2013-07-31 01:17:58 -04:00
|
|
|
---
|
2017-06-14 21:04:16 -04:00
|
|
|
description: |
|
2018-10-26 20:02:51 -04:00
|
|
|
The amazon-chroot Packer builder is able to create Amazon AMIs backed by an EBS
|
|
|
|
volume as the root device. For more information on the difference between
|
2017-06-14 21:04:16 -04:00
|
|
|
instance storage and EBS-backed instances, storage for the root device section
|
|
|
|
in the EC2 documentation.
|
2015-07-22 22:31:00 -04:00
|
|
|
layout: docs
|
2017-06-14 21:04:16 -04:00
|
|
|
page_title: 'Amazon chroot - Builders'
|
|
|
|
sidebar_current: 'docs-builders-amazon-chroot'
|
2016-09-04 15:15:01 -04:00
|
|
|
---
|
2013-07-31 01:17:58 -04:00
|
|
|
|
|
|
|
# AMI Builder (chroot)
|
|
|
|
|
|
|
|
Type: `amazon-chroot`
|
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
The `amazon-chroot` Packer builder is able to create Amazon AMIs backed by an
|
|
|
|
EBS volume as the root device. For more information on the difference between
|
|
|
|
instance storage and EBS-backed instances, see the ["storage for the root
|
|
|
|
device" section in the EC2
|
2016-01-14 15:31:19 -05:00
|
|
|
documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html#storage-for-the-root-device).
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
The difference between this builder and the `amazon-ebs` builder is that this
|
2018-10-26 20:02:51 -04:00
|
|
|
builder is able to build an EBS-backed AMI without launching a new EC2
|
|
|
|
instance. This can dramatically speed up AMI builds for organizations who need
|
|
|
|
the extra fast build.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2019-02-11 14:40:56 -05:00
|
|
|
\~> **This is an advanced builder** If you're just getting started with
|
2015-07-22 22:31:00 -04:00
|
|
|
Packer, we recommend starting with the [amazon-ebs
|
|
|
|
builder](/docs/builders/amazon-ebs.html), which is much easier to use.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
The builder does *not* manage AMIs. Once it creates an AMI and stores it in
|
|
|
|
your account, it is up to you to use, delete, etc., the AMI.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
|
|
|
## How Does it Work?
|
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
This builder works by creating a new EBS volume from an existing source AMI and
|
|
|
|
attaching it into an already-running EC2 instance. Once attached, a
|
2016-01-14 15:31:19 -05:00
|
|
|
[chroot](https://en.wikipedia.org/wiki/Chroot) is used to provision the system
|
2018-10-26 20:02:51 -04:00
|
|
|
within that volume. After provisioning, the volume is detached, snapshotted,
|
|
|
|
and an AMI is made.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
Using this process, minutes can be shaved off the AMI creation process because
|
|
|
|
a new EC2 instance doesn't need to be launched.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
There are some restrictions, however. The host EC2 instance where the volume is
|
|
|
|
attached to must be a similar system (generally the same OS version, kernel
|
|
|
|
versions, etc.) as the AMI being built. Additionally, this process is much more
|
2018-10-26 20:02:51 -04:00
|
|
|
expensive because the EC2 instance must be kept running persistently in order
|
|
|
|
to build AMIs, whereas the other AMI builders start instances on-demand to
|
|
|
|
build AMIs as needed.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
|
|
|
## Configuration Reference
|
|
|
|
|
|
|
|
There are many configuration options available for the builder. They are
|
|
|
|
segmented below into two categories: required and optional parameters. Within
|
|
|
|
each category, the available configuration keys are alphabetized.
|
|
|
|
|
2014-05-04 13:47:40 -04:00
|
|
|
### Required:
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `access_key` (string) - The access key used to communicate with AWS. [Learn
|
2018-10-18 19:09:49 -04:00
|
|
|
how to set this](/docs/builders/amazon.html#specifying-amazon-credentials)
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_name` (string) - The name of the resulting AMI that will appear when
|
|
|
|
managing AMIs in the AWS console or via APIs. This must be unique. To help
|
|
|
|
make this unique, use a function like `timestamp` (see [template
|
2018-10-18 19:09:49 -04:00
|
|
|
engine](/docs/templates/engine.html) for more info).
