Packer: Ansible chroot communicator must be run as root

Created on 6 Jun 2018 · 6 Comments · Source: hashicorp/packer

Affected version: Packer 1.2.4
Host platform: Ubuntu 16.04 LTS, Jenkins slave
Builder: amazon-chroot
Provisioner: ansible with Ansible v2.5.4.0

Packer's documentation for using the Ansible chroot communicator provides an example configuration that did not work for me, when used in conjunction with the amazon-chroot builder.

ansible-playbook needs to be run as root in order to access the chroot.

I found it was not possible to set the "command" option of the ansible provisioner to sudo -E ansible-playbook or sudo -E /usr/bin/ansible-playbook. This caused a file not found error in our environment, although your mileage may vary.

To get this working, I needed to:

  • Manually construct the inventory file
  • Create a small bash script sudo-ansible-playbook.sh to do the privilege escalation

So an example working configuration would be:

{
  "builders": [
    {
      "type": "amazon-chroot",
      "name": "example-build",
      "command_wrapper": "sudo {{.Command}}",
      "mount_path": "/mnt/packer-amazon-chroot-volumes/{{build_name}}",
      "region": "us-east-1",
      "source_ami": "ami-123456"
    }
  ],
  "provisioners": [
    {
      "type": "ansible",
      "ansible_env_vars": [
        "ANSIBLE_FORCE_COLOR=1",
        "PYTHONUNBUFFERED=1",
        "ANSIBLE_LOCAL_TEMP=/tmp/ansible",
        "ANSIBLE_REMOTE_TEMP=/tmp/ansible-managed",
        "ANSIBLE_ROLES_PATH={{template_dir}}/ansible/galaxy_roles:/etc/ansible/roles"
      ],
      "command": "{{template_dir}}/sudo-ansible-playbook.sh",
      "inventory_file": "{{template_dir}}/inventory.ini",
      "playbook_file": "{{template_dir}}/ansible/playbook.yml",
      "extra_arguments": [
        "--limit={{build_name}}",
        "-vvv"
      ]
    }
  ]
}

The sudo-ansible-playbook.sh script contains:

#!/usr/bin/env bash
sudo -E ansible-playbook "$@"
exit $?

And the inventory file would look something like the following, where the build name has been used as the Ansible host alias:

example-build ansible_connection=chroot ansible_host=/mnt/packer-amazon-chroot-volumes/example-build

[group1]
example-build

[group2]
example-build

A small change to the documentation, to mention the use of sudo, would help others to avoid or work around this problem.

It also seems a bit unnecessary to create the bash script; I'd prefer if it were possible to specify "command": "sudo -E ansible-playbook" in the provisioner configuration.

Labels: builder/amazon, community-supported plugin, docs, need-more-info, provisioner/ansible-remote
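
Added example, not part of the original issue or the Packer documentation: a variant of the sudo-ansible-playbook.sh wrapper from the post that forwards only an allowlist of variables to the root process, where sudo -E forwards the caller's whole environment. The allowlist (taken from the post's ansible_env_vars), the launch function and the ANSIBLE_PLAYBOOK_BIN override are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original issue): allowlist wrapper replacing `sudo -E`.
# Assumes sudoers keeps the default env_reset, so root starts from a clean
# environment and receives only the variables listed here.

# Assumption: the variables named in the post's ansible_env_vars.
ALLOWED_VARS="ANSIBLE_FORCE_COLOR PYTHONUNBUFFERED ANSIBLE_LOCAL_TEMP \
ANSIBLE_REMOTE_TEMP ANSIBLE_ROLES_PATH"

# Absolute path so root does not resolve the binary through PATH (overridable).
ANSIBLE_PLAYBOOK_BIN="${ANSIBLE_PLAYBOOK_BIN:-/usr/bin/ansible-playbook}"

# launch RUNNER [ansible-playbook args...]
# Runs: RUNNER env NAME=value... $ANSIBLE_PLAYBOOK_BIN args...
# RUNNER is `sudo` in real use; a stub can be passed to inspect the argv.
launch() {
  runner=$1
  shift
  set -- "$ANSIBLE_PLAYBOOK_BIN" "$@"
  for name in $ALLOWED_VARS; do
    # eval is safe here: $name only ever comes from the fixed list above.
    eval "is_set=\${$name+x}; value=\${$name-}"
    if [ -n "$is_set" ]; then
      set -- "$name=$value" "$@"   # prepend one NAME=value argument
    fi
  done
  "$runner" env "$@"
}

# Packer invokes the command with arguments (inventory, playbook, extra_arguments).
if [ "$#" -gt 0 ]; then
  launch sudo "$@"
fi
```

Pointing the provisioner's "command" at this script in place of the original wrapper keeps any variable that is not on the allowlist out of the root process.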

All 6 comments

But you have to run packer as root to run amazon-chroot?

EDIT: Not entirely true, you can use command_wrapper to sudo. But in your example you don't.

@rickard-von-essen: Sorry, you're right, you do need command_wrapper to sudo the builder. My fault for trying to reuse the example from the Packer documentation. I'll edit my original post to add the command_wrapper.

As I mentioned in #6347, I've set up a Git repo containing all the files I used to demonstrate the issue to myself before raising the bug tickets, and I've posted a gist of the output and log. These contain more detail than I could feasibly include here.

Anyhow, it would be good if this were better documented.

Do you think you could give me an example of how to better document this in a way that would have helped you?

@SwampDragons: It would have helped me if it said something like:

Building within a chroot (e.g. amazon-chroot) requires changing the Ansible connection to chroot and running Ansible as root/sudo.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
