Automatically provision and attach AWS EBS volumes to instances
Run pip install ebs-snatcher
, or python ./setup.py
This tool allows AWS instances to self-sufficiently provision or takeover EBS volumes for data storage. It was created to support stateful database instances that should be able to join a replication group autonomously, while making use of snapshots to start from a recent state, instead of scratch.
ebs-snatcher
will attempt to provision an EBS volume with the minimal
possible effort for a target instance, considering that both must reside in
the same availability zone. Suitable volumes and snapshots are identified by
tag key-value pairs, such that different types of volumes can be managed by
calling the program multiple times.
In order of preference, the choices are:
- Keep using any volumes already attached to the instance
- Find an existing but available volume in the same AZ as the instance, and attach it to the instance
- Create a new volume from a suitable snapshot, and attach it
- Create a new volume from scratch, and attach it
Volumes and snapshots will only be considered for usage if they match the set
of tags specified by the --volume-id-tag
and --snapshot-search-tag
arguments, respectively. They take the form of key=value
pairs, and can
be specified multiple times, in which case the conditions are combined in AND
fashion.
Extra tags that are not used for selection can be specified with
--volume-extra-tags
(also in key=value
format).
After a volume is provisioned, it needs to be attached to the instance and
assigned a device name in the operating system. The desired name can be
specified with the --attach-device
argument, or it can be set to auto
to start from the AWS default of /dev/sdf
(earlier devices are "reserved"
for instance-store volumes).
If an attachment attempt fails due to the name already being in use, and it
matches known Linux disk names (/dev/(sd|xvd)[a-z]+
), the next name in
order will be picked and retried, in alphabetical order. The sequence starts as:
sda, sdb, ..., sdz, sdaa, ..., sdaz, sdba, ...
Volume creation settings are exposed as command line arguments, corresponding to the AWS API parameters, with a few observations:
- The Encrypt and KMSKeyId options are combined into the
--encrypt-kms-key-id
argument. Providing it will enable encryption, and omitting it will disable it - Volume size will be silently ignored when creating from a snapshot, as the volume will always have the same size as the snapshot
When no errors are found, the command will exit with status 0, and print a JSON document in stdout, containing at least the following keys:
volume_id: | ID of the EBS volume that has been attached to the instance |
---|---|
attached_device: | Path of the device assigned to the volume. Note that this might not match
exactly the device name visible inside the instance. For example, modern
Linux kernel versions use /dev/xvd* even if /dev/sd* is specified |
result: | One of present , attached or created , indicating the change in
volume state (or lack thereof) |
src_snapshot_id: | Contains the snapshot ID used to provision the volume it result is
created . Is null otherwise, or if the volume was created from
scratch |
In both cases log messages are printed to stderr.
Permissions to list volumes, snapshots and instances, to create volumes and
to attach volumes to instances are necessary for ebs-snatcher
to work.
They should be granted to instances using IAM roles. The simplest policy allows
complete access to all of those actions. It is much easier to handle, but very
broad:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EBSSnatcherAll",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:CreateVolume",
"ec2:AttachVolume"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
It is possible to ensure all managed volumes and instances have some chosen
tags, as long as those same tags are passed to ebs-snatcher
.
An example policy to achieve it follows. Before using it, replace:
db-volume-type
andcassandra
with the desired tags for volumesdb-instance-type
andcassandra
with the desired tags for instances (which must have been already assigned)<REGION>
and<ACCOUNT-ID>
with your own AWS account information
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EBSSnatcherDescribe",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "EBSSnatcherCreateVolume",
"Action": [
"ec2:CreateVolume"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/db-volume-type": "cassandra"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "EBSSnatcherCreateVolumeTags",
"Action": [
"ec2:CreateTags"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateVolume"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:volume/*"
},
{
"Sid": "EBSSnatcherAttachVolumeVolume",
"Action": [
"ec2:AttachVolume"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/db-volume-type": "cassandra"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:volume/*"
},
{
"Sid": "EBSSnatcherAttachVolumeInstance",
"Action": [
"ec2:AttachVolume"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/db-instance-type": "cassandra"
}
},
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:instance/*"
}
]
}
- Generate minimal IAM policies programatically
- Pull instance information from the local metadata store (remove the need for DescribeInstances permissions)
usage: ebs-snatcher [-h] --instance-id ID --volume-id-tag KEY=VALUE --volume-size GB --snapshot-search-tag KEY=VALUE --attach-device PATH|auto [--volume-extra-tag KEY=VALUE] [--encrypt-kms-key-id KEY-ID] [--volume-type TYPE] [--volume-iops COUNT] Automatically provision AWS EBS volumes from snapshots optional arguments: -h, --help show this help message and exit --instance-id ID Instance ID to attach volumes to --volume-id-tag KEY=VALUE Tag used to identify desired volumes. Will be used to search currently attached volumes to determine if a new one is needed and applied to new volumes. Can be provided multiple times, in which case tags will be combined as an AND condition. --volume-size GB Size to assign to newly created volumes, in GBs. --snapshot-search-tag KEY=VALUE Tag used to identify snapshots to create new volumes from.Can be provided multiple times, in which case tags will be combined as an AND condition. --attach-device PATH|auto Name of device to use when attaching a volume, such as "/dev/sdb". Can also be set to "auto", in which case sequential device names starting from /dev/sdb will be tried until attaching succeeeds --volume-extra-tag KEY=VALUE Extra tags to be applied to newly create volumes, but which are not used for identification . --encrypt-kms-key-id KEY-ID Enable encryption and use the given KMS key ID for newly created volumes --volume-type TYPE Volume type to use for newly created volumes --volume-iops COUNT Number of provisioned I/O operations to assign to newly created volumes. Make sure to choose an appropriate volume type to match.
Copyright (C) 2017 Cobli Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.