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `secret_key` (string) - The secret key used to communicate with AWS. [Learn
|
2018-10-18 19:09:49 -04:00
|
|
|
how to set this](/docs/builders/amazon.html#specifying-amazon-credentials)
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `source_ami` (string) - The source AMI whose root volume will be copied and
|
2018-10-26 20:02:51 -04:00
|
|
|
provisioned on the currently running instance. This must be an EBS-backed
|
|
|
|
AMI with a root volume snapshot that you have access to. Note: this is not
|
|
|
|
used when `from_scratch` is set to `true`.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2014-05-04 13:47:40 -04:00
|
|
|
### Optional:
|
2014-04-10 08:16:31 -04:00
|
|
|
|
2019-05-07 19:38:55 -04:00
|
|
|
- `ami_architecture` (string) - what architecture to use when registering the
|
|
|
|
final AMI; valid options are "x86_64" or "arm64". Defaults to "x86_64".
|
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `ami_description` (string) - The description to set for the resulting
|
|
|
|
AMI(s). By default this description is empty. This is a [template
|
|
|
|
engine](/docs/templates/engine.html), see [Build template
|
|
|
|
data](#build-template-data) for more information.
|
2013-08-09 01:57:22 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_groups` (array of strings) - A list of groups that have access to
|
2015-07-22 23:25:58 -04:00
|
|
|
launch the resulting AMI(s). By default no groups have permission to launch
|
|
|
|
the AMI. `all` will make the AMI publicly accessible.
|
2013-08-09 01:57:22 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_product_codes` (array of strings) - A list of product codes to
|
2018-10-26 20:02:51 -04:00
|
|
|
associate with the AMI. By default no product codes are associated with the
|
|
|
|
AMI.
|
2013-08-09 01:57:22 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_regions` (array of strings) - A list of regions to copy the AMI to.
|
2015-07-22 23:25:58 -04:00
|
|
|
Tags and attributes are copied along with the AMI. AMI copying takes time
|
|
|
|
depending on the size of the AMI, but will generally take many minutes.
|
2013-08-22 18:20:44 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_users` (array of strings) - A list of account IDs that have access to
|
2018-10-26 20:02:51 -04:00
|
|
|
launch the resulting AMI(s). By default no additional users other than the
|
|
|
|
user creating the AMI has permissions to launch it.
|
2013-08-09 01:57:22 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_virtualization_type` (string) - The type of virtualization for the AMI
|
2015-07-22 23:25:58 -04:00
|
|
|
you are building. This option is required to register HVM images. Can be
|
2018-10-18 19:09:49 -04:00
|
|
|
`paravirtual` (default) or `hvm`.
|
2014-05-04 13:47:40 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `chroot_mounts` (array of array of strings) - This is a list of devices to
|
|
|
|
mount into the chroot environment. This configuration parameter requires
|
|
|
|
some additional documentation which is in the [Chroot
|
|
|
|
Mounts](#Chroot%20Mounts) section. Please read that section for more
|
|
|
|
information on how to use this.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `command_wrapper` (string) - How to run shell commands. This defaults to
|
2016-09-04 15:15:01 -04:00
|
|
|
`{{.Command}}`. This may be useful to set if you want to set environmental
|
|
|
|
variables or perhaps run it with `sudo` or so on. This is a configuration
|
2018-10-26 20:02:51 -04:00
|
|
|
template where the `.Command` variable is replaced with the command to be
|
|
|
|
run. Defaults to `{{.Command}}`.
|
2014-05-04 13:47:40 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `copy_files` (array of strings) - Paths to files on the running EC2
|
|
|
|
instance that will be copied into the chroot environment prior to
|
|
|
|
provisioning. Defaults to `/etc/resolv.conf` so that DNS lookups work. Pass
|
|
|
|
an empty list to skip copying `/etc/resolv.conf`. You may need to do this
|
|
|
|
if you're building an image that uses systemd.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-10-16 16:27:26 -04:00
|
|
|
- `custom_endpoint_ec2` (string) - This option is useful if you use a cloud
|
|
|
|
provider whose API is compatible with aws EC2. Specify another endpoint
|
|
|
|
like this `https://ec2.custom.endpoint.com`.
|
2017-05-17 13:33:57 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `decode_authorization_messages` (boolean) - Enable automatic decoding of
|
|
|
|
any encoded authorization (error) messages using the
|
|
|
|
`sts:DecodeAuthorizationMessage` API. Note: requires that the effective
|
|
|
|
user/role have permissions to `sts:DecodeAuthorizationMessage` on resource
|
|
|
|
`*`. Default `false`.
|
2017-10-02 16:12:42 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `device_path` (string) - The path to the device where the root volume of
|
|
|
|
the source AMI will be attached. This defaults to "" (empty string), which
|
2015-07-22 23:25:58 -04:00
|
|
|
forces Packer to find an open device automatically.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `ena_support` (boolean) - Enable enhanced networking (ENA but not
|
|
|
|
SriovNetSupport) on HVM-compatible AMIs. If set, add
|
|
|
|
`ec2:ModifyInstanceAttribute` to your AWS IAM policy. If false, this will
|
|
|
|
disable enhanced networking in the final AMI as opposed to passing the
|
|
|
|
setting through unchanged from the source. Note: you must make sure
|
|
|
|
enhanced networking is enabled on your instance. See [Amazon's
|
|
|
|
documentation on enabling enhanced
|
2018-10-18 06:42:08 -04:00
|
|
|
networking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html#enabling_enhanced_networking).
