Welcome back to the SysAdmin Series, where we pick apart another app geared towards system administration. My apologies for missing Sunday’s post, a family emergency kept me offline most of the weekend.

One of the very first apps I installed on my Nexus One when it arrived in February, was Decaf by 9Apps; it was also the first paid app I bought for my Nexus One. They’ve played with their pricing scheme over time – I bought the app for 4.99 Euros mid-February, they raised the price to 9.99 Euros a month later, then up to 24.99 Euros a few weeks ago, before settling on the current 19.99 Euros price. They describe their app in the market as:

Manage and monitor your Amazon EC2 infrastructure.

- monitoring instances
- sms alert integration
- account health widget
- dashboard
- instances and images
- volumes and snapshots
- elastic IPs
- security groups & key pair
- integration ssh clients (connectbot)

The current version in the market is v1.1.11 for all Android versions and is about a 900Kb download.


My employer uses Amazon EC2 for a fair amount of its infrastructure, and has agreed to let me post screenshots of our Amazon setup, with the understanding that critical information will be blurred.

Getting Started

The first thing that impressed me about Decaf was its UI. It looks unlike so many other apps in the Market. Their choice of color/font is great for reading at a glance on my Nexus One.

When you first launch Deaf, you are prompted with a EULA (image 1 below), and then an alert that it has detected that you’re running the app for the first time and ask if you want to start setting up your account right away (image 2). If you tap on “No, thank you!” the app will generate some sample data so you can at least check out the main features of the app, learn the navigation system and so on.

Image 1 - EULA Image 2 - Do you want to see test data, or set up your real account?

If you tap on “Yes, please!”, you will see a screen similar to image 3 below, where no sample data is present.

Image 3 - Blank setup on the Home screen

Initial Setup

Of course, before you can go much further, you must enter your Amazon EC2 credentials. To do so, tap your submenu button on your device to display some options (image 4). Tap on the Settings option to be do the credentials setup (image 5). When you tap on the arrow for the Access Key ID, it will prompt you (image 6) as to whether or not you want to log into your AWS account at Amazon to retrieve your credentials. Sadly, at the time of this writing, this feature seems to be broken, and actually crashed the app.

Image 4 - Submenu for settings Image 5 - Settings menu Image 6 - Fetching my AWS key failed and crashed the app

Entering your Access Key ID and Secret Access Key can be a pretty time-consuming task given the randomness of Amazon’s security, especially when using the Swype keyboard like myself. It took me a few minutes to get everything entered and double-checked before continuing. Once finished though, you will see at the top of the settings screen that your credentials have been tested and validated, which then enables the other settings within the app.

Image 7 - All settings are enabled when validated

Initial Loading of Information from Amazon

Returning to the home screen, we see everything is still as we left it – blank – so we can use the submenu to trigger a refresh (image 8) which will begin to communicate with Amazon and start to count up all of your instances, AMIs, and so on. For our setup, this initial load took a minute or two to fully populate the home screen (image 9). Sadly, this list does not auto-update – if you start or stop instances, you must manually trigger a refresh of the data.

Image 8 - Empty home screen and Refresh Image 9 - Refreshed home screen with our data


Decaf excels at linking your data points together in a fluid navigation system. Since your instances may include AMIs and security groups and elastic IPs, you can navigate through several layers over and over and get lost. The quickest way back to the home screen maybe be to press the submenu button on your device, select Regions, and choose a region where you have instances running.

Monitoring Your Instances

Scrolling through a list of running instances (images 10 and 11) will show you basic information such as the instance ID, the type of instance (small, medium, large, etc), how many security groups you have assigned to the instance, and a public IP address from your Elastic IP range if one is assigned. If you can manage to tap on the information icon beside the instance Type, you can view a small bubble of information containing specifics about RAM, compute units, disk storage, whether it is a 32 or 64 bit platform, and overall IO performance (image 12).

