I have been using Packer v0.10.1 to build an image and ran into the following access/security problem when trying to run it through Hashicorp's Atlas tool.
```
Packer v0.10.1
googlecompute output will be in this color.

==> googlecompute: Checking image does not exist...
==> googlecompute: Creating temporary SSH key for instance...
==> googlecompute: Creating instance...
    googlecompute: Loading zone: us-central1-a
==> googlecompute: Error creating instance: Get https://www.googleapis.com/compute/v1/projects/united-course-124523/zones/us-central1-a?alt=json: oauth2/google: can't get a token from the metadata service; not running on GCE
Build 'googlecompute' errored: Error creating instance: Get https://www.googleapis.com/compute/v1/projects/united-course-124523/zones/us-central1-a?alt=json: oauth2/google: can't get a token from the metadata service; not running on GCE

==> Some builds didn't complete successfully and had errors:
--> googlecompute: Error creating instance: Get https://www.googleapis.com/compute/v1/projects/united-course-124523/zones/us-central1-a?alt=json: oauth2/google: can't get a token from the metadata service; not running on GCE

==> Builds finished but no artifacts were created.
```
Any ideas? It looks like it should be a GCE error, but I have already uploaded an account.json variable as an environment variable, as shown in the Packer template file below.
```json
{
  "variables": {
    "instance_name": "hdqc-redis-{{timestamp}}",
    "image_name": "testing-hdqc-redis-{{timestamp}}"
  },
  "builders": [
    {
      "type": "googlecompute",
      "project_id": "united-course-124523",
      "source_image": "debian-8-jessie-v20160718",
      "zone": "us-central1-a",
      "instance_name": "{{user `instance_name`}}",
      "image_name": "{{user `image_name`}}",
      "image_description": "Nginx Server.",
      "communicator": "ssh",
      "ssh_username": "redisadmin"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "sleep 3",
        "echo \"slept for 3 seconds.\""
      ]
    },
    {
      "type": "file",
      "source": "install-redis.sh",
      "destination": "install-redis.sh"
    },
    {
      "type": "shell",
      "script": "install-redis.sh",
      "pause_before": "10s"
    }
  ]
}
```
After realizing that this was simply because account.json was not included, which, as shown here, requires a specific service account in GCE, I changed the template and added a variable holding the contents of the account.json file.
```json
{
  "variables": {
    "instance_name": "hdqc-redis-{{timestamp}}",
    "image_name": "testing-hdqc-redis-{{timestamp}}",
    "account_json": "{{env `packer_account_json`}}"
  },
  "builders": [
    {
      "type": "googlecompute",
      "account_file": "{{user `account_json`}}",
      "project_id": "united-course-124523",
      "source_image": "debian-8-jessie-v20160718",
      "zone": "us-central1-a",
      "instance_name": "{{user `instance_name`}}",
      "image_name": "{{user `image_name`}}",
      "image_description": "Nginx Server.",
      "communicator": "ssh",
      "ssh_username": "redisadmin"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "sleep 3",
        "echo \"slept for 3 seconds.\""
      ]
    },
    {
      "type": "file",
      "source": "install-redis.sh",
      "destination": "install-redis.sh"
    },
    {
      "type": "shell",
      "script": "install-redis.sh",
      "pause_before": "10s"
    }
  ]
}
```
But then, after adding this change, where I store the contents of the account.json file as a variable named "packer_account_json", I end up with the following error.
```
Packer v0.10.1
googlecompute output will be in this color.

1 error(s) occurred:

* account_file path does not exist: {
```
I thought, what in the world? Can it not take a variable? This is similar to how I have stored the account.json contents as a Terraform variable, and that works fine.
Packer needs credentials to start the GCE VM it builds the image on. If you run the Packer process on GCE, those credentials are provided by the instance metadata service.
Since Atlas does not run on GCE, you need to create a service account key, download it, and add it to your Packer manifest. That would be the account_file entry in this minimal manifest:
```json
{
  "type": "googlecompute",
  "account_file": "account.json",
  "project_id": "your-project",
  "source_image": "your-base-image",
  "zone": "us-central1-a"
}
```
The "Running without a Compute Engine service account" section of the Packer documentation gives step-by-step instructions for creating a service account key.
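The error in the question ("account_file path does not exist: {") shows that in Packer 0.10.1 `account_file` is treated as a file path, so a variable carrying the key's JSON text is used as a file name and fails. The usual way to keep the key out of the repository on a non-GCE build agent is to hold it in an environment variable, write it to a private temporary file just before the build, and pass that path in. The following POSIX shell helper is an added example, not code from the question, the answer or the Packer project: it reads the key from an assumed environment variable `PACKER_ACCOUNT_JSON`, checks that the text looks like a service-account key (rather than, say, an OAuth client secret or an empty string), writes it to a 0600 file created with `mktemp`, runs `packer build` with an assumed template variable `account_file`, and removes the file on exit. The template is expected to declare `"account_file": ""` under `variables` and use `"account_file": "{{user `account_file`}}"` in the builder; both names are assumptions.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Packer): materialize a GCE
# service-account key held in $PACKER_ACCOUNT_JSON (assumed name) into a 0600
# temporary file and hand the path to Packer 0.10.1 via -var account_file=...
# (assumed template variable name).
set -eu

# Return 0 if the text looks like a GCE service-account key: it must declare
# "type": "service_account" and carry a private_key and client_email.
looks_like_sa_key() {
  key="$1"
  printf '%s' "$key" | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' || return 1
  printf '%s' "$key" | grep -q '"private_key"' || return 1
  printf '%s' "$key" | grep -q '"client_email"' || return 1
  return 0
}

# Write the key to a private temporary file and print its path.
# umask 077 runs in the command-substitution subshell, so the file is created
# 0600 even on a shared build agent with a permissive default umask.
write_sa_key_file() {
  key="$1"
  dir="${2:-${TMPDIR:-/tmp}}"
  path=$(umask 077 && mktemp "$dir/packer-sa.XXXXXX")
  printf '%s\n' "$key" > "$path"
  printf '%s\n' "$path"
}

# Validate the key, write it, run the build, and remove the file afterwards.
# The key text never appears on the packer command line (visible in ps and in
# build logs); only the temporary path does.
run_packer_with_key() {
  template="$1"
  key="${PACKER_ACCOUNT_JSON:?PACKER_ACCOUNT_JSON is not set}"
  if ! looks_like_sa_key "$key"; then
    echo "PACKER_ACCOUNT_JSON does not look like a service-account key" >&2
    return 2
  fi
  keyfile=$(write_sa_key_file "$key")
  trap 'rm -f "$keyfile"' EXIT
  packer build -var "account_file=$keyfile" "$template"
}

# Usage: PACKER_ACCOUNT_JSON="$(cat account.json)" sh build.sh redis.json
if [ -n "${1:-}" ]; then
  run_packer_with_key "$1"
fi
```

The validation is deliberately a plain-text sanity check, not a JSON parser; its purpose is to fail early with a clear message when the wrong secret was exported, before Packer reaches the GCE API. The `trap` on EXIT covers both success and the `set -e` failure path, so the key file does not outlive the build.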