|
2017-08-29 12:36:06 -04:00
|
|
|
|
2019-05-07 19:38:55 -04:00
|
|
|
- `encrypt_boot` (boolean) - Whether or not to encrypt the resulting AMI when
|
|
|
|
copying a provisioned instance to an AMI. By default, Packer will keep the
|
2018-11-26 05:33:44 -05:00
|
|
|
encryption setting to what it was in the source image. Setting `false` will
|
|
|
|
result in an unencrypted image, and `true` will result in an encrypted one.
|
2018-10-23 11:56:15 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `force_deregister` (boolean) - Force Packer to first deregister an existing
|
2016-10-26 23:36:35 -04:00
|
|
|
AMI if one with the same name already exists. Default `false`.
|
2015-06-15 11:01:32 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `force_delete_snapshot` (boolean) - Force Packer to delete snapshots
|
|
|
|
associated with AMIs, which have been deregistered by `force_deregister`.
|
|
|
|
Default `false`.
|
2017-02-26 20:49:33 -05:00
|
|
|
|
2019-02-11 14:40:56 -05:00
|
|
|
- `insecure_skip_tls_verify` (boolean) - This allows skipping TLS
|
|
|
|
verification of the AWS EC2 endpoint. The default is `false`.
|
2017-10-31 19:32:03 -04:00
|
|
|
|
2019-05-29 09:10:00 -04:00
|
|
|
- `kms_key_id` (string) - ID, alias or ARN of the KMS key to use for boot
|
|
|
|
volume encryption. This only applies to the main `region`, other regions
|
|
|
|
where the AMI will be copied will be encrypted by the default EBS KMS key.
|
|
|
|
For valid formats see *KmsKeyId* in the [AWS API docs -
|
|
|
|
CopyImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html).
|
|
|
|
This field is validated by Packer, when using an alias, you will have to
|
|
|
|
prefix `kms_key_id` with `alias/`.
|
2017-02-26 20:54:42 -05:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `from_scratch` (boolean) - Build a new volume instead of starting from an
|
2018-10-26 20:02:51 -04:00
|
|
|
existing AMI root volume snapshot. Default `false`. If `true`, `source_ami`
|
|
|
|
is no longer used and the following options become required:
|
2016-09-04 15:15:01 -04:00
|
|
|
`ami_virtualization_type`, `pre_mount_commands` and `root_volume_size`. The
|
2016-09-03 15:06:40 -04:00
|
|
|
below options are also required in this mode only:
|
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `ami_block_device_mappings` (array of block device mappings) - Add one or
|
2018-10-26 20:02:51 -04:00
|
|
|
more [block device
|
|
|
|
mappings](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html)
|
2017-01-18 00:32:18 -05:00
|
|
|
to the AMI. These will be attached when booting a new instance from your
|
2019-03-11 14:40:49 -04:00
|
|
|
AMI. If this field is populated, and you are building from an existing source image,
|
|
|
|
the block device mappings in the source image will be overwritten. This means you
|
|
|
|
must have a block device mapping entry for your root volume, `root_volume_size `,
|
|
|
|
and `root_device_name`. `Your options here may vary depending on the type of VM
|
|
|
|
you use. The block device mappings allow for the following configuration:
|
2016-10-26 23:36:35 -04:00
|
|
|
|
2019-05-17 16:48:49 -04:00
|
|
|
<%= partial "partials/builders/aws-common-block-device-a-i" %>
|
2016-11-15 22:55:59 -05:00
|
|
|
|
2018-01-12 17:48:18 -05:00
|
|
|
- `kms_key_id` (string) - The ARN for the KMS encryption key. When
|
2018-10-26 20:02:51 -04:00
|
|
|
specifying `kms_key_id`, `encrypted` needs to be set to `true`. For
|
|
|
|
valid formats see *KmsKeyId* in the [AWS API docs -
|
|
|
|
CopyImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html).
