A Few Notes on Migrating an Ubuntu Instance from AWS to Digital Ocean
Digital Ocean, the cloud provider, has been garnering more attention of late. I'm the latest of late adopters for all things, as that practice has saved me a great deal of wasted time and frustration over the years. So I still run most of my own web and mail servers on AWS, largely to keep my hand in and stay up to date. For my level of personal use the high cost to processing power ratio obtained from AWS instances isn't much of an issue. Times change, however, and I decided to move a couple of Ubuntu servers from AWS to Digital Ocean to test the waters.
A Brief Note on Cost Differences
The cost of running a roughly equivalent web server on Digital Ocean is between a third and two-thirds of that on AWS: lower if you don't much care about RAM size, higher if you do. Of course you don't have access to the vast array of services provided by Amazon, but it you aren't using them then why pay for them?
You Can Create Boxes Without SSH Keys
It's possible to set up boxes on Digital Ocean that have no SSH key provided to them, and where the initial root login password is emailed to you. This is probably not the best way forward, all things considered, and I set up servers with an accompanying SSH key for logging in. It's easy to assign public keys for use via the Digital Ocean website.
No Ubuntu User by Default
The generic Ubuntu images on AWS use an "ubuntu" user as the default login. A fresh Ubuntu 12.04 box on Digital Ocean uses root as the default login. But it's easy to add an Ubuntu user and then copy over the SSH keys you assigned to the server from the root user's .ssh directory:
useradd -m -d /home/ubuntu ubuntu mkdir /home/ubuntu/.ssh cp /root/.ssh/authorized_keys /home/ubuntu/.ssh chown -R ubuntu:ubuntu /home/ubuntu/.ssh
To give the ubuntu user sudo privileges without needing to enter a password, add a file /etc/sudoers.d/ubuntu with this in it:
ubuntu ALL=(ALL) NOPASSWD:ALL
Now edit the following line in /etc/ssh/sshd_config to turn off root login via SSH:
PermitRootLogin no
Setting up Your Own Firewall
Digital Ocean doesn't provide firewalling as a service in the way that AWS does via its security groups, so your newly instantiated Ubuntu box is naked on the internet. This is generally acknowledged to be a bad thing: you want to lock it down so that only permitted IP addresses can log in via SSH for example.
A good way to manage firewall setup on Ubuntu is to use UFW, the Uncomplicated Firewall management tool that configures iptables for you. The following bash commands set up a firewall for a web server, for example, assuming there were no rules in place to begin with - which is the case for a newly instantiated Ubuntu 12.04 instance at Digital Ocean. The server will allow port 22, 80, and 443 access from anywhere, while limiting connections to 22 in an attempt at least somewhat mitigate the roving machinery that will at some point try to brute-force an SSH login:
apt-get install ufw ufw enable ufw logging low ufw limit 22/tcp ufw allow 80/tcp ufw allow 443/tcp
You can then see the current set of firewall rules by running this command:
ufw status verbose
Firewall Versus Console Access
Digital Ocean gives you console access to running boxes via their website. This bypasses firewall restrictions on the box - i.e. you can change the rule set above to allow SSH access from your IP address only:
ufw delete limit 22/tcp ufw allow from 111.111.111.111 to any port 22
You will still then be able to access via the console in case of emergency, such as accidentally locking yourself out. However, and this is an important point, console login is by password only. So you must set a password for your emergency access user otherwise you'll still be locked out:
passwd ubuntu
No Allocated Swap Space by Default
The Digital Ocean images have no swap space allocated by default. What you choose to do about this is dependent on the use you're putting the server to, but you'll find a short article on how to set up swap space in the Digital Ocean community.
Assuming you are root, proceed as follows. First create a swapfile at the desired size, here 256K:
dd if=/dev/zero of=/swapfile bs=1024 count=256k mkswap /swapfile swapon /swapfile chown root:root /swapfile chmod 0600 /swapfile
Next edit /etc/fstab to add this line:
/swapfile none swap sw 0 0
Lastly update a few settings as recommended by Digital Ocean for swap performance on their virtual machines:
echo 10 | sudo tee /proc/sys/vm/swappiness echo vm.swappiness = 10 | sudo tee -a /etc/sysctl.conf