I've managed to start to make this work, although with manual steps. The
trick was to set headless to false and enable VNC with qemu args. So at
least I can now enter the encryption passphrase in VNC.
Steps were:
1. in the Packer qemu JSON, set headless to false
2. in the Packer qemu JSON, set the display:
   "qemuargs": [
     [ "-m", "{{ user `memory` }}" ],
     [ "-smp", "{{ user `cpus` }}" ],
     [ "-display", "vnc=1" ]
   ]
3. once Packer is running, connect with vncviewer (you can get the IP and
   port from the Packer log output), e.g. vncviewer 127.0.0.1:48
Wondering if I can automate the passphrase entry by copying in a key file
during kickstart (and deleting the key file and adding a new LUKS key
slot later in the build process for production machines). Anyone know if that
will work, or if there is a better way to encrypt the LVM?
On Friday, 26 January 2018 12:47:38 UTC, [email protected] wrote:
>
> I'm trying to create a Packer workflow that will create encrypted
> CentOS-based images for Vagrant (qemu builder), KVM/libvirt (qemu builder),
> Azure and AWS. I want to be able to LUKS-encrypt the entire LVM in the
> qemu-based images. AWS and Azure do something else.
>
> With virsh-based tools I can use, say, virt-install and give it a
> kickstart file like the following:
>
> # Required settings
> lang en_GB.UTF-8
> keyboard uk
> rootpw vagrant
> authconfig --enableshadow --enablemd5
> timezone UTC
>
>
> # Optional settings
> install
> cdrom
> user --name=vagrant --plaintext --password vagrant
> unsupported_hardware
> network --bootproto=dhcp
> firewall --disabled
> selinux --enforcing
> bootloader --location=mbr
> text
> skipx
> zerombr
> clearpart --all --initlabel
> firstboot --disabled
>
>
> part /boot --fstype xfs --size=1000
> # the following part command fails
> part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=<my encryption passphrase>
> # the following part command works as no encryption
> #part pv.2 --size=0 --grow
> volgroup vg00 --pesize=4096 pv.2
> logvol swap --vgname=vg00 --fstype swap --size=1024 --name=lv_swap
> logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
> logvol /usr --vgname=vg00 --fstype xfs --percent=10 --name=lv_usr
> logvol /home --vgname=vg00 --fstype xfs --percent=30 --name=lv_home
> logvol /var --vgname=vg00 --fstype xfs --percent=10 --name=lv_var
> logvol /var/log --vgname=vg00 --fstype xfs --percent=10 --name=lv_varlog
> logvol /var/log/audit --vgname=vg00 --fstype xfs --percent=5 --name=lv_varlogaudit
> logvol /tmp --vgname=vg00 --fstype xfs --percent=8 --name=lv_tmp
>
>
> reboot
>
>
> If I don't use the encrypt arg in the part command the LVM is set up fine,
> but adding in encryption stalls the Packer build at connecting with SSH. I
> assume this is because Anaconda finishes and then reboots, and there is no
> way to enter the encryption passphrase.
>
> I tried to get a console to the image during the build but can't find it,
> e.g.
>
> sudo virsh list --all
>
> does not show the image being built.
>
> Reading the documentation and googling around showed me no examples of
> anyone encrypting their qemu images.
>
> The environment I am deploying into can only be accessed via SSH, so I must
> use the serial console; there is no X forwarding possible. Also, the VMs
> themselves must be encrypted; it is not acceptable to put an unencrypted VM
> in a LUKS container on the virtualisation host.
>
> Is it possible to encrypt images or the LVM with Packer? Are there other
> ways I can encrypt the packer image post build e.g. in the post section?
>
> Thanks. Hope someone can help, I've been at this for 3 days and am going to
> get my butt kicked soon :-/
>
--
This mailing list is governed under the HashiCorp Community Guidelines -
https://www.hashicorp.com/community-guidelines.html. Behavior in violation of
those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups
"Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/packer-tool/5800dbb9-2b3b-4033-84f9-9cf69839fb16%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
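The key-file-then-rotate scheme floated in the reply, as an added example; this is not code from the thread, from Packer or from Anaconda. It assumes the kickstart %post has already generated a random key file at /root/.build-luks.key (the path is an assumption), added it to the LUKS PV with `cryptsetup luksAddKey` using the kickstart passphrase, pointed /etc/crypttab at it and embedded it in the initramfs (dracut's install_items), so the Packer build boots unattended. A later Packer shell provisioner then runs this script as root with the production passphrase on stdin: it adds a passphrase slot, refuses to continue unless that passphrase really opens the device, removes the key-file slot, shreds the key file, switches crypttab back to prompting and rebuilds the initramfs. The kickstart passphrase slot should be retired the same way afterwards; that step is not shown. The blkid and luksDump parsing assumes LUKS1, the CentOS 7 default.

```shell
#!/bin/bash
# Added example (not from the thread, Packer or Anaconda): rotate the throwaway
# LUKS key file used for an unattended Packer build to a real passphrase.
set -eu

# Assumption: kickstart %post created this key file and /etc/crypttab refers to it.
BUILD_KEYFILE="${BUILD_KEYFILE:-/root/.build-luks.key}"

# Print the device path of every crypto_LUKS entry in `blkid` output read on stdin,
# e.g. '/dev/vda2: UUID="..." TYPE="crypto_LUKS" PARTUUID="..."' -> /dev/vda2
luks_devices_from_blkid() {
    sed -n 's/^\([^:]*\): .*TYPE="crypto_LUKS".*/\1/p'
}

# Count enabled key slots in a LUKS1 `cryptsetup luksDump` read on stdin.
enabled_slots() {
    grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Add a passphrase slot, authorised by the build key file. The new passphrase is
# read from stdin ("-" as the new key file); it is fed without a trailing newline
# so the slot matches what is typed at the boot prompt.
add_passphrase_slot() {   # $1 = LUKS device, passphrase on stdin
    cryptsetup luksAddKey --key-file "$BUILD_KEYFILE" "$1" -
}

# Remove the slot the build key file opens, destroy the file, make boot prompt
# for a passphrase again and rebuild the initramfs that carried the key file.
retire_build_key() {      # $1 = LUKS device
    cryptsetup luksRemoveKey "$1" "$BUILD_KEYFILE"
    shred -u "$BUILD_KEYFILE"
    sed -i "s#[[:space:]]$BUILD_KEYFILE[[:space:]]# none #" /etc/crypttab
    dracut -f
}

# Whole rotation; $1 is the production passphrase. Slot count must end where it
# began (build key slot replaced by the passphrase slot).
rotate_build_key() {
    local dev devs before after
    devs="$(blkid | luks_devices_from_blkid)"
    [ "$(printf '%s\n' "$devs" | wc -l)" -eq 1 ] || {
        echo "expected exactly one crypto_LUKS device, got: $devs" >&2; return 1; }
    dev="$devs"
    before="$(cryptsetup luksDump "$dev" | enabled_slots)"
    printf '%s' "$1" | add_passphrase_slot "$dev"
    # Never remove the build key unless the new passphrase actually opens the PV.
    printf '%s' "$1" | cryptsetup luksOpen --test-passphrase --key-file - "$dev"
    retire_build_key "$dev"
    after="$(cryptsetup luksDump "$dev" | enabled_slots)"
    [ "$after" -eq "$before" ] || { echo "unexpected slot count $after" >&2; return 1; }
}

# Usage from a Packer shell provisioner (passphrase on stdin, never on argv):
#   printf '%s' "$PROD_PASSPHRASE" | sudo ./rotate-luks-key.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    IFS= read -r passphrase
    rotate_build_key "$passphrase"
fi
```

The passphrase is deliberately passed on stdin rather than as an argument, so it does not appear in `ps` output or the Packer log; the `--test-passphrase` check is what makes it safe to remove the build slot, since `luksRemoveKey` will happily remove the only remaining slot and leave the PV unopenable.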