|
2018-01-12 17:48:18 -05:00
|
|
|
|
2019-05-17 16:48:49 -04:00
|
|
|
<%= partial "partials/builders/aws-common-block-device-i-v" %>
|
2018-10-26 20:02:51 -04:00
|
|
|
|
|
|
|
- `region_kms_key_ids` (map of strings) - a map of regions to copy the ami
|
|
|
|
to, along with the custom kms key id (alias or arn) to use for encryption
|
|
|
|
for that region. Keys must match the regions provided in `ami_regions`. If
|
|
|
|
you just want to encrypt using a default ID, you can stick with
|
|
|
|
`kms_key_id` and `ami_regions`. If you want a region to be encrypted with
|
|
|
|
that region's default key ID, you can use an empty string `""` instead of a
|
|
|
|
key id in this map. (e.g. `"us-east-1": ""`) However, you cannot use
|
|
|
|
default key IDs if you are using this in conjunction with `snapshot_users`
|
|
|
|
-- in that situation you must use custom keys. For valid formats see
|
|
|
|
*KmsKeyId* in the [AWS API docs -
|
|
|
|
CopyImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html).
|
2017-06-01 12:28:17 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `root_device_name` (string) - The root device name. For example, `xvda`.
|
2016-09-03 15:06:40 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `mfa_code` (string) - The MFA
|
|
|
|
[TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
|
|
|
|
code. This should probably be a user variable since it changes all the
|
|
|
|
time.
|
2017-06-12 20:16:27 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `mount_path` (string) - The path where the volume will be mounted. This is
|
2015-07-22 23:25:58 -04:00
|
|
|
where the chroot environment will be. This defaults to
|
2018-10-26 20:02:51 -04:00
|
|
|
`/mnt/packer-amazon-chroot-volumes/{{.Device}}`. This is a configuration
|
|
|
|
template where the `.Device` variable is replaced with the name of the
|
|
|
|
device where the volume is attached.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `mount_partition` (string) - The partition number containing the /
|
|
|
|
partition. By default this is the first partition of the volume, (for
|
2018-04-25 13:47:52 -04:00
|
|
|
example, `xvda1`) but you can designate the entire block device by setting
|
|
|
|
`"mount_partition": "0"` in your config, which will mount `xvda` instead.
|
2016-01-06 14:35:01 -05:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `mount_options` (array of strings) - Options to supply the `mount` command
|
2015-07-22 23:25:58 -04:00
|
|
|
when mounting devices. Each option will be prefixed with `-o` and supplied
|
|
|
|
to the `mount` command ran by Packer. Because this command is ran in a
|
2017-10-04 17:25:31 -04:00
|
|
|
shell, user discretion is advised. See [this manual page for the mount
|
2015-07-22 23:25:58 -04:00
|
|
|
command](http://linuxcommand.org/man_pages/mount8.html) for valid file
|
2018-10-18 19:09:49 -04:00
|
|
|
system specific options.
|
2015-06-23 12:31:43 -04:00
|
|
|
|
2018-05-23 12:58:15 -04:00
|
|
|
- `nvme_device_path` (string) - When we call the mount command (by default
|
|
|
|
`mount -o device dir`), the string provided in `nvme_mount_path` will
|
|
|
|
replace `device` in that command. When this option is not set, `device` in
|
|
|
|
that command will be something like `/dev/sdf1`, mirroring the attached
|
|
|
|
device name. This assumption works for most instances but will fail with c5
|
|
|
|
and m5 instances. In order to use the chroot builder with c5 and m5
|
2018-05-23 16:34:56 -04:00
|
|
|
instances, you must manually set `nvme_device_path` and `device_path`.
|
2018-05-23 12:58:15 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `pre_mount_commands` (array of strings) - A series of commands to execute
|
2016-09-04 15:15:01 -04:00
|
|
|
after attaching the root volume and before mounting the chroot. This is not
|
|
|
|
required unless using `from_scratch`. If so, this should include any
|
|
|
|
partitioning and filesystem creation commands. The path to the device is
|
2016-09-03 15:06:40 -04:00
|
|
|
provided by `{{.Device}}`.
|
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `profile` (string) - The profile to use in the shared credentials file for
|
2017-06-14 19:45:18 -04:00
|
|
|
AWS. See Amazon's documentation on [specifying
|
|
|
|
profiles](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-profiles)
|
|
|
|
for more details.
|
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `post_mount_commands` (array of strings) - As `pre_mount_commands`, but the
|
2016-09-03 15:06:40 -04:00
|
|
|
commands are executed after mounting the root device and before the extra
|
2016-09-04 15:15:01 -04:00
|
|
|
mount and copy steps. The device and mount path are provided by
|
2016-09-03 15:06:40 -04:00
|
|
|
`{{.Device}}` and `{{.MountPath}}`.
|
|
|
|
|
2017-10-16 14:23:33 -04:00
|
|
|
- `root_volume_size` (number) - The size of the root volume in GB for the
|
2016-10-27 00:20:45 -04:00
|
|
|
chroot environment and the resulting AMI. Default size is the snapshot size
|
2018-10-26 20:02:51 -04:00
|
|
|
of the `source_ami` unless `from_scratch` is `true`, in which case this
|
|
|
|
field must be defined.
