Hi Mike, Looks like we have a similar issue. I can also interact manually but would love to automate the login after first reboot with LUKS enabled.
Did you find a solution for this? Thanks!

On Saturday, January 27, 2018 at 3:02:17 AM UTC+11, [email protected] wrote:
>
> I've managed to start to make this work, although with manual steps. The
> trick was to set headless to false and enable VNC with qemu args. So at
> least I can now enter the encryption passphrase in VNC.
>
> Steps were:
> 1. in the Packer qemu JSON, set headless to false
> 2. in the Packer qemu JSON, set the display
>
>     "qemuargs": [
>       [ "-m", "{{ user `memory` }}" ],
>       [ "-smp", "{{ user `cpus` }}" ],
>       [ "-display", "vnc=1" ]
>     ]
>
> 3. once Packer is running, connect with vncviewer (you can get the IP and
>    port from the Packer log output), e.g. vncviewer 127.0.0.1:48
>
> Wondering if I can automate the passphrase entry by copying in a key file
> during kickstart (and deleting the key file and entering a new LUKS key
> slot later in the build process for production machines). Anyone know if that
> will work, or if there is a better way to encrypt the LVM?
>
> On Friday, 26 January 2018 12:47:38 UTC, [email protected] wrote:
>>
>> I'm trying to create a Packer workflow that will create encrypted
>> CentOS-based images for Vagrant (qemu builder), KVM/libvirt (qemu builder),
>> Azure and AWS. I want to be able to LUKS encrypt the entire LVM in the qemu
>> based images. AWS and Azure do something else.
>>
>> With virsh based tools I can use, say, virt-install and give it a
>> Kickstart file like the following:
>>
>>     # Required settings
>>     lang en_GB.UTF-8
>>     keyboard uk
>>     rootpw vagrant
>>     # --enablemd5 selects MD5 password hashing; --passalgo=sha512 is the stronger option
>>     authconfig --enableshadow --enablemd5
>>     timezone UTC
>>
>>     # Optional settings
>>     install
>>     cdrom
>>     user --name=vagrant --plaintext --password vagrant
>>     unsupported_hardware
>>     network --bootproto=dhcp
>>     firewall --disabled
>>     selinux --enforcing
>>     bootloader --location=mbr
>>     text
>>     skipx
>>     zerombr
>>     clearpart --all --initlabel
>>     firstboot --disabled
>>
>>     part /boot --fstype xfs --size=1000
>>     # the following part command fails
>>     part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=<my encryption passphrase>
>>     # the following part command works as no encryption
>>     #part pv.2 --size=0 --grow
>>     volgroup vg00 --pesize=4096 pv.2
>>     logvol swap --vgname=vg00 --fstype swap --size=1024 --name=lv_swap
>>     logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
>>     logvol /usr --vgname=vg00 --fstype xfs --percent=10 --name=lv_usr
>>     logvol /home --vgname=vg00 --fstype xfs --percent=30 --name=lv_home
>>     logvol /var --vgname=vg00 --fstype xfs --percent=10 --name=lv_var
>>     logvol /var/log --vgname=vg00 --fstype xfs --percent=10 --name=lv_varlog
>>     logvol /var/log/audit --vgname=vg00 --fstype xfs --percent=5 --name=lv_varlogaudit
>>     logvol /tmp --vgname=vg00 --fstype xfs --percent=8 --name=lv_tmp
>>
>>     reboot
>>
>> If I don't use the encrypt arg in the part command the LVM is set up fine,
>> but adding in encryption stalls the Packer build at connecting with SSH. I
>> assume Anaconda finishes then reboots and there is no way to enter the
>> encryption passphrase.
>>
>> I tried to get a console to the image during build but can't find it!
>> e.g.
>>
>>     sudo virsh list --all
>>
>> does not show the image being built.
>>
>> Reading the documentation and googling around showed me no examples of
>> anyone encrypting their qemu images.
>>
>> The environment I am deploying into can only be accessed via SSH so I must
>> use the serial console; there is no X-forwarding possible. Also, the VMs
>> themselves must be encrypted; it is not acceptable to put an unencrypted VM
>> in a LUKS container on the virtualisation host.
>>
>> Is it possible to encrypt images or the LVM with Packer? Are there other
>> ways I can encrypt the Packer image post build, e.g. in the post section?
>>
>> Thanks. Hope someone can help, been at this 3 days and going to get my
>> butt kicked soon :-/
>>
>

--
You received this message because you are subscribed to the Google Groups "Packer" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/b004891d-ef59-49d7-a908-2e0e80e5157b%40googlegroups.com.
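The key-file idea raised in the quoted reply above (unlock unattended with a key file during the build, then swap it for a real passphrase and remove it) can be scripted as a Packer shell provisioner step. The script below is an added example for this thread, not code from either poster or from Packer. Its assumptions are hypothetical: the kickstart %post added a key file at /root/build.key to a LUKS key slot on the encrypted PV /dev/vda2 and listed it in /etc/crypttab so the first reboot unlocked without a prompt; the script then runs as root with the production passphrase supplied on stdin, so it never appears in the Packer template, argv or shell history.

```shell
#!/bin/sh
# Added example (not from the original thread or from Packer): rotate a
# build-time LUKS key file out of an image before it is shipped.
# Assumed, hypothetical layout: /root/build.key is in a LUKS slot on /dev/vda2
# and referenced from /etc/crypttab; run as root after the first reboot.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the plan instead of touching the disk

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rotate_luks_key DEVICE KEYFILE   (reads the new passphrase as one line on stdin)
rotate_luks_key() {
    dev="$1"; keyfile="$2"
    IFS= read -r new_pass

    # 1. Add the production passphrase in a fresh slot, authorising with the build key.
    #    cryptsetup takes the new passphrase from stdin when stdin is not a tty.
    printf '%s' "$new_pass" | run cryptsetup luksAddKey --key-file "$keyfile" "$dev"

    # 2. Prove the new slot really opens the header before destroying the old one.
    printf '%s' "$new_pass" | run cryptsetup open --test-passphrase "$dev"

    # 3. Remove exactly the slot the build key unlocks, then destroy the key file.
    #    shred is best effort: on qcow2 or thin-provisioned storage the old blocks
    #    may survive, so treat the build key as compromised once the image has
    #    ever left the build host and never reuse it across builds.
    run cryptsetup luksRemoveKey "$dev" "$keyfile"
    run shred -u "$keyfile"

    # 4. Stop crypttab pointing at the key file and rebuild the initramfs so the
    #    key is no longer embedded in it; the next boot then prompts for the passphrase.
    run sed -i "s|[[:space:]]$keyfile[[:space:]]| none |" /etc/crypttab
    run dracut --force

    unset new_pass   # do not leave the passphrase in the shell environment
}

# Usage from a provisioner, feeding the passphrase from a Packer-provided secret:
#   printf '%s\n' "$PROD_PASSPHRASE" | sh rotate-luks.sh /dev/vda2 /root/build.key
if [ "${1:-}" != "" ]; then
    rotate_luks_key "$1" "${2:?key file path required}"
fi
```

Run it once with DRY_RUN=1 inside the build to review the plan in the Packer log before letting it touch the header; the dry run prints the commands but never the passphrase. Until this step has run, anyone holding the image artifact (and its initramfs) can decrypt the volume, so it belongs before any step that uploads or publishes the image.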