Image 10 - Short details about all nstances in this region Image 11 - Instances showing public IP Image 12 - Instance info bubble

If you tap on the arrow to the right of the instance ID, you will open a new screen showing even more information about that particular instance, such as the AMI image ID used too boot the instance, how many EBS volumes you’ve connected, whether you’ve enabled CloudWatch monitoring, the launch date/time, Amazon zone (ie: us-east-1c), pubic DNS information, which key pair is used, a kernel and ramdisk ID, private IP address and so on (images 13 and 14):

Image 13 - Full instance details Image 14 - Second page of full instance details

Launching New Instances

When viewing the full list of instances currently running, tapping the submenu key will give you an option to Launch a new instance. It will begin by prompting you for which AMI you wish to use, an your options are limited to whichever AMIs you already have configured. The following screen will prompt you for how many instances of this type to launch, the type (small, medium, large, etc), which key pair to use, which security groups to allow, the availability zone, and any user data to pass. The number of instances and the key pair are required data points, and the ‘Launch’ button will not be enabled until you enter at least these two pieces of information.

Altering An Existing Instance

While viewing the full details for an instance, you can tap the submenu button to see options for viewing CloudWatch monitoring data for just that instance, controls to reboot or terminate the instance, view what appears to be the last boot log of the instance, and connect to the system via SSH.

SSH connections require that you have ConnectBot installed. Unfortunately, Decaf doesn’t seem to be able to utilize the key pairs you have set up, so while I could connect to one of my EC2 instances using this SSH option, our setup requires that the key pair be used for all logins where ConnectBot would otherwise wait for keyboard-entered credentials.

I even checked the submenu options when navigated to the Key Pairs area from the home screen, but there was no mechanism there to import the key into ConnectBot. If you have experience in how to get this working, please post in the comments below.


Monitoring AMIs

From the Home screen, tapping on AMIs will, of course, list your AMIs (image 15), and from here, you can navigate to a particular AMI which will show how many instances are using that AMI, the architecture, whether you’ve shared that AMI publicly or not and who owns it (the ID listed will be your own if the AMI is private), and will list the full manifest xml path (image 16). You can navigate through to see which instances are using that AMI (image 17), which you can then navigate further into other detail areas via the Instance interface.

Image 15 - AMI list for this account Image 16 - Details for a single AMI Image 17 - A list of which instances use this AMI

Altering an AMI

When you browse to a particular AMI (image 16 above), you can tap the submenu button on your device to see options for launching a new instance using this AMI, altering the visibility of this particular AMI, or de-registering the AMI.

Creating a New AMI

While browsing the full list of AMIs from the home screen, accessing the submenu will show you an option to register a new AMI. This will require you to enter the path of your manifest xml file.

EBS Volumes

Monitoring EBS Volumes

This screen will list your available EBS volumes, if any (image 18). Tapping on one of them will show you the number of snapshots taken, whether it’s currently in use and when it was attached, which zone it resides in, and when it was created.

Image 18 - List of EBS volumes 

Altering an EBS Volume

While viewing a single EBS volume, the submenu will give you controls to detach or delete an EBS volume, or to create a new snapshot.

Creating a new EBS Volume

When you are viewing the full list of EBS volumes, the submenu will provide an option to create a new EBS volume. It will require you to enter a size in Gigabytes, and allow optional controls for which availability zone to place it in, which snapshot to use as a basis for the volume or allow you to enter a particular snapshot ID.

EBS Snapshots

I will only touch briefly on this area. This screen lists every snapshot you’ve taken of your EBS volumes, or show you a progress indicator for snapshots which are currently being taken. When viewing this list of snapshots, the submenu will allow you to create a new snapshot and will prompt you for which volume to use. If you navigate down to a single snapshot, the submenu will give you the ability to delete a snapshot.

Elastic IPs

Monitoring Your Public IP Addresses

This area of Decaf will show the IP addresses allocated to your AWS account (image 19). Navigating through from any entry that has an instance attached will take you to the full detail Instance screen as in images 13 and 14 above.

Image 19 - Your list of IP addresses allocated to you by Amazon

Allocating an IP address

From the list of IP addresses, the submenu will give you an “Allocate” option to allocate an unused IP address and prompt you for confirmation.

Security Groups

Listing Your Security Groups

Image 20 below shows an non-blurred screenshot of some of the security groups we’ve created at my workplace. We openly talk about the technologies we use, so didn’t feel the need to keep secret the fact that we use Memcached, or have a Load Balancer, or that we’re evaluating CouchDB and Cassandra. We *do* however, need to keep secret what we actually allow within our security groups, but I can describe them well enough.