|
2015-06-23 11:52:42 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `root_volume_type` (string) - The type of EBS volume for the chroot
|
|
|
|
environment and resulting AMI. The default value is the type of the
|
|
|
|
`source_ami`, unless `from_scratch` is `true`, in which case the default
|
|
|
|
value is `gp2`. You can only specify `io1` if building based on top of a
|
|
|
|
`source_ami` which is also `io1`.
|
2018-09-04 20:01:54 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `root_volume_tags` (object of key/value strings) - Tags to apply to the
|
|
|
|
volumes that are *launched*. This is a [template
|
|
|
|
engine](/docs/templates/engine.html), see [Build template
|
|
|
|
data](#build-template-data) for more information.
|
2018-07-20 02:04:49 -04:00
|
|
|
|
2018-10-18 19:09:49 -04:00
|
|
|
- `skip_region_validation` (boolean) - Set to `true` if you want to skip
|
2016-10-26 23:36:35 -04:00
|
|
|
validation of the `ami_regions` configuration option. Default `false`.
|
2016-06-06 14:45:22 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `snapshot_tags` (object of key/value strings) - Tags to apply to snapshot.
|
2017-01-10 08:47:53 -05:00
|
|
|
They will override AMI tags if already applied to snapshot. This is a
|
2018-10-26 20:02:51 -04:00
|
|
|
[template engine](/docs/templates/engine.html), see [Build template
|
|
|
|
data](#build-template-data) for more information.
|
2016-12-02 03:49:21 -05:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `snapshot_groups` (array of strings) - A list of groups that have access to
|
2018-10-26 20:02:51 -04:00
|
|
|
create volumes from the snapshot(s). By default no groups have permission
|
|
|
|
to create volumes from the snapshot(s). `all` will make the snapshot
|
|
|
|
publicly accessible.
|
2016-12-02 03:49:21 -05:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `snapshot_users` (array of strings) - A list of account IDs that have
|
|
|
|
access to create volumes from the snapshot(s). By default no additional
|
|
|
|
users other than the user creating the AMI has permissions to create
|
|
|
|
volumes from the backing snapshot(s).
|
2016-12-02 03:49:21 -05:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `source_ami_filter` (object) - Filters used to populate the `source_ami`
|
|
|
|
field. Example:
|
2016-11-30 06:32:46 -05:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
``` json
|
2016-10-01 18:27:48 -04:00
|
|
|
"source_ami_filter": {
|
2017-03-25 18:13:52 -04:00
|
|
|
"filters": {
|
|
|
|
"virtualization-type": "hvm",
|
2017-09-05 20:20:48 -04:00
|
|
|
"name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
|
2017-03-25 18:13:52 -04:00
|
|
|
"root-device-type": "ebs"
|
|
|
|
},
|
|
|
|
"owners": ["099720109477"],
|
|
|
|
"most_recent": true
|
2016-10-01 18:27:48 -04:00
|
|
|
}
|
|
|
|
```
|
2016-11-30 06:32:46 -05:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
This selects the most recent Ubuntu 16.04 HVM EBS AMI from Canonical. NOTE:
|
|
|
|
This will fail unless *exactly* one AMI is returned. In the above example,
|
|
|
|
`most_recent` will cause this to succeed by selecting the newest image.
|
2016-10-01 18:27:48 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `filters` (map of strings) - filters used to select a `source_ami`.
|
2018-10-26 20:02:51 -04:00
|
|
|
NOTE: This will fail unless *exactly* one AMI is returned. Any filter
|
|
|
|
described in the docs for
|
|
|
|
[DescribeImages](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html)
|
2017-06-14 21:04:16 -04:00
|
|
|
is valid.
|
2016-10-01 18:27:48 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `owners` (array of strings) - Filters the images by their owner. You
|
|
|
|
may specify one or more AWS account IDs, "self" (which will use the
|
|
|
|
account whose credentials you are using to run Packer), or an AWS owner
|
|
|
|
alias: for example, "amazon", "aws-marketplace", or "microsoft". This
|
|
|
|
option is required for security reasons.
|
2016-10-01 18:27:48 -04:00
|
|
|
|
2018-10-18 19:09:49 -04:00
|
|
|
- `most_recent` (boolean) - Selects the newest created image when `true`.
|
2017-06-14 21:04:16 -04:00
|
|
|
This is most useful for selecting a daily distro build.
|
2016-10-01 18:27:48 -04:00
|
|
|
|
2018-02-13 19:48:39 -05:00
|
|
|
You may set this in place of `source_ami` or in conjunction with it. If you
|
2018-10-26 20:02:51 -04:00
|
|
|
set this in conjunction with `source_ami`, the `source_ami` will be added
|
|
|
|
to the filter. The provided `source_ami` must meet all of the filtering
|
|
|
|
criteria provided in `source_ami_filter`; this pins the AMI returned by the
|
|
|
|
filter, but will cause Packer to fail if the `source_ami` does not exist.
