
Unable to SSH into a VM created from a Packer image deployed with Terraform

Stack Overflow user
Asked on 2019-01-28 15:45:49
Answers: 1  Views: 888  Followers: 0  Votes: 0

Packer version 1.3.2

Packer file:

```json
{
  "builders"                           : [{
    "type"                             : "azure-arm",

    "client_id"                        : "asdf",
    "client_secret"                    : "asdf",
    "tenant_id"                        : "asdf",
    "subscription_id"                  : "asdf",

    "managed_image_resource_group_name": "asdf",
    "managed_image_name"               : "cis-rhel7-l1",

    "os_type"                          : "Linux",
    "image_publisher"                  : "center-for-internet-security-inc",
    "image_offer"                      : "cis-rhel-7-v2-2-0-l1",
    "image_sku"                        : "cis-rhel7-l1",

    "plan_info"                        : {
        "plan_name"                    : "cis-rhel7-l1",
        "plan_product"                 : "cis-rhel-7-v2-2-0-l1",
        "plan_publisher"               : "center-for-internet-security-inc"
    },

    "communicator"                     : "ssh",

    "azure_tags"                       : {
        "docker"                       : "18.09.0"
    },

    "location"                         : "West Europe",
    "vm_size"                          : "Standard_D2_v3"
  }],
  "provisioners"                       : [
        {
            "type"                     : "shell",
            "script"                   : "./cisrhel7-script.sh"
        }
    ]
}
```

The script it calls:

```bash
#!/usr/bin/env bash
# Provisioning script run by the Packer shell provisioner (URLs redacted as "asdf")
DOCKERURL="asdf"

# yum variables used by the Docker EE repository definition
sudo -E sh -c 'echo "asdf/rhel" > /etc/yum/vars/dockerurl'
sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'

sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --enable rhel-7-server-extras-rpm
sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms

# Import the repository signing key, then add and enable the Docker EE repo
curl -sSL "asdf/rhel/gpg" -o /tmp/storebits.gpg
sudo rpm --import /tmp/storebits.gpg
sudo -E yum-config-manager --add-repo "asdf/rhel/docker-ee.repo"
sudo yum -y install docker-ee-18.09.0
sudo yum-config-manager --enable docker-ee-stable-18.09

# firewalld: unmask first in case the hardened image ships it masked
sudo systemctl unmask --now firewalld.service
sudo systemctl enable --now firewalld.service
systemctl status firewalld

# Ports for SSH, HTTP(S), Docker Swarm and Docker EE components
list=(
    "22/tcp"
    "80/tcp"
    "179/tcp"
    "443/tcp"
    "2376/tcp"
    "2377/tcp"
    "4789/udp"
    "6443/tcp"
    "6444/tcp"
    "7946/tcp"
    "7946/udp"
    "10250/tcp"
    "12376/tcp"
    "12378/tcp"
    "12379/tcp"
    "12380/tcp"
    "12381/tcp"
    "12382/tcp"
    "12383/tcp"
    "12384/tcp"
    "12385/tcp"
    "12386/tcp"
    "12387/tcp"
    "12388/tcp"
)
for i in "${list[@]}"; do
    sudo firewall-cmd --zone=public --add-port="$i" --permanent
done
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

# Switch Docker to the overlay2 storage driver before first start
sudo systemctl stop docker
sudo sh -c 'echo "{\"storage-driver\": \"overlay2\"}" > /etc/docker/daemon.json'

# Add the build user to the docker group as a supplementary group
# (-aG appends; -g would have replaced the user's primary group)
CURRENT_USER=$(whoami)
if [ "$CURRENT_USER" != "root" ]
then
        sudo usermod -aG docker "$CURRENT_USER"
fi

sudo systemctl start docker
sudo docker info
```

Then I deploy it with Terraform:

```hcl
# skipping pre-TF resources...
resource "azurerm_virtual_machine" "main" {
  name                              = "${var.prefix}-vm"
  location                          = "${azurerm_resource_group.main.location}"
  resource_group_name               = "${azurerm_resource_group.main.name}"
  network_interface_ids             = ["${azurerm_network_interface.main.id}"]
  vm_size                           = "Standard_D2_v3"

  delete_os_disk_on_termination     = true

  storage_image_reference {
    id                            = "${data.azurerm_image.custom.id}"
  }

  storage_os_disk {
    name                            = "${var.prefix}-osdisk"
    caching                         = "ReadWrite"
    create_option                   = "FromImage"
    managed_disk_type               = "Standard_LRS"
  }

  os_profile {
    computer_name                   = "${var.prefix}"
    admin_username                  = "rhel76"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path                          = "/home/rhel76/.ssh/authorized_keys"
      key_data                      = "${file("rhel76.pub")}"
    }
  }

  plan {
      name                          = "cis-rhel7-l1"
      publisher                     = "center-for-internet-security-inc"
      product                       = "cis-rhel-7-v2-2-0-l1"
  }
}
```

The build is OK and the deployment is OK, but when I go to connect:

```text
λ ssh -i rhel76 rhel76@some-ip
The authenticity of host 'some-ip (some-ip)' can't be established.
ECDSA key fingerprint is SHA256:some-fingerprint.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'some-ip' (ECDSA) to the list of known hosts.
Authorized uses only. All activity may be monitored and reported.
rhel76@some-ip: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

I'm not sure whether this is a Packer or a Terraform issue. I have deployed the base image "cis-rhel7-l1" via Terraform, changing only the image from mine to the base image and leaving the SSH key part alone, and it works fine (I am able to SSH in).

The only way to connect to the VM is to reset the SSH key in Azure. I reset it using the admin_username rhel76 (from the template), it works fine, and I checked /home/rhel76/.ssh/* and other things, which obviously looked fine since I had just done a reset. So I rebuilt the whole thing without changing anything, and the next time I couldn't log in I reset the SSH key for a random username asdf, then looked at the /home/rhel76 directory and couldn't find the .ssh/ folder or the .ssh/authorized_keys file, as if it had no permission to create them.

Since then I have been trying in the script to create those folders and chmod them just in case, but that does not work because I get an error during the Packer build:

```text
azure-arm: chmod: cannot access ‘/home/rhel76/.ssh/authorized_keys’: Permission denied
```

Does anyone have any ideas?

1 answer

Stack Overflow user
Accepted answer
Posted on 2019-01-29 09:44:37

So you need to run the Azure Linux Agent's "deprovision"; I have included the recommendation in the provisioners section:

```json
  "provisioners"                       : [
        {
            "type"                     : "shell",
            "script"                   : "./cisrhel7-script.sh"
        },
        {
            "type"                     : "shell",
            "inline"                   : [
                "echo '************ DEPROVISION'",
                "sudo /usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"
            ]
        }
    ]
}
```

Taken from: https://learn.microsoft.com/en-us/azure/virtual-machines/linux/build-image-with-packer

Votes: 0
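A pre-capture check for the failure mode the answer describes, written as an added example for this page (it is not code from the original post, from Packer or from Microsoft): it inspects a root filesystem for build-time state that `waagent -force -deprovision+user` is meant to clear, since leftover state is what stops the Azure agent from creating the os_profile user and its authorized_keys on the next VM. The marker path /var/lib/waagent/provisioned, the host key location /etc/ssh/ssh_host_*, and the build user name "packer" are assumptions for this illustration; the function takes the root directory as a parameter so it can be exercised against a constructed tree.

```shell
#!/bin/sh
# Pre-capture check (added example): look for state that should no longer be
# present after "waagent -force -deprovision+user" has run on the build VM.
# Paths and the build user name below are assumptions for this illustration.
check_deprovisioned() {
    root="${1:-/}"            # filesystem root to inspect; tests pass a temp dir
    build_user="${2:-packer}" # account Packer used during the build (assumed)
    problems=0

    # 1. Agent marker: if present, the agent treats this disk as already
    #    provisioned and will not create the os_profile user or its keys.
    if [ -e "$root/var/lib/waagent/provisioned" ]; then
        echo "FAIL: $root/var/lib/waagent/provisioned still exists"
        problems=$((problems + 1))
    fi

    # 2. SSH host keys baked into the image would be shared by every VM
    #    cloned from it; deprovision deletes them and the agent regenerates.
    for k in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$k" ] || continue   # glob matched nothing
        echo "FAIL: host key left in image: $k"
        problems=$((problems + 1))
    done

    # 3. The build user's home (with its authorized_keys) should be gone;
    #    the +user option removes the last provisioned account.
    if [ -d "$root/home/$build_user" ]; then
        echo "FAIL: home directory of build user '$build_user' still present"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: no deprovisioning leftovers under $root"
        return 0
    fi
    echo "$problems problem(s); run: sudo /usr/sbin/waagent -force -deprovision+user"
    return 1
}

# Run against the live system only when asked explicitly:
#   sh check_deprovisioned.sh --live [build_user]
if [ "${1:-}" = "--live" ]; then
    check_deprovisioned / "${2:-packer}"
fi
```

Run it as the last provisioner step (after the deprovision step) to fail the Packer build before an image with leftover state is captured.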
Page content provided by Stack Overflow. Original link: https://stackoverflow.com/questions/54405563
