Using knife ec2 plugin to create VM in VPC private subnet


Question

Although I've written a fair amount of chef, I'm fairly new to both AWS/VPC and administrating network traffic (especially a bastion host).

Using the knife ec2 plugin, I would like the capability to dynamically create and bootstrap a VM from my developer workstation. The VM should be able to exist in either a public or private subnet of my VPC. I would like to do all of this without use of an elastic IP. I would also like for my bastion host to be hands off (i.e. I would like to avoid having to create explicit per-VM listening tunnels on my bastion host).

I have successfully used the knife ec2 plugin to create a VM in the legacy EC2 model (e.g. outside of my VPC). I am now trying to create an instance in my VPC. On the knife command line, I'm specifying a gateway, security groups, subnet, etc. The VM gets created, but knife fails to ssh to it afterward.

Here is my knife command line:

    knife ec2 server create \
        --flavor t1.micro \
        --identity-file <ssh_private_key> \
        --image ami-3fec7956 \
        --security-group-ids sg-9721e1f8 \
        --subnet subnet-e4764d88 \
        --ssh-user ubuntu \
        --server-connect-attribute private_ip_address \
        --ssh-port 22 \
        --ssh-gateway <gateway_public_dns_hostname (route 53)> \
        --tags isVPC=true,os=ubuntu-12.04,subnet_type=public-build-1c \
        --node-name <VM_NAME>

I suspect that my problem has to do with the configuration of my bastion host. After a day of googling, I wasn't able to find a configuration that works. I'm able to ssh to the bastion host, and from there I can ssh to the newly created VM. I cannot get knife to successfully duplicate this using the gateway argument.

I've played around with /etc/ssh/ssh_config. Here is how it exists today:

    ForwardAgent yes
#ForwardX11 no
#ForwardX11Trusted yes
#RhostsRSAAuthentication no
#RSAAuthentication yes
#PasswordAuthentication no
#HostbasedAuthentication yes
#GSSAPIAuthentication no
#GSSAPIDelegateCredentials no
#GSSAPIKeyExchange no
#GSSAPITrustDNS no
#BatchMode no
    CheckHostIP no
#AddressFamily any
#ConnectTimeout 0
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/identity
#IdentityFile ~/.ssh/id_rsa
#IdentityFile ~/.ssh/id_dsa
#Port 22
#Protocol 2,1
#Cipher 3des
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#EscapeChar ~
    Tunnel yes
#TunnelDevice any:any
#PermitLocalCommand no
#VisualHostKey no
#ProxyCommand ssh -q -W %h:%p gateway.example.com
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    GatewayPorts yes

I have also set /home/ubuntu/.ssh/identity to the matching private key of my new instance.

Update:

I notice the following in the bastion host's /var/log/auth.log:

    May  9 12:15:47 ip-10-0-224-93 sshd[8455]: Invalid user  from <WORKSTATION_IP>
    May  9 12:15:47 ip-10-0-224-93 sshd[8455]: input_userauth_request: invalid user  [preauth]

Accepted answer

I finally resolved this. I was missing the username when specifying my gateway. I originally thought that the --ssh-user argument would be used for both the gateway AND the VM I'm attempting to bootstrap. This was incorrect; a username must be specified for both.

    knife ec2 server create \
        --flavor t1.micro \
        --identity-file <ssh_private_key> \
        --image ami-3fec7956 \
        --security-group-ids sg-9721e1f8 \
        --subnet subnet-e4764d88 \
        --ssh-user ubuntu \
        --server-connect-attribute private_ip_address \
        --ssh-port 22 \
        --ssh-gateway ubuntu@<gateway_public_dns_hostname (route 53)> \
        --tags isVPC=true,os=ubuntu-12.04,subnet_type=public-build-1c \
        --node-name <VM_NAME>

Just the line containing the update (notice the ubuntu@ in front):

    --ssh-gateway ubuntu@<gateway_public_dns_hostname (route 53)>

I have now gone through and locked my bastion host back down, including removal of /home/ubuntu/.ssh/identity, as storing the private key on the bastion host was really bugging me.

FYI: When setting up a bastion host, the "out of the box" configuration of sshd will work when using the Amazon Linux AMI image. Also, some of the arguments above are optional, such as --ssh-port.
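The two practical lessons of this thread are that the `--ssh-gateway` value must carry its own `user@` prefix (the `--ssh-user` value is not reused for the bastion), and that a missing gateway username shows up on the bastion as `Invalid user  from ...` lines with an empty username in `/var/log/auth.log`. The POSIX shell script below is an added example, not code from the question or the answer: it checks and qualifies a gateway argument before it is handed to knife, and counts the empty-username symptom over a few constructed auth.log lines (the hostnames, IPs and process IDs in the sample are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post). Validates the knife
# --ssh-gateway value and scans sshd auth.log text for the
# empty-username failures that a missing gateway user produces.

# Return 0 when the gateway argument has the form user@host, 1 otherwise.
gateway_has_user() {
  case "$1" in
    ?*@?*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print the gateway argument with an explicit user, prepending the given
# user only when the value does not already carry one.
qualify_gateway() {
  user="$1"
  gw="$2"
  if gateway_has_user "$gw"; then
    printf '%s\n' "$gw"
  else
    printf '%s@%s\n' "$user" "$gw"
  fi
}

# Constructed sample of bastion auth.log lines (placeholder hosts/IPs).
# Lines 1 and 4 show the empty-username symptom: two spaces before "from".
SAMPLE_AUTH_LOG='May  9 12:15:47 ip-10-0-224-93 sshd[8455]: Invalid user  from 203.0.113.10
May  9 12:15:47 ip-10-0-224-93 sshd[8455]: input_userauth_request: invalid user  [preauth]
May  9 12:16:02 ip-10-0-224-93 sshd[8460]: Accepted publickey for ubuntu from 203.0.113.10 port 51022 ssh2
May  9 12:17:30 ip-10-0-224-93 sshd[8470]: Invalid user  from 203.0.113.10
May  9 12:18:05 ip-10-0-224-93 sshd[8475]: Invalid user admin from 198.51.100.7'

# Count "Invalid user" events whose username field is empty in the given
# log text. grep -c exits 1 when nothing matches, so the status is ignored
# and only the printed count is returned.
count_empty_user_attempts() {
  n=$(printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Invalid user  from') || true
  printf '%s\n' "$n"
}

# Usage with placeholder values: prints the qualified gateway argument
# and the number of empty-username failures in the sample log.
qualify_gateway ubuntu '<gateway_public_dns_hostname>'
count_empty_user_attempts "$SAMPLE_AUTH_LOG"
```

On a real bastion the same pattern can be fed from `/var/log/auth.log` instead of the sample string; a non-zero count from a workstation address usually means a client is connecting without a username, as happened here, rather than a credential problem on the VM itself.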