|
|
|
|
|
|
|
|
- `sriov_support` (boolean) - Enable enhanced networking (SriovNetSupport but
|
|
|
|
not ENA) on HVM-compatible AMIs. If `true`, add
|
|
|
|
`ec2:ModifyInstanceAttribute` to your AWS IAM policy. Note: you must make
|
|
|
|
sure enhanced networking is enabled on your instance. See [Amazon's
|
|
|
|
documentation on enabling enhanced
|
|
|
|
networking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html#enabling_enhanced_networking).
|
2017-08-29 12:36:06 -04:00
|
|
|
Default `false`.
|
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `tags` (object of key/value strings) - Tags applied to the AMI. This is a
|
2018-10-26 20:02:51 -04:00
|
|
|
[template engine](/docs/templates/engine.html), see [Build template
|
|
|
|
data](#build-template-data) for more information.
|
2017-01-10 08:47:53 -05:00
|
|
|
|
2019-02-11 14:40:56 -05:00
|
|
|
- `vault_aws_engine` (object) - Get credentials from Hashicorp Vault's aws
|
|
|
|
secrets engine. You must already have created a role to use. For more
|
|
|
|
information about generating credentials via the Vault engine, see the
|
|
|
|
[Vault
|
|
|
|
docs.](https://www.vaultproject.io/api/secret/aws/index.html#generate-credentials)
|
|
|
|
If you set this flag, you must also set the below options:
|
|
|
|
- `name` (string) - Required. Specifies the name of the role to generate
|
|
|
|
credentials against. This is part of the request URL.
|
|
|
|
- `engine_name` (string) - The name of the aws secrets engine. In the
|
|
|
|
Vault docs, this is normally referred to as "aws", and Packer will
|
|
|
|
default to "aws" if `engine_name` is not set.
|
|
|
|
- `role_arn` (string)- The ARN of the role to assume if credential\_type
|
|
|
|
on the Vault role is assumed\_role. Must match one of the allowed role
|
|
|
|
ARNs in the Vault role. Optional if the Vault role only allows a single
|
|
|
|
AWS role ARN; required otherwise.
|
|
|
|
- `ttl` (string) - Specifies the TTL for the use of the STS token. This
|
|
|
|
is specified as a string with a duration suffix. Valid only when
|
|
|
|
credential\_type is assumed\_role or federation\_token. When not
|
|
|
|
specified, the default\_sts\_ttl set for the role will be used. If that
|
|
|
|
is also not set, then the default value of 3600s will be used. AWS
|
|
|
|
places limits on the maximum TTL allowed. See the AWS documentation on
|
|
|
|
the DurationSeconds parameter for AssumeRole (for assumed\_role
|
|
|
|
credential types) and GetFederationToken (for federation\_token
|
|
|
|
credential types) for more details.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
`json { "vault_aws_engine": { "name": "myrole", "role_arn": "myarn", "ttl": "3600s" } }`
|
2019-02-05 17:19:24 -05:00
|
|
|
|
2013-07-31 01:17:58 -04:00
|
|
|
## Basic Example
|
|
|
|
|
|
|
|
Here is a basic example. It is completely valid except for the access keys:
|
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
``` json
|
2013-07-31 01:17:58 -04:00
|
|
|
{
|
|
|
|
"type": "amazon-chroot",
|
|
|
|
"access_key": "YOUR KEY HERE",
|
|
|
|
"secret_key": "YOUR SECRET KEY HERE",
|
|
|
|
"source_ami": "ami-e81d5881",
|
2013-08-08 19:59:42 -04:00
|
|
|
"ami_name": "packer-amazon-chroot {{timestamp}}"
|
2013-07-31 01:17:58 -04:00
|
|
|
}
|
2014-10-20 13:55:16 -04:00
|
|
|
```
|
2013-07-31 01:17:58 -04:00
|
|
|
|
|
|
|
## Chroot Mounts
|
|
|
|
|
2016-10-15 08:42:36 -04:00
|
|
|
The `chroot_mounts` configuration can be used to mount specific devices within
|
2015-07-22 22:31:00 -04:00
|
|
|
the chroot. By default, the following additional mounts are added into the
|
|
|
|
chroot by Packer:
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- `/proc` (proc)
|
|
|
|
- `/sys` (sysfs)
|
|
|
|
- `/dev` (bind to real `/dev`)
|
|
|
|
- `/dev/pts` (devpts)
|
|
|
|
- `/proc/sys/fs/binfmt_misc` (binfmt\_misc)
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
These default mounts are usually good enough for anyone and are sane defaults.
