Migrating Amazon Linux instances using Migrate for Compute Engine

Taneli Leppä
Nov 30, 2021

You might not realize it, but Amazon Linux instances are unsupported in Google Cloud’s Migrate for Compute Engine 4.x (formerly known as Velostrata, referred to as M4CE in the rest of this post) in any mode other than offline migration.

Amazon Linux 2 instances are based on Red Hat Enterprise Linux 7 and aside from a few quirks and incompatibilities, most of the packages needed are available. M4CE requires a few things from the EC2 instance to support all the cool features like test clones and streaming. These are:

  • Installation of preparation package
  • Necessary modules for supporting booting from an iSCSI target
  • Correct permissions for the M4CE AWS IAM user

Unfortunately, not everything works out of the box: the installation package fails to account for certain Dracut module denylists, the Amazon Linux kernel doesn’t come with the necessary iscsi_ibft (iSCSI Boot Firmware Table) module, and the CloudFormation stack that creates the IAM roles is missing a few permissions. With a little elbow grease, though, we can work around these problems (please note that following these instructions will not make Amazon Linux officially supported on GCP).

Make sure the instance is fully updated

We don’t want any pending updates to cause issues, so make sure that the instance has the latest updates (especially kernel updates).

Rebuild the kernel with iscsi_ibft support

You can rebuild the current kernel with iscsi_ibft support using the chroot-based Mock build environment, all without polluting the source instance with unnecessary build tools (which security folks frown upon).

All you need to do is run these commands:

# Enable mock2 repository and install the mock tool
sudo amazon-linux-extras install mock2
sudo yum install -y rpm-build
# Download the source RPM for the current kernel and install it
yumdownloader --source $(rpm -q kernel-$(uname -r))
rpm -i kernel-*.src.rpm
# Add iscsi_ibft to the build
echo "iscsi_ibft.ko" >> ~/rpmbuild/SOURCES/mod-extra.list
sed -i 's/.*CONFIG_ISCSI_IBFT.*/CONFIG_ISCSI_IBFT=m/g' ~/rpmbuild/SOURCES/config-x86_64
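# Add the current user to the mock group (log out and back in, or run
# "newgrp mock", so the new group membership applies before running mock)
sudo usermod -a -G mock $(whoami)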
# Build a new source RPM
rpmbuild -bs --define '__python /usr/bin/python3' ~/rpmbuild/SPECS/kernel.spec
# Use mock to rebuild the kernel source RPM - you'll probably
# want to run this in screen or tmux
mock -r amazonlinux-2-x86_64 --config-opts use_nspawn=False -v ~/rpmbuild/SRPMS/kernel-*.src.rpm
# Install the new kernel!
sudo rpm -i --force /var/lib/mock/amzn-2-x86_64/result/kernel-$(uname -r).rpm
# Clean up leftover mock caches and files
sudo yum remove -y rpm-build
rm -f ~/rpmbuild/SRPMS/kernel-*.src.rpm

Installing the prep package

Since Amazon Linux 2 is based on RHEL7, we can use the RPM package and install it via yum localinstall. However, Amazon Linux omits a few Dracut modules in /etc/dracut.conf.d/ec2.conf, including the device mapper module (dm), which we will need for multipath support, so we should first fix that file:

# Remove dm (device-mapper) from the omitted Dracut modules so dm-multipath can be included
sudo sed -i 's/"dm /"/' /etc/dracut.conf.d/ec2.conf

Now we can go ahead and download the preparation package and install it (there might have been newer versions since this document was written, so please check for the latest version):

# Download RPM package
curl -o migrate-for-gce-prep-4.11.7-0.redhat.x86_64.rpm https://storage.googleapis.com/velostrata-release/4.11.7/migrate-for-gce-prep-4.11.7-0.redhat.x86_64.rpm
# Install prep RPM package
sudo yum localinstall -y migrate-for-gce-prep-4.11.7-0.redhat.x86_64.rpm
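
A preflight check for the three host-side steps above (kernel module, Dracut config, prep package), added here as an example and not part of the original post. The function names are hypothetical, the package name is inferred from the RPM file name, and the kernel config is assumed to be at /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Succeeds if the kernel config enables iSCSI iBFT and, when it is built as
# a module, the module file exists. $1: kernel config, $2: module directory.
has_iscsi_ibft() {
    config="${1:-/boot/config-$(uname -r)}"
    moddir="${2:-/lib/modules/$(uname -r)}"
    grep -Eq '^CONFIG_ISCSI_IBFT=[my]$' "$config" 2>/dev/null || return 1
    # Built-in (=y) needs no .ko file on disk
    if grep -q '^CONFIG_ISCSI_IBFT=y$' "$config"; then return 0; fi
    # =m: the module may be stored compressed (e.g. iscsi_ibft.ko.xz)
    [ -n "$(find "$moddir" -name 'iscsi_ibft.ko*' 2>/dev/null | head -n 1)" ]
}

# Succeeds if no active omit_dracutmodules line still lists "dm". This looks
# at every position in the list, while the sed fix above only matches "dm"
# as the first entry. Returns 2 if the file is unreadable. $1: dracut config.
dm_not_omitted() {
    conf="${1:-/etc/dracut.conf.d/ec2.conf}"
    [ -r "$conf" ] || return 2
    omitted=$(sed -n \
        's/^[[:space:]]*omit_dracutmodules+\{0,1\}=[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$conf")
    for m in $omitted; do
        if [ "$m" = "dm" ]; then return 1; fi
    done
    return 0
}

# Run every check against the live system; non-zero if any check fails.
preflight() {
    rc=0
    has_iscsi_ibft || { echo "FAIL: iscsi_ibft missing for $(uname -r)"; rc=1; }
    dm_not_omitted || { echo "FAIL: dm still omitted, or ec2.conf unreadable"; rc=1; }
    # Assumption: package name inferred from the RPM file name used above
    rpm -q migrate-for-gce-prep >/dev/null 2>&1 ||
        { echo "FAIL: prep package not installed"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: host prerequisites look satisfied"; fi
    return "$rc"
}

# Only touch the live system when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run on the source instance after the steps above; each FAIL line points at the step to redo.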

Fixing the AWS IAM policy

The IAM policy for AWS (VxCF-GA-V3-IAMONLY.rev1.json) is missing two permissions related to EC2 snapshots (ec2:CreateSnapshots and ec2:DeleteSnapshot). So please use this updated policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:Describe*",
        "ec2:CreateTags",
        "ec2:GetConsoleOutput",
        "ec2:ModifyInstanceAttribute",
        "ec2:CreateSnapshots",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/ManagedByVelostrata": "Yes"
        }
      },
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Conclusion

That’s it — now you should be able to use all the fancy M4CE features for Amazon Linux instances.
