Updating Ubuntu Pro servers automatically with AWS Systems Manager

1. Overview

Ubuntu Pro is Canonical’s recommended choice for professional use. Not only does it benefit from all the Ubuntu LTS features we know and love, it also comes with 10 years of maintenance and updates for the entire stack, from the kernel (through live-patch updates) to applications such as NGINX, MongoDB, Redis, Kafka and NodeJS, using the same PAYG cost model we are now used to, all through the good old apt package manager.

In this tutorial we are going to see how to keep your Ubuntu Pro servers updated in an automated way, using AWS Systems Manager (SSM). The same approach can also be applied to regular Ubuntu servers (even on premises).

For this exercise, we will use three fresh instances with different versions of Ubuntu Pro with no additional configurations added.

Please note that from Ubuntu 16.04 onward, each AWS-optimized version of Ubuntu Server comes with the SSM agent preinstalled, so you don’t need to install it.

What you’ll learn

  • How to create the role needed for your Ubuntu instance
  • How to create an automated maintenance window in AWS Systems Manager
  • How to run a shell command with AWS SSM Run Command

What you’ll need

  • Basic understanding of AWS: EC2, IAM Roles
  • Some instances running to test with outbound access to port 443

2. Create an IAM Role for allowing the agent to interact with SSM

We will start by opening the IAM console and selecting the Create role option. If you have already created this role, you can skip this step.

Select EC2 from the Common use cases, since we want to allow EC2 to access SSM.

In the list of policies to attach to this role, we need to search for the SSM policy document called “Managed Instance Core” and attach it as shown below:

Let’s save it and attach it to your instances.

Note
By creating this role, all of AWS Systems Manager’s capabilities will be enabled.


3. Create a maintenance window in SSM

SSM maintenance windows let you configure time slots in which specific actions run automatically.

Let’s click on Create maintenance window and start adding the information as shown below:

Now we can schedule the task by specifying how often we would like this action to run.

After saving, we should be able to open the maintenance window page as shown below:

To create the task we would like to execute, go to the Tasks tab, click Register tasks and choose Register Run command task from the drop-down menu. This will take us to the last step.


4. Register a Run command task

A Run command task is a set of instructions that is sent to and run on an instance, without having to log into it. It can be a script or a series of commands, but it can also run automation documents such as Ansible playbooks, Chef recipes and other AWS documents created for common tasks (such as installing a package, updating agents and others).

Add general description

Select the action (document) that you want to run.

Since we only want to run a couple of commands, we need the following document:

AWS-RunShellScript

Tip:
At the time of writing, the search function only matched the exact term, so you can just paste the term into the text box.

Select targets (Instances)

In this list we will only see the instances that have the SSM agent running and are properly configured (agent installed, role attached and outbound network access granted). So, if you don’t see all your instances listed, check the roles and security groups again.

We can now continue by selecting all the instances to which we would like to apply this action. Note that this won’t include instances created later, as the task will only apply to the selected ones.

Pro tip:
If you want this to work even for future instances, use the Resource group option instead. Resource groups are configured in the AWS Resource Groups console and use tags and other criteria to group instances.

Other options: Output and Rate control

If we need to store the output of the operation in an external repository, such as S3, we can configure it here. Otherwise, it is always possible to browse the results from the AWS console.

Rate control lets us configure concurrency (on how many instances we would like to run this task simultaneously) and an error threshold, so that if something goes wrong the task stops after a specific number of failed executions.

Parameters. Where the actual command is.

In the Parameters section we can add the shell commands we would like to run, the working directory, and the timeout in case something takes longer than usual.

Insert the following in the Commands text box:

sudo apt update
sudo apt upgrade -y

And save the changes.
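The console steps of sections 2 to 4 done with the AWS CLI instead, as an added example that is not part of the original tutorial. The role, window, tag and schedule values are assumed placeholders, and with DRY_RUN=1 (the default) the script only prints the aws commands it would run; the upgrade commands additionally set DEBIAN_FRONTEND=noninteractive so an unattended apt run cannot hang on a prompt.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: sections 2 to 4 done with the AWS CLI instead of the
# console. Role, window, tag and schedule values are assumed placeholders; with DRY_RUN=1
# (the default) the script only prints the aws commands it would run.
set -eu
ROLE_NAME="${ROLE_NAME:-UbuntuProSSMRole}"
WINDOW_NAME="${WINDOW_NAME:-ubuntu-pro-apt-upgrade}"
TARGET_TAG="${TARGET_TAG:-Patch}"             # targets instances tagged Patch=ubuntu-pro
TARGET_VALUE="${TARGET_VALUE:-ubuntu-pro}"
SCHEDULE="${SCHEDULE:-cron(0 3 ? * SUN *)}"   # every Sunday at 03:00 UTC
DRY_RUN="${DRY_RUN:-1}"

# Dry run: print the command on stderr and return nothing; otherwise call aws for real.
run() { if [ "$DRY_RUN" = "1" ]; then echo "aws $*" >&2; else aws --output text "$@"; fi; }
# Trust policy for step 2 ("Common use cases: EC2"): only EC2 may assume the role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# AWS-RunShellScript parameters for step 4; $1 is the execution timeout in seconds.
# The document already runs as root, so no sudo is needed; DEBIAN_FRONTEND=noninteractive
# keeps apt from blocking on a config-file prompt that nobody is there to answer.
run_command_params() {
  printf '{"RunCommand":{"Parameters":{"commands":["export DEBIAN_FRONTEND=noninteractive","apt-get update","apt-get upgrade -y"],"executionTimeout":["%s"]},"TimeoutSeconds":600}}' "$1"
}
setup() {
  # Step 2: role + AmazonSSMManagedInstanceCore, wrapped in an instance profile
  # (attach it to each instance with aws ec2 associate-iam-instance-profile).
  run iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  run iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  run iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  run iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  # Step 3: a 2-hour window that stops launching new tasks 1 hour before it closes.
  local window_id target_id
  window_id=$(run ssm create-maintenance-window --name "$WINDOW_NAME" --schedule "$SCHEDULE" \
    --duration 2 --cutoff 1 --no-allow-unassociated-targets --query WindowId)
  window_id="${window_id:-mw-PLACEHOLDER}"   # dry run returns no id
  # Target by tag (the "Pro tip"), so instances launched later are picked up as well.
  target_id=$(run ssm register-target-with-maintenance-window --window-id "$window_id" \
    --resource-type INSTANCE --targets "Key=tag:$TARGET_TAG,Values=$TARGET_VALUE" --query WindowTargetId)
  target_id="${target_id:-target-PLACEHOLDER}"
  # Step 4: AWS-RunShellScript with rate control (2 instances at a time, stop after 1 error).
  run ssm register-task-with-maintenance-window --window-id "$window_id" \
    --targets "Key=WindowTargetIds,Values=$target_id" --task-arn AWS-RunShellScript \
    --task-type RUN_COMMAND --max-concurrency 2 --max-errors 1 \
    --task-invocation-parameters "$(run_command_params 3600)"
}
setup
```

Run it with DRY_RUN=0 and valid AWS credentials to apply the changes; it does not attach the instance profile to existing instances, which is still done per instance with aws ec2 associate-iam-instance-profile.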


5. Enjoy!

We can now sit back and watch how AWS Systems Manager does the work for us and keeps our servers always updated and more secure.

In this tutorial, we enabled the agent already installed on your Ubuntu servers by adding an IAM role that allows EC2 to call the SSM API. We then configured a maintenance window that automatically runs the update task, which contains the shell commands apt update and apt upgrade.

Next steps

AWS Systems Manager (SSM) is a powerful tool that lets you manage your fleet without manual intervention, scaling out to hundreds or thousands of machines.

I recommend checking out other AWS SSM capabilities such as the inventory manager, patch manager and session manager for opening a shell without actually logging into the machine.

Further reading