packer qemu build with ansible as provisioner fails to connect
This issue was originally opened by @Doni7722 as hashicorp/packer#10592. It was migrated here as a result of the Packer plugin split. The original body of the issue is below.
Overview of the Issue
I'm using qemu as the builder and ansible as provisioner. The templates will be created from ISO and packer creates a temporary SSH key, which will be used by Ansible to connect. That's not working any longer. First issue: I can see that the generated key in /temp/ansisible-keyXXXX is empty, and second issue: I can't see any difference between "use_proxy:true" and "use_proxy:false".
Reproduction Steps
1: packer build with qemu
2: create a template from ISO where you connect over username / password
3: ansible as provisioner which should use the temporary ssh key
4: ansible is unable to connect (permission denied)
Packer version
1.6.6
Simplified Packer Buildfile
{
  "builders": [
    {
      "accelerator": "kvm",
      "boot_command": [
        "<up><tab> inst.text inst.ks=hd:fd0:/CentOS-7-x86_64-cloud.cfg <enter><wait>"
      ],
      "boot_wait": "20s",
      "communicator": "ssh",
      "cpus": 1,
      "disk_interface": "virtio-scsi",
      "disk_size": "20480M",
      "floppy_files": [
        "templates/ks/CentOS/7/CentOS-7-x86_64-cloud.cfg"
      ],
      "format": "qcow2",
      "headless": false,
      "iso_checksum": "{{user `iso_checksum_type`}}:{{user `iso_centos7_checksum`}}",
      "iso_url": "{{user `iso_centos7_url`}}",
      "memory": 2048,
      "net_device": "virtio-net",
      "output_directory": "templates/kvm/centos7/template",
      "shutdown_command": "shutdown --poweroff now",
      "ssh_password": "{{user `vm_root_pw`}}",
      "ssh_timeout": "15m",
      "ssh_username": "root",
      "ssh_clear_authorized_keys": true,
      "type": "qemu",
      "vm_name": "packer_kvm_centos7"
    }
  ],
  "provisioners": [
    {
      "host_alias": "packer-template",
      "playbook_file": "templates/kvm/centos7/playbooks/main.yml",
      "type": "ansible",
      "use_proxy": false,
      "extra_arguments": [ "-vvvv" ]
    },
    {
      "expect_disconnect": true,
      "inline": [
        "reboot"
      ],
      "start_retry_timeout": "30m",
      "type": "shell"
    }
  ]
}
Operating system and Environment details
building machine: fedora 33 with packer 1.6.6 & ansible 2.9.17
building template: CentOS 7 from ISO
Log Fragments and crash.log files
Here are the logs: https://gist.github.com/Doni7722/666afd5fa7fd364850c0be2835d8d3ae
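The "permission denied" in the report comes from the temporary key Packer generates for the Ansible provisioner. Before re-running a long ISO build it is cheap to check the key file itself: is it non-empty, is it a parseable PEM block, and are its permissions tight enough that ssh will actually load it (ssh silently ignores a key that is group- or world-readable, which then surfaces as "Permission denied (publickey)"). The following is an added example, not Packer's code and not the issue author's; it assumes the key path is passed in, and the sample key files it checks are constructed in a temp directory (the "good" one is structurally valid PEM but not a real key).

```python
"""Pre-flight checks for the temporary SSH private key Packer hands to the
Ansible provisioner. Added example, not Packer's or the issue author's code;
the key path is supplied by the caller (Packer's real path is generated at run time)."""
import base64
import os
import stat
import tempfile


def check_private_key(path):
    """Return a list of problems found with the key file at `path`;
    an empty list means the file looks usable by ssh."""
    problems = []
    if not os.path.isfile(path):
        return [f"{path}: file does not exist"]
    st = os.stat(path)
    if st.st_size == 0:
        problems.append("file is empty")  # the symptom described in the report
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # ssh refuses a private key readable by group/others ("permissions too
        # open") and falls back to other auth, giving "Permission denied (publickey)"
        problems.append(
            f"mode {oct(stat.S_IMODE(st.st_mode))} is too open; expected 0600")
    if st.st_size == 0:
        return problems
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        lines = [ln.strip() for ln in fh.read().splitlines() if ln.strip()]
    header = lines[0] if lines else ""
    if not (header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----")):
        problems.append("missing '-----BEGIN ... PRIVATE KEY-----' header")
        return problems
    footer = lines[-1]
    if not (footer.startswith("-----END ") and footer.endswith(" PRIVATE KEY-----")):
        problems.append("missing '-----END ... PRIVATE KEY-----' footer")
        return problems
    body = "".join(lines[1:-1])
    try:
        raw = base64.b64decode(body, validate=True)  # strict: rejects stray characters
    except ValueError:
        problems.append("body is not valid base64")
        return problems
    if len(raw) < 64:
        problems.append(f"decoded body is only {len(raw)} bytes; not a real key")
    return problems


def demo():
    """Create constructed sample key files in a temp dir and check each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # 1. an empty key file, as described in the report
        empty = os.path.join(d, "ansible-key-empty")
        open(empty, "w").close()
        os.chmod(empty, 0o600)
        # 2. a well-formed PEM block (constructed bytes, not a real key), mode 0600
        fake_body = base64.b64encode(bytes(range(256))).decode()
        pem = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
               + "\n".join(fake_body[i:i + 70] for i in range(0, len(fake_body), 70))
               + "\n-----END OPENSSH PRIVATE KEY-----\n")
        good = os.path.join(d, "ansible-key-good")
        with open(good, "w") as fh:
            fh.write(pem)
        os.chmod(good, 0o600)
        # 3. the same content but world-readable, which ssh will refuse to use
        loose = os.path.join(d, "ansible-key-loose")
        with open(loose, "w") as fh:
            fh.write(pem)
        os.chmod(loose, 0o644)
        for name, p in (("empty", empty), ("good", good), ("loose", loose)):
            results[name] = check_private_key(p)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Run it against the path Packer logs for the generated key (or point Ansible at a key you generated yourself) and a non-empty problem list tells you whether the failure is the key content or its permissions before you look at the -vvvv SSH output.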
Thanks for your feedback @whoiscnu !
I personally have no understanding how Cloudflare/Let's Encrypt can be properly configured in Azure. Typically for IBM Cloud / AWS providers we'd need a DNS management service behind the Let's Encrypt cluster issuer to manage the CNAME entries and the registered domain, like Cloud Internet Services for IBM Cloud and Route 53 for AWS. It seems for Azure, it is this AzureDNS that would need to have a webhook to the MAS cluster issuer?
@alequint @durera @swallacertp do you know of any plans to support such capability for Azure anytime soon? I know we have plans to support Route53, but not sure about Azure's plans.
@andrercm We are looking at this from the MAS hyperscaler team but do not have concrete plans yet. I will check with the team and see where this stands and update here.
Thanks @swallacertp, for now I'll label this as low priority until the plan changes.
Hello All,
Thanks for your email.
I was able to set up LetsEncrypt using the installer from Passport Advantage and changing the cert manager configuration after stopping the operator.
The Ansible collection at the moment doesn't support AzureDNS, as I verified.
It will be interesting when the product is rolled out in ARO, as the support needs to be in place for AzureDNS then. Also there is an Azure marketplace deploy of MAS which ideally must be using AzureDNS as well.
Regards, Srinivasa
@swallacertp , As we facilitate environment for public events or demos, we are interested in knowing plans for PublicCA cert as default...
- When will MAS on AWS BYOL start using LetsEncrypt?
- When will MAS on Azure BYOL start using LetsEncrypt?
@maulik-modi22 The plan is to release documentation on configuring LetsEncrypt with MAS BYOL on AWS in the upcoming release which is targeted for mid June 2023. Will update on Azure plans. This is the planned date so it is subject to change. Confirming the plans for Azure and will update once I have that.
@swallacertp, checking back again: is there any update on incorporating it in the AWS and Azure BYOL automation?
@maulik-modi22 The BYOL/PAID offerings have documented the use of Let's Encrypt but this is post deployment. It is not in the plan to add this to the template and automation at this time. You can open an Idea for the BYOL option for consideration in future plans.