Packer: How to Build a Golden Image behind Corporate Proxy

Packer is a powerful tool to build a golden image for multiple platforms. All the configurations are scripted therefore you can embrace Infrastructure-as-a-Code practice. And the best thing, it is FREE!

Sharing is caring!

Introduction

Last week, I was trying to build an Amazon Machine Image golden image for some project needs. I decided to use Packer because I want to embrace Infrastructure-as-a-Code. Also, it is free and can create golden images for multiple platforms. So, why would I turn somewhere else?

As a disclaimer, I created an AWS AMI. Therefore, I am sorry if you find the article heavy on AWS :). But trust me, I intend to make this more generics. Worth noting that all the Linux distro selection, software, and else are for article purposes only.

Use Case

Let’s say the use case is only to install OpenJDK in your corporate Centos7 based AMI. Should be pretty straightforward, shouldn’t it? Just take the base image, provision it then builds a new golden image.

packer {
required_plugins {
amazon = {
version = ">= 0.0.2"
source = "github.com/hashicorp/amazon"
}
}
}
source "amazon-ebs" "centos7" {
ami_name = "packer-centos7-aws"
instance_type = "t2.micro"
region = "ap-southeast-1"
associate_public_ip_address = true
source_ami_filter {
filters = {
name = "your-company-base-centos7-image*"
architecture = "x86_64"
root-device-type = "ebs"
virtualization-type = "hvm"
}
most_recent = true
owners = ["XXXXXXXX"]
}
ssh_username = "centos"
}
build {
name = "packer-centos7-aws"
sources = [
"source.amazon-ebs.centos7"
]
provisioner "shell" {
environment_vars = [
"https_proxy=http://yourproxyserver:port",
]
inline = [
"echo update yum",
"sudo yum update -y",
"echo Installing JDK",
"sudo yum install -y java-11-openjdk-devel",
]
}
}

Challenges

Most of the time, every corporate has its proxy server. So you cannot connect directly to the internet without entering the proxy server. Of course, this is a good thing to provide a valuable layer of security. I am not against it, but sometimes it can be a headache to configure your infrastructure. Especially when you are learning a new provisioning tool, occasionally the error is unclear and makes you wonder. In the end, it just needs to connect to the proxy server.

Behind Proxy

Based on the previous snippet, when you build your image, you will get network errors when execute yum update -y. It is because the yum cannot connect to the proxy, even though we already mentioned the variables in the environments sections.

I still don’t get why the https_proxy variable does not work when we put it in environment sections. Anyone can help me to understand it?

When I learned that the proxy variable did not work, the simplest thing is to configure the proxy in /etc/yum.conf. So I go with a very simple approach under the inline section:

inline = [
"sudo echo proxy='http://yourproxyserver:port' >> /etc/yum.conf",
# and the rest
]

Unfortunately, it is not that simple. By adding this line, I got the permission denied writing into /etc/yum.conf file. Yep, even with the sudo command in the beginning.

After several trials and errors, I found that my previous approach is almost successful. But the last piece is I need to execute with bash -c command. Then viola, the yum is now working and the image is finally built!

inline = [
"sudo bash -c \"echo proxy='http://yourproxyserver:port' >> /etc/yum.conf\"",
# and the rest
]

Conclusion

I admit this seems trivia. My initial estimation was only taken a couple of hours to finish the task. But sometimes the simple thing is not as easy as it seems. Well, my initial estimation was wrong . Anyway, I got this one working. So a happy weekend for me :).

Author: ru rocker

I have been a professional software developer since 2004. Java, Python, NodeJS, and Go-lang are my favorite programming languages. I also have an interest in DevOps. I hold professional certifications: SCJP, SCWCD, PSM 1, AWS Solution Architect Associate, and AWS Solution Architect Professional.

Leave a Reply

Your email address will not be published. Required fields are marked *