It might be tricky but possible to trigger virtualbox "send-keys" via a script using the "host-shell" provisioner in order to decrypt the machine's drive on boot, but it would be tough to know the exact timing and might require a bit of scripting to handle retries and check for SSH connectivity before the password entry script quits. I've been thinking through this for the virtualbox builder but I haven't had to put the effort into implementing it yet since our box builds are only for quickly testing our preseed/kickstart files without having to use real hardware.
On Thursday, May 3, 2018 at 5:46:51 AM UTC-5, [email protected] wrote:
>
> Hi Mike,
>
> Looks like we have a similar issue. I can also interact manually but would
> love to automate the login after first reboot with LUKS enabled.
>
> Did you find a solution for this?
>
> Thanks!
>
> On Saturday, January 27, 2018 at 3:02:17 AM UTC+11, [email protected] wrote:
>>
>> I've managed to start to make this work, although with manual steps. The
>> trick was to set headless to false and enable VNC with qemu args. So at
>> least I can now enter the encryption passphrase in VNC.
>>
>> Steps were:
>> 1. in Packer qemu json set headless to false
>> 2. in Packer qemu json set the display
>>
>> "qemuargs": [
>>   [ "-m", "{{ user `memory` }}" ],
>>   [ "-smp", "{{ user `cpus` }}" ],
>>   [ "-display", "vnc=1" ]
>> ]
>>
>> 3. once Packer is running, connect with vncviewer (you can get the IP and
>> port from the Packer log output) e.g. vncviewer 127.0.0.1:48
>>
>> Wondering if I can automate the passphrase entry by copying in a key file
>> during kickstart (and deleting the key file and entering a new LUKS key
>> slot later in the build process for production machines.) Anyone know if that
>> will work, or if there is a better way to encrypt the LVM?
>>
>> On Friday, 26 January 2018 12:47:38 UTC, [email protected] wrote:
>>>
>>> I'm trying to create a Packer workflow that will create encrypted
>>> centos based images for vagrant (qemu builder), KVM/libvirt (qemu builder),
>>> Azure and AWS. I want to be able to LUKS encrypt the entire LVM in the qemu
>>> based images. AWS and Azure do something else.
>>>
>>> With virsh based tools I can use say virt-install and give it a
>>> Kickstart file like the following:
>>>
>>> # Required settings
>>> lang en_GB.UTF-8
>>> keyboard uk
>>> rootpw vagrant
>>> authconfig --enableshadow --enablemd5
>>> timezone UTC
>>>
>>> # Optional settings
>>> install
>>> cdrom
>>> user --name=vagrant --plaintext --password vagrant
>>> unsupported_hardware
>>> network --bootproto=dhcp
>>> firewall --disabled
>>> selinux --enforcing
>>> bootloader --location=mbr
>>> text
>>> skipx
>>> zerombr
>>> clearpart --all --initlabel
>>> firstboot --disabled
>>>
>>> part /boot --fstype xfs --size=1000
>>> # the following part command fails
>>> part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=<my encryption passphrase>
>>> # the following part command works as no encryption
>>> #part pv.2 --size=0 --grow
>>> volgroup vg00 --pesize=4096 pv.2
>>> logvol swap --vgname=vg00 --fstype swap --size=1024 --name=lv_swap
>>> logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
>>> logvol /usr --vgname=vg00 --fstype xfs --percent=10 --name=lv_usr
>>> logvol /home --vgname=vg00 --fstype xfs --percent=30 --name=lv_home
>>> logvol /var --vgname=vg00 --fstype xfs --percent=10 --name=lv_var
>>> logvol /var/log --vgname=vg00 --fstype xfs --percent=10 --name=lv_varlog
>>> logvol /var/log/audit --vgname=vg00 --fstype xfs --percent=5 --name=lv_varlogaudit
>>> logvol /tmp --vgname=vg00 --fstype xfs --percent=8 --name=lv_tmp
>>>
>>> reboot
>>>
>>> If I don't use the encrypt arg in the part command the LVM is set up
>>> fine, but adding in encryption stalls the packer build at connecting with
>>> SSH. I assume as Anaconda finishes then reboots and there is no way to
>>> enter the encryption passphrase.
>>>
>>> I tried to get a console to the image during build but can't find it!
>>> e.g.
>>> sudo virsh list --all
>>>
>>> does not show the image being built.
>>>
>>> Reading the documentation and googling around showed me no examples of
>>> anyone encrypting their qemu images.
>>>
>>> The environment I am deploying in to can only be accessed via SSH so
>>> must use the serial console, there is no X-forwarding possible. Also, the
>>> VMs themselves must be encrypted, it is not acceptable to put an
>>> unencrypted VM in a LUKS container on the virtualisation host.
>>>
>>> Is it possible to encrypt images or the LVM with Packer? Are there other
>>> ways I can encrypt the packer image post build e.g. in the post section?
>>>
>>> Thanks. Hope someone can help, been at this 3 days and going to get my
>>> butt kicked soon :-/
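The thread's kickstart puts the LUKS passphrase in the `part` line in plain text, and the follow-up asks about copying in a build-time key and rotating the key slot later. Before automating any of that, it helps to lint the kickstart so an unattended build does not stall on an installer prompt and so every build-time secret is known before release. The following Python script is an added example, not code from the thread or from Packer; it parses anaconda kickstart storage directives (`part`/`partition`, `logvol`, `raid`) with their `--encrypted`, `--passphrase` and `--cipher` options, honours an `autopart --passphrase` default, and reports the cases the thread runs into. The sample kickstart embedded in it is constructed, modelled on the one quoted above, and the finding codes are this script's own.

```python
"""Lint anaconda kickstart storage directives for LUKS settings.

Added example (not from the Packer thread). Assumes the documented
kickstart semantics: --encrypted needs a passphrase from --passphrase or
from 'autopart --passphrase', otherwise the installer prompts; --passphrase
without --encrypted has no effect.
"""
import shlex

STORAGE_CMDS = {"part", "partition", "logvol", "raid"}

# Constructed sample, modelled on the kickstart quoted in the thread.
SAMPLE_KS = """\
lang en_GB.UTF-8
rootpw vagrant
clearpart --all --initlabel
part /boot --fstype xfs --size=1000
part pv.2 --size=0 --grow --encrypted --cipher="aes-xts-plain64" --passphrase=build-only-secret
volgroup vg00 --pesize=4096 pv.2
logvol swap --vgname=vg00 --fstype swap --size=1024 --name=lv_swap
logvol / --vgname=vg00 --fstype xfs --size=1024 --grow --name=lv_root
logvol /home --vgname=vg00 --fstype xfs --percent=30 --name=lv_home --encrypted
logvol /var --vgname=vg00 --fstype xfs --percent=10 --name=lv_var --passphrase=oops
%post
echo "script sections such as %post are skipped by the linter"
%end
reboot
"""


def parse_kickstart(text):
    """Return [(command, args)] for directives outside %pre/%post/%packages sections."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            # %packages, %pre, %post open a section; %end closes it
            in_section = not line.startswith("%end")
            continue
        if in_section:
            continue
        tokens = shlex.split(line)  # honours quoted values such as --cipher="aes-xts-plain64"
        entries.append((tokens[0], tokens[1:]))
    return entries


def option_value(opts, name):
    """Value of '--name=value' or '--name value' within opts, else None."""
    for i, opt in enumerate(opts):
        if opt.startswith(name + "="):
            return opt.split("=", 1)[1]
        if opt == name and i + 1 < len(opts):
            return opts[i + 1]
    return None


def lint_encryption(text):
    """Return [(target, code)] findings; target is the mount point or PV name.

    Codes: NO_PASSPHRASE (installer will prompt, unattended build stalls),
    PLAINTEXT_PASSPHRASE (secret lives in the kickstart and build logs, so the
    image still needs a boot-time answer and a key-slot rotation before release),
    NO_CIPHER (installer default cipher applies), PASSPHRASE_WITHOUT_ENCRYPTED
    (option has no effect, volume stays unencrypted).
    """
    entries = parse_kickstart(text)
    default_passphrase = None
    for cmd, args in entries:
        if cmd == "autopart":
            default_passphrase = option_value(args, "--passphrase")

    findings = []
    for cmd, args in entries:
        if cmd not in STORAGE_CMDS or not args:
            continue
        target, opts = args[0], args[1:]
        encrypted = "--encrypted" in opts
        passphrase = option_value(opts, "--passphrase")
        if encrypted:
            if passphrase is None and default_passphrase is None:
                findings.append((target, "NO_PASSPHRASE"))
            else:
                findings.append((target, "PLAINTEXT_PASSPHRASE"))
            if option_value(opts, "--cipher") is None:
                findings.append((target, "NO_CIPHER"))
        elif passphrase is not None:
            findings.append((target, "PASSPHRASE_WITHOUT_ENCRYPTED"))
    return findings


if __name__ == "__main__":
    for target, code in lint_encryption(SAMPLE_KS):
        print(f"{target}: {code}")
```

Run against the sample it flags `pv.2` as carrying a plaintext build-time passphrase, `/home` as encrypted with nothing to unlock it (the case that stalls a headless build at the installer), and `/var` as having a passphrase that does nothing because `--encrypted` is missing. Feeding it the real kickstart before a Packer run tells you exactly which key slots will need replacing once the image is up.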
