我使用Packer构buildVirtualBox图像,使用Ansible置备程序设置图像。 构build器步骤创build一个临时用户( ssh_username和ssh_password )。 Ansibleconfiguration程序使用此临时用户运行。 当然,我想摆脱这个用户后,它build立了我们更安全的公共密钥的用户。 所以我添加了第二个Ansibleconfiguration步骤,作为安全用户连接,并删除不安全的用户。 或者至less是这个计划。 但是,通过打包程序的Ansible无法使用此方法实际连接到VM。
以下是packer.json文件的相关部分:
"provisioners": [ { "type": "ansible", "playbook_file": "playbooks/image/image.yml", "groups": [ "{{user `ansible_group`}}" ], "user": "vagrant", "extra_arguments": [ "--vault-password-file", "scripts/get-vault-password.sh", "-e", "global_configuration_user={{user `configuration_user`}}", "-e", "global_deployment_user={{user `deployment_user`}}", "-e", "ansible_ssh_pass=vagrant", "-vvvvv" ] }, { "type": "ansible", "playbook_file": "playbooks/image/removeVagrant.yml", "groups": [ "{{user `ansible_group`}}" ], "user": "{{user `configuration_user`}}", "extra_arguments": [ "--vault-password-file", "scripts/get-vault-password.sh", "-e", "global_configuration_user={{user `configuration_user`}}", "-e", "global_deployment_user={{user `deployment_user`}}", "-e", "ansible_ssh_private_key_file=~/.ssh/id_{{user `configuration_user`}}_rsa", "-vvvvv" ] } ],
第一个configuration步骤没有问题。 这是第二个失败的权限被拒绝。 Ansible正在尝试执行以下SSH命令:
ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=37947 -o 'IdentityFile="/home/redacted/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=redacted -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ControlPath=/home/redacted/.ansible/cp/ansible-ssh-%h-%p-%r 127.0.0.1 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1491233126.24-276699777493633 `" && echo ansible-tmp-1491233126.24-276699777493633="` echo ~/.ansible/tmp/ansible-tmp-1491233126.24-276699777493633 `" ) && sleep 0'"'"''
SSHdebugging输出的相关部分是:
debug1: SSH2_MSG_NEWKEYS received debug2: key: /home/redacted/.ssh/id_rsa, explicit, agent debug2: key: redacted debug2: key: redacted debug2: key: redacted debug2: key: redacted debug2: key: redacted debug2: key: redacted debug2: key: redacted debug3: send packet: type 5 debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: publickey debug3: start over, passed a different list publickey debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey debug3: authmethod_lookup publickey debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/redacted/.ssh/id_rsa debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51 debug1: Authentications that can continue: publickey debug1: Offering RSA public key: key2 debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51
然后它会继续尝试我的.ssh目录下的其他密钥,当然这些密钥都失败了。 第一个,被要求的,已经失败了。
我用-on-error=abort运行了Packer,这样它就会离开虚拟机了。 我试着用相同的命令进行SSH连接,并得到一个连接拒绝错误。 我发现,原因是它试图连接到Packer设置的SSH代理端口。 因此,我使用在Virtualbox虚拟机上设置的实际转发端口,并且SSH连接成功。 因此,问题出现在SSH代理上。 但是,我不知道如何使其performance。
我也尝试在ssh_authorized_key_fileconfiguration器的Packerconfiguration中使用ssh_authorized_key_file选项( https://www.packer.io/docs/provisioners/ansible.html )。 在这种情况下,我得到了一个派克错误,说它没有parsing授权密钥(源代码在这里: https : //github.com/bhcleek/packer-provisioner-ansible/blob/master/provisioner/ansible/provisioner。去 )。 它没有告诉我问题是什么。 用于SSH库的Go文档表示它是标准的SSH密钥文件格式。 或者这是我最好的解释( https://godoc.org/golang.org/x/crypto/ssh#ParseAuthorizedKey )。