start ssh early to prevent failing from number of handshakes

pulibrary · Feb 13, 2023 · c726e4c · c726e4c
1 parent dfb1aa2
commit c726e4c
Show file tree

Hide file tree

Showing 8 changed files with 253 additions and 1 deletion.
diff --git a/.tool-versions b/.tool-versions
@@ -1,4 +1,4 @@
-python 3.11.1
+python 3.11.2
 awscli 2.9.14
 packer 1.8.5
 gcloud 416.0.0

diff --git a/ubuntu/22-04-lts/http/user-data.yaml.pkrtpl.hcl b/ubuntu/22-04-lts/http/user-data.yaml.pkrtpl.hcl
@@ -1,6 +1,13 @@
 #cloud-config
 autoinstall:
   version: 1
+  early-commands:
+  # If we install the SSH server using the subiquity `ssh` configuration then port 22 gets opened up to packer _before_
+  # the requisite configuration has been done to allow Packer to SSH on to the guest O/S. This results in a failed build
+  # as Packer exceeds its SSH permitted number of SSH handshake attempts.
+  # To ensure this doesn't happen we stop the SSH service until right at the end when we re-enable it
+  # using a late-command.
+  - sudo systemctl stop ssh
   apt:
     conf: |
       Acquire {

diff --git a/ubuntu/22-04-lts/ubuntu-demo.pkr.json.pkr.hcl b/ubuntu/22-04-lts/ubuntu-demo.pkr.json.pkr.hcl
@@ -0,0 +1,35 @@
+
+source "virtualbox-iso" "autogenerated_1" {
+  boot_command             = ["<esc><wait>", "install <wait>", " auto=true", " priority=critical", " preseed/url=http://{{ .HTTPIP }}:{{ .HTTPPort }}/preseed.cfg <wait>", "<enter><wait>"]
+  boot_wait                = "10s"
+  disk_size                = "30480"
+  guest_additions_path     = "/home/vagrant/VBoxGuestAdditions.iso"
+  guest_os_type            = "Ubuntu_64"
+  hard_drive_interface     = "sata"
+  hard_drive_nonrotational = "true"
+  http_directory           = "http"
+  iso_checksum             = "sha256:10f19c5b2b8d6db711582e0e27f5116296c34fe4b313ba45f9b201a5007056cb"
+  iso_url                  = "https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso"
+  output_directory         = "output-virtualbox-iso-ubuntu22base"
+  sata_port_count          = "5"
+  shutdown_command         = "echo 'packer' | sudo -S shutdown -P now"
+  ssh_agent_auth           = true
+  ssh_username             = "pulsys"
+  ssh_wait_timeout         = "6000s"
+  vboxmanage               = [["modifyvm", "{{ .Name }}", "--memory", "8192"], ["modifyvm", "{{ .Name }}", "--cpus", "2"]]
+  vm_name                  = "ubuntu22base"
+}
+
+build {
+  sources = ["source.virtualbox-iso.autogenerated_1"]
+
+  provisioner "ansible" {
+    playbook_file = file("../ansible/site.yml")
+    user          = "pulsys"
+  }
+
+  post-processor "vagrant" {
+    keep_input_artifact = false
+    output              = "pulimage"
+  }
+}
diff --git a/ubuntu/22-04-lts/ubuntu-server-test.pkr.hcl b/ubuntu/22-04-lts/ubuntu-server-test.pkr.hcl
@@ -0,0 +1,67 @@
+packer {
+  required_plugins {
+    virtualbox = {
+      version = ">= 0.0.1"
+      source  = "github.com/hashicorp/virtualbox"
+    }
+  }
+}
+
+variable "os_username" {
+  type = string
+  default = "ansible"
+  sensitive = true
+}
+
+variable "os_password" {
+  type = string
+  default = "ansible"
+  sensitive = true
+}
+
+locals {
+  hashed_os_password = bcrypt("${var.os_password}")
+}
+
+source "virtualbox-iso" "ubuntu-22-04-live-server" {
+  boot_command = [
+    "c<wait>",
+    "linux /casper/vmlinuz --- autoinstall ds=\"nocloud-net;seedfrom=http://{{.HTTPIP}}:{{.HTTPPort}}/\"",
+    "<enter><wait>",
+    "initrd /casper/initrd",
+    "<enter><wait>",
+    "boot",
+    "<enter>"
+  ]
+  boot_wait              = "5s"
+  guest_os_type          = "ubuntu-64"
+  http_content           = {
+    "/meta-data" = file("../subiquity/http/meta-data")
+    "/user-data" = templatefile("../subiquity/http/user-data.yaml.pkrtpl.hcl", {
+      "os_username": "${var.os_username}"
+      "hashed_os_password": "${local.hashed_os_password}"
+    })
+  }
+  iso_url                = "https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso"
+  iso_checksum           = "sha256:10f19c5b2b8d6db711582e0e27f5116296c34fe4b313ba45f9b201a5007056cb"
+  memory                 = 8192
+  output_directory       = "output/ubuntu-2204-live-server-ansible"
+  shutdown_command       = "sudo shutdown -P now"
+  ssh_handshake_attempts = "20"
+  ssh_pty                = true
+  ssh_timeout            = "20m"
+  ssh_username           = "${var.os_username}"
+  ssh_password           = "${var.os_password}"
+}
+
+build {
+  sources = ["sources.virtualbox-iso.ubuntu-22-04-live-server"]
+
+  provisioner "ansible" {
+    playbook_file = file("../ansible/site.yml")
+  }
+
+  post-processor "vagrant" {
+    output = "output/ubuntu-2204-live-server-ansible.box"
+  }
+}
diff --git a/ubuntu/22-04-lts/variables.pkr.hcl b/ubuntu/22-04-lts/variables.pkr.hcl
