Execute a CentOS VMware template creation with packer, orchestrated by Ansible.

ansible-packer-vmware

This is an example of how to create a VMware VM template (based on CentOS 7) with Packer, with the whole process orchestrated by Ansible. The Packer JSON template and the CentOS kickstart file are rendered from Jinja2 templates using host variables defined in the Ansible inventory. The CentOS ISO and the Packer binary are downloaded from URLs that are also specified in variables.

Overview

This repository consists of playbooks, one inventory, one variables file and a few roles.

Playbooks / Variables File

  • packer.yml: Main playbook to start the execution.
  • template-inventory.yml: Ansible inventory file (in YAML) describing the template and its variables as a host.
  • provision.yml: Playbook that calls the roles which provision the VM (template); it is invoked by Packer during the build.
  • vmware_vars.yml: Variables file (imported with vars_files in the playbooks) with information about vCenter credentials and other relevant data. Passwords should be managed securely using Hashicorp's Vault or Ansible Vault.

Roles

  • stage-files:
    • Downloads the CentOS 7 ISO from the link specified in the template-inventory.yml host entry (iso variable) and uploads it to the vSphere datastore.
    • Creates the Packer JSON template and the kickstart file from Jinja2 templates and the variables in the template-inventory.yml host entry.
  • build-template:
    • Downloads and extracts the Packer binary (URL specified in packer.yml).
    • Executes packer validate.
    • Executes packer build.
  • provision/initial:
    • Removes the host from known_hosts and accepts the new SSH fingerprint.
    • Adds the user specified in the inventory host's ansible_user variable, adds the authorized key and grants it sudo.
  • provision/advanced:
    • Add anything specific you need to configure in the VM; some examples are given (but commented out).
  • cleanup:
    • Removes some specific configuration from the VM as the last step before Packer turns it into a template. You can add more tasks to cater to your specific needs.

Basic requirements

  • Ansible 2.8 (Ansible 2.7 can also be used, but you would have to copy vsphere_file.py from Ansible 2.8)
  • unzip (used to unzip the Packer binary from the downloaded zip file)

How to use

Before Executing

Make sure to:

  • Create an SSH key pair, or use an existing one you already use with your VMs.
  • Change credentials, IPs and other values in:
    • vmware_vars.yml
    • template-inventory.yml
  • Add an entry for your host in /etc/hosts so Ansible can resolve the hostname.
  • Check the Packer download link (in packer.yml) to confirm it is at least version 1.5.2 (otherwise the vsphere-iso builder would have to be downloaded separately).

Execute

You can initiate the whole process by running the following (the inventory is passed with -i and the playbook is the positional argument; vmware_vars.yml is loaded by the playbook's vars_files, so no -e is needed):

    ansible-playbook -i template-inventory.yml packer.yml

Other Important Topics

Secret Management

Do not keep secrets in plain text as it is demonstrated here (this is just an example). Passwords should be managed securely using Hashicorp's Vault, Ansible Vault or another similar tool.

Checksums

The checksums for both downloaded files (the CentOS ISO and the Packer zip) are stored as variables alongside the download URLs. Make sure to update them in the format shown (algo:checksum); if they are missing or incorrect, the download tasks will fail.
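As an added example (not part of this repository), the POSIX shell function below checks a downloaded file against a checksum written in the same algo:checksum form the playbook variables use (the form Ansible's get_url also accepts), so you can confirm the ISO or Packer zip by hand before pasting a value into the variables file. The usage line and the function name are assumptions for this example; the only digest it knows is computed from a constructed test file, not from any real release.

```shell
#!/bin/sh
# Added example, not part of this repository: check a downloaded file against
# a checksum given in the "algo:checksum" form used by the playbook variables
# (the same form Ansible's get_url accepts), e.g. "sha256:<hex digest>".

# verify_checksum FILE ALGO:HEX
#   returns 0 when the digest matches, 1 on mismatch, 2 on a malformed spec
verify_checksum() {
    file=$1
    spec=$2
    algo=${spec%%:*}       # text before the first colon
    expected=${spec#*:}    # text after the first colon
    if [ "$algo" = "$spec" ] || [ -z "$expected" ]; then
        echo "checksum must be written as algo:checksum, got: $spec" >&2
        return 2
    fi
    case "$algo" in
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        sha512) actual=$(sha512sum "$file" | cut -d' ' -f1) ;;
        sha1)   actual=$(sha1sum "$file" | cut -d' ' -f1) ;;
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unsupported checksum algorithm: $algo" >&2; return 2 ;;
    esac
    # Published digests are sometimes upper-case; compare in lower-case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Usage (assumed file name): sh verify-checksum.sh FILE ALGO:HEX
if [ $# -eq 2 ]; then
    verify_checksum "$1" "$2"
fi
```

A missing file or a truncated download shows up as a mismatch (exit 1), while a spec without the algo: prefix is rejected outright (exit 2), which mirrors what the playbook tasks do when the variable is absent or wrong.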

Debugging Packer

If the Packer build fails, you can make changes and run Packer directly like this (all files should already be under packer/, given that you ran the playbook and everything before packer validate succeeded):

    PACKER_LOG="1" ./packer/packer_linux_amd64 build packer/centos7-template-packer.json

Replace centos7-template in the template file name with your hostname.

Packer Version

The Packer binary downloaded in this example was the current nightly release (which should become v1.5.2), but the link will change depending on when you try this. In that case, just make sure to provide the link for version 1.5.2 or newer, and check the contents of the .zip. This specific .zip extracts to pkg/packer_linux_amd64, which the Ansible role moves to packer/packer_linux_amd64. Another .zip might extract to src/packer instead, in which case the tasks would need to be slightly adapted.

Passwords in Packer JSON template

Secrets (the vCenter password and the VM template root password) are not written to the Packer JSON template; instead they are defined as environment variables for Packer to read. This allows the Packer JSON template to be kept under source control if needed.
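As an added example (not code from this repository), the shell wrapper below shows the pattern end to end: a constructed Packer JSON fragment whose password variables resolve from the environment through Packer's env template function, a check that refuses to build while a required variable is unset, and a scan that flags any password-like key in the template that still holds a literal value. The variable names VCENTER_PASSWORD and ROOT_PASSWORD, the PACKER_BIN override and the function names are assumptions for this example; the binary path is the one described under Packer Version.

```shell
#!/bin/sh
# Added example, not part of this repository: keep Packer secrets out of the
# JSON template by reading them from the environment, and refuse to build
# when a secret is missing or the template carries a literal password.
# VCENTER_PASSWORD, ROOT_PASSWORD and PACKER_BIN are assumed names.

# Constructed sample in the style the README describes: the "variables" block
# pulls passwords from the environment at run time, so the committed file
# contains only variable names, never values.
SAMPLE_TEMPLATE='{
  "variables": {
    "vcenter_password": "{{env `VCENTER_PASSWORD`}}",
    "root_password": "{{env `ROOT_PASSWORD`}}"
  }
}'

# write_sample_template FILE   writes the constructed sample to FILE
write_sample_template() {
    printf '%s\n' "$SAMPLE_TEMPLATE" > "$1"
}

# require_env NAME...   returns 1 if any named variable is unset or empty;
# only the variable name is printed, never its value. NAME comes from the
# script itself, which is why eval is acceptable here.
require_env() {
    missing=0
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required secret: $name" >&2
            missing=1
        fi
    done
    unset value
    return "$missing"
}

# template_is_clean FILE   returns 0 when every key containing "password"
# holds a template expression ("{{...}}") rather than a literal string value
template_is_clean() {
    file=$1
    bad=$(grep -iE '"[^"]*password[^"]*"[[:space:]]*:[[:space:]]*"[^{"]' "$file" || true)
    if [ -n "$bad" ]; then
        echo "literal password value(s) found in $file (values not shown)" >&2
        return 1
    fi
    return 0
}

# build_template TEMPLATE   validate, then build, with verbose Packer logging;
# both checks above must pass before the binary is even invoked
build_template() {
    template=$1
    packer=${PACKER_BIN:-./packer/packer_linux_amd64}
    require_env VCENTER_PASSWORD ROOT_PASSWORD || return 1
    template_is_clean "$template" || return 1
    export VCENTER_PASSWORD ROOT_PASSWORD
    PACKER_LOG=1 "$packer" validate "$template" || return 1
    PACKER_LOG=1 "$packer" build "$template"
}

# Usage (assumed file name):
#   VCENTER_PASSWORD=... ROOT_PASSWORD=... sh build.sh packer/centos7-template-packer.json
if [ $# -eq 1 ]; then
    build_template "$1"
fi
```

Inside Ansible the same idea is the task-level environment: keyword on the task that runs Packer, fed from Ansible Vault or HashiCorp Vault lookups, with no_log: true on that task so the values never appear in the play output.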