#packer

Discuss Packer for building AMIs and Docker Images Archive: https://archive.sweetops.com/packer/

2019-09-30

Anyone here use the checksum post processor to tag docker images with the checksum? Trying to figure this out

2019-09-18

Callum Robertson

Hey if anyone was interested, the problem was actually how Packer handles persistent consoles when it runs its provisioners. I had to increase the scope of the PS Drive to a global for it to persist past the instance of the scripting console.

2019-09-17

Callum Robertson

Hey @davidvasandani maybe you can help with my headache. I’m fairly new to Packer. I’ve written an AWS EBS-backed AMI template that runs a PowerShell script that connects a PS Drive to a remote file system and then runs an executable from that PSDrive. My logs say it runs the script defined in the Packer template but I see no effect on the AMI once I deploy it. Can you help?

Callum Robertson

I get the above output when I run the packer template, any idea on what’s going on?

davidvasandani

@Callum Robertson I don’t have much experience with Packer and Windows but I will need to practice for an upcoming project. Have you attempted to run Packer in debug mode and remote into the instance to run the command before it terminates?

Callum Robertson

Yeah doing that now, also upskilling my powershell logic to have logging and debugging

Callum Robertson

(why can’t the world run on linux)

davidvasandani

Let us know what you find! (if anything) otherwise we can revisit and try to help you figure out.

2019-08-28

2019-08-26

Bruce

Hey everyone! I am looking for a simpler way to use packer in our circleCI workflow. I am currently using the machine execution and having to install everything on top (which is a lot of steps). Has anyone got a more elegant solution?

davidvasandani

@Bruce can you give additional details? What’s the current issue you’re facing and what is your ideal state?

Bruce

Thanks @davidvasandani. I am currently using circleCI to bake the image using machine execution (VM) which then in each step (job) I install packer, set environment variables for AWS creds, pull secrets in from SSM and then use these to build. It’s a lot of steps as I found I cannot group them in one as the Env to pass through. I was hoping there was an easier way etc building a docker container that can encapsulate what I need. But I haven’t tried that yet.

davidvasandani

@Bruce Sorry, you’re using Packer to build a docker image? Highly highly recommend you switch to using a Dockerfile.

davidvasandani

It will work much better in CircleCI.

davidvasandani

and for your general sanity.

Bruce

Thanks @davidvasandani I managed to get this working creating a Dockerfile to do the work with circleCI. All kicked off with a script. It was a lot simpler.

2019-08-20

Erik Osterman

Thanks for reporting back @julien M. !

2019-08-17

julien M.

Hello @davidvasandani, so I have tested with the “vpc” var but it’s not the solution: I always have a temp AMI and after that a copy of this AMI

julien M.

So I have tested with your template and in this case I don’t have a copy

julien M.

So I use your template and I have made some modifications for my environment

julien M.

I think my problem comes from AMI-name or Tags …. when I will have some time for testing that

julien M.

Thank you for your time, with you my build job time decreased to 8min !!!

2019-08-16

davidvasandani

@julien M. any luck?

2019-08-14

julien M.

Hi here, any idea about my problem?

davidvasandani

@julien M. sorry dropped off there.

davidvasandani
{
  "variables": {
    "vpc": "{{env `BUILD_VPC_ID`}}",
    "subnet": "{{env `BUILD_SUBNET_ID`}}",
    "aws_region": "{{env `AWS_REGION`}}",
    "ami_name": "Latest-AMZN-{{isotime \"02-Jan-06 03_04_05\"}}"
  },
  "builders": [{
    "name": "AWS AMI Builder",
    "type": "amazon-ebs",
    "region": "{{user `aws_region`}}",
    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "amzn2-ami-ecs-hvm-2.0.*-x86_64-ebs",
        "root-device-type": "ebs"
      },
      "owners": ["137112412989", "591542846629", "801119661308",
        "102837901569", "013907871322", "206029621532",
        "286198878708", "443319210888"
      ],
      "most_recent": true
    },
    "instance_type": "t2.micro",
    "ssh_username": "ec2-user",
    "ami_name": "{{user `ami_name` | clean_ami_name}}",
    "tags": {
      "Name": "{{user `ami_name`}}"
    },
    "run_tags": {
      "Name": "{{user `ami_name`}}"
    },
    "run_volume_tags": {
      "Name": "{{user `ami_name`}}"
    },
    "snapshot_tags": {
      "Name": "{{user `ami_name`}}"
    },
    "ami_description": "Amazon Linux",
    "associate_public_ip_address": "true",
    "vpc_id": "{{user `vpc`}}",
    "subnet_id": "{{user `subnet`}}"
  }],
  "provisioners": [{
      "type": "file",
      "source": "/Users/davidvasandani/.ssh/vasandani.me_rsa.pub",
      "destination": "/tmp/id_rsa.pub"
    },
    {
      "type": "shell",
      "execute_command": "echo '' | sudo -S su - root -c '{{ .Path }}'",
      "script": "scripts/python.sh"
    },
    {
      "type": "ansible-local",
      "playbook_file": "ansible/playbook.yaml",
      "role_paths": [
        "ansible/roles/common"
      ],
      "playbook_dir": "ansible",
      "galaxy_file": "ansible/requirements.yaml"
    },
    {
      "type": "shell",
      "inline": [
        "rm .ssh/authorized_keys ; sudo rm /root/.ssh/authorized_keys"
      ]
    }
  ]
}
davidvasandani

