Non-standard SSH port not working with googlecompute builder

Jonathan Hall

Sep 17, 2020, 8:33:07 AM
to Packer
I'm trying to debug some Packer configuration I've inherited. One configuration in particular works from our CI pipeline, but does not work locally. One difference is the SSH port used. When I use the default SSH port locally, packer works. When I try to use 5222, I get a timeout:

==> googlecompute: Using ssh communicator to connect: 35.193.105.225
2020/09/17 14:17:56 packer: 2020/09/17 14:17:56 [INFO] Waiting for SSH, up to timeout: 5m0s
==> googlecompute: Waiting for SSH to become available...
2020/09/17 14:18:11 packer: 2020/09/17 14:18:11 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 35.193.105.225:5222: i/o timeout
< .. snip .. >
2020/09/17 14:22:51 packer: 2020/09/17 14:22:51 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 35.193.105.225:5222: i/o timeout
2020/09/17 14:22:56 ui error: ==> googlecompute: Timeout waiting for SSH.
==> googlecompute: Timeout waiting for SSH.
2020/09/17 14:22:56 packer: 2020/09/17 14:22:56 [DEBUG] SSH wait cancelled. Exiting loop.
2020/09/17 14:22:56 ui error: ==> googlecompute: Timeout waiting for SSH.
==> googlecompute: Timeout waiting for SSH.

However, SSH responds from the same machine when I connect myself:

$ ssh 35.193.105.225 -P 5222
The authenticity of host '35.193.105.225 (35.193.105.225)' can't be established.
ECDSA key fingerprint is SHA256:+Cls2Qe932m0yNrDWLbjUfeZcOpORGUT9p9rCjLbotg.
Are you sure you want to continue connecting (yes/no)? ^C

I'm running packer with this command:

PACKER_LOG=1 packer build \
    -var "instance_name=${INSTANCE_NAME}" \
    -var "shutdown_script=$(cat files/metadata_shutdown_script.sh)" \
    -var "startup_script=$(cat files/metadata_startup_script.sh)" \
    -var "ssh_private_key_file=${SSH_KEY}" \
    -var "ssh_public_keys=root:$(cat "${SSH_KEY}.pub")" \
    -on-error=ask \
    test.json

test.json looks like this:

{
  "variables": {},
  "builders": [
    {
      "image_description": "Custom packer base image for other images, debian based",
      "image_family": "debian9-base",
      "image_labels": {
        "type": "debian-base"
      },
      "image_name": "debian9-base-{{timestamp}}",
      "instance_name": "{{ user `instance_name` }}",
      "metadata": {
        "block-project-ssh-keys": "TRUE",
        "enable-oslogin": "FALSE",
        "shutdown-script": "{{user `shutdown_script`}}",
        "ssh-keys": "{{user `ssh_public_keys`}}",
        "startup-script": "{{user `startup_script`}}"
      },
      "preemptible": "true",
      "project_id": "lana-gitlab",
      "scopes": [],
      "source_image_family": "debian-9",
      "ssh_port": "5222",
      "ssh_username": "packer",
      "type": "googlecompute",
      "zone": "us-central1-a"
    }
  ]
}

and files/metadata_startup_script.sh looks like this:

set -eufCo pipefail
export SHELLOPTS
IFS=$'\t\n'

cat >| /etc/ssh/sshd_config <<-EOF
# AllowUsers root
ListenAddress 0.0.0.0:22
ListenAddress 0.0.0.0:5222
LogLevel DEBUG
PasswordAuthentication no
PermitRootLogin prohibit-password
EOF
sshd -t
systemctl reload ssh


If I remove the `"ssh_port": "5222",` from test.json, packer succeeds.

What am I overlooking that's preventing this non-standard SSH port from working?

Thank you.

Megan Marsh

Sep 18, 2020, 1:13:02 PM
to packe...@googlegroups.com
Packer cannot change the port that the ssh daemon is listening on in the guest; if your startup-script isn't changing this, or it isn't being configured elsewhere in your googlecompute configs, then it's probably listening on the default and Packer's attempts to connect to the custom port are in vain because no one is listening on the other end.

Jonathan Hall

Sep 21, 2020, 3:32:13 AM
to Packer
Hi Megan,

Thanks for taking the time to reply.

As you can see from my above config, I am configuring the SSH listen port in the startup script, and as I've also indicated, I have verified that it is also working by doing a manual SSH to the alternate port, which succeeds.

So I'm confident that something _is_ listening on the other end.

Is something else needed within Packer to allow this? Is there some other network/firewall type config I'm overlooking that applies to Packer, but not to direct SSH communication?

Thank you,
Jonathan

Megan Marsh

Sep 21, 2020, 12:13:28 PM
to packe...@googlegroups.com
Ah, sorry I didn't see your script when I read initially. There shouldn't be anything that applies to Packer and not normal ssh. It looks like your ssh timeout is only about five minutes; no guarantees but you can try bumping that higher and seeing if it's just a timing thing. Is there anything exciting going on with proxies in your environment?
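
An added example, not part of the thread and not Packer's own code: a Go probe that separates the failure modes discussed above. A refused connection means the host answered but nothing listens on that port, while a timeout like the `i/o timeout` in the log means the packets got no answer at all, which usually points at filtering between client and guest (for instance a firewall rule that admits only port 22) rather than at sshd. The function name `probe` and the loopback demo listener are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// probe dials addr ("host:port") once and classifies the result:
//   "open"    - TCP handshake completed, something is listening
//   "refused" - host answered with a reset, nothing listens on that port
//   "timeout" - no answer at all (what Packer logged as "i/o timeout")
//   "error"   - anything else (DNS failure, no route, ...)
func probe(addr string, timeout time.Duration) string {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err == nil {
		conn.Close()
		return "open"
	}
	var nerr net.Error
	switch {
	case errors.Is(err, syscall.ECONNREFUSED):
		return "refused"
	case errors.As(err, &nerr) && nerr.Timeout():
		return "timeout"
	default:
		return "error"
	}
}

func main() {
	// Usage: go run probe.go HOST:22 HOST:5222 (no args: constructed loopback demo).
	targets := os.Args[1:]
	if len(targets) == 0 {
		ln, err := net.Listen("tcp", "127.0.0.1:0")
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer ln.Close()
		targets = []string{ln.Addr().String()}
	}
	for _, t := range targets {
		fmt.Printf("%-24s %s\n", t, probe(t, 5*time.Second))
	}
}
```

With the OpenSSH client the port is selected with lowercase `-p` (`ssh -p 5222 HOST`), so a manual check should use that form to exercise the same port Packer dials.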
