无法使用 CloudFormation 模板通过 SSH 连接到 EC2 实例
Posted
技术标签:
【中文标题】无法使用 CloudFormation 模板通过 SSH 连接到 EC2 实例【英文标题】:Not able to SSH into the EC2 Instance with CloudFormation Template 【发布时间】:2018-03-17 09:51:33 【问题描述】:我想从容器实例启动时开始一个任务。所以我遵循了这个Starting task at instance launch Document,它提供了 MIME 多部分用户数据脚本。我创建了一个云形成模板来使用 MIME 多部分用户数据脚本启动一个实例。
已使用云形成模板创建了 EC2 资源,但我无法通过 SSH 连接到该实例,也无法从 EC2 管理控制台获取系统日志。
CloudFormation 模板
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" :" ECS instance",
"Parameters" :
,
"Resources" :
"EC2Instance":
"Type" : "AWS::EC2::Instance",
"Properties" :
"SecurityGroupIds":["sg-16021f35"]
"ImageId" : "ami-ec33cc96",
"UserData":
"Fn::Base64":
"Fn::Join":[
"\n",
[
"Fn::Join":[
"",
[
"Content-Type: multipart/mixed; boundary=",
"==BOUNDARY=="
]
]
,
"MIME-Version: 1.0",
"--==BOUNDARY==",
"Fn::Join":[
"",
[
"Content-Type: text/upstart-job; charset=",
"us-ascii"
]
]
,
"#!/bin/bash",
"# Specify the cluster that the container instance should register into",
"echo ECS_CLUSTER=Demo >> /etc/ecs/ecs.config",
"# Install the AWS CLI and the jq JSON parser",
"yum install -y aws-cli jq",
"#upstart-job",
"Fn::Join":[
" ",[
"description",
"Amazon EC2 Container Service (start task on instance boot)"
]
]
,
"Fn::Join":[
" ",[
"author",
"Amazon Web Services"
]
]
,
"start on started ecs",
"script",
"exec 2>>/var/log/ecs/ecs-start-task.log",
"set -x",
"until curl -s http://localhost:51678/v1/metadata",
"do",
"sleep 1",
"done",
"# Grab the container instance ARN and AWS region from instance metadata",
"instance_arn=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F/ 'print $NF' )",
"cluster=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .Cluster' | awk -F/ 'print $NF' )",
"region=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F: 'print $4')",
"# Specify the task definition to run at launch",
"task_definition=ASG-Task",
"# Run the AWS CLI start-task command to start your task on this container instance",
"aws ecs start-task --cluster $cluster --task-definition $task_definition --container-instances $instance_arn --started-by $instance_arn",
"end script",
"--==BOUNDARY==--"
]
]
,
"IamInstanceProfile":"ecsInstanceRole",
"InstanceType":"t2.micro",
"SubnetId":"subnet-841103e1"
,
"Outputs" :
MIME 多部分用户数据:
Content-Type: multipart/mixed; boundary="==BOUNDARY=="
MIME-Version: 1.0
--==BOUNDARY==
Content-Type: text/x-shellscript; charset="us-ascii"
#!/bin/bash
# Specify the cluster that the container instance should register into
cluster=your_cluster_name
# Write the cluster configuration variable to the ecs.config file
# (add any other configuration variables here also)
echo ECS_CLUSTER=$cluster >> /etc/ecs/ecs.config
# Install the AWS CLI and the jq JSON parser
yum install -y aws-cli jq
--==BOUNDARY==
Content-Type: text/upstart-job; charset="us-ascii"
#upstart-job
description "Amazon EC2 Container Service (start task on instance boot)"
author "Amazon Web Services"
start on started ecs
script
exec 2>>/var/log/ecs/ecs-start-task.log
set -x
until curl -s http://localhost:51678/v1/metadata
do
sleep 1
done
# Grab the container instance ARN and AWS region from instance metadata
instance_arn=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F/ 'print $NF' )
cluster=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .Cluster' | awk -F/ 'print $NF' )
region=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F: 'print $4')
# Specify the task definition to run at launch
task_definition=my_task_def
# Run the AWS CLI start-task command to start your task on this container instance
aws ecs start-task --cluster $cluster --task-definition $task_definition --container-instances $instance_arn --started-by $instance_arn --region $region
end script
--==BOUNDARY==--
【问题讨论】:
我在您的 CloudFormation 模板中看不到任何安全组。除非您打开端口 22,否则您无法通过 SSH 连接到 EC2 实例。请参阅 docs.aws.amazon.com/AWSEC2/latest/UserGuide/… 和 docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/…。 更新了模板。我添加了在启动堆栈时向公共(0.0.0.0/0)开放端口 22 的安全组。有趣的是,当我通过向导(管理控制台)启动实例时,它运行良好。我想我在云形成模板的用户数据中遗漏了一些东西 从模板中剥离用户数据,看看您是否可以让基本的 SSH 到 EC2 正常工作。问题可能不是用户数据。在重新引入用户数据之前修复它。 【参考方案1】:您需要按照上面的 jarmod 的建议在您的形成模板中指定密钥文件和安全组。
【讨论】:
从 cloudformation 文档开始,它不是必需的。无论如何我已经在模板中给出了安全组。以上是关于无法使用 CloudFormation 模板通过 SSH 连接到 EC2 实例的主要内容,如果未能解决你的问题,请参考以下文章
无法通过 cloudformation 创建具有自动缩放功能的 AWS EMR
无法在 Cloudformation 模板中定义 Cloudwatch 警报的数学表达式
如何使用 cloudformation 模板创建 cloudwatch 事件?