我希望我的EC2实例具有基于IAM的权限,但不希望该实例上的Docker容器具有相同的权限。我认为阻止访问魔术IP应该足够了169.254.169.254。运行是否足够:
iptables -I DOCKER -s 169.254.169.254 -j DROP
我还需要使用--icc=false或配置我的docker守护进程--iptables=false吗?
我想构建一个具有两个块设备的 AMI,这两个块设备在配置期间进行修改。当我使用 packer 创建 AMI 时,它似乎没有拍摄块设备的新快照。有没有办法强制这个?
我的模板是
{
"builders": [{
"type": "amazon-ebs",
"region": "us-east-1",
"source_ami": "ami-08842d60",
"instance_type": "m4.2xlarge",
"security_group_id": "<redacted>",
"subnet_id" : "<redacted>",
"ssh_username": "ec2-user",
"ssh_pty": true,
"ami_name": "testing {{timestamp}}",
"ami_block_device_mappings": [{
"device_name": "/dev/sdf",
"volume_type": "gp2",
"volume_size": 100,
"delete_on_termination": true,
"encrypted": true
}, {
"device_name": "/dev/sdg",
"volume_type": "gp2",
"volume_size": 100,
"delete_on_termination": true,
"encrypted": true
}]
}]
}