Cannot access vm using GCloud Compute


Problem description


    I cannot access it via SSH. From my console I enter the valid command: gcloud compute --project " ssh --zone "" ""

    But I keep having the following error message:

    Permission denied (publickey). ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

    • Then I did revoke the SSH: gcloud auth revoke --all
    • Then I did: gcloud auth login
    • Then tried to access the vm again with: gcloud compute --project " ssh --zone """"

    I got the following errors: ERROR: (gcloud.compute.ssh) Could not fetch resource: - Required 'compute.instances.get' permission for 'projects

    Please Help. Thanks

    Solution

    Permission denied (publickey). ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

    This error seems to refer to some error with the SSH keys or an incomplete Linux Guest environment.

    I'm wondering what the purpose of running gcloud auth revoke --all is.

    Can you provide the output of the following commands?

    1. $ gcloud compute instances describe name-of-your-instance --zone zone-the-instance-is-in --project name-of-your-project
    2. $ gcloud compute instances get-serial-port-output name-of-your-instance --zone zone-the-instance-is-in --project name-of-your-project
    3. $ gcloud compute firewall-rules list --project name-of-your-project

    The commands can be helpful because:

    1. With this command we can check the state of the ssh keys on the instance and the scopes that are enabled in the instance (along with other info)
    2. This command provides the serial output log entries from the instance that can help troubleshoot the connection issues you're experiencing. Note that these logs are wiped after a reboot of the instance, so don't expect persistent logs here, but this info can be useful for your case.
    3. This command outputs the firewall rules within your project; there should be a default or curated firewall rule allowing TCP ingress traffic on port 22, if not (you'll need to create one).

    Have you tried to SSH from the browser in incognito mode? Sometimes, browser extensions can prevent the normal functioning of the SSH over the browser feature, that's why I recommend the incognito mode.


    EDIT In order to make this post useful (and easier to read) for the community I'm summarizing here some of the comments from below:

    Error shown:

    Could not fetch resource: - Required 'compute.instances.get' permission for 'projects//zones//instances/

    What to do: Check the user roles/permissions

    $ gcloud beta iam roles list --account your-account-here
    
    > ---
    > description: Full management of App Engine apps (but not storage).
    > etag: AA==
    > name: roles/appengine.appAdmin
    > stage: GA
    > title: App Engine Admin
    > ---
    > description: Ability to view App Engine app status.
    > etag: AA==
    > name: roles/appengine.appViewer
    > stage: GA
    > title: App Engine Viewer
    

    From the output above: the user has only App Engine permissions (but not permissions in Compute Engine)

    What to do: ask the project owner to add a role that grants the user access to the GCE instances (Instance Admin Role, Compute Admin Role). List of the available roles here: cloud.google.com/compute/docs/access/iam#instance_admin_role

    Required info, run 2 commands:

    • in order to check the log from the instance:

      $ gcloud compute instances get-serial-port-output name-of-your-instance --zone zone-the-instance-is-in --project name-of-your-project

      SeaBIOS (version 1.8.2-20180102_145157-google)
      Total RAM Size = 0x000000006cc00000 = 1740 MiB
      CPUs found: 1 Max CPUs supported: 256
      found virtio-scsi at 0:3
      virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
      virtio-scsi blksize=512 sectors=20971520 = 10240 MiB
      drive 0x000f2330: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=20971520
      Booting from Hard Disk 0...
      [ 0.000000] Initializing cgroup subsys cpuset
      [ 0.000000] Initializing cgroup subsys cpu
      [ 0.000000] Initializing cgroup subsys cpuacct
      [ 0.000000] Linux version 3.16.0-0.bpo.4-amd

    • to confirm there's a firewall rule allowing ingress traffic on port 22:

      $ gcloud compute firewall-rules list --project name-of-your-project
      NAME               NETWORK  DIRECTION  PRIORITY  ALLOW
      default-allow-ssh  default  INGRESS    65534     tcp:22

    From the output above the firewall rule allowing SSH traffic has priority 65534. Priority is an integer from 0 to 65535, both inclusive. Lower value of priority implies higher precedence. In other words, 1 is higher priority than 2. You can read this document for further explanation

    Update the firewall rule to set a higher priority. To do so run the command:

    $ gcloud compute firewall-rules update --priority 1000 default-allow-ssh
    

    Issue: I tried to SSH into the instance I still got the same old error : ssh: connect to host X.XX.XX.XX port 22: Operation timed out ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]

    Check if the ssh service is running in the instance. Run the following command to get the IP of the instance:

    $ gcloud compute instances describe [NAME_OF_YOUR_INSTANCE] --format='get(networkInterfaces[0].accessConfigs[0].natIP)' 
    

    Install netcat => is a computer networking utility for reading/writing to network connections:

    $ sudo apt-get install netcat
    

    Run the following command to check the output of the command:

    $ nc [EXTERNAL_IP] 22 
    > 
    

    Issue: Nothing is returned from running nc [EXTERNAL_IP] 22

    Check if the Linux Guest Environment is enabled in your instance. To do so, you should add a startup script on the GCE instance. To add the startup script to the instance:

    1. Click on the instance name
    2. Click on edit
    3. Go to the "custom metadata" section
    4. In the "Key" text field add: startup-script
    5. In the "Value" text field add:
       #! /bin/bash
       sudo systemctl list-unit-files | grep google | grep enabled
    6. Save the changes

    More detailed info on startup scripts is also available.

    Then restart the instance to allow the script to execute. Verify that the Linux Guest Environment scripts are installed and running. To do so, check the output of the startup script in the serial log console from the GCE instance. You can check the expected outputs for the different Operating Systems.

    If the Linux Guest Environment is not installed, re-install it. You can follow this documentation to install the LGE.
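
The priority rule described in the answer above, worked through as an added example (not part of the original answer or of any Google tooling): it evaluates which ingress rule decides TCP port 22 for a given source address. The rule list is a constructed sample in the JSON shape of `gcloud compute firewall-rules list --format=json`; `deny-admin-ports` and `allow-office-ssh` are hypothetical rules, and target tags, source tags and hierarchical firewall policies are assumed absent.

```python
import ipaddress
import json

# Constructed sample (hypothetical rules except default-allow-ssh from the page).
SAMPLE_RULES = json.loads("""[
  {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "deny-admin-ports", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
  {"name": "allow-office-ssh", "direction": "INGRESS", "priority": 900,
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")


def _covers(entries, port):
    """True if any allowed/denied entry covers TCP `port`."""
    for entry in entries:
        if entry["IPProtocol"] not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:                      # no ports listed means every port
            return True
        for spec in ports:                 # "22" or a range such as "20-25"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False


def effective_ingress(rules, source_ip, port=22):
    """Return (action, rule_name) deciding TCP `port` from `source_ip`."""
    src = ipaddress.ip_address(source_ip)
    matches = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
            continue
        for action, key in (("deny", "denied"), ("allow", "allowed")):
            if _covers(rule.get(key, []), port):
                # Lowest number wins; on a tie, deny sorts before allow.
                matches.append((rule["priority"], action != "deny", action, rule["name"]))
    if not matches:
        return ("deny", "implied-deny-ingress")   # implied rule at priority 65535
    return min(matches)[2:]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.10"):
        print(ip, effective_ingress(SAMPLE_RULES, ip))
```

With only `default-allow-ssh` in the list, port 22 is allowed at priority 65534; the priority value changes the outcome only when another matching rule, such as a deny with a lower number, covers the same traffic.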
