So I needed to be able to move my Packer builder into a private VPC and add a locked-down security group that only allows SSH from a restricted IP address, hence:
```json
{
  "builders": [{
    "type": "amazon-ebs",
    "associate_public_ip_address": false,
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "{{user `aws_region`}}",
    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "{{user `ami_source_name`}}",
        "root-device-type": "ebs"
      },
      "owners": ["{{user `ami_source_owner_id`}}"],
      "most_recent": true
    },
    "instance_type": "t3.small",
    "iam_instance_profile": "{{user `iam_instance_profile`}}",
    "ssh_username": "{{user `ssh_username`}}",
    "ami_name": "{{user `ami_name_prefix`}}_{{user `ami_creation_date`}}",
    "ami_users": "{{user `share_amis_with_account`}}",
    "ebs_optimized": true,
    "vpc_id": "vpc-123456",
    "subnet_id": "subnet-123456",
    "security_group_id": "sg-123456",
    "user_data_file": "scripts/disable_tty.sh",
    "launch_block_device_mappings": [{
      "device_name": "{{user `root_device_name`}}",
      "volume_size": 10,
      "volume_type": "gp2",
      "delete_on_termination": true
    }],
    "tags": {
      "packer": "true",
      "ansible_role": "{{user `ansible_role`}}",
      "builtby": "{{user `builtby`}}",
      "ami_name": "{{user `ami_name_prefix`}}_{{user `ami_creation_date`}}",
      "ami_name_prefix": "{{user `ami_name_prefix`}}",
      "project": "{{user `project`}}"
    }
  }]
}
```
First, I added `"associate_public_ip_address": false` (the default is false), because every time I ran Packer the host got assigned a public IP address, but even with it added the instance still picks up a public IP?

I used a security group that is assigned to the Jenkins build slaves, which also communicate over port 22, and I have no problem reaching them from any part of my infrastructure.

I get this error:

```
1562344256,,ui,error,Build 'amazon-ebs' errored: Timeout waiting for SSH.
1562344256,,error-count,1
1562344256,,ui,error,\n==> Some builds didn't complete successfully and had errors:
1562344256,amazon-ebs,error,Timeout waiting for SSH.
1562344256,,ui,error,--> amazon-ebs: Timeout waiting for SSH.
```
While it was waiting for SSH to respond, I was able to run `nc -v 1.2.3.5 22` and get a connection, so the security group does allow traffic on port 22 from my IP address.

If I change the security group to `0.0.0.0/0`, it connects immediately, but why can't Packer open the SSH connection when I can connect to port 22 with `nc` using the restricted security group? Is Packer trying to use the public IP address that I cannot for the life of me turn off?

I figured a `tcpdump` of the port 22 traffic might help, but my laptop is locked down and I'm not allowed to install that handy little tool.

I can also ssh to the builder from my laptop, but I get a "too many authentication failures" error and can't log in to see what is going on.
Answer 0: (score: 0)

So the reason the Packer builder gets a public IP lies in the subnet setting: `map_public_ip_on_launch = true`.

So the answer was to build a new private subnet for the Packer builder, build a new NAT GW in the public subnet, and then use a new route table to route from the private subnet to the NAT GW.
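A pre-flight check, as an added example (Python; not code from the question or the answer), that encodes the answer's diagnosis: given boto3-shaped `describe_subnets` / `describe_route_tables` / `describe_security_groups` data (constructed sample data inline; every ID and CIDR is a placeholder), it reports whether a builder launched into a subnet will receive a public IP through `MapPublicIpOnLaunch`, whether the subnet's default route goes to a NAT gateway or an internet gateway, and whether TCP/22 is open to `0.0.0.0/0` or limited to named CIDRs. The rule that the subnet attribute decides when `associate_public_ip_address` is false is taken from the answer; the dict shapes mirror the EC2 API responses but the data itself is invented.

```python
"""Added pre-flight check for where a Packer builder is placed (not the
question's or answer's own code). All data below is constructed; the
subnet, route table, gateway and security group IDs are placeholders."""
from ipaddress import ip_address, ip_network

# Constructed sample data shaped like describe_subnets output.
SUBNETS = {
    "subnet-public": {"VpcId": "vpc-123456", "MapPublicIpOnLaunch": True},
    "subnet-private": {"VpcId": "vpc-123456", "MapPublicIpOnLaunch": False},
}

# Constructed sample data shaped like describe_route_tables output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-123456"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-123456"}]},
]

# Constructed sample data shaped like describe_security_groups output.
SECURITY_GROUPS = {
    "sg-restricted": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    "sg-open": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}


def route_table_for(subnet_id, route_tables):
    """Return the route table explicitly associated with subnet_id, else None."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb.get("Associations", [])):
            return rtb
    return None


def default_route_target(rtb):
    """Classify the 0.0.0.0/0 route of a route table as 'igw', 'nat' or None."""
    if rtb is None:
        return None
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return None


def ssh_sources(sg):
    """Return the CIDRs a security group allows to reach TCP/22."""
    cidrs = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if low <= 22 <= high:
            cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def ssh_allowed_from(sg, source_ip):
    """True if source_ip falls inside any CIDR the group allows on TCP/22."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(cidr) for cidr in ssh_sources(sg))


def check_placement(subnet_id, sg_id, subnets, route_tables, sgs,
                    associate_public_ip=False):
    """Findings for a Packer builder launched into subnet_id with sg_id."""
    subnet = subnets[subnet_id]
    sources = ssh_sources(sgs[sg_id])
    findings = {
        # Per the answer: with associate_public_ip_address false, the subnet's
        # MapPublicIpOnLaunch attribute decides; an explicit true overrides it.
        "public_ip": associate_public_ip or subnet["MapPublicIpOnLaunch"],
        "egress": default_route_target(route_table_for(subnet_id, route_tables)),
        "ssh_sources": sources,
        "ssh_open_to_world": "0.0.0.0/0" in sources,
    }
    # The layout the answer ended with: no public IP, NAT egress, SSH restricted.
    findings["ok"] = bool(not findings["public_ip"]
                          and findings["egress"] == "nat"
                          and sources and not findings["ssh_open_to_world"])
    return findings


if __name__ == "__main__":
    for subnet, sg in (("subnet-public", "sg-restricted"), ("subnet-private", "sg-restricted")):
        print(subnet, sg, check_placement(subnet, sg, SUBNETS, ROUTE_TABLES, SECURITY_GROUPS))
```

Feeding it real `describe_*` output for the subnet in the template would have shown `public_ip: True` and `egress: igw` before the fix, and `public_ip: False` with `egress: nat` after the new private subnet and route table were in place. The check deliberately treats a subnet with no explicit route-table association as unknown egress rather than guessing the VPC main table, so an `egress` of `None` means "look at the main route table", not "no route".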