I have been using Packer v0.10.1 to build images and ran into this access/security problem when trying to run the build through Hashicorp's Atlas tool.
Packer v0.10.1
googlecompute output will be in this color.
==> googlecompute: Checking image does not exist...
==> googlecompute: Creating temporary SSH key for instance...
==> googlecompute: Creating instance...
    googlecompute: Loading zone: us-central1-a
==> googlecompute: Error creating instance: Get https://www.googleapis.com/compute/v1/projects/united-course-124523/zones/us-central1-a?alt=json: oauth2/google: can't get a token from the metadata service; not running on GCE
Build 'googlecompute' errored: Error creating instance: Get https://www.googleapis.com/compute/v1/projects/united-course-124523/zones/us-central1-a?alt=json: oauth2/google: can't get a token from the metadata service; not running on GCE
==> Some builds didn't complete successfully and had errors:
--> googlecompute: Error creating instance: Get https://www.googleapis.com/compute/v1/projects/united-course-124523/zones/us-central1-a?alt=json: oauth2/google: can't get a token from the metadata service; not running on GCE
==> Builds finished but no artifacts were created.
Any ideas? It looks like it should be a GCE error, but I have already uploaded the account.json variable into the environment variables, as shown in the Packer template file below.
{
  "variables": {
    "instance_name": "hdqc-redis-{{timestamp}}",
    "image_name": "testing-hdqc-redis-{{timestamp}}"
  },
  "builders": [
    {
      "type": "googlecompute",
      "project_id": "united-course-124523",
      "source_image": "debian-8-jessie-v20160718",
      "zone": "us-central1-a",
      "instance_name": "{{user `instance_name`}}",
      "image_name": "{{user `image_name`}}",
      "image_description": "Nginx Server.",
      "communicator": "ssh",
      "ssh_username": "redisadmin"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "sleep 3",
        "echo \"slept for 3 seconds.\""
      ]
    },
    {
      "type": "file",
      "source": "install-redis.sh",
      "destination": "install-redis.sh"
    },
    {
      "type": "shell",
      "script": "install-redis.sh",
      "pause_before": "10s"
    }
  ]
}
Later I realized that this simply leaves out account.json, which, as shown here, requires a specific service account in GCE. So I modified the template and added a variable holding the contents of the account.json file.
{
  "variables": {
    "instance_name": "hdqc-redis-{{timestamp}}",
    "image_name": "testing-hdqc-redis-{{timestamp}}",
    "account_json": "{{env `packer_account_json`}}"
  },
  "builders": [
    {
      "type": "googlecompute",
      "account_file": "{{user `account_json`}}",
      "project_id": "united-course-124523",
      "source_image": "debian-8-jessie-v20160718",
      "zone": "us-central1-a",
      "instance_name": "{{user `instance_name`}}",
      "image_name": "{{user `image_name`}}",
      "image_description": "Nginx Server.",
      "communicator": "ssh",
      "ssh_username": "redisadmin"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "sleep 3",
        "echo \"slept for 3 seconds.\""
      ]
    },
    {
      "type": "file",
      "source": "install-redis.sh",
      "destination": "install-redis.sh"
    },
    {
      "type": "shell",
      "script": "install-redis.sh",
      "pause_before": "10s"
    }
  ]
}
But after adding this change, in which I store the contents of the account.json file in a variable named "packer_account_json", I end up with the following error.
Packer v0.10.1
googlecompute output will be in this color.
1 error(s) occurred:
* account_file path does not exist: {
This left me wondering what is actually going on here. Can it not accept a variable? This is the same way I store the account.json contents in a variable for Terraform, and that works fine.
Answer 1
Packer needs credentials to launch a GCE VM in order to create the image. If you run the Packer process on GCE, those credentials are provided by the instance metadata service.
Since Atlas is not running on GCE, you need to create a service account key, download it, and add it to your Packer manifest. That is the account_file entry in this simple manifest:
{
  "type": "googlecompute",
  "account_file": "account.json",
  "project_id": "your-project",
  "source_image": "your-base-image",
  "zone": "us-central1-a"
}
The "Running Without a Compute Engine Service Account" section of the Packer documentation gives step-by-step instructions for creating a service account key.
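The error in the question ("account_file path does not exist: {") and the answer's manifest both show that account_file takes a path, not the key body. The script below is an added example, not code from the question, the answer or the Packer project: it writes the key JSON held in an assumed environment variable PACKER_ACCOUNT_JSON to a mode-0600 temporary file, checks that it really is a service-account key, passes that path as the account_json user variable, and removes the file when the build ends. The helper names write_account_file and build_with_key are assumed as well.

```shell
#!/bin/sh
# Added example (not from the original post). Packer's googlecompute builder
# expects "account_file" to be a *path* to a service-account key, so a key
# body kept in an environment variable has to be written to disk first.
# Assumed names: PACKER_ACCOUNT_JSON, write_account_file, build_with_key.

# Write the key JSON ($1) to $2 with owner-only permissions.
# Returns non-zero, and writes nothing, if $1 is not a service-account key.
write_account_file() {
    key_json="$1"
    out_path="$2"
    # Refuse an empty value or a file path that was passed by mistake.
    case "$key_json" in
        "{"*) ;;
        *) echo "account JSON must be a JSON object" >&2; return 1 ;;
    esac
    # A GCE key file declares its own type; refuse anything else.
    if ! printf '%s' "$key_json" \
        | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"'; then
        echo "not a service_account key" >&2
        return 1
    fi
    # Create the file with mode 0600 before the secret lands in it,
    # then make the mode explicit in case the path already existed.
    ( umask 077; printf '%s\n' "$key_json" > "$out_path" ) || return 1
    chmod 600 "$out_path"
}

# Run the Packer build with the key on disk only for the build's lifetime.
build_with_key() {
    template="$1"
    tmp_key="$(mktemp)" || return 1
    # Remove the key file when the shell exits, however the build ends.
    trap 'rm -f "$tmp_key"' EXIT INT TERM
    write_account_file "$PACKER_ACCOUNT_JSON" "$tmp_key" || return 1
    # Pass the *path* as the user variable; the template keeps
    # "account_file": "{{user `account_json`}}" exactly as in the question.
    packer build -var "account_json=$tmp_key" "$template"
}
```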