I am trying to use Google Cloud Build to create Packer images, but with the machines being configured to have no external IP. The IAP options seem perfect for this, but I have yet to get a standard build to finish with those options being set. It always fails when trying to establish the SSH connection.
I have verified that it is not a permissions issue with the firewall rules or the service account IAM permissions as I can impersonate it on the CLI and there is no problem connecting through SSH to the private machines.
Reproduction Steps
Prepare a Google Cloud Build run, with the relevant steps to execute Packer with this plugin (example below).
Supply Packer with the config file described below (I do it through a cloud source repo).
Assign the proper permissions to the cloud build service account (I use a custom one). Most notable is IAP-secured Tunnel User but others will probably be required.
Configure your VPC firewall rules to allow the IAP CIDR (35.235.240.0/20) into all the instances in the VPC.
Trigger the build step and see it hang and time out on this message: "Waiting for SSH to become available...".
Plugin and Packer version
Plugin: 1.0.13
Packer: Docker image, light-1.8.2
Simplified Packer Buildfile
Note: I have tried with a dynamic and static IAP localhost port, with no setting making a difference.
Running in Google Cloud Build. I have tried both the default worker space and private worker pools.
VM image is a lightly modified version of Debian 11.3. The firewall allows SSH (port 22) and works fine when an external IP is attached, so this is also not the issue.
Using private worker pools. This replaces IAP (i.e. you disable it) and makes the cloud build node a part of a private worker pool that directly has access to the local IPs of the machines that it creates. This requires some extra firewall rules, IAM permissions, peering, and private service connections.
Hi @oinkbark, apologies for the delayed response, and thank you for the provided logs. Looking at the logs, I see the error "gcloud not found", which means that Packer is unable to access the Google Cloud CLI gcloud.
Do you know if the host machine running the Packer build has the gcloud CLI installed?
Actually, it looks like you are running Packer as a Docker container. The Packer container does not contain the Google SDK, which would explain the gcloud not found error. I don't believe you will be able to access the installed gcloud CLI from the runner as it is outside of the Packer container. The path forward here would be to install and run Packer directly on the runner after installing the Google Cloud CLI.
I have to look into Cloud Build to understand the options for installing and running Packer. But to get this working with IAP, Packer needs access to the gcloud executable.
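The failure diagnosed in the comment above can be caught before the build hangs at "Waiting for SSH to become available...". The following pre-flight check is an added example, not part of the original thread or the plugin's code: it assumes the template sets the googlecompute builder's `use_iap` option literally (not through a variable), and the names `iap_preflight`, `template_uses_iap` and `GCLOUD_BIN` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the plugin: pre-flight check for a Packer step.
# Assumption: the template sets use_iap literally (not through a variable).

# Command used for the lookup; override if gcloud lives outside PATH.
GCLOUD_BIN=${GCLOUD_BIN:-gcloud}

# Exit status 0 when the template enables IAP. Matches HCL (use_iap = true)
# and JSON ("use_iap": true); commented-out lines do not match.
template_uses_iap() {
    grep -Eq '^[[:space:]]*"?use_iap"?[[:space:]]*[=:][[:space:]]*true' "$1"
}

# Returns 0: safe to run packer, 1: IAP requested but gcloud missing,
# 2: template cannot be read.
iap_preflight() {
    template=$1
    if [ ! -r "$template" ]; then
        echo "preflight: cannot read template: $template" >&2
        return 2
    fi
    # No IAP in the template means Packer will not need gcloud.
    template_uses_iap "$template" || return 0
    if ! command -v "$GCLOUD_BIN" >/dev/null 2>&1; then
        echo "preflight: use_iap is set but '$GCLOUD_BIN' is not available here" >&2
        echo "preflight: install the Google Cloud CLI where Packer runs" >&2
        return 1
    fi
    return 0
}

# Usage in a build step:
#   iap_preflight build.pkr.hcl && packer build build.pkr.hcl
```

The check has to run inside the same container or step as Packer, since a gcloud binary on the runner outside the Packer container is not visible to it.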
Operating system and Environment details
Log Fragments and crash.log files
These are the relevant lines from packer.log, with the entire gist still being linked:
Potential Workarounds
Internally, it appears that this plugin is using this command, which is causing the issue:
I have been able to get the build to work using these two alternatives: