How to effect logout/login for i.e. Linux group modification


Brett Russ

Jan 12, 2016, 6:20:34 PM
to Packer
I've been struggling to get a group modification (via 'lgroupmod') for the user packer is using to login to an AWS instance to take effect for later provisioning. I've made the group mod in one shell provisioner and expected it to take effect in later shell provisioners, because I thought each unique shell block would initiate a new ssh and login, thus making the change take effect.

Here's the simplified JSON test case:

{
    "builders": [{
        "type":                  "amazon-ebs",
        "access_key":            "{{user `aws_access_key`}}",
        "secret_key":            "{{user `aws_secret_key`}}",
        "region":                "{{user `aws_region`}}",
        "source_ami":            "{{user `aws_source_ami`}}",
        "instance_type":         "{{user `aws_instance_type`}}",
        "ssh_username":          "{{user `aws_ssh_username`}}",
        "ssh_keypair_name":      "{{user `aws_deploy_key`}}",
        "ssh_private_key_file":  "{{user `ssh_key_file`}}",
        "ami_name":              "{{user `aws_ami_name`}}",
        "subnet_id":             "{{user `aws_subnet_id`}}",
        "vpc_id":                "{{user `aws_vpc_id`}}",
        "security_group_id":     "{{user `aws_security_group`}}",
        "ssh_pty":               "true",

        "launch_block_device_mappings": [{
            "device_name":           "/dev/sda1",
            "volume_size":           "100",
            "delete_on_termination": "true"
        }]
    }],

    "provisioners": [
        {
            "type": "shell",
            "inline": [
                "sudo groupadd testgroup 2>&1 | tee -a /tmp/tg.out",
                "sudo lgroupmod -M centos testgroup 2>&1 | tee -a /tmp/tg.out"
            ]
        },
        {
            "type": "shell",
            "inline_shebang": "/usr/bin/bash -lex",
            "inline": [
                "grep testgroup /etc/group 2>&1 | tee -a /tmp/tg.out",
                "groups 2>&1 | tee -a /tmp/tg.out"
            ]
        }
    ]
}

The output in /tmp/tg.out of running the above (which is all from the second shell) is:

[centos@ip-10-100-26-228 ~]$ cat /tmp/tg.out
testgroup:x:1001:centos
centos adm wheel systemd-journal

As shown, the key problem here is the centos user, which is used by packer to login to the instance, never has its group membership in 'testgroup' established for the life of the packer builder.

I've tried putting the second shell calls in other scripts with '#!/usr/bin/bash -l' to invoke a login shell, I've tried doing it with the provisioner's shebang argument as above, but nothing seems to actually cause a new/fresh ssh login that would show the group membership.

I have full output captured if it's useful but at this point maybe it's not needed if I'm missing something essential or perhaps this isn't possible with packer?

I've looked at related conversations without seeing a clear answer:
https://groups.google.com/forum/#!searchin/packer-tool/login/packer-tool/tbETccmKk-A/Vj06LvOpbnsJ
https://groups.google.com/forum/#!topic/packer-tool/hWKdjEj4izo

Thanks in advance,
Brett

Brett Russ

Jan 12, 2016, 6:55:30 PM
to Packer
On Tuesday, January 12, 2016 at 6:20:34 PM UTC-5, Brett Russ wrote:
I've tried putting the second shell calls in other scripts with '#!/usr/bin/bash -l' to invoke a login shell, I've tried doing it with the provisioner's shebang argument as above, but nothing seems to actually cause a new/fresh ssh login that would show the group membership.

Also I've tried:
  1. Putting 'exec sudo su -l $USER' to force a passwordless relogin after the lgroupmod but the exec seemed to break Packer's connection with the instance.
  2. Disabling the ssh_pty builder option in case that was somehow related but that broke sudo usage (b/c requiretty is set for sudo).


Alvaro Miranda Aguilera

Jan 14, 2016, 12:29:57 AM
to packe...@googlegroups.com
Hello,

The ssh session I believe is reused, so the best will be to do a reboot.

I have added 2 lines, 1 for reboot, other for pause_before

I can understand the reboot is not required or may sound like too much, so you could potentially try `exit` at the end of the first block and see if that works.



    "provisioners": [
        {
            "type": "shell",
            "inline": [
                "sudo groupadd testgroup 2>&1 | tee -a /tmp/tg.out",
                "sudo lgroupmod -M centos testgroup 2>&1 | tee -a /tmp/tg.out",
                "sudo reboot"
            ]
        },
        {
            "type": "shell",
            "pause_before": "5s",
            "inline": [
                "grep testgroup /etc/group 2>&1 | tee -a /tmp/tg.out",
                "groups 2>&1 | tee -a /tmp/tg.out"
            ]
        }
    ]

Alvaro.

Brett Russ

Jan 14, 2016, 1:44:07 PM
to Packer
On Thursday, January 14, 2016 at 12:29:57 AM UTC-5, Alvaro Miranda Aguilera wrote:
The ssh session I believe is reused, so the best will be to do a reboot.
I can understand the reboot is not required or may sound like too much, so you could potentially try `exit` at the end of the first block and see if that works.

Thank you! This heavy hammer solved the problem. I'm surprised there isn't an option to force a new ssh/shell to be used.
-Brett

Mike Lippert

Nov 14, 2020, 3:12:58 PM
to Packer
I had the same question about logout/login to get new group credentials for the user.
I can certainly go the reboot route, but this was asked over 4 years ago, and it's the only discussion about this I was able to find so I thought I'd check if anything had changed.
Thanks

dragon788

Nov 15, 2020, 2:25:16 PM
to Packer
You can technically use `newgrp groupName` but that spawns an additional subshell rather than modifying your current shell, so it doesn't work for everything, and if you have other processes that were running from the main shell process they won't get the new membership either.

Mike Lippert

Nov 17, 2020, 11:07:25 AM
to Packer
Thanks for another possible workaround, and for the update that there hasn't been any facility added to the Packer shell provisioner to logout and log back in since this question was first asked and answered in 2016.
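
Added example (not part of the thread, and not Packer's own code): a shell check that compares the local group file with the groups the running session actually holds, which is the mismatch shown in /tmp/tg.out above. The function names are hypothetical, the sample data is constructed, and only the local group file is read, so groups served through LDAP or other NSS sources are not covered.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print each group that GROUP_FILE grants USER as a supplementary member
# but that is missing from ACTIVE (space-separated names, e.g. `id -Gn`).
missing_groups() {
    user=$1 group_file=$2 active=$3
    awk -F: -v user="$user" -v active="$active" '
        BEGIN {
            n = split(active, a, " ")
            for (i = 1; i <= n; i++) have[a[i]] = 1
        }
        {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++)
                if (members[i] == user && !($1 in have)) print $1
        }
    ' "$group_file"
}

# Guard for a provisioning step: fail early when this session's
# credentials predate a change to the local group database.
check_session() {
    stale=$(missing_groups "$(id -un)" /etc/group "$(id -Gn)")
    [ -z "$stale" ] && return 0
    echo "session lacks groups granted in /etc/group:" $stale >&2
    return 1
}

# Constructed sample mirroring the thread: /etc/group already lists centos
# in testgroup, but the session's group list was fixed at login.
sample=$(mktemp)
printf '%s\n' 'adm:x:4:centos' 'wheel:x:10:centos' \
    'testgroup:x:1001:centos' > "$sample"
missing_groups centos "$sample" "centos adm wheel systemd-journal"
rm -f "$sample"
```

Calling `check_session` at the top of a later provisioner script turns a silently missing group into an explicit failure instead of a permission error further down.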