Image 20 - Security groups

When you navigate through to any single security group, you can see how many instances use that security group, the plaintext description you gave when you created the group, your owner ID, and the number of permissions you’ve allowed. If you navigate through to the instances using this security group, you can navigate further to a single instance.

If you navigate through to the number of IP permissions you’ve set up for that security group, you will see a list of the services, port ranges, and source IPs allowed to get through Amazon’s firewall services. Each entry in this list has an arrow beside each service name (ie: HTTP, SSH) as if you could navigate further, but this did not do anything for our setup.

Modifying a Security Group

When navigated through to a single security group, the submenu will allow you to delete a security group. I’m not experienced enough with AWS/EC2 yet to understand the implications of deleting a security group on the fly other than restricting any new connections on the port ranges you had specified. That is, I am unaware if deleting a security group will terminate any active connections on those ports.

Adding a New Security Group

If you are navigating the full list of security groups available on your account, the submenu will provide you with a “New” control to add a new security group. Of course, you cannot add a security group to an instance which is already running, but the Amazon AWS site will allow you to add additional port ranges and source IP addresses to a security group already attached to an instance. Decaf, however, does not seem to allow you to modify an existing security group, even to add additional port ranges, etc.

If you opt to create a whole new security group, you will be prompted for a name (required data), and a description. At the time of this writing, the description field does not have a asterisk beside it, noting that it is required data, but you are unable to proceed further until you provide a description. Tap the Create button and you will be prompted for confirmation that you really do want to create a new group and will return you to the list of all security groups which does NOT auto-refresh – you need to manually force a refresh via the submenu. When my new test group showed up in the list, trying to tap on it returns me to the list of all security groups with an error saying the group didn’t exist and to try refreshing the data. Another refresh, and the same error occurs.

Key Pairs

This is something we definitely wanted to keep secret, so no screenshots. You can list your existing key pairs from here, and the submenu will give you access to create a new key pair. Using the ‘New’ submenu control, you give the key pair a name, then are prompted if you really want to create the key pair. There’s not much else to see here. A submenu control to import a key pair into ConnectBot would have been nice here.

CloudWatch and Widget Graph Access

The final chapter in this post is about the CloudWatch graphing within the application, shown in image 21. When loaded for the first time, the graph is blank for a few moments while it downloads your CloudWatch data. If you so choose, you can pull this same graph in widget form onto a panel of your device’s Android home screen. It’s currently a 4x3 widget (image 22), so you’ll use almost an entire panel just for the widget information.

20 - b - cloudwatch Image 22 - Home screen widget

Conclusions and Final Thoughts

Decaf is clearly well thought out, the UI is intuitive and friendly, it’s easy to read and navigate, and it’s obviously spent lots of time in its testing phases as it’s nearly bug-free on Froyo.

Is Decaf Worth the Money?

Personally, I’m glad I bought the app at 4.99 Euros. I’d have a hard time justifying the expense at 19.99 Euros (or anything higher than their 9.99 price point from mid-March, really). While it’s by far one of my favorite sysadmin apps, it’s still a little buggy, and if something serious happens with our EC2 setup, I’m more likely to tether my laptop to my Nexus One and use Amazon’s web interface and a native SSH client on a full keyboard to solve any issues. However, if I were stuck at an event where a laptop couldn’t be used, I can certainly get around just fine using Decaf alone to start or stop instances, but our current security practices of not allowing keyboard-entered authentication means I cannot use the integrated SSH support.

In my opinion, Decaf should return to the 9.99 Euros price point and fix the remaining bugs with ConnectBot (and build in a new feature for key pair imports) and initial AWS key retrieval.

Bugs and Support

Notable bugs had to do with AWS key retrieval during initialization of the app, which crashed the app during my screenshot testing, and a serious bug with connecting via ConnectBot when there is no means to import a key pair from within Decaf. In the past, I registered on their support forum to ask why Decaf kept showing up in my task killer app; speculation was that I had enabled the background monitoring at some point and that there was a bug that caused the app to re-launch itself at random intervals. One of the developers contacted me and was extremely friendly and understanding, and had me try a few new builds to resolve the problem. I still lurk in their support forums form time to time to see what’s new, or what others hare having issues with.

Got Anything to Add?

If you use Decaf and have any additional tips or tricks, please leave a comment below.