|
|
|
|
However, if you want to change or add the mount points, you may using the
|
2016-10-15 08:42:36 -04:00
|
|
|
`chroot_mounts` configuration. Here is an example configuration which only
|
2018-02-06 21:58:54 -05:00
|
|
|
mounts `/proc` and `/dev`:
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
``` json
|
2013-07-31 01:17:58 -04:00
|
|
|
{
|
|
|
|
"chroot_mounts": [
|
|
|
|
["proc", "proc", "/proc"],
|
|
|
|
["bind", "/dev", "/dev"]
|
|
|
|
]
|
|
|
|
}
|
2014-10-20 13:55:16 -04:00
|
|
|
```
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
`chroot_mounts` is a list of a 3-tuples of strings. The three components of the
|
|
|
|
3-tuple, in order, are:
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- The filesystem type. If this is "bind", then Packer will properly bind the
|
2015-07-22 23:25:58 -04:00
|
|
|
filesystem to another mount point.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- The source device.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
- The mount directory.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
|
|
|
## Parallelism
|
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
A quick note on parallelism: it is perfectly safe to run multiple *separate*
|
|
|
|
Packer processes with the `amazon-chroot` builder on the same EC2 instance. In
|
|
|
|
fact, this is recommended as a way to push the most performance out of your AMI
|
|
|
|
builds.
|
2013-07-31 01:17:58 -04:00
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
Packer properly obtains a process lock for the parallelism-sensitive parts of
|
|
|
|
its internals such as finding an available device.
|
2013-09-25 01:09:10 -04:00
|
|
|
|
2013-11-22 01:11:40 -05:00
|
|
|
## Gotchas
|
|
|
|
|
2018-05-23 12:58:15 -04:00
|
|
|
### Unmounting the Filesystem
|
2018-10-26 20:02:51 -04:00
|
|
|
|
2013-11-22 01:11:40 -05:00
|
|
|
One of the difficulties with using the chroot builder is that your provisioning
|
2018-10-26 20:02:51 -04:00
|
|
|
scripts must not leave any processes running or packer will be unable to
|
|
|
|
unmount the filesystem.
|
2013-11-22 01:11:40 -05:00
|
|
|
|
2015-07-22 22:31:00 -04:00
|
|
|
For debian based distributions you can setup a
|
|
|
|
[policy-rc.d](http://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt)
|
|
|
|
file which will prevent packages installed by your provisioners from starting
|
|
|
|
services:
|
2013-11-22 01:11:40 -05:00
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
``` json
|
2013-11-22 01:11:40 -05:00
|
|
|
{
|
|
|
|
"type": "shell",
|
|
|
|
"inline": [
|
|
|
|
"echo '#!/bin/sh' > /usr/sbin/policy-rc.d",
|
|
|
|
"echo 'exit 101' >> /usr/sbin/policy-rc.d",
|
|
|
|
"chmod a+x /usr/sbin/policy-rc.d"
|
|
|
|
]
|
|
|
|
},
|
2014-10-20 13:55:16 -04:00
|
|
|
|
|
|
|
// ...
|
|
|
|
|
2013-11-22 01:11:40 -05:00
|
|
|
{
|
|
|
|
"type": "shell",
|
|
|
|
"inline": [
|
|
|
|
"rm -f /usr/sbin/policy-rc.d"
|
|
|
|
]
|
|
|
|
}
|
2014-10-20 13:55:16 -04:00
|
|
|
```
|
2016-09-03 15:06:40 -04:00
|
|
|
|
2019-01-03 13:21:41 -05:00
|
|
|
### Ansible provisioner
|
|
|
|
|
2019-02-11 14:40:56 -05:00
|
|
|
Running ansible against `amazon-chroot` requires changing the Ansible
|
|
|
|
connection to chroot and running Ansible as root/sudo.
|
2019-01-03 13:21:41 -05:00
|
|
|
|
2018-05-23 12:58:15 -04:00
|
|
|
### Using Instances with NVMe block devices.
|
2018-10-26 20:02:51 -04:00
|
|
|
|
2018-05-23 12:58:15 -04:00
|
|
|
In C5, C5d, M5, and i3.metal instances, EBS volumes are exposed as NVMe block
|
2018-10-26 20:02:51 -04:00
|
|
|
devices
|
|
|
|
[reference](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html).
|
2018-05-23 12:58:15 -04:00
|
|
|
In order to correctly mount these devices, you have to do some extra legwork,
|
|
|
|
involving the `nvme_device_path` option above. Read that for more information.
