设置自定义VPC,子网和安全组时,打包程序SSH超时

时间:2019-07-05 17:10:45

标签: packer packer-builder

因此,我需要能够将我的打包程序生成器移动到专用VPC内,并添加一个锁定的安全组,该安全组仅允许来自受限IP地址的ssh,因此:

"builders": [{
"type": "amazon-ebs",
"associate_public_ip_address": false,
"access_key": "{{user `aws_access_key`}}",
"secret_key": "{{user `aws_secret_key`}}",
"region": "{{user `aws_region`}}",
"source_ami_filter": {
  "filters": {
    "virtualization-type": "hvm",
    "name": "{{user `ami_source_name`}}",
    "root-device-type": "ebs"
  },
"owners": ["{{user `ami_source_owner_id`}}"],
"most_recent": true
},
"instance_type": "t3.small",
"iam_instance_profile": "{{user `iam_instance_profile`}}",
"ssh_username": "{{user `ssh_username`}}",
"ami_name": "{{user `ami_name_prefix`}}_{{user `ami_creation_date`}}",
"ami_users": "{{user `share_amis_with_account`}}",
"ebs_optimized": true,
"vpc_id": "vpc-123456",
"subnet_id": "subnet-123456",
"security_group_id": "sg-123456",
"user_data_file": "scripts/disable_tty.sh",
"launch_block_device_mappings": [{
  "device_name": "{{user `root_device_name`}}",
  "volume_size": 10,
  "volume_type": "gp2",
  "delete_on_termination": true
}],
"tags": {
  "packer": "true",
  "ansible_role": "{{user `ansible_role`}}",
  "builtby": "{{user `builtby`}}",
  "ami_name": "{{user `ami_name_prefix`}}_{{user `ami_creation_date`}}",
  "ami_name_prefix": "{{user `ami_name_prefix`}}",
  "project": "{{user `project`}}"
}
 }]

首先,我添加了“ associate_public_ip_address:false”(默认值为false),因为每次我运行打包程序时,主机都会被分配一个公共IP地址,但是即使添加它仍然可以选择一个公共IP? ????

我使用了一个分配给Jenkins构建从站的安全组,该安全组也通过端口22进行通信,从我的基础架构的任何部分访问它们都没有任何问题。

我收到此错误:

1562344256,,ui,error,Build 'amazon-ebs' errored: Timeout waiting for SSH.
1562344256,,error-count,1
1562344256,,ui,error,\n==> Some builds didn't complete successfully and had errors:
1562344256,amazon-ebs,error,Timeout waiting for SSH.
1562344256,,ui,error,--> amazon-ebs: Timeout waiting for SSH.

在SSH响应的等待期间,我能够 nc -v 1.2.3.5 22 并获得连接,因此安全组允许从我的IP地址在端口22上进行通信。 / p>

如果我将安全组更改为 0.0.0.0/0 ,它将立即连接,但是为什么当我可以使用受限的安全组将 nc 连接到端口22时却无法打包启动SSH连接? Packer是否正在尝试使用我一生无法关闭的公共IP地址?

我认为在端口22上进行 tcpdump 通信可能会很有帮助,但是我的笔记本电脑锁死了,不允许安装该特殊的方便物品。

>

我还可以从笔记本电脑上向ssh生成器,但出现身份验证失败太多错误,并且无法登录以查看发生了什么情况。

1 个答案:

答案 0 :(得分:0)

所以打包程序构建器获得公共IP的原因在于子网设置- map_public_ip_on_launch = true

因此,答案是为打包程序构建器构建一个新的专用子网,在公共子网中构建一个新的NAT GW,然后使用新的路由表将其从专用子网路由到NAT GW。