encrypted secondary volume question


Derek the DevOps guy
May 25, 2018, 2:35:46 PM
to Packer

Hi all,

I'm new to using packer. So far it looks like a wonderful tool with lots of features. Thanks for the help with putting it all together.

I need to create an AMI based on ubuntu 16.04 with a small non-encrypted volume and an encrypted data volume. Things work fine except the data volume is not encrypted even though I specified "encrypted: true". Do I need to encrypt the drive myself in my provision script or am I missing something? Would appreciate any and all help/pointers.


Thanks,

Derek

packer version - 1.2.2

Here's my build json.
============================================================
{
  "variables": {
    "aws_access_key": "{{env `AWS_ACCESS_KEY_ID`}}",
    "aws_secret_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
    "aws_default_region": "{{env `AWS_DEFAULT_REGION`}}",
    "aws_subnet_id": "{{env `AWS_SUBNET_ID`}}" 
  },
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "{{user `aws_default_region`}}",
    "subnet_id": "{{user `aws_subnet_id`}}",
    "associate_public_ip_address": true,
    "source_ami_filter": {
      "filters": {
      "virtualization-type": "hvm",
      "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
      "root-device-type": "ebs"
      },
      "owners": ["099720109477"],
      "most_recent": true
    },
    "instance_type": "t2.micro",
    "ssh_username": "ubuntu",
    "ami_name": "Docker EE AMI {{isotime \"2006-01-02T030406\"}}",
    "ami_block_device_mappings" : [
      {
        "volume_type" : "gp2",
        "device_name" : "/dev/xvda",
        "delete_on_termination" : true,
        "volume_size" : 8
      },
      {
        "volume_type" : "gp2",
        "device_name" : "/dev/xvdb",
        "delete_on_termination" : false,
        "encrypted" : true,
        "volume_size" : 80
      }
    ],
    "launch_block_device_mappings" : [
      {
        "volume_type" : "gp2",
        "device_name" : "/dev/xvda",
        "delete_on_termination" : true,
        "volume_size" : 8
      },
      {
        "volume_type" : "gp2",
        "device_name" : "/dev/xvdb",
        "delete_on_termination" : false,
        "encrypted" : true,
        "volume_size" : 80
      }
    ]
  }],
  "provisioners": [{
    "type": "shell",
    "inline": [
      "sleep 30",
      "sudo apt-get update",
      "sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common",
      "sudo apt-get update"
    ]
  }]
}

Rickard von Essen
May 27, 2018, 3:18:34 PM
to packe...@googlegroups.com

You don't need both ami_block_device_mappings and launch_block_device_mappings. This works for me and adds two EBS volumes in addition to the boot volume, one of these is encrypted with the default KMS EBS key.

{
   "provisioners" : [
      {
         "type" : "shell",
         "inline" : [
            "sudo apt-get update",
            "sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common",
            "sudo apt-get update"
         ]
      }
   ],
   "builders" : [
      {
         "type" : "amazon-ebs",
         "ami_name" : "Docker EE AMI {{isotime \"2006-01-02T030406\"}}",
         "ssh_username" : "ubuntu",
         "source_ami_filter" : {
            "filters" : {
               "name" : "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
               "root-device-type" : "ebs",
               "virtualization-type" : "hvm"
            },
            "most_recent" : true,
            "owners" : [
               "099720109477"
            ]
         },
         "associate_public_ip_address" : true,
         "subnet_id" : "{{user `aws_subnet_id`}}",
         "instance_type" : "t2.micro",
         "launch_block_device_mappings" : [
            {
               "delete_on_termination" : true,
               "volume_size" : 8,
               "volume_type" : "gp2",
               "device_name" : "/dev/xvda"
            },
            {
               "volume_size" : 8,
               "delete_on_termination" : false,
               "volume_type" : "gp2",
               "encrypted" : true,
               "device_name" : "/dev/xvdb"
            }
         ]
      }
   ],
   "variables" : {
      "aws_subnet_id" : "{{env `AWS_SUBNET_ID`}}"
   }
}


Inspection of the resulting AMI:

$ AWS_PROFILE=packer-demo AWS_DEFAULT_REGION=eu-west-1 aws ec2 describe-images --image-ids ami-04cfc168ea949abe8 --query "Images[].BlockDeviceMappings"
[
    [
        {
            "DeviceName": "/dev/sda1",
            "Ebs": {
                "Encrypted": false,
                "DeleteOnTermination": true,
                "SnapshotId": "snap-03e9353df32e489e5",
                "VolumeSize": 8,
                "VolumeType": "gp2"
            }
        },
        {
            "DeviceName": "/dev/xvda",
            "Ebs": {
                "Encrypted": false,
                "DeleteOnTermination": true,
                "SnapshotId": "snap-04cd6188c33186e0d",
                "VolumeSize": 8,
                "VolumeType": "gp2"
            }
        },
        {
            "DeviceName": "/dev/xvdb",
            "Ebs": {
                "Encrypted": true,
                "DeleteOnTermination": false,
                "SnapshotId": "snap-08c1bf4f0537bed46",
                "VolumeSize": 8,
                "VolumeType": "gp2"
            }
        },
        {
            "DeviceName": "/dev/sdb",
            "VirtualName": "ephemeral0"
        },
        {
            "DeviceName": "/dev/sdc",
            "VirtualName": "ephemeral1"
        }
    ]
]


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/e432820d-443a-4f36-9c6f-b6172b88a8ca%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
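The describe-images call above is the right way to confirm what the build actually produced; the check below turns it into a build gate. It is an added example, not code from the thread or from Packer: it assumes a configured aws CLI, a placeholder AMI_ID you supply, and that /dev/xvdb is the device that must come out encrypted.

```shell
#!/bin/sh
# Added example (not from the thread): gate an AMI build on the data volume
# actually being encrypted, by reading the built image's block device mappings
# with the same describe-images query as above, in the CLI's text output form.
# Assumes the aws CLI is configured; AMI_ID is a placeholder you supply.

# fetch_mappings AMI_ID -> one line per mapping: "DeviceName<TAB>True|False|None"
# (None is what the CLI prints for ephemeral mappings that carry no Ebs block).
fetch_mappings() {
  aws ec2 describe-images --image-ids "$1" \
    --query 'Images[].BlockDeviceMappings[].[DeviceName, Ebs.Encrypted]' \
    --output text
}

# check_encrypted MAPPINGS REQUIRED_DEVICES: succeeds only if every required
# device is present in MAPPINGS and reported as encrypted. A device that is
# missing counts as a failure too: a volume that never got attached is not secured.
check_encrypted() {
  rc=0
  for dev in $2; do
    state=$(printf '%s\n' "$1" | awk -F'\t' -v d="$dev" \
      '$1 == d { print $2; f = 1 } END { if (!f) print "MISSING" }')
    case "$state" in
      True) echo "ok:   $dev encrypted" ;;
      *)    echo "FAIL: $dev Encrypted=$state" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample mirroring the thread's describe-images result.
SAMPLE=$(printf '/dev/sda1\tFalse\n/dev/xvda\tFalse\n/dev/xvdb\tTrue\n/dev/sdb\tNone\n/dev/sdc\tNone\n')

if [ -n "${AMI_ID:-}" ]; then
  check_encrypted "$(fetch_mappings "$AMI_ID")" "/dev/xvdb"
else
  check_encrypted "$SAMPLE" "/dev/xvdb"
fi
```

Run it with AMI_ID set after `packer build`; a non-zero exit is the signal that the template's `encrypted: true` did not take effect, as in the first post.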

Derek the DevOps guy
May 29, 2018, 5:15:15 PM
to Packer

Hi Rickard,

Thanks for the help.

I was able to do a build with your script and obtain the same results with the aws ec2 describe-images command.

However, when I launch a VM using the AMI, I don't see the encrypted volume mounted. I'm trying to figure out how to have it come up with the volume mounted and ready to go. Here's what I'm finding:

ubuntu@ip-10-0-44-64:~$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            488M     0  488M   0% /dev
tmpfs           100M  3.0M   97M   3% /run
/dev/xvda1      7.7G 1019M  6.7G  13% /
tmpfs           496M     0  496M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           496M     0  496M   0% /sys/fs/cgroup
tmpfs           100M     0  100M   0% /run/user/1000
ubuntu@ip-10-0-44-64:~$ dmesg | grep xvd
               from /dev/hd[a-d] to /dev/xvd[a-d]
[    4.602437] blkfront: xvda: barrier or flush: disabled; persistent grants: disabled; indirect descriptors: enabled;
[    4.679728]  xvda: xvda1
[    5.146870] blkfront: xvdb: barrier or flush: disabled; persistent grants: disabled; indirect descriptors: enabled;
[   15.926559] EXT4-fs (xvda1): mounted filesystem with ordered data mode. Opts: (null)
[   18.770055] EXT4-fs (xvda1): re-mounted. Opts: discard
ubuntu@ip-10-0-44-64:~$ sudo lsblk
sudo: unable to resolve host ip-10-0-44-64
NAME    MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   8G  0 disk
└─xvda1 202:1    0   8G  0 part /
xvdb    202:16   0   8G  0 disk
ubuntu@ip-10-0-44-64:~$


Derek

Rickard von Essen
May 30, 2018, 4:14:17 AM
to packe...@googlegroups.com

I think you need to format the EBS and create an entry in fstab either at image build (with Packer) or at instance launch (when you use the image to launch an instance). You can do the former in provisioning in Packer or you could do both with cloud-init, see http://cloudinit.readthedocs.io/en/latest/topics/examples.html#disk-setup

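The "format at image build" option from the reply above, as an added example that is not code from the thread or from Packer: a shell provisioner script that formats the data volume only when it has no filesystem yet, mounts it by UUID through fstab with `nofail` so a missing volume cannot leave the instance unbootable, and is safe to re-run. It assumes the device is /dev/xvdb as in the thread, the mount point /data and ext4; the DATA_* variables and RUN_DATA_VOLUME_SETUP switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): Packer shell provisioner, run as root,
# that prepares the encrypted data volume so launched instances mount it at boot.
# Assumptions: data device /dev/xvdb (as in the thread), mount point /data, ext4.
set -eu

DATA_DEV="${DATA_DEV:-/dev/xvdb}"
DATA_MNT="${DATA_MNT:-/data}"
DATA_FS="${DATA_FS:-ext4}"

# fstab_line UUID MOUNTPOINT FSTYPE -> one fstab entry. Mount by UUID, not by
# /dev/xvdb, because device names can change between instance types; nofail keeps
# the instance bootable (and reachable over SSH) if the volume is absent or late.
fstab_line() {
  printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$1" "$2" "$3"
}

# ensure_fstab_entry FSTAB UUID MOUNTPOINT FSTYPE: append the entry only if no
# line for that UUID exists, so re-running the provisioner stays idempotent.
# Returns 0 when it appended, 1 when the entry was already there.
ensure_fstab_entry() {
  if grep -q "^UUID=$2 " "$1" 2>/dev/null; then
    return 1
  fi
  fstab_line "$2" "$3" "$4" >> "$1"
}

# setup_data_volume: the real work; needs root and the block device attached.
setup_data_volume() {
  # Format only when the device carries no filesystem yet; never wipe data.
  if [ -z "$(blkid -s TYPE -o value "$DATA_DEV" || true)" ]; then
    mkfs -t "$DATA_FS" "$DATA_DEV"
  fi
  uuid=$(blkid -s UUID -o value "$DATA_DEV")
  mkdir -p "$DATA_MNT"
  ensure_fstab_entry /etc/fstab "$uuid" "$DATA_MNT" "$DATA_FS" || true
  mount -a
  # Sanity check: fail the build if the mount point did not come up.
  mountpoint -q "$DATA_MNT"
}

# Only touch the system when explicitly asked (from the Packer provisioner);
# sourcing the file for its helpers then has no side effects.
if [ "${RUN_DATA_VOLUME_SETUP:-0}" = "1" ]; then
  setup_data_volume
fi
```

Pass the switch through the shell provisioner's `environment_vars` (`RUN_DATA_VOLUME_SETUP=1`) and prefix the provisioner's `execute_command` with `sudo` so the script runs as root.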