this is my config

davidvasandani

@julien M. the difference between our configs is yours is missing "vpc_id"

davidvasandani

Can you add that to the builders section.

julien M.

Oh great!!! I’ll test this quickly

2019-08-06

julien M.

Hello @davidvasandani, see my packer.json below:

julien M.
{
  "variables": {
    "aws_region": "{{env `PACKER_REGION`}}",
    "aws_profile": "{{env `PACKER_PROFILE`}}",
    "subnet_id": "{{env `PACKER_SUBNET_ID`}}",
    "source_ami_id": "{{env `PACKER_SOURCE_AMI_ID`}}",
    "allowed_users_to_launch": "{{env `PACKER_ALLOWED_USER`}}",
    "ami_name": "xxx-{{timestamp}}",
    "creator": "{{env `USER`}}",
    "instance_type": "t3.large",
    "encrypted": "false",
    "kms_key_id": "",
    "datadog_api_key": "{{env `DD_API_KEY`}}",
    "environment": "{{env `ENVIRONMENT`}}"
  },

  "builders": [
    {
      "type": "amazon-ebs",
      "profile": "{{user `aws_profile`}}",
      "region": "{{user `aws_region`}}",
      "associate_public_ip_address": "true",
      "ami_users": "{{ user `allowed_users_to_launch`}}",
      "source_ami": "{{user `source_ami_id`}}",
      "instance_type": "{{user `instance_type`}}",
      "ami_name": "{{user `ami_name`}}",
      "ami_description": "xxx",
      "encrypt_boot": false,
      "kms_key_id": "{{user `kms_key_id`}}",
      "ssh_username": "app",
      "ssh_private_key_file": "custom-files/ami.key",
      "subnet_id": "{{user `subnet_id`}}",
      "tags": {
        "Created": "{{timestamp}}",
        "Project": "xxx",
        "Team": "xxx",
        "Name": "packer.basic"
      }
    }
  ],

  "provisioners": [
    {
      "type": "file",
      "source": "../../../xxx.tgz",
      "destination": "/opt/app/xxxx.tgz"
    },
    {
      "type": "file",
      "source": "./custom-files/datadog.yaml",
      "destination": "/tmp/datadog.yaml"
    },
    {
      "type": "file",
      "source": "./custom-files/xxx.service",
      "destination": "/tmp/xxx.service"
    },
    {
      "type": "file",
      "source": "./custom-files/xxx.logrotate",
      "destination": "/tmp/xxxx.logrotate"
    },
    {
      "type": "file",
      "source": "./custom-files/datadog-ruby.yml",
      "destination": "/tmp/ruby-conf.yml"
    },
    {
      "type": "shell",
      "environment_vars": [
        "DD_API_KEY={{user `datadog_api_key`}}",
        "ENV={{user `environment`}}"
        ],
      "script": "ami-app-bootstrap.sh",
      "skip_clean": "true",
      "pause_before": "10s",
      "timeout": "10s"
    }
  ]
}

2019-08-05

davidvasandani

@julien M. mind posting the packer.json? We may be able to help diagnose.

davidvasandani

It’s definitely something with your config.

==> APL - AWS AMI Builder: Provisioning with shell script: /var/folders/tz/wdr45bjs0rgd12w8qv3qn3h00000gn/T/packer-shell983168744
==> APL - AWS AMI Builder: Stopping the source instance...
    APL - AWS AMI Builder: Stopping instance
==> APL - AWS AMI Builder: Waiting for the instance to stop...
==> APL - AWS AMI Builder: Creating AMI xxx-Latest-AMZN-05-Aug-19 09_45_53 from instance i-xxx
    APL - AWS AMI Builder: AMI: ami-xxx
==> APL - AWS AMI Builder: Waiting for AMI to become ready...
==> APL - AWS AMI Builder: Modifying attributes on AMI (ami-xxx)...
    APL - AWS AMI Builder: Modifying: description
==> APL - AWS AMI Builder: Modifying attributes on snapshot (snap-xxx)...
==> APL - AWS AMI Builder: Adding tags to AMI (ami-xxx)...
==> APL - AWS AMI Builder: Tagging snapshot: snap-xxx
==> APL - AWS AMI Builder: Creating AMI tags
    APL - AWS AMI Builder: Adding tag: "Name": "xxx-Latest-AMZN-05-Aug-19 09_45_53"
==> APL - AWS AMI Builder: Creating snapshot tags
    APL - AWS AMI Builder: Adding tag: "Name": "xxx-Latest-AMZN-05-Aug-19 09_45_53"
==> APL - AWS AMI Builder: Terminating the source AWS instance...
==> APL - AWS AMI Builder: Cleaning up any extra volumes...
==> APL - AWS AMI Builder: No volumes to clean up, skipping
==> APL - AWS AMI Builder: Deleting temporary security group...
==> APL - AWS AMI Builder: Deleting temporary keypair...
Build 'APL - AWS AMI Builder' finished.

