运行我制作的脚本后失去了对 ec2 实例的访问权限
我刚刚创建一个新实例来在 ec2 上部署 NextJS 项目,但每次运行以下脚本时,我都会失去对 ec2 实例的访问权限。任何人都可以帮我调试脚本有什么问题吗?我收到以下错误:
[email protected]: Permission denied (publickey).
这是脚本:
#!/bin/bash
# Shell Arguments
# 1. Domain name without "www" in front of it.
# 2. Path to the zip file in s3.
# 3. Name of the folder in which the website files is to be stored.
# 4. Email address that is used by certbot to create SSL certificate.
# 5. S3 Bucket name from which the zip file should be pulled from.
DOMAIN_NAME=$1
DOMAIN_NAME_WWW="www.$1"
ZIP_FILE_NAME=$2
DIR_NAME=$3
DIR=/home/ubuntu/$DIR_NAME
EMAIL=$4
AWS_S3_BUCKET=$5
cd /home/ubuntu/
echo "Updating Packages"
sudo apt -y update && sudo apt -y upgrade
echo "Installing Zip Unzip to extract the website content later"
sudo apt install zip unzip
echo "Installing AWS CLI"
sudo apt-get install awscli -y
echo "Installing Node"
curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -
sudo apt-get install -y nodejs
echo "Installing Nginx"
sudo apt-get install -y nginx
echo "Installing certbot"
sudo snap install --classic certbot
echo "Installing pm2 and yarn"
sudo npm i -g yarn
sudo npm i -g pm2
echo "Creating nginx config file"
sudo curl --silent https://gist.githubusercontent.com/utkarshk384/4fb1fc782351fbf2038560e9380fdd7c/raw/4bd1ede2f2d83134edc0c885c9d56cac75b8a391/nextjs-http > nextjs-http
sed -i "10s/SERVER_NAME/$DOMAIN_NAME $DOMAIN_NAME_WWW/" ./nextjs-http
echo "Moving ngnix config file"
sudo mv nextjs-http /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-available/default
echo "Changing few settings in nginx.conf"
LINE_NUMBER=`sed -n "/sites-enabled/=" /etc/nginx/nginx.conf`
sudo sed -i "s$LINE_NUMBERs|#||" /etc/nginx/nginx.conf
sudo sed -i "s$LINE_NUMBERs|sites-enabled\/\*|sites-enabled\/nextjs-http|" /etc/nginx/nginx.conf
sudo systemctl restart nginx
echo "Setting up server for ssl certificate"
sudo ufw allow ssh
sudo ufw --force enable
sudo ufw allow 'Nginx Full'
sudo ufw status
echo "Acquiring SSL Certificate"
sudo certbot --nginx -d $DOMAIN_NAME -d $DOMAIN_NAME_WWW --agree-tos -m $EMAIL --noninteractive
echo "Preflight installation completed. Starting to build website"
echo "Creating our website folder"
if [ -d "$DIR" ]; then
echo "${DIR} is already present"
else
echo "Creating new directory at ${DIR}"
mkdir $DIR
fi
echo "Downloading Website files from S3"
aws s3 cp s3://$AWS_S3_BUCKET/$ZIP_FILE_NAME $DIR/$ZIP_FILE_NAME
unzip -o /$DIR/$ZIP_FILE_NAME -d /$DIR
rm $DIR/$ZIP_FILE_NAME
# Set it to 777 so that the folder isn't write protected.
sudo chmod -R 666 $DIR
echo "Installing packages"
cd $DIR
sudo yarn
echo "Copying .env to website folder"
sudo cp ../.env.production ./
echo "Creating build"
yarn build
echo "Starting the website"
{
pm2 stop site
pm2 start site
} || {
pm2 start yarn --name site -- start 4000
pm2 save
}
echo "Started the site and is running"
pm2 status
# echo "Freeing Port 80 if occupied by apache"
# sudo systemctl disable apache2 && sudo systemctl stop apache2
我还尝试了以下方法来解决但没有成功:
- 最初我认为 AWS-CLI 导致了问题,所以我创建了一个新实例,然后安装了 AWS-CLI 并拉取S3 存储桶中的 zip 文件。之后,我重新启动了实例,发现这并不是导致问题的原因。
- 然后,我完全运行该脚本,只是失去了对该实例的访问权限。现在,我尝试通过设置
user-data来禁用 UFW,认为这可能是这里的问题。然而,令我惊讶的是,这仍然不是问题。
我传递给实例的用户数据如下:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type:
text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
iptables -F
sudo ufw disable
service sshd restart
--//
编辑:我确实有从系统日志中获取的 SSH 主机密钥指纹和 SSH 主机密钥。如果可能的话,我想在同一实例中恢复它。
编辑 2:我在另一个脚本上一一运行了所有脚本命令,没有发现任何问题。现在,我很困惑。
I was just creating a new instance to deploy a NextJS project on ec2 but every time I run the following script I lose access to the ec2 instance. Anyone can help me debug what is wrong with the script? I receive the following error:
[email protected]: Permission denied (publickey).
