Problem using Packer: amazon-ebs: Timeout waiting for SSH.

4

I am new to Packer and am trying to create an image using a VPC's private network, but I keep getting the error *amazon-ebs: Timeout waiting for SSH.*

The Packer version is 1.3.4, and the private subnet can reach a NAT gateway through the public subnet and the route table. But the problem may be that the instance cannot be reached, so I also tried other parameters, such as `ssh_interface` with the value `private_dns` and `associate_public_ip_address`. Even after changing them, the same error still occurs.

The template I am using is as follows:

"builders": [
  {
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "{{user `region`}}",
    "source_ami": "{{user `source_ami`}}",
    "instance_type": "{{user `instance_type`}}",
    "iam_instance_profile": "{{user `role`}}",
    "ssh_username": "{{user `ssh_username`}}",
    "ssh_timeout": "15m",
    "vpc_id": "{{user `vpc_id`}}",
    "subnet_id": "{{user `subnet_id`}}",
    "associate_public_ip_address": true,
    "ami_name": "{{user `name`}}.{{isotime \"2006-01-02T150405Z\"}}",
    "ami_description": "based on {{user `source_ami`}}",
    "tags": {
      "Name": "{{user `name`}}"
    }
  }
]

In this template I have not defined a security group, but in Packer's log I can see that it is able to create a temporary security group, so access to port 22 should also be available.

==> amazon-ebs: Pausing after run of step 'StepKeyPair'. Press enter to continue. 
==> amazon-ebs: Creating temporary security group for this instance: packer_5c6b3667-c41f-92bc-aa89-efc5f3a2d8a8
==> amazon-ebs: Authorizing access to port 22 from 0.0.0.0/0 in the temporary security group...
==> amazon-ebs: Pausing after run of step 'StepSecurityGroup'. Press enter to continue. 
==> amazon-ebs: Pausing after run of step 'StepCleanupVolumes'. Press enter to continue. 
==> amazon-ebs: Launching a source AWS instance...

But the problem persists. Is there something I am missing in the template, or should I take a different approach to generating the AMI?


jww, thanks for the hint, I will move this question. I asked it here because it concerns infrastructure as code and touches on topics such as Terraform and Packer. I also guessed the problem could be solved with a bastion host in the public network, reaching the instance in the private network through the route table. Thanks again. - Alfchee
6 Answers

6

You cannot reach an EC2 instance through a NAT gateway. In AWS, a NAT gateway is used to provide Internet access from the VPC, not access to the VPC from the Internet.

You have a couple of options:

  1. Have Packer launch the EC2 instance in a public subnet with a public IP. Configure the Internet gateway (IGW) correctly in the VPC and the route table.
  2. Deploy a secured bastion host in AWS and use it to jump from your workstation to the EC2 instance. You will need to configure a few things in packer.json using the custom communicator. Here is the documentation: https://www.packer.io/docs/templates/communicator.html#ssh

Good luck!


Thanks, I think the first option will quickly solve my problem, but I will read up on the second option to avoid problems in the future. - Alfchee

2

I once ran into the same problem; the cause was that I was using an encrypted AMI and had explicitly declared it as "false".

  "builders": [
    {
      "launch_block_device_mappings": [
        {
          "device_name": "/dev/sda1",
          "volume_type": "gp2",
          "encrypted": true      <-- I was setting it to 'false' while only 'true' works
        }
      ],
      ...
    }
  ],

1
I had the same problem. I found the issue was that all instances were being launched in the default VPC. Even though I had set up the security group and route table to allow SSH traffic from 0.0.0.0/0, I still could not reach them from the console. So I had to create a custom VPC with a proper Internet gateway, security group and route table; my final builder looks like this.

  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "us-******",
    "source_ami": "ami-*********",
    "instance_type": "t2.micro",
    "ssh_username": "ubuntu",
    "ami_name": "packer-example {{timestamp}}",
    "vpc_id": "{VPC id i had created}",
    "subnet_id": "{Subnet i had created}",
    "security_group_id": "sg with proper ingress port 22 rule enabled from 0.0.0.0"
  }],

Hope this solves your problem, and sorry for my poor wording :)
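The NAT-gateway answer and the custom-VPC answer above both come down to the same three preconditions: the build subnet's default route must go to an Internet gateway (a NAT gateway only carries outbound traffic), the instance must get a public IP, and the security group must admit TCP/22 from wherever Packer runs. The following is an added example, not code from the thread or from Packer, that checks those three conditions offline against the JSON shapes returned by `aws ec2 describe-route-tables`, `describe-subnets` and `describe-security-groups` (boto3 returns the same keys). All VPC, subnet, gateway and security-group IDs and the CIDRs below are constructed sample data.

```python
"""Check whether Packer can reach a build instance over SSH, offline (added example)."""
import ipaddress


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """Explicitly associated route table for the subnet, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet):
    """'public' (default route via igw-*), 'private' (via nat-*) or 'isolated' (no default route)."""
    rt = route_table_for_subnet(route_tables, subnet["SubnetId"], subnet["VpcId"])
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackholed routes do not count
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def sg_allows_tcp_from(sg, port, source_ip):
    """True if some ingress rule of the security group admits TCP `port` from `source_ip`."""
    ip = ipaddress.ip_address(source_ip)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all traffic
            continue
        if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        for rng in perm.get("IpRanges", []):
            if ip in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


def packer_reachability(route_tables, subnet, sg, source_ip, associate_public_ip):
    """Explain whether Packer running at `source_ip` can open SSH to the instance directly."""
    kind = classify_subnet(route_tables, subnet)
    if kind != "public":
        return "unreachable: subnet is %s; build in a public subnet or go through a bastion" % kind
    if not (associate_public_ip or subnet.get("MapPublicIpOnLaunch")):
        return "unreachable: instance gets no public IP; set associate_public_ip_address"
    if not sg_allows_tcp_from(sg, 22, source_ip):
        return "unreachable: security group does not admit TCP/22 from %s" % source_ip
    return "reachable"


# Constructed sample: one VPC, a main route table with an Internet gateway and a
# second table (NAT gateway) explicitly associated with the private subnet.
VPC = "vpc-0example"
SAMPLE_ROUTE_TABLES = [
    {"VpcId": VPC, "RouteTableId": "rtb-0main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"VpcId": VPC, "RouteTableId": "rtb-0private",
     "Associations": [{"SubnetId": "subnet-0private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]
SAMPLE_SUBNETS = {
    "public": {"SubnetId": "subnet-0public", "VpcId": VPC, "MapPublicIpOnLaunch": False},
    "private": {"SubnetId": "subnet-0private", "VpcId": VPC, "MapPublicIpOnLaunch": False},
}
# Ingress limited to the network Packer runs from (203.0.113.0/24 is a documentation range).
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}

if __name__ == "__main__":
    for name, subnet in SAMPLE_SUBNETS.items():
        print(name, "->", packer_reachability(SAMPLE_ROUTE_TABLES, subnet, SAMPLE_SG, "203.0.113.10", True))
```

Feeding the real API output into `packer_reachability` with the CIDR of the machine that runs Packer tells you which of the three preconditions fails before waiting out a 15-minute `ssh_timeout`. For the bastion route in option 2 of the first answer, Packer's SSH communicator has `ssh_bastion_host`, `ssh_bastion_username` and `ssh_bastion_private_key_file` settings (see the communicator documentation linked there); in that setup only the bastion needs to be in a public subnet, and the security group check above should then be run against the bastion's group with the bastion as the source for the instance's group.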

0

I had set up a security group (firewall) that blocked connections from the mobile network. When I connected from a trusted (allowed) network it worked fine.

Note the following step:

2022/07/31 05:58:15 packer-builder-amazon-ebs plugin: Using specified security groups: [sg-0123456789abcd sg-0123456789abce]

0

If you don't have a bastion host, this may help: associate_public_ip_address = true


0

Another possibility is that Packer cannot locate the key used to log in to the bastion host and is waiting for other login methods.

Here is what was collected in the logs using export PACKER_LOG=1:

==> amazon-ebs: Waiting for SSH to become available...
2020/07/30 12:19:22 packer: 2020/07/30 12:19:22 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
2020/07/30 12:19:27 packer: 2020/07/30 12:19:27 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:32 packer: 2020/07/30 12:19:32 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:37 packer: 2020/07/30 12:19:37 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:43 packer: 2020/07/30 12:19:43 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2020/07/30 12:19:48 packer: 2020/07/30 12:19:48 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

Also, to verify this, ssh-add -l should not list the key; then we know Packer is unable to find the key to log in with.

In that case we just need to add the SSH key with ssh-add <path to your ssh key> to fix the problem.
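The answers in this thread quote several distinct log messages that all end in the same "Timeout waiting for SSH": a bastion that rejects the key (this answer), explicitly specified security groups that block the source network, and a temporary security group opened to 0.0.0.0/0. The following is an added example, not code from the thread or from Packer, that reads a PACKER_LOG=1 log and maps those messages to the layer that is failing, so the fix (ssh-add, security group, public IP) is chosen from the log rather than by trial and error. The two sample logs are constructed from the lines quoted in the answers; the "i/o timeout" line, its private IP and the second log's timestamps are made up.

```python
"""Triage Packer amazon-ebs SSH failures from a PACKER_LOG=1 log (added example)."""
import re

# Checked in this order: a bastion failure also contains the generic
# "unable to authenticate" and "TCP connection ... failed" text.
PATTERNS = [
    ("bastion-auth", re.compile(r"Error connecting to bastion: .*unable to authenticate, attempted methods \[([^\]]*)\]")),
    ("instance-auth", re.compile(r"ssh: unable to authenticate, attempted methods \[([^\]]*)\]")),
    ("network", re.compile(r"TCP connection to SSH ip/port failed: (.*)")),
    ("timeout", re.compile(r"(Timeout waiting for SSH)")),
    ("open-sg", re.compile(r"Authorizing access to port 22 from (\S+) in the temporary security group")),
    ("specified-sg", re.compile(r"Using specified security groups: \[([^\]]*)\]")),
]

REMEDY = {
    "bastion-auth": "the bastion rejected our key: check `ssh-add -l` or set ssh_bastion_private_key_file",
    "instance-auth": "the instance rejected our key: check ssh_username / ssh_keypair_name for this AMI",
    "network": "no TCP path to port 22: check public IP, Internet gateway route and security group ingress",
    "timeout": "ssh_timeout expired without a more specific error: check the network path first",
}


def triage_line(line):
    """Return (layer, captured detail) for one log line, or None if it is not an SSH diagnostic."""
    for layer, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return layer, m.group(1).strip()
    return None


def triage_log(text):
    """Map each layer seen in the log to the detail captured on its first occurrence."""
    findings = {}
    for line in text.splitlines():
        hit = triage_line(line)
        if hit and hit[0] not in findings:
            findings[hit[0]] = hit[1]
    return findings


def likely_cause(findings):
    """Most specific failing layer, or 'unknown' when the log carries no SSH error."""
    for layer in ("bastion-auth", "instance-auth", "network", "timeout"):
        if layer in findings:
            return layer
    return "unknown"


def warnings(findings):
    """Configuration points worth fixing even when the build eventually succeeds."""
    out = []
    if findings.get("open-sg") == "0.0.0.0/0":
        out.append("temporary security group admits SSH from any address for the build's lifetime; "
                   "restrict the source CIDR to where Packer runs")
    if "specified-sg" in findings:
        out.append("using pre-existing security groups %s: confirm they admit TCP/22 from where Packer runs"
                   % findings["specified-sg"])
    return out


# Constructed from the lines quoted in the thread (bastion key not found).
SAMPLE_LOG_BASTION = """\
==> amazon-ebs: Authorizing access to port 22 from 0.0.0.0/0 in the temporary security group...
==> amazon-ebs: Waiting for SSH to become available...
2020/07/30 12:19:22 packer: 2020/07/30 12:19:22 [DEBUG] TCP connection to SSH ip/port failed: Error connecting to bastion: ssh: handshake failed: ssh: unable to authenticate, attempted methods [publickey none], no supported methods remain
"""

# Constructed: specified security groups plus a plain connection timeout (IP and times made up).
SAMPLE_LOG_NETWORK = """\
2022/07/31 05:58:15 packer-builder-amazon-ebs plugin: Using specified security groups: [sg-0123456789abcd sg-0123456789abce]
==> amazon-ebs: Waiting for SSH to become available...
2022/07/31 05:58:20 packer: [DEBUG] TCP connection to SSH ip/port failed: dial tcp 10.0.1.5:22: i/o timeout
==> amazon-ebs: Timeout waiting for SSH.
"""

if __name__ == "__main__":
    for log in (SAMPLE_LOG_BASTION, SAMPLE_LOG_NETWORK):
        found = triage_log(log)
        cause = likely_cause(found)
        print(cause, "-", REMEDY.get(cause, "no SSH error in log"))
        for w in warnings(found):
            print("  warning:", w)
```

Pipe a saved build log through `triage_log` and read `likely_cause` first: an authentication layer means the TCP path is fine and the key material is wrong (the ssh-add case above), whereas "network" or a bare "timeout" means the earlier answers about the Internet gateway, public IP and security group apply. The `warnings` output is separate because the 0.0.0.0/0 temporary group is not a failure, just something to narrow on a build runner with a fixed egress address.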

