First of all I can assure you that packer is using the public DNS name that the AWS API returns for the instance. (See https://github.com/hashicorp/packer/blob/master/builder/amazon/common/ssh.go#L45-L48)

And there isn't really anything as SSH w/DNS. If you SSH to a DNS name the host resolves the DNS name and uses the IP address. (Otherwise please clarify in which IPv4 header field the DNS host name is put and how it's routed.)

Some steps to troubleshoot this:

1) Check the DNS hostname the instance returns as its public DNS name in the API/AWS Console.
2) Check which IP it resolves to (dig <hostname>)
3) Check which DNS name you whitelisted in the FW
4) Check which IP address the FW resolved this DNS name to

If you want to keep the EC2 instance running while troubleshooting and enable verbose debug messages do:

    PACKER_LOG=1 packer build -on-error=ask <template.json>

On 8 February 2018 at 22:36, Christopher Kalan <[email protected]> wrote:

> Sorry, on my last post I mis-typed.
>
> Our proxy is denying us using SSH w/IP. SSH w/DNS is allowed. We can
> re-create this internally as the sec team's filter on proxy is denying ssh
> via IP and HAS to match white-listed DNS name. That's where packer is
> failing us as it's not using the public DNS name for the EC2 instance.
>
> And, yes, I know how networking works...
>
> On Thu, Feb 8, 2018 at 3:36 PM, Rickard von Essen <[email protected]> wrote:
>
>> Ok good the you know that do. In reality the whitelisted DNS names are
>> resolved to an IP and that is allowed.
>>
>> It can be useful to take a refresher on IP networking and DNS.
>>
>> On Feb 8, 2018 21:13, "Christopher Kalan" <[email protected]> wrote:
>>
>>> This is not an AWS issue. Our firewall/proxy denies us using and DNS
>>> name. For example taking HashiCorp out of the equation:
>>>
>>> I can SSH to the DNS name of EC2. Our security teams deny us SSH'ing to
>>> IP and only allow DNS. They do not want to maintain long lists of
>>> whitelisted IPs I was told.
>>>
>>> On Thu, Feb 8, 2018 at 2:14 PM, Rickard von Essen <[email protected]> wrote:
>>>
>>>> When you are running with the private DNS name it fails on lookup of
>>>> the DNS name, since you are not running inside an AWS VPC and use their
>>>> domain resolvers (DNS servers).
>>>> > TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host
>>>>
>>>> When you are running with a public DNS name it is resolved to the IP
>>>> 52.90.77.167 which Packer tries to connect to (on port 22). But nothing
>>>> answers, most likely one of these four things is wrong: 1) Your local
>>>> (company) firewall blocks outgoing SSH (tcp/22), 2) an AWS VPC ACL denies
>>>> tcp/22, 3) AWS Security Group doesn't allow traffic to the instance on
>>>> tcp/22, 4) your EC2 instance fails to bring up sshd and thus doesn't
>>>> answer.
>>>> > TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>
>>>> Just speculating, I would guess the most likely is nr 1. Get into
>>>> contact with one of your network admins.
>>>>
>>>> On 8 February 2018 at 20:01, Christopher Kalan <[email protected]> wrote:
>>>>
>>>>> I am confused. We connect to our instances through our proxy with a
>>>>> DNS name. Our proxy rejects anything that is not DNS. So if we try to SSH
>>>>> to an EC2 instance using IP through our proxy it will fail but will work
>>>>> with DNS.
>>>>>
>>>>> When setting packer to use private_DNS it shows DNS not IP. This is
>>>>> what I would expect when setting it to public_DNS also but the log shows
>>>>> it setting it to IP.
>>>>>
>>>>> Here is a comparison of the logs using
>>>>>
>>>>> private:
>>>>>
>>>>> 2018/02/08 14:00:27 packer: 2018/02/08 14:00:27 [DEBUG] TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host
>>>>>
>>>>> public:
>>>>>
>>>>> 2018/02/08 13:03:44 packer: 2018/02/08 13:03:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>
>>>>> On Thu, Feb 8, 2018 at 1:34 PM, Rickard von Essen <[email protected]> wrote:
>>>>>
>>>>>> Sorry I'm not sure I follow what your problem is?
>>>>>>
>>>>>> A DNS record resolves to an IP, it is impossible "to connect to a DNS
>>>>>> name"
>>>>>>
>>>>>> On Feb 8, 2018 19:27, "Dayma" <[email protected]> wrote:
>>>>>>
>>>>>>> All, our proxy is only allowing us to go after DNS instead of IP.
>>>>>>> When I use the : "ssh_interface": "public_dns" I was hoping that it
>>>>>>> would use the DNS of the EC2 instance. Looking in the logs it appears
>>>>>>> that even though I am telling it to use DNS it's still using the IP of
>>>>>>> the EC2 instance:
>>>>>>>
>>>>>>> 018/02/08 13:02:29 packer: 2018/02/08 13:02:29 [INFO] Waiting for SSH, up to timeout: 5m0s
>>>>>>> 2018/02/08 13:02:29 ui: ==> amazon-ebs: Waiting for SSH to become available...
>>>>>>> 2018/02/08 13:02:44 packer: 2018/02/08 13:02:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>>> 2018/02/08 13:03:04 packer: 2018/02/08 13:03:04 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>>> 2018/02/08 13:03:24 packer: 2018/02/08 13:03:24 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>>> 2018/02/08 13:03:44 packer: 2018/02/08 13:03:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
>>>>>>>
>>>>>>> *Interesting though. When I set it to "private_DNS" it seems to
>>>>>>> actually go after the private DNS of the EC2 instance. So that appears
>>>>>>> to be working for private_DNS.
>>>>>>>
>>>>>>> Any help is appreciated.
>>>>>>>
>>>>>>> Thanks!!!
>>>>>>>
>>>>>>> --
>>>>>>> This mailing list is governed under the HashiCorp Community
>>>>>>> Guidelines - https://www.hashicorp.com/community-guidelines.html.
>>>>>>> Behavior in violation of those guidelines may result in your removal
>>>>>>> from this mailing list.
>>>>>>>
>>>>>>> GitHub Issues: https://github.com/mitchellh/packer/issues
>>>>>>> IRC: #packer-tool on Freenode
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Packer" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/d/msgid/packer-tool/2d767812-d48a-4d26-a518-13e03521e8c6%40googlegroups.com
>>>>>>> <https://groups.google.com/d/msgid/packer-tool/2d767812-d48a-4d26-a518-13e03521e8c6%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>>>>>> For more options, visit https://groups.google.com/d/optout.
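
Added example (not part of the original thread and not Packer's own code): a small Python triage script that sorts the two "dial tcp" failures quoted in the thread by the stage at which they failed, name resolution or TCP connect, and attaches the matching check from the replies. The sample lines are copied from the thread; the function names, hint texts and the expected_port parameter are assumptions made for this illustration.

```python
import re
from collections import Counter

# Sample input: debug lines as quoted in the thread (port shown as logged there).
SAMPLE_LOG = """\
2018/02/08 14:00:27 packer: 2018/02/08 14:00:27 [DEBUG] TCP connection to SSH ip/port failed: dial tcp: lookup ip-172-31-34-206.ec2.internal: no such host
2018/02/08 13:02:29 packer: 2018/02/08 13:02:29 [INFO] Waiting for SSH, up to timeout: 5m0s
2018/02/08 13:02:44 packer: 2018/02/08 13:02:44 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
2018/02/08 13:03:04 packer: 2018/02/08 13:03:04 [DEBUG] TCP connection to SSH ip/port failed: dial tcp 52.90.77.167:2: i/o timeout
"""

# Resolution failed: no address was obtained, so no connection was attempted.
LOOKUP_RE = re.compile(r"dial tcp: lookup (?P<name>\S+?)(?: on \S+)?: (?P<reason>.+)$")
# Resolution already happened: the client dialled an IP and the connect failed.
CONNECT_RE = re.compile(
    r"dial tcp (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<reason>.+)$")

# Hint texts are this example's wording of the checks listed in the thread.
HINTS = {
    "dns": "name not resolvable from this host: check hostname and resolver (dig)",
    "connect": "resolved but unanswered: check local FW, VPC ACL, security group, sshd",
}

def classify(line, expected_port=22):
    """Return a dict for a dial failure, or None for any other log line."""
    m = LOOKUP_RE.search(line)
    if m:
        return {"stage": "dns", "target": m["name"], "port": None,
                "reason": m["reason"], "port_mismatch": False}
    m = CONNECT_RE.search(line)
    if m:
        port = int(m["port"])
        return {"stage": "connect", "target": m["ip"], "port": port,
                "reason": m["reason"], "port_mismatch": port != expected_port}
    return None

def summarize(log_text, expected_port=22):
    """Count failures per (stage, target, port, reason, port_mismatch)."""
    counts = Counter()
    for line in log_text.splitlines():
        info = classify(line.strip(), expected_port)
        if info:
            counts[tuple(info.values())] += 1
    return counts

if __name__ == "__main__":
    for (stage, target, port, reason, mismatch), n in summarize(SAMPLE_LOG).items():
        where = target if port is None else f"{target}:{port}"
        note = " (port differs from expected SSH port)" if mismatch else ""
        print(f"{n}x {stage:7} {where}: {reason}{note}\n   -> {HINTS[stage]}")
```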
