Amazon provided EKS packer | Permission Denied


Zachary Estrella
Apr 22, 2019, 11:19:20 AM
to Packer
Hello All,

I am trying to use Amazon's provided packer scripts to create a base EKS AMI. I am using this packer script here https://github.com/awslabs/amazon-eks-ami/blob/master/eks-worker-al2.json.
One issue that I am running into is a permission denied error for scp. I am not too sure what I need to do to fix this though.

==> eks: Uploading ./files/ => /tmp/worker/
2019/04/22 10:53:01 packer: 2019/04/22 10:53:01 [DEBUG] Upload dir './files/' to '/tmp/worker/'
2019/04/22 10:53:01 packer: 2019/04/22 10:53:01 [DEBUG] Opening new ssh session
2019/04/22 10:53:01 packer: 2019/04/22 10:53:01 [DEBUG] Starting remote scp process:  scp -rvt /tmp/worker/
2019/04/22 10:53:01 packer: 2019/04/22 10:53:01 [DEBUG] Started SCP session, beginning transfers...
2019/04/22 10:53:01 packer: 2019/04/22 10:53:01 [DEBUG] scp: Uploading kubelet-config-with-secret-polling.json: perms=C0644 size=779
2019/04/22 10:53:01 [INFO] (telemetry) ending file
==> eks: Terminating the source AWS instance...
==> eks: Cleaning up any extra volumes...
==> eks: No volumes to clean up, skipping
==> eks: Deleting temporary security group...
==> eks: Deleting temporary keypair...
2019/04/22 10:53:33 [INFO] (telemetry) ending amazon-ebs
2019/04/22 10:53:33 ui error: Build 'eks' errored: scp: /tmp/worker//kubelet-config-with-secret-polling.json: Permission denied
2019/04/22 10:53:33 Builds completed. Waiting on interrupt barrier...
2019/04/22 10:53:33 machine readable: error-count []string{"1"}
Build 'eks' errored: scp: /tmp/worker//kubelet-config-with-secret-polling.json: Permission denied

Is there any chance someone can help me solve this?

Rickard von Essen
Apr 22, 2019, 12:25:00 PM
to packe...@googlegroups.com
Could you rerun with PACKER_LOG=1 and supply the full output and what variables you are using?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/46e67e2f-7bfd-49c0-82c4-5ec1e4c8750e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Zachary Estrella
Apr 22, 2019, 12:33:46 PM
to Packer
Here are the full logs that are relevant.

==> eks: Waiting for instance (i-02802c4ff2bc6eb91) to become ready...
2019/04/22 12:30:13 packer: 2019/04/22 12:30:13 [INFO] Not using winrm communicator, skipping get password...
==> eks: Using ssh communicator to connect: 18.232.50.43
2019/04/22 12:30:13 packer: 2019/04/22 12:30:13 [INFO] Waiting for SSH, up to timeout: 5m0s
==> eks: Waiting for SSH to become available...
2019/04/22 12:30:15 packer: 2019/04/22 12:30:15 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 18.232.50.43:22: connect: connection refused
2019/04/22 12:30:20 packer: 2019/04/22 12:30:20 [INFO] Attempting SSH connection to 18.232.50.43:22...
2019/04/22 12:30:20 packer: 2019/04/22 12:30:20 [DEBUG] Config to &ssh.Config{SSHConfig:(*ssh.ClientConfig)(0xc0002be0d0), Connection:(func() (net.Conn, error))(0x1a02bc0), Pty:true, DisableAgentForwarding:false, HandshakeTimeout:0, UseSftp:false, KeepAliveInterval:5000000000, Timeout:0}...
2019/04/22 12:30:20 packer: 2019/04/22 12:30:20 [DEBUG] reconnecting to TCP connection for SSH
2019/04/22 12:30:20 packer: 2019/04/22 12:30:20 [DEBUG] handshaking with SSH
2019/04/22 12:30:20 packer: 2019/04/22 12:30:20 [DEBUG] handshake complete!
2019/04/22 12:30:20 packer: 2019/04/22 12:30:20 [DEBUG] Opening new ssh session
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] agent forwarding enabled
==> eks: Connected to SSH!
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 Running the provision hook
2019/04/22 12:30:21 [INFO] (telemetry) Starting provisioner shell
==> eks: Provisioning with shell script: /var/folders/h_/lz750kv55h7gm_fc8svh52nr1_gwwm/T/packer-shell643574894
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 Opening /var/folders/h_/lz750kv55h7gm_fc8svh52nr1_gwwm/T/packer-shell643574894 for reading
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] 72 bytes written for 'uploadData'
2019/04/22 12:30:21 [INFO] 72 bytes written for 'uploadData'
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Opening new ssh session
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Starting remote scp process:  scp -vt /tmp
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Started SCP session, beginning transfers...
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Copying input data into temporary file so we can read the length
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] scp: Uploading script_6094.sh: perms=C0644 size=72
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] SCP session complete, closing stdin pipe.
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Waiting for SSH session to complete.
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] scp stderr (length 30): Sink: C0644 72 script_6094.sh
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Opening new ssh session
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] starting remote command: chmod 0755 /tmp/script_6094.sh
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] RPC endpoint: Communicator ended with: 0
2019/04/22 12:30:21 [INFO] RPC client: Communicator ended with: 0
2019/04/22 12:30:21 [INFO] RPC endpoint: Communicator ended with: 0
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] RPC client: Communicator ended with: 0
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] Opening new ssh session
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [DEBUG] starting remote command: chmod +x /tmp/script_6094.sh; PACKER_BUILDER_TYPE='amazon-ebs' PACKER_BUILD_NAME='eks'  /tmp/script_6094.sh
2019/04/22 12:30:21 [INFO] 46 bytes written for 'stdout'
2019/04/22 12:30:21 [INFO] 0 bytes written for 'stderr'
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [ERROR] Remote command exited with '126': chmod +x /tmp/script_6094.sh; PACKER_BUILDER_TYPE='amazon-ebs' PACKER_BUILD_NAME='eks'  /tmp/script_6094.sh
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] RPC endpoint: Communicator ended with: 126
2019/04/22 12:30:21 [INFO] RPC client: Communicator ended with: 126
2019/04/22 12:30:21 [INFO] RPC endpoint: Communicator ended with: 126
    eks: bash: /tmp/script_6094.sh: Permission denied
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] 46 bytes written for 'stdout'
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] 0 bytes written for 'stderr'
2019/04/22 12:30:21 packer: 2019/04/22 12:30:21 [INFO] RPC client: Communicator ended with: 126
2019/04/22 12:30:21 [INFO] (telemetry) ending shell
==> eks: Terminating the source AWS instance...
==> eks: Cleaning up any extra volumes...
==> eks: No volumes to clean up, skipping
==> eks: Deleting temporary security group...
==> eks: Deleting temporary keypair...
2019/04/22 12:30:53 [INFO] (telemetry) ending amazon-ebs
2019/04/22 12:30:53 ui error: Build 'eks' errored: Script exited with non-zero exit status: 126.Allowed exit codes are: [0]
2019/04/22 12:30:53 Builds completed. Waiting on interrupt barrier...
Build 'eks' errored: Script exited with non-zero exit status: 126.Allowed exit codes are: [0]

2019/04/22 12:30:53 machine readable: error-count []string{"1"}
2019/04/22 12:30:53 ui error:
==> Some builds didn't complete successfully and had errors:
2019/04/22 12:30:53 machine readable: eks,error []string{"Script exited with non-zero exit status: 126.Allowed exit codes are: [0]"}
==> Some builds didn't complete successfully and had errors:
2019/04/22 12:30:53 ui error: --> eks: Script exited with non-zero exit status: 126.Allowed exit codes are: [0]
==> Builds finished but no artifacts were created.
--> eks: Script exited with non-zero exit status: 126.Allowed exit codes are: [0]

==> Builds finished but no artifacts were created.
2019/04/22 12:30:53 [INFO] (telemetry) Finalizing.
2019/04/22 12:30:53 waiting for all plugin processes to complete...
2019/04/22 12:30:53 /usr/local/bin/packer: plugin process exited
2019/04/22 12:30:53 /usr/local/bin/packer: plugin process exited
2019/04/22 12:30:53 /usr/local/bin/packer: plugin process exited
2019/04/22 12:30:53 /usr/local/bin/packer: plugin process exited
2019/04/22 12:30:53 /usr/local/bin/packer: plugin process exited

And these are my variables.

{
  "variables": {
    "ami_name_prefix": "rhel76",
    "kubernetes_version": "1.12",
    "aws_region": "us-east-1",
    "ami_name": "amazon-eks-node-{{timestamp}}",
    "version_str": "{{ timestamp }}",
    "binary_bucket_name": "amazon-eks",
    "binary_bucket_region": "us-east-1",
    "binary_bucket_path": "1.12.7/2019-03-27/bin/linux/amd64",
    "docker_version": "18.06",
    "aws_subnet_id": "subnet-111111111",
    "creator": "DevOps",
    "instance_type": "m4.large",
    "source_ami_owners": "1111111111",
    "source_ami_regex": "rhel76-hardened*",
    "encrypted": "false",
    "kms_key_id": "",
    "cni_version": "v0.6.0",
    "cni_plugin_version": "v0.7.5",
    "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}"
  }
}

Zachary Estrella
Apr 22, 2019, 12:37:06 PM
to Packer
Something worth mentioning is that this is being run on top of a CIS level 1 hardened machine. I think I am doing something wrong or not in the right steps to get the expected results, but then again I have not modified the original packer .json file provided by Amazon enough to break it.

Rickard von Essen
Apr 22, 2019, 1:19:09 PM
to packe...@googlegroups.com
Most likely your hardening prevents executables in /tmp.

It fails on:
chmod +x /tmp/script_6094.sh

Try to set:

To somewhere inside the SSH user's home directory.

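
An added pre-flight check, not from the thread or from Packer itself, that confirms the diagnosis above before the template is changed: it walks a /proc/mounts table to find the mount that actually holds a path and reports whether that mount carries noexec. The mounts table and the /home/ec2-user/tmp path are constructed for the example.

```sh
# Added example, not from the thread or Packer: find the mount that holds a
# path and report whether it is mounted noexec, the usual CIS hardening behind
# "bash: /tmp/script_6094.sh: Permission denied" (exit status 126).

# mount_opts_for PATH [MOUNTS_FILE]: options of the longest mount point that
# is a prefix of PATH, i.e. the mount that actually holds it.
mount_opts_for() {
  path=$1 mounts=${2:-/proc/mounts} best='' best_opts=''
  while read -r _dev mnt _fstype opts _rest; do
    case "$path" in
      "$mnt"|"$mnt"/*) match=1 ;;
      *) [ "$mnt" = / ] && match=1 || match=0 ;;
    esac
    if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
      best=$mnt best_opts=$opts
    fi
  done < "$mounts"
  printf '%s\n' "$best_opts"
}

# is_noexec PATH [MOUNTS_FILE]: succeeds when PATH sits on a noexec mount.
is_noexec() {
  case ",$(mount_opts_for "$1" "$2")," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_remote_folder DIR [MOUNTS_FILE]: pre-flight test for a shell
# provisioner's remote_folder (or a file provisioner's destination).
check_remote_folder() {
  if is_noexec "$1" "$2"; then
    echo "$1: noexec mount, put remote_folder under the SSH user's home" >&2
    return 1
  fi
  echo "$1: scripts can be executed here"
}

# Constructed /proc/mounts sample for a CIS-style hardened host (not real data).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/xvda1 / xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/xvda2 /home xfs rw,nosuid,nodev,relatime 0 0
EOF
for dir in /tmp /home/ec2-user/tmp; do
  check_remote_folder "$dir" "$SAMPLE_MOUNTS" || :
done
```

Run it on the real build host without the second argument to read the live /proc/mounts.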

Zachary Estrella
Apr 22, 2019, 1:50:32 PM
to Packer
So in the packer config file, I would set it like this? How would I properly create the folder and then point to that folder for use in the file provisioner and last shell provisioner?

"provisioners": [
    {
      "type": "shell",
      "inline": ["mkdir -p /home/ec2-user/tmp/worker/"],
      "remote_folder": "/home/ec2-user"
    },
    {
      "type": "file",
      "source": "./files/",
      "destination": "/home/ec2-user/tmp/worker"
    },
    {
      "type": "shell",
      "script": "shell/install-worker.sh",
      "remote_folder": "/home/ec2-user/tmp",
      "environment_vars": [
        "KUBERNETES_VERSION={{user `kubernetes_version`}}",
        "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
        "BINARY_BUCKET_PATH={{user `binary_bucket_path`}}",
        "BINARY_BUCKET_REGION={{user `binary_bucket_region`}}",
        "DOCKER_VERSION={{user `docker_version`}}",
        "CNI_VERSION={{user `cni_version`}}",
        "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}",
        "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
        "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
        "AWS_SESSION_TOKEN={{user `aws_session_token`}}"
      ]
    }
  ],

Rickard von Essen
Apr 22, 2019, 2:38:53 PM
to packe...@googlegroups.com
