Packer: How to use packer (shell provisioner) when behind corporate proxy?

Thanks for the report, and sorry you're running into problems with this.

This is tricky because there is no global proxy setting in go. As such, any time we implicitly create an HTTP connection in a third-party library, we rely on that library using the proxy-friendly constructor for the HTTP connection. If the third-party library doesn't use a proxy connection Packer can't support proxies in that code path.

If you can post something in your config that shows the code paths you're hitting it may be possible to audit these and add or upstream a fixes for any missing proxy calls, but this is likely not a quick turn-around solution for you.

It might be easier to setup a VPN or SSH tunnel so you can tunnel past the proxy, or try running packer inside your hosting platform (for example, run packer in EC2 if you are using AWS) so it runs outside your proxy / firewall environment.

Hey,

Wanted to provide a brief description of a method I use to make packer work behind a proxy.

1. Fire up an T2 instance using Amazon EC2
2. Configure SSH to subvert your local proxy using corkscrew

cat <<EOF >> ~/.ssh/config
Host <local-hosts>
  ProxyCommand none

Host *
  ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p
EOF

1. Create an SSH Tunnel to the EC2 instance by doing the following.

ssh -L 2222:localhost:22 <user>@<ec2-public-ip>

1. Add some lines to your builder section

...
"communicator": "ssh",
"ssh_bastion_username": "<user>",
"ssh_bastion_host":"localhost",
"ssh_bastion_port":"2222",
"ssh_bastion_private_key_file": "<path-to-ec2-keys>"
...

1. Re-run the build.

Thanks,
Spenser

Thanks @Spenser309, for this writeup. I'm trying to configure a system and don't fully understand the ssh_bastion_private_key_file declaration. Is this stuff documented somewhere in greater detail? Is that supposed to be, say, the private key that the bastion server is authenticated against?

Edit:
For future folks, I found this, but I had an issue where my bastion wasn't allowed to ssh to anything other than a specific set of IPs... still in the same boat.

Does anyone know how to get the IP address of the server that packer is trying to connect to?

@IRobL We don't currently expose that information, though there's been some discussion.

One thing you could do is ask your cloud provider for the instance IP. For example, on amazon, you could get the ip address with aws ec2 describe-instances and filter by a tag you set on the run instance.

I believe the bastion settings resolves this.

I would encourage taking this discussion to the mailing list, since there are a number of different solutions to this problem https://groups.google.com/forum/#!forum/packer-tool

If there's something specific we should add to packer to facilitate a use-case that's not supported, then please open a new issue

If it helps, I ran into a slightly different situation, where we need both proxy support and a bastion host accessible through that proxy in order to access EC2 instances on private subnets, however as of version 1.3.4, Packer will not allow both those settings to be configured simultaneously for some reason...

$ packer build -debug sample.json
Debug mode enabled. Builds will not be parallelized.
amazon-ebs output will be in this color.

1 error(s) occurred:

* please specify either ssh_bastion_host or ssh_proxy_host, not both

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.