Feature/aws ami docker support #11
Conversation
To keep the packer template clear the installation of nomad and the consul was moved into a separate shell script.
Added support for Docker for the Amazon Linux and Ubuntu16 AMI creation in conjunction with the usage of the AWS ECR ( private repository ). WARNING: Using AWS credentials inside the AMI.
There was a problem hiding this comment.
Thanks for the PR. I assume your goal here is to show how to create Nomad client nodes that have Docker installed so Nomad can run Docker containers on them? If so, I think that's a great idea, but please update the appropriate READMEs with this information!
Amazon Linux with Docker support was verified, Ubuntu16 not.
Please test both. Installing Docker on Ubuntu can be a bit quirky :)
| @@ -0,0 +1,3 @@ | |||
| [default] | |||
| aws_access_key_id = TODO_ADD_YOUR_KEY_HERE | |||
| aws_secret_access_key = TODO_ADD_YOUR_SECRET_HERE | |||
There was a problem hiding this comment.
I know this is just example code, but I don't want to encourage users storing their secrets in plain text and copying them to a server. It's not a good pattern to follow. A better pattern to follow is to create an IAM role with ECR permissions and to attach that IAM role to the server (I believe the ECR cred helper supports this just fine).
There was a problem hiding this comment.
Indeed this is not the recommended production safe way. This approach was chosen for simplicity.
To adapt this to more secure way this will take some more time to update the approach and an increased configuration effort for the user. For testing nomad it might be acceptable. But nevertheless this security hole should be mentioned in the documentation.
There was a problem hiding this comment.
To adapt this to more secure way this will take some more time to update the approach and an increased configuration effort for the user
You can make it part of the example code directly! You just attach ECR permissions to the IAM role of the Nomad client servers. It's actually much easier for the user this way, and there is no security hole.
There was a problem hiding this comment.
What do you think about adding this module to do the trick?
https://github.com/cloudposse/terraform-aws-ecr
There was a problem hiding this comment.
Interesting find. It seems to do a bit more than we need though. All we really want is an IAM role to read from ECR, right?
There was a problem hiding this comment.
It depends on the scope and the predefined environment. Since this terraform module does not provide an AWS ECR preconfiguration the user is in charge to provide or create one. When you start from scratch it could be convenient to include the batteries, but it will also enlarge the example.
Maybe it is the best to remove the AWS ECR support from this PR and create a second PR. Most important at the moment is the docker support.
There was a problem hiding this comment.
Sure, handling ECR in a separate PR makes sense.
| }, | ||
| { | ||
| "ami_name": "nomad-consul-amazon-linux-{{isotime | clean_ami_name}}", | ||
| "ami_description": "An Amazon Linux AMI that has Nomad and Consul installed.", |
There was a problem hiding this comment.
The names and descriptions of both of these should be updated to indicate Docker is installed too
There was a problem hiding this comment.
| { | ||
| "type": "file", | ||
| "source": "setup_ubuntu16.sh", | ||
| "destination": "/tmp/", |
There was a problem hiding this comment.
Why use the file provisioner to copy this script rather using the script provisioner to execute it directly? Same goes for the same pattern below.
There was a problem hiding this comment.
This way was chosen since the content of the script section for packer became hardly readable. Since the script has to be execute on the machine it needs to be copied before.
Is there a more easy way to do this directly in the script section directly?
There was a problem hiding this comment.
Yes, use the script parameter: https://www.packer.io/docs/provisioners/shell.html#script
There was a problem hiding this comment.
It both uploads a script file and executes it.
There was a problem hiding this comment.
This issue was solved with commit:
.REFACTOR script usage, call the provided script directly (#632a73e)
| "only": [ | ||
| "amazon-linux-ami" | ||
| ] | ||
| }, |
There was a problem hiding this comment.
Per my comment above, this should be done using an IAM role at run time rather than hard-coded, plaintext credentials at build time.
| "type": "shell", | ||
| "environment_vars": [ "NOMAD_VERSION={{user `nomad_version`}}", | ||
| "CONSUL_VERSION={{user `consul_version`}}", | ||
| "CONSUL_MODULE_VERSION={{user `consul_module_version`}}"], |
There was a problem hiding this comment.
JSON formatting puts the square brackets on their own lines.
There was a problem hiding this comment.
|
|
||
| # NOTE: git is already preinstalled | ||
| #echo "[INFO] [${SCRIPT}] Setup git" | ||
| #sudo apt install -y git |
There was a problem hiding this comment.
This was kept for convenience since it is a real dependency it should be made visible.
There was a problem hiding this comment.
Fair enough. Could you update the comment to say "Note: git is required, but it should already be preinstalled on Ubuntu 16.0"
|
Updated initial PR request TEST comment after verification. Ubuntu16 is working as well. |
|
Sorry for the long delay in providing updates to this PR. Sadly at the moment I am to busy to work on this. I will have a look at it again in the middle of November. |
AWS ECR support was removed because it is a securtiy flaw to add the AWS credentials into the AMI directly. This feature will be reintergrated later using AWS IAM roles instead.
|
UPDATED:
|
| }, | ||
| { | ||
| "type": "file", | ||
| "source": "setup_nomad_consul.sh", |
There was a problem hiding this comment.
Why in this Packer template are you copying the script to the server and running it from /tmp, whereas in the above you are just executing it directly using the script keyword? We should stick with one approach for consistency and it seems like the latter is simpler.
| "provisioners": [ | ||
| { | ||
| "type": "shell", | ||
| "script": "setup_ubuntu16.sh", |
There was a problem hiding this comment.
Please use {{template_dir}} so the paths work, even if you're running Packer from a different folder.
| }, | ||
| { | ||
| "type": "shell", | ||
| "script": "setup_amazon-linux.sh", |
There was a problem hiding this comment.
Please use {{template_dir}} so the paths work, even if you're running Packer from a different folder.
| "CONSUL_VERSION={{user `consul_version`}}", | ||
| "CONSUL_MODULE_VERSION={{user `consul_module_version`}}" | ||
| ], | ||
| "script": "setup_nomad_consul.sh" |
There was a problem hiding this comment.
Please use {{template_dir}} so the paths work, even if you're running Packer from a different folder.
EXTENSION: AWS AMI Creation with Docker support
The current solution only allows to create AMIs with nomad and consul preinstalled, docker support is missing. This PR adds this for the already supported Amazon Linux and Ubuntu16 AMIs.
NEW: Putting Docker installation routine into the packer script.
REFACTOR: Image setup routine to make the packer script more readable
-> Extracted setup commands into separate scripts.
TEST: Amazon Linux and Ubuntu16 with Docker support were verified.