#packer (2018-11)

packer

Discuss Packer for building AMIs and Docker Images Archive: https://archive.sweetops.com/packer/

2018-11-30

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:08:14 PM

@Erik Osterman (Cloud Posse) has joined the channel

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:08:15 PM

@Erik Osterman (Cloud Posse) set the channel purpose: Discuss Packer for building AMIs and Docker Images

rohit avatar
rohit
08:08:15 PM

@rohit has joined the channel

tamsky avatar
tamsky
08:08:15 PM

@tamsky has joined the channel

catdevman avatar
catdevman
08:08:15 PM

@catdevman has joined the channel

rohit.verma avatar
rohit.verma
08:08:15 PM

@rohit.verma has joined the channel

rohit avatar
rohit

so i am just thinking about creating a custom ami off of redhat ami in aws using packer

tamsky avatar
tamsky

rohit avatar
rohit

anything i should know before i go down that path ?

tamsky avatar
tamsky

I’m not a huge fan of humans reading or writing json; I use a python tool that generates ephemeral packer.json files from version-controlled packer.yaml https://gist.github.com/tamsky/c7df19684e5605023f2e biggest additional feature that tool has is: it supports !include which encourages good re-use of code.

rohit avatar
rohit

what happens when you say !include ?

davidvasandani avatar
davidvasandani
08:23:30 PM

@davidvasandani has joined the channel

joshmyers avatar
joshmyers
08:31:07 PM

@joshmyers has joined the channel

joshmyers avatar
joshmyers

@rohit what are you wanting to accomplish?

jsanchez avatar
jsanchez
09:01:55 PM

@jsanchez has joined the channel

rohit avatar
rohit

@joshmyers we are planning to encrypt our root volume and by default it is not

rohit avatar
rohit

so we are planning to create a custom ami off of redhat ami and also apply yum updates, install aws cli, chef-client so that when there is an autoscaling event it doesn’t take lot of time

rohit avatar
rohit

so we are planning to solve 2 problems with this solution

joshmyers avatar
joshmyers

are going you going build in one account and distribute to others, or build in all accounts and regions?

joshmyers avatar
joshmyers

Have done :point_up_2: before and it was a royal PITA (namely because of some of the IAM policies we had in place)

joshmyers avatar
joshmyers

AMIs are region and account specific as are the KMS keys that are used

joshmyers avatar
joshmyers

At the time we had to write a wrapper script with packer to: provision new AMI and bootstrap, take that underlying EBS volume and create a new AMI out of that

joshmyers avatar
joshmyers

with a custom KMS key to allow for cross account policies

joshmyers avatar
joshmyers

(you couldn’t share a default KMS key across accounts AFAICR)

joshmyers avatar
joshmyers

I believe that this has been built natively into packer now though, not digged to see what it is doing under the covers

joshmyers avatar
joshmyers

Note that shunting AMIs around is slooooowww

joshmyers avatar
joshmyers

are you planning on doing this for each Chef role you have? There is overhead in managing all those AMIs (pruning script or the like)

joshmyers avatar
joshmyers

how do your cookbooks end up on the instances in the ASG?

rohit avatar
rohit

this will be for one aws account but in multiple regions

rohit avatar
rohit

we would only install chef-client but the cookbook will end up later when the ami is used in a launch template

rohit avatar
rohit

makes sense ?

joshmyers avatar
joshmyers

Yeah, you want to block for the entire first chef run on a node before it is provisioned

joshmyers avatar
joshmyers

You are going to have to shunt AMIs around regions

joshmyers avatar
joshmyers

How long does your Chef bootstrap run take?

rohit avatar
rohit

chef bootstrap currently takes somewhere aroung 8-10 mins

rohit avatar
rohit

because the user data includes yum updates, instaling awscli, installing chef-client

rohit avatar
rohit

by creating the custom ami we are planning to reduce this time

rohit avatar
rohit

now that you know my usecase, is there an example that you could recommend ?

joshmyers avatar
joshmyers

well, if you are going down this route, may as well do a first chef run during packer build, right?

joshmyers avatar
joshmyers

Even if you don’t do it for each role you have, there is a lot common base across all I’m sure.

joshmyers avatar
joshmyers

Can take an initial chef run from 10mins to 1 min or so

joshmyers avatar
joshmyers

Basically updates and anything on top of base

rohit avatar
rohit

no, we don’t want to do that because then we will have to create an AMI for each app

joshmyers avatar
joshmyers

how much do you care about it being the exact same artefact in different regions/accounts vs building in each

joshmyers avatar
joshmyers

each app or each role?

joshmyers avatar
joshmyers

even if you do base, the common denominator between all your roles will shave some time off that first run

joshmyers avatar
joshmyers

Also not suggesting baking apps into the AMI

joshmyers avatar
joshmyers

or do you use Chef runs for app deployments?

rohit avatar
rohit

we use chef run for app deployments

joshmyers avatar
joshmyers

You may want to split that out.

rohit avatar
rohit

we use chef to pull/extract artifact from artifactory

joshmyers avatar
joshmyers

OK, I’d look into benefits of splitting out that deployment process

joshmyers avatar
joshmyers

do a base role during packer build and have cloud-init pull in the extra role to add on?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
11:20:23 PM

@Erik Osterman (Cloud Posse) set the channel topic: packer

tamsky avatar
tamsky


do a base role during packer build and have cloud-init pull in the extra role to add on?

I’ve typically followed this pattern as well, @rohit – a base image, also built by packer, that other app-specific images use as their source_ami when they get built in packer.

    keyboard_arrow_up