@@ -3,3 +3,15 @@ variable "ssh_password" {
   default = "ubuntu"
   sensitive = true
 }
+
+variable "initial_os_username" {
+  type = "string"
+  default = "pulsys"
+  sensitive = true
+}
+
+variable "initial_os_password" {
+  type = "string"
+  default = "pulsys"
+  sensitive = true
+}
diff --git a/ubuntu/ansible/vagrant-ubuntu-22-guest-additions.yml b/ubuntu/ansible/vagrant-ubuntu-22-guest-additions.yml
@@ -0,0 +1,43 @@
+---
+- hosts: all
+  become: yes
+  vars:
+    mountDir: /vbox
+
+  tasks:
+  - name: create a temporary mount point for vbox guest additions  
+    file:
+      path: "{{ mountDir }}"
+      state: directory
+
+  # as per `guest_additions_path` in Packer's configuration file
+  - name: mount guest additions ISO read-only
+    mount:
+      path: "{{ mountDir }}"
+      src: /home/vagrant/VBoxGuestAdditions.iso
+      fstype: iso9660
+      opts: ro
+      state: mounted
+
+  # in case running kernel modules are detected using `failed_when` can prevent an error
+  - name: execute guest additions script
+    command: "{{ mountDir }}/VBoxLinuxAdditions.run"
+    register: modules
+    failed_when: 
+    - modules.rc != 0
+    - modules.rc != 2
+
+  - name: unmount guest additions ISO
+    mount:
+      path: "{{ mountDir }}"
+      state: absent
+
+  - name: remove the temporary mount point  
+    file:
+      path: "{{ mountDir }}"
+      state: absent
+
+  - name: upgrade all packages
+    apt:
+      name: '*'
+      state: latest
diff --git a/ubuntu/subiquity/http/meta-data b/ubuntu/subiquity/http/meta-data
diff --git a/ubuntu/subiquity/http/user-data.yaml.pkrtpl.hcl b/ubuntu/subiquity/http/user-data.yaml.pkrtpl.hcl
@@ -0,0 +1,88 @@
+#cloud-config
+autoinstall:
+  version: 1
+  early-commands:
+  # If we install the SSH server using the subiquity `ssh` configuration then port 22 gets opened up to packer _before_
+  # the requisite configuration has been done to allow Packer to SSH on to the guest O/S. This results in a failed build
+  # as Packer exceeds its SSH permitted number of SSH handshake attempts.
+  #
+  # To ensure this doesn't happen we stop the SSH service until right at the end when we re-enable it
+  # using a late-command.
+    #- sudo iptables -I INPUT -p tcp --dport 22 -j DROP
+    - sudo systemctl stop ssh
+  locale: en_US
+  refresh-installer:
+    update: yes
+  keyboard:
+    layout: en
+  #network:
+  #  network:
+  #    version: 2
+  #    ethernets:
+  #      ens33:
+  #        dhcp4: true
+  storage:
+    layout:
+      name: lvm
+  ssh:
+    allow-pw: true
+    install-server: yes
+  user-data:
+    disable_root: false
+    users:
+      -
+        name: ${os_username}
+        passwd: ${hashed_os_password}
+        groups: [ adm, cdrom, dip, plugdev, lxd, sudo ]
+        lock-passwd: false
+        sudo: ALL=(ALL) NOPASSWD:ALL
+        shell: /bin/bash
+    #  write_files:
+    #    -   path: /etc/ssh/sshd_config
+    #        content: |
+    #          Port 22
+    #          Protocol 2
+    #          HostKey /etc/ssh/ssh_host_rsa_key
+    #          HostKey /etc/ssh/ssh_host_dsa_key
+    #          HostKey /etc/ssh/ssh_host_ecdsa_key
+    #          HostKey /etc/ssh/ssh_host_ed25519_key
+    #          UsePrivilegeSeparation yes
+    #          KeyRegenerationInterval 3600
+    #          ServerKeyBits 1024
+    #          SyslogFacility AUTH
+    #          LogLevel INFO
+    #          LoginGraceTime 120
+    #          PermitRootLogin yes
+    #          StrictModes no
+    #          RSAAuthentication yes
+    #          PubkeyAuthentication no
+    #          IgnoreRhosts yes
+    #          RhostsRSAAuthentication no
+    #          HostbasedAuthentication no
+    #          PermitEmptyPasswords no
+    #          ChallengeResponseAuthentication no
+    #          X11Forwarding yes
+    #          X11DisplayOffset 10
+    #          PrintMotd no
+    #          PrintLastLog yes
+    #          TCPKeepAlive yes
+    #          AcceptEnv LANG LC_*
+    #          Subsystem sftp /usr/lib/openssh/sftp-server
+    #          UsePAM yes
+    #          AllowUsers pulsys
+  packages:
+    - apt-transport-https
+    - sudo
+    - openssh-server
+    - wget
+    - curl
+    - python3
+    - python3-pip
+    - open-vm-tools-dev
+  late-commands:
+    - sed -i -e 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/g' /target/etc/ssh/sshd_config
+29  - sed -i -e 's/^#\?PermitRootLogin.*/PermitRootLogin yes/g' /target/etc/ssh/sshd_config
+    - echo 'pulsys ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/pulsys
+32  - curtin in-target --target=/target -- apt-get update
+33  - curtin in-target --target=/target -- apt-get upgrade --yes
+    - sudo systemctl start ssh