Sorry, on my last post I mis-typed. Our proxy is denying us using SSH w/IP. SSH w/DNS is allowed. We can re-create this internally as the sec team's filter on proxy is denying ssh via IP and HAS to match white-listed DNS name. That's where packer is failing us as it's not using the public DNS name for the EC2 instance.
And, yes, I know how networking works...

On Thu, Feb 8, 2018 at 3:36 PM, Rickard von Essen <[email protected]> wrote:

> Ok good the you know that do. In reality the whitelisted DNS names are
> resolved to an IP and that is allowed.
>
> It can be useful to take a refresher on IP networking and DNS.
>
> On Feb 8, 2018 21:13, "Christopher Kalan" <[email protected]> wrote:
>
>> This is not an AWS issue. Our firewall/proxy denies us using and DNS
>> name. For example taking HashiCorp out of the equation:
>>
>> I can SSH to the DNS name of EC2. Our security teams deny us SSH'ing to
>> IP and only allow DNS. They do not want to maintain long lists of
>> whitelisted IPs I was told.
>>
>> On Thu, Feb 8, 2018 at 2:14 PM, Rickard von Essen <[email protected]> wrote:
>>
>>> When you are running with the private DNS name it fails on lookup of the
>>> DNS name, since you are not running inside an AWS VPC and use their domain
>>> resolvers (DNS servers).
>>>
>>> > TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host
>>>
>>> When you are running with a public DNS name it is resolved to the IP
>>> 52.90.77.167 which Packer tries to connect to (on port 22). But nothing
>>> answers, most likely one of these four things is wrong: 1) Your local
>>> (company) firewall blocks outgoing SSH (tcp/22), 2) an AWS VPC ACL denies
>>> tcp/22, 3) the AWS Security Group doesn't allow traffic to the instance on
>>> tcp/22, 4) your EC2 instance fails to bring up sshd and thus doesn't
>>> answer.
>>>
>>> > TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>
>>> Just speculating, I would guess the most likely is nr 1. Get into
>>> contact with one of your network admins.
>>>
>>> On 8 February 2018 at 20:01, Christopher Kalan <[email protected]> wrote:
>>>
>>>> I am confused. We connect to our instances through our proxy with a DNS
>>>> name. Our proxy rejects anything that is not DNS. So if we try to SSH to an
>>>> EC2 instance using IP through our proxy it will fail but will work with
>>>> DNS.
>>>>
>>>> When setting packer to use private_DNS it shows DNS not IP. This is
>>>> what I would expect when setting it to public_DNS also but the log shows it
>>>> setting it to IP.
>>>>
>>>> Here is a comparison of the logs using
>>>>
>>>> private:
>>>>
>>>> 2018/02/08 14:00:27 packer: 2018/02/08 14:00:27 [DEBUG] TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host
>>>>
>>>> public:
>>>>
>>>> 2018/02/08 13:03:44 packer: 2018/02/08 13:03:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>
>>>> On Thu, Feb 8, 2018 at 1:34 PM, Rickard von Essen <[email protected]> wrote:
>>>>
>>>>> Sorry I'm not sure I follow what your problem is?
>>>>>
>>>>> A DNS record resolves to an IP, it is impossible "to connect to a DNS
>>>>> name"
>>>>>
>>>>> On Feb 8, 2018 19:27, "Dayma" <[email protected]> wrote:
>>>>>
>>>>>> All, our proxy is only allowing us to go after DNS instead of IP.
>>>>>> When I use the : "ssh_interface": "public_dns" I was hoping that it
>>>>>> would use the DNS of the EC2 instance. Looking in the logs it appears that
>>>>>> even though I am telling it to use DNS it's still using the IP of the EC2
>>>>>> instance:
>>>>>>
>>>>>> 018/02/08 13:02:29 packer: 2018/02/08 13:02:29 [INFO] Waiting for SSH, up to timeout: 5m0s
>>>>>> 2018/02/08 13:02:29 ui: ==> amazon-ebs: Waiting for SSH to become available...
>>>>>> 2018/02/08 13:02:44 packer: 2018/02/08 13:02:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>> 2018/02/08 13:03:04 packer: 2018/02/08 13:03:04 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>> 2018/02/08 13:03:24 packer: 2018/02/08 13:03:24 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>> 2018/02/08 13:03:44 packer: 2018/02/08 13:03:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>>
>>>>>> *Interesting though. When I set it to "private_DNS" it seems to
>>>>>> actually go after the private DNS of the EC2 instance. So that appears to
>>>>>> be working for private_DNS.
>>>>>>
>>>>>> Any help is appreciated.
>>>>>>
>>>>>> Thanks!!!
>>>>>>
>>>>>> --
>>>>>> This mailing list is governed under the HashiCorp Community
>>>>>> Guidelines - https://www.hashicorp.com/community-guidelines.html.
>>>>>> Behavior in violation of those guidelines may result in your removal from
>>>>>> this mailing list.
>>>>>>
>>>>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>>>>> IRC: #packer-tool on Freenode
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Packer" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msgid/packer-tool/2d767812-d48a-4d26-a518-13e03521e8c6%40googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
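An added example, not part of the thread and not Packer's own code: a Go triage of the two debug lines quoted above, separating a failed name lookup from a connect timeout to an address that was already resolved. The `Finding` type and `Triage` function are hypothetical names, and the log format is assumed to match the lines quoted in the thread.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Finding is the triage result for one "TCP connection to SSH ip/port failed" line.
type Finding struct {
	Stage  string // "dns-lookup", "tcp-connect" or "unknown"
	Target string // name that failed to resolve, or host part of the dialed address
	Port   string // port exactly as logged (empty for lookup failures)
	IsIP   bool   // true when the dialed host is an IP literal, i.e. resolution already happened
}

var (
	lookupRe = regexp.MustCompile(`dial tcp: lookup (\S+): no such host`)
	dialRe   = regexp.MustCompile(`dial tcp (\S+): i/o timeout`)
)

// Triage classifies a log line by the phase that failed: name resolution or TCP connect.
func Triage(line string) Finding {
	if m := lookupRe.FindStringSubmatch(line); m != nil {
		return Finding{Stage: "dns-lookup", Target: m[1]}
	}
	if m := dialRe.FindStringSubmatch(line); m != nil {
		host, port, err := net.SplitHostPort(m[1])
		if err != nil {
			return Finding{Stage: "unknown", Target: m[1]}
		}
		return Finding{Stage: "tcp-connect", Target: host, Port: port, IsIP: net.ParseIP(host) != nil}
	}
	return Finding{Stage: "unknown"}
}

func main() {
	// The two log lines compared in the thread (private_dns, then public_dns).
	lines := []string{
		"2018/02/08 14:00:27 packer: 2018/02/08 14:00:27 [DEBUG] TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host",
		"2018/02/08 13:03:44 packer: 2018/02/08 13:03:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout",
	}
	for _, l := range lines {
		fmt.Printf("%+v\n", Triage(l))
	}
}
```

A `dns-lookup` finding means the resolver in use cannot answer for the name; a `tcp-connect` finding with `IsIP` set means the name resolved and the block is somewhere on the path to that address and port.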
