I'm using Packer to set up a Windows VM on the AWS EC2 free tier. The image is set up correctly and I can launch it, but I can't connect to it using SSM. Here is my Packer template:
{
  "variables": {
    "aws_access_key": null,
    "aws_secret_key": null
  },
  "builders": [
    {
      "name": "windows",
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "region": "us-east-1",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "Windows_Server-2019-English-Full-Base-2020.11.11",
          "root-device-type": "ebs"
        },
        "owners": "amazon",
        "most_recent": true
      },
      "instance_type": "t2.micro",
      "ami_name": "build-runner-windows {{timestamp}}",
      "communicator": "winrm",
      "force_deregister": true,
      "winrm_insecure": true,
      "winrm_username": "Administrator",
      "winrm_use_ssl": true,
      "user_data_file": "./windows_bootstrap.txt"
    }
  ]
}
No provisioners yet, I'm just trying to get it working.
Here are the contents of ./windows_bootstrap.txt, as in the official documentation:
<powershell>
write-output "Running User Data Script"
write-host "(host) Running User Data Script"
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "stop"
# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start= auto
cmd.exe /c net start winrm
</powershell>
Below is the output from creating the image with it. So far so good.
PS C:\Users\Jesse\Infrastructure> packer build -var-file="template-vars.json" minimal.json
windows: output will be in this color.
==> windows: Force Deregister flag found, skipping prevalidating AMI Name
windows: Found Image ID: ami-02b5cd5aa444bee23
==> windows: Creating temporary keypair: <redacted>
==> windows: Creating temporary security group for this instance: packer_5fb7fe2a-14c6-e0e1-feb5-1eae06766ef3
==> windows: Authorizing access to port 5986 from [0.0.0.0/0] in the temporary security groups...
==> windows: Launching a source AWS instance...
==> windows: Adding tags to source instance
windows: Adding tag: "Name": "Packer Builder"
windows: Instance ID: <redacted>
==> windows: Waiting for instance (<redacted>) to become ready...
==> windows: Waiting for auto-generated password for instance...
windows: It is normal for this process to take up to 15 minutes,
windows: but it usually takes around 5. Please wait.
windows:
windows: Password retrieved!
==> windows: Using winrm communicator to connect: <redacted>
==> windows: Waiting for WinRM to become available...
windows: WinRM connected.
==> windows: #< CLIXML
==> windows: <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj><Obj S="progress" RefId="1"><TNRef RefId="0" /><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
==> windows: Connected to WinRM!
==> windows: Stopping the source instance...
windows: Stopping instance
==> windows: Waiting for the instance to stop...
==> windows: Creating AMI build-runner-windows 1605893672 from instance <redacted>
windows: AMI: ami-08986fa2707bad0dd
==> windows: Waiting for AMI to become ready...
==> windows: Terminating the source AWS instance...
==> windows: Cleaning up any extra volumes...
==> windows: No volumes to clean up, skipping
==> windows: Deleting temporary security group...
==> windows: Deleting temporary keypair...
Build 'windows' finished after 5 minutes 31 seconds.
==> Wait completed after 5 minutes 31 seconds
==> Builds finished. The artifacts of successful builds are:
--> windows: AMIs were created:
us-east-1: ami-08986fa2707bad0dd
PS C:\Users\Jesse\Infrastructure>
Here's where the problem comes in. When I try to connect via the AWS console, I get the following error message:
The thing is:
- My Packer image is based on a built-in Windows image, which should include the SSM agent.
- My IAM should have SSM access enabled (although I don't really know what I'm doing).
- I followed all the required steps of the Session Manager setup.
Here is my currently running instance, as described by aws ec2 describe-instances:
{
  "Reservations": [
    {
      "Groups": [],
      "Instances": [
        {
          "AmiLaunchIndex": 0,
          "ImageId": "ami-08986fa2707bad0dd",
          "InstanceId": "<redacted>",
          "InstanceType": "t2.micro",
          "KeyName": "test",
          "LaunchTime": "2020-11-20T17:44:50+00:00",
          "Monitoring": {
            "State": "disabled"
          },
          "Placement": {
            "AvailabilityZone": "us-east-1a",
            "GroupName": "",
            "Tenancy": "default"
          },
          "Platform": "windows",
          "PrivateDnsName": "<redacted>",
          "PrivateIpAddress": "<redacted>",
          "ProductCodes": [],
          "PublicDnsName": "<redacted>",
          "PublicIpAddress": "<redacted>",
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "StateTransitionReason": "",
          "SubnetId": "<redacted>",
          "VpcId": "<redacted>",
          "Architecture": "x86_64",
          "BlockDeviceMappings": [
            {
              "DeviceName": "/dev/sda1",
              "Ebs": {
                "AttachTime": "2020-11-20T17:44:51+00:00",
                "DeleteOnTermination": true,
                "Status": "attached",
                "VolumeId": "<redacted>"
              }
            }
          ],
          "ClientToken": "",
          "EbsOptimized": false,
          "EnaSupport": true,
          "Hypervisor": "xen",
          "IamInstanceProfile": {
            "Arn": "<redacted>",
            "Id": "<redacted>"
          },
          "NetworkInterfaces": [
            {
              "Association": {
                "IpOwnerId": "amazon",
                "PublicDnsName": "<redacted>",
                "PublicIp": "<redacted>"
              },
              "Attachment": {
                "AttachTime": "2020-11-20T17:44:50+00:00",
                "AttachmentId": "<redacted>",
                "DeleteOnTermination": true,
                "DeviceIndex": 0,
                "Status": "attached",
                "NetworkCardIndex": 0
              },
              "Description": "",
              "Groups": [
                {
                  "GroupName": "<redacted>",
                  "GroupId": "<redacted>"
                }
              ],
              "Ipv6Addresses": [],
              "MacAddress": "<redacted>",
              "NetworkInterfaceId": "<redacted>",
              "OwnerId": "<redacted>",
              "PrivateDnsName": "<redacted>",
              "PrivateIpAddress": "<redacted>",
              "PrivateIpAddresses": [
                {
                  "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "<redacted>",
                    "PublicIp": "<redacted>"
                  },
                  "Primary": true,
                  "PrivateDnsName": "<redacted>",
                  "PrivateIpAddress": "<redacted>"
                }
              ],
              "SourceDestCheck": true,
              "Status": "in-use",
              "SubnetId": "<redacted>",
              "VpcId": "<redacted>",
              "InterfaceType": "interface"
            }
          ],
          "RootDeviceName": "/dev/sda1",
          "RootDeviceType": "ebs",
          "SecurityGroups": [
            {
              "GroupName": "<redacted>",
              "GroupId": "<redacted>"
            }
          ],
          "SourceDestCheck": true,
          "VirtualizationType": "hvm",
          "CpuOptions": {
            "CoreCount": 1,
            "ThreadsPerCore": 1
          },
          "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
          },
          "HibernationOptions": {
            "Configured": false
          },
          "MetadataOptions": {
            "State": "applied",
            "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1,
            "HttpEndpoint": "enabled"
          },
          "EnclaveOptions": {
            "Enabled": false
          }
        }
      ],
      "OwnerId": "<redacted>",
      "ReservationId": "<redacted>"
    }
  ]
}
What am I doing wrong?
Answer 1
You at least need to run the SSM Quick Setup, and you need to add the AmazonSSMManagedInstanceCore policy to the EC2 instance's role (or, if you don't need any other set of policies, just use the AmazonSSMRoleForInstancesQuickSetup role).
Note that Quick Setup takes some time to complete, and I've found that if you didn't set the role when launching the instance, you sometimes have to SSH into it before SSM "kicks in" (I don't know why). While you're at it, check that the SSM agent is actually running.
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html
Answer 2
The question is whether it's your custom AMI that's broken, or something else in your setup (network settings, IAM role, etc.).
Try launching the official Windows AMI with exactly the same configuration you have now (same subnet, same IAM role, same security group, etc.) and see if it works. If it works, you need to fix the Packer configuration; if it doesn't, you need to fix the launch settings.
Once you have identified the cause, work from there.
Update: since the problem seems to be in the Packer configuration, you'll have to do some troubleshooting. Start with a very minimal Packer config, verify the image still works, add more changes, verify it still works, and so on until it breaks. Once it breaks, you'll know which change/line broke it, and then we can figure out why.
Hope that helps :)
Answer 3
It turns out that rebooting the builder with the windows-restart provisioner solved my problem. Everything I did (including my security groups and IAM) was correct. What do you know?
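The fix from Answer 3 and the "check that the SSM agent is actually running" advice from Answer 1, combined into one template as an added example (this is not the asker's or any answerer's code): the builder is the asker's own from the question, followed by a provisioners section that reboots the build instance with Packer's windows-restart provisioner and then fails the build, so no AMI is created, unless the agent's Windows service is running. The service name AmazonSSMAgent is the standard name of the SSM agent service on Windows; windows-restart and powershell are Packer's own provisioner types. The template still relies on the asker's windows_bootstrap.txt user data and on winrm_insecure, exactly as in the question.

```json
{
  "_comment": "Added example, not the original poster's template. Root-level keys starting with _ are ignored by Packer JSON templates and serve as comments. The builder is copied from the question; the provisioners section is the addition.",
  "variables": {
    "aws_access_key": null,
    "aws_secret_key": null
  },
  "builders": [
    {
      "name": "windows",
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "region": "us-east-1",
      "source_ami_filter": {
        "filters": {
          "virtualization-type": "hvm",
          "name": "Windows_Server-2019-English-Full-Base-2020.11.11",
          "root-device-type": "ebs"
        },
        "owners": "amazon",
        "most_recent": true
      },
      "instance_type": "t2.micro",
      "ami_name": "build-runner-windows {{timestamp}}",
      "communicator": "winrm",
      "force_deregister": true,
      "winrm_insecure": true,
      "winrm_username": "Administrator",
      "winrm_use_ssl": true,
      "user_data_file": "./windows_bootstrap.txt"
    }
  ],
  "provisioners": [
    {
      "type": "windows-restart"
    },
    {
      "type": "powershell",
      "inline": [
        "# Added check: the build must not produce an AMI whose SSM agent service is absent or stopped.",
        "$svc = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue",
        "if ($null -eq $svc) { Write-Error 'AmazonSSMAgent service not found on this image'; exit 1 }",
        "Write-Output ('AmazonSSMAgent status after restart: ' + $svc.Status + ', start type: ' + $svc.StartType)",
        "if ($svc.Status -ne 'Running') { Write-Error 'AmazonSSMAgent is not running'; exit 1 }"
      ]
    }
  ]
}
```

Run it exactly as in the question (packer build -var-file="template-vars.json" minimal.json). The inline script runs after WinRM reconnects following the reboot, and a non-zero exit code from it aborts the build before the "Creating AMI" step. Whether an instance launched from the resulting AMI is then reachable over Session Manager still depends on the launch-time settings from Answer 1: an instance profile whose role carries AmazonSSMManagedInstanceCore, and outbound HTTPS from the subnet to the Systems Manager endpoints. Once the launched instance has registered it appears in the output of aws ssm describe-instance-information; an instance missing from that list points at the agent, IAM or network, not at the console.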