Here is the script:
#!/bin/bash
# Shell Arguments
# 1. Domain name without "www" in front of it.
# 2. Path to the zip file in s3.
# 3. Name of the folder in which the website files is to be stored.
# 4. Email address that is used by certbot to create SSL certificate.
# 5. S3 Bucket name from which the zip file should be pulled from.
DOMAIN_NAME=$1
DOMAIN_NAME_WWW="www.$1"
ZIP_FILE_NAME=$2
DIR_NAME=$3
DIR=/home/ubuntu/$DIR_NAME
EMAIL=$4
AWS_S3_BUCKET=$5
cd /home/ubuntu/
echo "Updating Packages"
sudo apt -y update && sudo apt -y upgrade
echo "Installing Zip Unzip to extract the website content later"
sudo apt install zip unzip
echo "Installing AWS CLI"
sudo apt-get install awscli -y
echo "Installing Node"
curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -
sudo apt-get install -y nodejs
echo "Installing Nginx"
sudo apt-get install -y nginx
echo "Installing certbot"
sudo snap install --classic certbot
echo "Installing pm2 and yarn"
sudo npm i -g yarn
sudo npm i -g pm2
echo "Creating nginx config file"
sudo curl --silent https://gist.githubusercontent.com/utkarshk384/4fb1fc782351fbf2038560e9380fdd7c/raw/4bd1ede2f2d83134edc0c885c9d56cac75b8a391/nextjs-http > nextjs-http
sed -i "10s/SERVER_NAME/$DOMAIN_NAME $DOMAIN_NAME_WWW/" ./nextjs-http
echo "Moving ngnix config file"
sudo mv nextjs-http /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-available/default
echo "Changing few settings in nginx.conf"
LINE_NUMBER=`sed -n "/sites-enabled/=" /etc/nginx/nginx.conf`
sudo sed -i "s$LINE_NUMBERs|#||" /etc/nginx/nginx.conf
sudo sed -i "s$LINE_NUMBERs|sites-enabled\/\*|sites-enabled\/nextjs-http|" /etc/nginx/nginx.conf
sudo systemctl restart nginx
echo "Setting up server for ssl certificate"
sudo ufw allow ssh
sudo ufw --force enable
sudo ufw allow 'Nginx Full'
sudo ufw status
echo "Acquiring SSL Certificate"
sudo certbot --nginx -d $DOMAIN_NAME -d $DOMAIN_NAME_WWW --agree-tos -m $EMAIL --noninteractive
echo "Preflight installation completed. Starting to build website"
echo "Creating our website folder"
if [ -d "$DIR" ]; then
echo "${DIR} is already present"
else
echo "Creating new directory at ${DIR}"
mkdir $DIR
fi
echo "Downloading Website files from S3"
aws s3 cp s3://$AWS_S3_BUCKET/$ZIP_FILE_NAME $DIR/$ZIP_FILE_NAME
unzip -o /$DIR/$ZIP_FILE_NAME -d /$DIR
rm $DIR/$ZIP_FILE_NAME
# Set it to 777 so that the folder isn't write protected.
sudo chmod -R 666 $DIR
echo "Installing packages"
cd $DIR
sudo yarn
echo "Copying .env to website folder"
sudo cp ../.env.production ./
echo "Creating build"
yarn build
echo "Starting the website"
{
pm2 stop site
pm2 start site
} || {
pm2 start yarn --name site -- start 4000
pm2 save
}
echo "Started the site and is running"
pm2 status
# echo "Freeing Port 80 if occupied by apache"
# sudo systemctl disable apache2 && sudo systemctl stop apache2
I also tried the following methods to resolve but didn't succeed:
- Initially I thought AWS-CLI was causing the issue so, I created a new instance and then installed AWS-CLI and pulled the zip file from S3 bucket. After that, I restarted the instance and found out that wasn't causing the issue.
- I then ran the script fully to just lose access to the instance. Now, I tried disabling UFW by setting
user-datathinking that might be the issue here. However, to my surprise that still wasn't the problem.
The user-data that I passed to the instance is as follows:
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type:
text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
iptables -F
sudo ufw disable
service sshd restart
--//
Edit: I do have SSH Host KEY Fingerprints and SSH HOST KEY that I got from the system log. If possible I'd like to recover it in the same instance.
Edit 2: I ran all the script commands one by one on another script and I found no issues. Now, I am seriously confused.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
建议使用
set -x和set +x进行调试以查找攻击性命令。并将输出重定向/存储到日志文件中。建议替换以下行(只是为了安全起见,没有令人反感的空格):
建议
检查
ufw命令。如果有任何通讯重置导致您断开连接。确保您当前的连接是端口 22 上的ssh。如果不是,请确保当前端口在ufw中也已打开Suggesting to debug with
set -xandset +xto find the offensive command. And redirect/store the output into a log file.Suggesting to replace the following lines (just to be on the safe side there is no offensive whitespaces):
With
Suggesting to check
ufwcommands. If there is any communication reset that disconnects you. Make sure your current connection issshon port 22. If not make sure the current port is open as well inufw