|
|
|
|
|
|
|
|
A working example for mounting an NVMe device is below:
|
|
|
|
|
|
|
|
{
|
2018-10-26 20:02:51 -04:00
|
|
|
"variables": {
|
|
|
|
"region" : "us-east-2"
|
2018-05-23 12:58:15 -04:00
|
|
|
},
|
2018-10-26 20:02:51 -04:00
|
|
|
"builders": [
|
|
|
|
{
|
|
|
|
"type": "amazon-chroot",
|
|
|
|
"region": "{{user `region`}}",
|
|
|
|
"source_ami_filter": {
|
|
|
|
"filters": {
|
|
|
|
"virtualization-type": "hvm",
|
|
|
|
"name": "amzn-ami-hvm-*",
|
|
|
|
"root-device-type": "ebs"
|
|
|
|
},
|
|
|
|
"owners": ["137112412989"],
|
|
|
|
"most_recent": true
|
|
|
|
},
|
|
|
|
"ena_support": true,
|
|
|
|
"ami_name": "amazon-chroot-test-{{timestamp}}",
|
|
|
|
"nvme_device_path": "/dev/nvme1n1p",
|
|
|
|
"device_path": "/dev/sdf"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
|
|
|
|
"provisioners": [
|
|
|
|
{
|
|
|
|
"type": "shell",
|
|
|
|
"inline": ["echo Test > /tmp/test.txt"]
|
|
|
|
}
|
|
|
|
]
|
2018-05-23 12:58:15 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
Note that in the `nvme_device_path` you must end with the `p`; if you try to
|
2018-10-18 19:09:49 -04:00
|
|
|
define the partition in this path (e.g. `nvme_device_path`: `/dev/nvme1n1p1`)
|
2018-05-23 12:58:15 -04:00
|
|
|
and haven't also set the `"mount_partition": 0`, a `1` will be appended to the
|
|
|
|
`nvme_device_path` and Packer will fail.
|
|
|
|
|
2016-09-04 15:15:01 -04:00
|
|
|
## Building From Scratch
|
2016-09-03 15:06:40 -04:00
|
|
|
|
2016-09-04 15:15:01 -04:00
|
|
|
This example demonstrates the essentials of building an image from scratch. A
|
2016-09-03 15:06:40 -04:00
|
|
|
15G gp2 (SSD) device is created (overriding the default of standard/magnetic).
|
|
|
|
The device setup commands partition the device with one partition for use as an
|
2016-09-04 15:15:01 -04:00
|
|
|
HVM image and format it ext4. This builder block should be followed by
|
2016-09-03 15:06:40 -04:00
|
|
|
provisioning commands to install the os and bootloader.
|
|
|
|
|
2017-06-14 21:04:16 -04:00
|
|
|
``` json
|
2016-09-03 15:06:40 -04:00
|
|
|
{
|
|
|
|
"type": "amazon-chroot",
|
2017-03-18 20:37:02 -04:00
|
|
|
"ami_name": "packer-from-scratch {{timestamp}}",
|
2016-09-03 15:06:40 -04:00
|
|
|
"from_scratch": true,
|
|
|
|
"ami_virtualization_type": "hvm",
|
2017-02-22 13:32:49 -05:00
|
|
|
"pre_mount_commands": [
|
2016-09-04 15:15:01 -04:00
|
|
|
"parted {{.Device}} mklabel msdos mkpart primary 1M 100% set 1 boot on print",
|
2016-09-03 15:06:40 -04:00
|
|
|
"mkfs.ext4 {{.Device}}1"
|
|
|
|
],
|
|
|
|
"root_volume_size": 15,
|
|
|
|
"root_device_name": "xvda",
|
|
|
|
"ami_block_device_mappings": [
|
|
|
|
{
|
|
|
|
"device_name": "xvda",
|
|
|
|
"delete_on_termination": true,
|
|
|
|
"volume_type": "gp2"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
```
|
2018-04-02 13:32:14 -04:00
|
|
|
|
|
|
|
## Build template data
|
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
In configuration directives marked as a template engine above, the following
|
|
|
|
variables are available:
|
2018-04-02 13:32:14 -04:00
|
|
|
|
2018-10-26 20:02:51 -04:00
|
|
|
- `BuildRegion` - The region (for example `eu-central-1`) where Packer is
|
|
|
|
building the AMI.
|
|
|
|
- `SourceAMI` - The source AMI ID (for example `ami-a2412fcd`) used to build
|
|
|
|
the AMI.
|
|
|
|
- `SourceAMIName` - The source AMI Name (for example
|
|
|
|
`ubuntu/images/ebs-ssd/ubuntu-xenial-16.04-amd64-server-20180306`) used to
|
|
|
|
build the AMI.
|
|
|
|
- `SourceAMITags` - The source AMI Tags, as a `map[string]string` object.
|