Packer TCP connection to SSH ip/port when setting "ssh_interface": "public_dns",


Dayma

Feb 8, 2018, 1:27:15 PM
to Packer
All, our proxy is only allowing us to go after DNS instead of IP. When I use "ssh_interface": "public_dns" I was hoping that it would use the DNS of the EC2 instance. Looking in the logs it appears that even though I am telling it to use DNS it's still using the IP of the EC2 instance:

2018/02/08 13:02:29 packer: 2018/02/08 13:02:29 [INFO] Waiting for SSH, up to timeout: 5m0s
2018/02/08 13:02:29 ui: [1;32m==> amazon-ebs: Waiting for SSH to become available... [0m
2018/02/08 13:02:44 packer: 2018/02/08 13:02:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
2018/02/08 13:03:04 packer: 2018/02/08 13:03:04 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
2018/02/08 13:03:24 packer: 2018/02/08 13:03:24 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
2018/02/08 13:03:44 packer: 2018/02/08 13:03:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout

Interesting though: when I set it to "private_DNS" it seems to actually go after the private DNS of the EC2 instance. So that appears to be working for private_DNS.

Any help is appreciated.

Thanks!!!

Rickard von Essen

Feb 8, 2018, 1:34:08 PM
to packe...@googlegroups.com
Sorry, I'm not sure I follow what your problem is.

A DNS record resolves to an IP; it is impossible "to connect to a DNS name".


Christopher Kalan

Feb 8, 2018, 2:01:45 PM
to packe...@googlegroups.com
I am confused. We connect to our instances through our proxy with a DNS name. Our proxy rejects anything that is not DNS. So if we try to SSH to an EC2 instance using IP through our proxy it will fail but will work with DNS.

When setting packer to use private_DNS it shows DNS, not IP. This is what I would expect when setting it to public_DNS also, but the log shows it setting it to IP.

Here is a comparison of the logs using:

private:

2018/02/08 14:00:27 packer: 2018/02/08 14:00:27 [DEBUG] TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host

public:

Rickard von Essen

Feb 8, 2018, 2:14:37 PM
to packe...@googlegroups.com
When you are running with the private DNS name it fails on lookup of the DNS name, since you are not running inside an AWS VPC and using their domain resolvers (DNS servers).

TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host

When you are running with a public DNS name it is resolved to the IP 52.90.77.167 which Packer tries to connect to (on port 22). But nothing answers; most likely one of these four things is wrong: 1) your local (company) firewall blocks outgoing SSH (tcp/22), 2) an AWS VPC ACL denies tcp/22, 3) the AWS Security Group doesn't allow traffic to the instance on tcp/22, 4) your EC2 instance fails to bring up sshd and thus doesn't answer.
> TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout

Just speculating, I would guess the most likely is nr 1. Get in contact with one of your network admins.

Christopher Kalan

Feb 8, 2018, 3:13:51 PM
to packe...@googlegroups.com
This is not an AWS issue. Our firewall/proxy denies us using and DNS name. For example taking HashiCorp out of the equation:

I can SSH to the DNS name of EC2. Our security teams deny us SSH'ing to IP and only allow DNS. They do not want to maintain long lists of whitelisted IPs, I was told.

Rickard von Essen

Feb 8, 2018, 3:36:49 PM
to packe...@googlegroups.com
Ok, good that you know that then. In reality the whitelisted DNS names are resolved to an IP and that is allowed.

It can be useful to take a refresher on IP networking and DNS. 

Christopher Kalan

Feb 8, 2018, 4:36:46 PM
to packe...@googlegroups.com
Sorry, on my last post I mis-typed.

Our proxy is denying us using SSH w/IP. SSH w/DNS is allowed. We can re-create this internally, as the sec team's filter on the proxy is denying ssh via IP and HAS to match a white-listed DNS name. That's where packer is failing us, as it's not using the public DNS name for the EC2 instance.

And, yes, I know how networking works...


Rickard von Essen

Feb 9, 2018, 1:45:54 AM
to packe...@googlegroups.com
First of all I can assure you that packer is using the public DNS name that the AWS API returns for the instance. (See https://github.com/hashicorp/packer/blob/master/builder/amazon/common/ssh.go#L45-L48)

And there isn't really anything as SSH w/DNS. If you SSH to a DNS name the host resolves the DNS name and uses the IP address. (Otherwise please clarify in which IPv4 header field the DNS host name is put and how it's routed.)

Some steps to troubleshoot this:
1) Check the DNS hostname the instance returns as its public DNS name in the API/AWS Console.
2) Check which IP it resolves to (dig <hostname>)
3) Check which DNS name you whitelisted in the FW
4) Check which IP address the FW resolved this DNS name to

If you want to keep the EC2 instance running while troubleshooting and enable verbose debug messages do: PACKER_LOG=1 packer build -on-error=ask <template.json>
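A small triage helper for the two failure shapes quoted in this thread, written as an added example (it is not Packer's code and not from any poster): a "lookup ... no such host" line means the name never resolved and no packet left the machine, while a "dial tcp IP:PORT: i/o timeout" line means resolution succeeded (or an IP was used) and the TCP SYN went unanswered, which points at the firewall/NACL/security-group/sshd list above. It also extracts the dialled port; on the log line quoted in this thread that port is 2, which is worth checking against the template's ssh_port before chasing firewall rules. Kind names and the constructed sample lines are this example's own.

```go
package main

import (
	"regexp"
	"strconv"
)

// SSHFailure is one parsed "[DEBUG] TCP connection to SSH ip/port failed" line.
type SSHFailure struct {
	Kind string // "dns-lookup", "tcp-timeout" or "unknown" (names chosen here)
	Host string // name that failed to resolve, or the IP that was dialled
	Port int    // port dialled; 0 when the failure happened before dialling
}

var (
	// Lookup failed: no packet left the machine (zone not visible to resolver).
	lookupRe = regexp.MustCompile(`dial tcp: lookup (\S+): no such host`)
	// SYN unanswered after resolving: egress filter, NACL, SG, or no sshd yet.
	timeoutRe = regexp.MustCompile(`dial tcp (\d+(?:\.\d+){3}):(\d+): i/o timeout`)
)

// ClassifySSHFailure maps a Packer debug line to the layer at which it died.
func ClassifySSHFailure(line string) SSHFailure {
	if m := lookupRe.FindStringSubmatch(line); m != nil {
		return SSHFailure{Kind: "dns-lookup", Host: m[1]}
	}
	if m := timeoutRe.FindStringSubmatch(line); m != nil {
		port, _ := strconv.Atoi(m[2])
		return SSHFailure{Kind: "tcp-timeout", Host: m[1], Port: port}
	}
	return SSHFailure{Kind: "unknown"}
}

// Diagnose tallies kinds over a PACKER_LOG=1 run and flags a dialled port
// that differs from the port the template expects (wantPort).
func Diagnose(lines []string, wantPort int) (counts map[string]int, wrongPort bool) {
	counts = map[string]int{}
	for _, l := range lines {
		f := ClassifySSHFailure(l)
		counts[f.Kind]++
		if f.Port != 0 && f.Port != wantPort {
			wrongPort = true
		}
	}
	return counts, wrongPort
}

// SampleLines are constructed from the two line shapes quoted in the thread.
var SampleLines = []string{
	`[DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout`,
	`[DEBUG] TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host`,
}
```

Feed it the whole PACKER_LOG=1 output; a run dominated by "tcp-timeout" with the right port is the firewall/SG case, while "dns-lookup" means the resolver you are building from cannot see that zone.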
