AWS Import


Nick

Feb 9, 2015, 4:08:00 PM
to dradi...@googlegroups.com
In an earlier thread Daniel mentioned sending any notes anyone had regarding importing DradisPro into AWS.  Below are my old notes on how I got the LUKS encrypted VM into AWS.  I have used two different methods for importing it; both worked, but please note: I'm not sure if this is the easiest or best way, but they worked for me.

In short, one way is to boot your DP VM to a LiveCD, mount the luks volume, dd the unencrypted mapper volume to /dev/sda5, chroot into sda5, perform grub and kernel cleanup, reboot and suck into AWS.
The other way is to attach a new drive to your VM, fdisk it, rsync the necessary bits over, chroot into sda5, perform grub and kernel cleanup, reboot and suck into AWS.

It might be best to make a backup copy of your vmdk file prior to performing this since you overwrite the drive in the process.
Boot your DradisPro VM to a Debian x86_64 LiveCD (I likely used the standard iso).
$ sudo su - 
# aptitude install lvm2 cryptsetup
# cryptsetup luksOpen /dev/sda5 dradispro

# pvscan 
# lvscan
# vgscan
# vgchange -a y
# vgdisplay
# mkdir /tmp/test
# mount /dev/mapper/dradispro-root /tmp/test/ - ls to ensure everything is golden, then umount /tmp/test
# dd if=/dev/mapper/dradispro-root of=/dev/sdb5 bs=1M

# mount /dev/mapper/dradispro-root /tmp/test/  
# mount /dev/sda1 /tmp/test/boot
# mount -t proc proc /tmp/test/proc/
# mount --rbind /sys /tmp/test/sys
# mount --rbind /dev /tmp/test/dev
# chroot /tmp/test /bin/bash

# vi /boot/grub/grub.cfg  - swap out mapper parts with /dev/sda5
# grub-mkconfig -o /boot/grub/grub.cfg
# update-grub
# grub-install /dev/sda
# vi /etc/fstab --- change / and /boot to the proper uuid (ls -l /dev/disk/by-uuid) or just put /dev/sda5 and sda1 to /boot.  I removed the swap

Backup the initrd image in case it dorks up
# cp initrd* /root
# mkinitramfs -o /boot/initrd.img-3.2.0-4-amd64 $(uname -r)

# exit
# reboot

In my notes it looks like I converted the vmdk to a Type 5 compressed disk.  I somewhat recall the need for this based on some AWS issue.
I was using Fusion but vmware-vdiskmanager is available on Linux too.  I believe at this point you could also shrink the disk if needed with vdiskmanager.
# /Applications/VMware\ Fusion.app/Contents/Library/vmware-vdiskmanager -r dradispro.vmdk -t 5 New_DradisPro_AWS.vmdk

Then use the overly complex AWS SDK to import the vmdk (this should help http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ImportingYourVM.html).  I made mine a m3.large.
# ec2-import-instance New_DradisPro_AWS.vmdk -f VMDK -t m3.large -a x86_64 -b AWS_bucket_name -o AWS_owner_key -w AWS_secret_key --subnet AWS_subnet_id -z time_zone --region AWS_region -p Linux

From there you can set Security Groups to only allow access from /32's or whatever, set up an AWS VPC gateway VPN or whatever it is called and of course a handful of host based protections.
AWS does offer volume encryption (if I recall it's TrueCrypt, an old TrueCrypt too) but I don't think it works on boot volumes, so some other magic may need to happen.

Rsync method
The other method was to add a second drive to the original DradisPro VM and rsync everything over.  Both methods worked fine for me and I might have used the rsync method the last time I did it.  If I recall, it was easier to get a much smaller disk since AWS charges you for those 75GBs.  Steps are below:

Add a new disk within VMware to your DradisPro (I made a 15GB drive)
Boot to livecd
# fdisk /dev/sdb - for a 15GB disk try first partition at +100M, then an extended and logical part eating up the rest.
# mkdir /mnt/drive{1,2}p{1,5}
# mount /dev/sda1 /mnt/drive1p1
# mount /dev/sda5 /mnt/drive1p5
# mount /dev/sdb1 /mnt/drive2p1
# mount /dev/sdb5 /mnt/drive2p5

# rsync -avrh --exclude={/dev/*,/proc/*,/sys/*,/tmp/*,/run/*,/mnt/*,/media/*,/lost+found} /mnt/drive1p5/ /mnt/drive2p5/
# rsync -avrh /mnt/drive1p1/ /mnt/drive2p1/

# mount -t proc proc /mnt/drive2p5/proc/
# mount --rbind /sys /mnt/drive2p5/sys
# mount --rbind /dev /mnt/drive2p5/dev
# chroot /mnt/drive2p5 /bin/bash

# vi /boot/grub/grub.cfg  - swap out mapper parts with /dev/sda5
# grub-mkconfig -o /boot/grub/grub.cfg
# update-grub
# grub-install /dev/sda
# vi /etc/fstab --- change / and /boot to the proper uuid (ls -l /dev/disk/by-uuid) or just put /dev/sda5 and sda1 to /boot.  I removed the swap

Backup the initrd image in case it dorks up
# cp initrd* /root
# mkinitramfs -o /boot/initrd.img-3.2.0-4-amd64 $(uname -r)

# exit
# reboot

My notes don't mention it but I suspect I created a new custom vm feeding it an existing vmdk for the disk (the second drive's vmdk) and test booted it to ensure everything was cool.

Convert to a compressed streaming vmdk
# /Applications/VMware\ Fusion.app/Contents/Library/vmware-vdiskmanager -r dradispro.vmdk -t 5 New_DradisPro_AWS.vmdk

Import into AWS
# ec2-import-instance New_DradisPro_AWS.vmdk -f VMDK -t m3.large -a x86_64 -b AWS_bucket_name -o AWS_owner_key -w AWS_secret_key --subnet AWS_subnet_id -z time_zone --region AWS_region -p Linux

Hope it helps,
Nick Baronian
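
Added example (not part of Nick's post or of Dradis Pro): both methods hand-edit grub.cfg and fstab to drop the mapper device, so a check over the copied root before converting the vmdk catches a line that was missed. The function names, the crypttab check (standard Debian path assumed) and the sample files are assumptions constructed here.

```shell
#!/usr/bin/env bash
# Added example: find leftover references to the old LUKS/LVM layout in a
# copied root filesystem before it is converted and imported.

# check_root ROOT -> prints each offending line, returns 1 if any were found.
check_root() {
    local root=$1 rc=0 f hits
    # The two files the notes edit by hand.
    for f in etc/fstab boot/grub/grub.cfg; do
        [ -f "$root/$f" ] || continue
        # Non-comment lines that still name a device-mapper volume.
        hits=$(grep -nE '^[^#]*/dev/mapper/' "$root/$f") || continue
        printf '%s\n' "$hits" | sed "s|^|$f:|"
        rc=1
    done
    # Assumption: standard Debian /etc/crypttab; an active entry there gets
    # picked up when the initramfs is rebuilt.
    if [ -f "$root/etc/crypttab" ] &&
       grep -qEv '^[[:space:]]*(#|$)' "$root/etc/crypttab"; then
        echo "etc/crypttab: active entry present"
        rc=1
    fi
    return "$rc"
}

# Build a constructed sample root (not real Dradis Pro files) for a dry run.
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/boot/grub"
    cat > "$root/etc/fstab" <<'EOF'
# /dev/mapper/dradispro-root was on / during installation
/dev/sda5  /      ext4  errors=remount-ro  0 1
/dev/sda1  /boot  ext2  defaults           0 2
EOF
    cat > "$root/boot/grub/grub.cfg" <<'EOF'
linux /vmlinuz-3.2.0-4-amd64 root=/dev/mapper/dradispro-root ro quiet
initrd /initrd.img-3.2.0-4-amd64
EOF
    echo "$root"
}

sample=$(make_sample_root)
check_root "$sample" || echo "fix the lines above, then rebuild grub and the initramfs"
rm -rf "$sample"
```

Against a real copy, run check_root with the mount point of the new root (for example /mnt/drive2p5 with /boot mounted inside it) before leaving the LiveCD.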

Daniel Martin

Feb 11, 2015, 10:35:02 AM
to dradi...@googlegroups.com
Nick,

This is brilliant. Hopefully find some time to put this in our website as a guide for future reference.

Thanks for sharing,
Daniel


Director
Security Roots Ltd.
Registered company no 07389856 in England and Wales