2019-08-02

julien M.

Yep exactly, that’s the process: start ec2 -> execute some task -> stop ec2 -> create temp ami -> copy this ami to “final” AMI

julien M.

You can see it in my log:

julien M.
==> amazon-ebs: Stopping the source instance...
    amazon-ebs: Stopping instance
==> amazon-ebs: Waiting for the instance to stop...
==> amazon-ebs: Creating AMI JlUwHnk from instance i-0a32e679185b6d6e0
    amazon-ebs: AMI: ami-09ebc6af6f029a3a5
==> amazon-ebs: Waiting for AMI to become ready...
==> amazon-ebs: Copying/Encrypting AMI (ami-09ebc6af6f029a3a5) to other regions...
    amazon-ebs: Copying to: eu-central-1
    amazon-ebs: Waiting for all copies to complete...
==> amazon-ebs: Modifying attributes on AMI (ami-0b1906f336702fff5)...
    amazon-ebs: Modifying: description
    amazon-ebs: Modifying: users
==> amazon-ebs: Modifying attributes on snapshot (snap-066093425d32275fd)...
==> amazon-ebs: Adding tags to AMI (ami-0b1906f336702fff5)...
==> amazon-ebs: Tagging snapshot: snap-066093425d32275fd
==> amazon-ebs: Creating AMI tags
    amazon-ebs: Adding tag: "Created": "1564649441"
    amazon-ebs: Adding tag: "Project": "lunchr-banking"
    amazon-ebs: Adding tag: "Team": "banking"
    amazon-ebs: Adding tag: "Name": "packer.basic"
==> amazon-ebs: Creating snapshot tags
==> amazon-ebs: Deregistering the AMI and deleting unencrypted temporary AMIs and snapshots
==> amazon-ebs: Deregistered AMI id: ami-09ebc6af6f029a3a5
==> amazon-ebs: Deleted snapshot: snap-028ddd3a7cb4ca49c
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
Build 'amazon-ebs' finished.

julien M.

The “temp” AMI log:

==> amazon-ebs: Waiting for the instance to stop...
==> amazon-ebs: Creating AMI JlUwHnk from instance i-0a32e679185b6d6e0
    amazon-ebs: AMI: ami-09ebc6af6f029a3a5
==> amazon-ebs: Waiting for AMI to become ready.. 

julien M.

And the copy of this “temp” AMI to “final” AMI:

==> amazon-ebs: Copying/Encrypting AMI (ami-09ebc6af6f029a3a5) to other regions...
    amazon-ebs: Copying to: eu-central-1
    amazon-ebs: Waiting for all copies to complete...
==> amazon-ebs: Modifying attributes on AMI (ami-0b1906f336702fff5)...
    amazon-ebs: Modifying: description
    amazon-ebs: Modifying: users
==> amazon-ebs: Modifying attributes on snapshot (snap-066093425d32275fd)...
==> amazon-ebs: Adding tags to AMI (ami-0b1906f336702fff5)...
==> amazon-ebs: Tagging snapshot: snap-066093425d32275fd
julien M.

But I don’t understand this step … why a copy of the first AMI …

julien M.

especially that the AMI I need is already in the right region

2019-08-01

julien M.

Hello here, I have a question about packer:

From what I understand about packer is that it creates a temporary AMI from the EC2 that packer has booted and then this temporary AMI is copied … except that currently I only work in one AWS region and so I do not need it to create a copy in the same region as the temporary AMI. Is there a way to not copy the AMI and use the 1st AMI? Because the copy operation takes a lot of time at AWS.

davidvasandani

@julien M. I don’t think it creates a temp AMI. It starts, provisions, and stops an instance before creating an AMI of the stopped instance.

2019-03-22

Steven
01:34:15 PM

@Steven has joined the channel

2019-03-20

Tim Malone
10:46:22 PM

@Tim Malone has joined the channel

2019-03-04

aknysh
04:08:36 PM

@aknysh has joined the channel

2019-02-28

oscarsullivan_old
08:08:42 AM

@oscarsullivan_old has joined the channel

2019-02-20

thirstydeveloper
06:18:26 PM

@thirstydeveloper has joined the channel

2019-02-14

Erik Osterman
05:21:23 AM

@Erik Osterman set the channel purpose: Discuss Packer for building AMIs and Docker Images Archive: https://archive.sweetops.com/packer/

2019-02-13

platinumnj
04:33:35 AM

@platinumnj has joined the channel

2019-02-12

iautom8things
10:07:56 PM

@iautom8things has joined the channel

2018-12-08

richwine
02:04:50 PM

@richwine has joined the channel

2018-12-01

mallen
09:47:30 AM

@mallen has joined the channel

2018-11-30

Erik Osterman
08:08:14 PM

@Erik Osterman has joined the channel

Erik Osterman
08:08:15 PM

@Erik Osterman set the channel purpose: Discuss Packer for building AMIs and Docker Images

rohit
08:08:15 PM

@rohit has joined the channel

tamsky
08:08:15 PM

@tamsky has joined the channel

catdevman
08:08:15 PM

@catdevman has joined the channel

rohit

so i am just thinking about creating a custom ami off of redhat ami in aws using packer

rohit

anything i should know before i go down that path ?

tamsky

I’m not a huge fan of humans reading or writing json; I use a python tool that generates ephemeral packer.json files from version-controlled packer.yaml https://gist.github.com/tamsky/c7df19684e5605023f2e biggest additional feature that tool has is: it supports !include which encourages good re-use of code.

rohit

what happens when you say !include ?

davidvasandani
08:23:30 PM

@davidvasandani has joined the channel

joshmyers
08:31:07 PM

@joshmyers has joined the channel

joshmyers

@rohit what are you wanting to accomplish?

jsanchez
09:01:55 PM

@jsanchez has joined the channel

rohit

@joshmyers we are planning to encrypt our root volume and by default it is not

rohit

so we are planning to create a custom ami off of redhat ami and also apply yum updates, install aws cli, chef-client so that when there is an autoscaling event it doesn’t take a lot of time

rohit

so we are planning to solve 2 problems with this solution

joshmyers

are you going to build in one account and distribute to others, or build in all accounts and regions?

joshmyers

Have done before and it was a royal PITA (namely because of some of the IAM policies we had in place)

joshmyers

AMIs are region and account specific as are the KMS keys that are used

joshmyers

At the time we had to write a wrapper script with packer to: provision new AMI and bootstrap, take that underlying EBS volume and create a new AMI out of that

joshmyers

with a custom KMS key to allow for cross account policies

joshmyers

(you couldn’t share a default KMS key across accounts AFAICR)

joshmyers

I believe that this has been built natively into packer now though, not dug in to see what it is doing under the covers

joshmyers

Note that shunting AMIs around is slooooowww

joshmyers

are you planning on doing this for each Chef role you have? There is overhead in managing all those AMIs (pruning script or the like)

joshmyers

how do your cookbooks end up on the instances in the ASG?

rohit

this will be for one aws account but in multiple regions

rohit

we would only install chef-client but the cookbook will end up later when the ami is used in a launch template

rohit

makes sense ?

joshmyers

Yeah, you want to block for the entire first chef run on a node before it is provisioned

joshmyers

You are going to have to shunt AMIs around regions

joshmyers

How long does your Chef bootstrap run take?

rohit

chef bootstrap currently takes somewhere around 8-10 mins

rohit

because the user data includes yum updates, installing awscli, installing chef-client

rohit

by creating the custom ami we are planning to reduce this time

rohit

now that you know my usecase, is there an example that you could recommend ?

joshmyers

well, if you are going down this route, may as well do a first chef run during packer build, right?

joshmyers

Even if you don’t do it for each role you have, there is a lot common base across all I’m sure.

joshmyers

Can take an initial chef run from 10mins to 1 min or so

joshmyers

Basically updates and anything on top of base

rohit

no, we don’t want to do that because then we will have to create an AMI for each app

joshmyers

how much do you care about it being the exact same artefact in different regions/accounts vs building in each

joshmyers

each app or each role?

joshmyers

even if you do base, the common denominator between all your roles will shave some time off that first run

joshmyers

Also not suggesting baking apps into the AMI

joshmyers

or do you use Chef runs for app deployments?

rohit

we use chef run for app deployments

joshmyers

You may want to split that out.

rohit

we use chef to pull/extract artifact from artifactory

joshmyers

OK, I’d look into benefits of splitting out that deployment process

joshmyers

do a base role during packer build and have cloud-init pull in the extra role to add on?

Erik Osterman
11:20:23 PM

@Erik Osterman set the channel topic:

tamsky


do a base role during packer build and have cloud-init pull in the extra role to add on?

I’ve typically followed this pattern as well, @rohit – a base image, also built by packer, that other app-specific images use as their source_ami when they get built in packer.
