Failed getting the "github.com/hashicorp/azure" plugin #13028

Closed
ivia-hitachids opened this issue Jun 8, 2024 · 15 comments · Fixed by #13056

@ivia-hitachids

ivia-hitachids commented Jun 8, 2024

Overview of the Issue

I am running a new pipeline in Azure DevOps and it is showing this error:

Failed getting the "github.com/hashicorp/azure" plugin:
12 errors occurred:
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.4_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.4_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.3_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.3_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.2_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.2_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.1_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.1_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.0_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.0_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.5_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.5_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.4_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.4_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.3_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.3_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.2_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.2_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.1_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.1_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.0_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.0_x5.0_linux_amd64: permission denied
	* could not install any compatible version of plugin "github.com/hashicorp/azure"
Failed getting the "github.com/hashicorp/ansible" plugin:
8 errors occurred:
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.1.1_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.1.1_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.1.0_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.1.0_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.0.4_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.0.4_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.0.3_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.0.3_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.0.2_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.0.2_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.0.1_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.0.1_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-ansible_v1.0.0_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-ansible_v1.0.0_x5.0_linux_amd64: permission denied
	* could not install any compatible version of plugin "github.com/hashicorp/ansible"


Error: Missing plugins

The following plugins are required, but not installed:

* github.com/hashicorp/azure ~> 2
* github.com/hashicorp/ansible ~> 1

Reproduction Steps

Azure cli version

azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Packer version

Packer v1.11.0

Packer version

From Packer v1.11.0

Simplified Packer Template

variable "bastion-host" {
  type    = string
  default = ""
}

variable "bastion-user" {
  type    = string
  default = ""
}

variable "cli-auth" {
  type    = bool
  default = false
}

variable "client-id" {
  type    = string
  default = ""
}

variable "client-secret" {
  type    = string
  default = ""
}

variable "exclude-from-latest" {
  type    = bool
  default = false
}

variable "hardened-tag" {
  type    = string
  default = "cis"
}

variable "image-version" {
  type    = string
  default = ""
}

variable "name-prefix" {
  type    = string
  default = "test"
}

variable "os-version" {
  type    = string
  default = "u2204"
}

variable "plan-name" {
  type    = string
  default = "cis-ubuntu-linux-2204-l1"
}

variable "plan-product" {
  type    = string
  default = "cis-ubuntu-linux-2204-l1"
}

variable "plan-publisher" {
  type    = string
  default = "center-for-internet-security-inc"
}

variable "region" {
  type    = string
  default = "WestEurope"
}

variable "region-tag" {
  type    = string
  default = "euw"
}

variable "subscription-id" {
  type    = string
  default = "999-999-999"
}

variable "tenant-id" {
  type    = string
  default = ""
}

variable "vm-type" {
  type    = string
  default = ""
}

packer {
  required_plugins {
    azure = {
      source  = "github.com/hashicorp/azure"
      version = "~> 2"
    }
    ansible = {
      source  = "github.com/hashicorp/ansible"
      version = "~> 1"
    }
  }
}

# All local variables are generated from variables that use expressions

locals {
  managed-image-name           = "${var.name-prefix}-${var.region-tag}-${var.hardened-tag}-${var.os-version}-${var.vm-type}-image-${formatdate("YYYYMMDDhhmm", timestamp())}"
  managed-image-resource-group = "${var.name-prefix}-${var.region-tag}-build-rgc-shared"

  gallery-name                 = "teste${var.region-tag}sig001"
  image-name                   = "${var.name-prefix}-${var.region-tag}-build-base-image"
  image-resource-group         = "${var.name-prefix}-${var.region-tag}-build-rgc-shared"
}

source "azure-arm" "build-vm" {
  build_resource_group_name                        = "build-rgc-packer"
  client_id                                        = var.client-id
  client_secret                                    = var.client-secret
  image_offer                                      = var.plan-product
  image_publisher                                  = var.plan-publisher
  image_sku                                        = var.plan-name
  managed_image_name                               = local.managed-image-name
  managed_image_resource_group_name                = local.managed-image-resource-group
  os_type                                          = "Linux"
  plan_info {
    plan_name                                      = var.plan-name
    plan_product                                   = var.plan-product
    plan_publisher                                 = var.plan-publisher
  }
  private_virtual_network_with_public_ip           = false
  shared_gallery_image_version_exclude_from_latest = var.exclude-from-latest
  shared_image_gallery_destination {
    gallery_name                                   = local.gallery-name
    image_name                                     = local.image-name
    image_version                                  = var.image-version
    replication_regions                            = ["westeurope", "northeurope"]
    resource_group                                 = local.image-resource-group
    subscription                                   = var.subscription-id
  }
  ssh_bastion_agent_auth                           = true
  ssh_bastion_host                                 = var.bastion-host
  ssh_bastion_port                                 = 22
  ssh_bastion_username                             = var.bastion-user
  ssh_disable_agent_forwarding                     = false
  ssh_username                                     = "packer"
  subscription_id                                  = var.subscription-id
  tenant_id                                        = var.tenant-id
  use_azure_cli_auth                               = var.cli-auth
  virtual_network_name                             = "build-vnet-001"
  virtual_network_resource_group_name              = "build-rgc-shared"
  virtual_network_subnet_name                      = "build-buildgent-sub-001"
  vm_size                                          = "Standard_DS2_v2"
}

build {
  sources = ["source.azure-arm.build-vm"]

  provisioner "ansible" {
    ansible_env_vars     = [
      "ANSIBLE_ROLES_PATH=~/.ansible/roles"
    ]
    extra_arguments      = ["--become", "--become-method=sudo"]
    galaxy_file          = "./ansible/requirements.yml"
    galaxy_force_install = "true"
    inventory_directory  = "./ansible/inventory/packer"
    playbook_file        = "./ansible/${var.vm-type}.yml"
    user                 = "packer"
  }

  provisioner "shell" {
    execute_command = "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'"
    inline          = [
      "apt-get update",
      "apt-get upgrade -y",
      "/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"]
    inline_shebang  = "/bin/sh -x"
    skip_clean      = true
  }
}

Azure DevOps pipeline task

      - task: Bash@3
        displayName: 'Build Base Ubuntu Image'
        inputs:
          targetType: inline
          script: |
            packer init -upgrade templates/ubuntu-2204/template-base.pkr.hcl

            packer build \
            -parallel-builds=1 \
            -var "vm-type=base" \
            -var "image-version=$(GitVersion.MajorMinorPatch)" \
            -var "exclude-from-latest=$(isNotMain_Lower)" \
            -var "client-id=$(GetToken.clientId)" \
            -var "client-secret=$(GetToken.clientSecret)" \
            -var "tenant-id=$(GetToken.tenantId)" \
            $(System.DefaultWorkingDirectory)/templates/ubuntu-2204/template-base.pkr.hcl

Operating system and Environment details

Ubuntu 22.04

@lbajolet-hashicorp
Contributor

Hi @ivia-hitachids,

The Permission denied errors hint at an environment problem more than a Packer bug. How did you install those plugins? Could you make sure that the user running the builds has sufficient permissions to execute the binaries?

This could be an Azure DevOps problem too, so I would suggest maybe discussing that with them (cc @JenGoldstrich).

@nywilken
Contributor

Like @lbajolet-hashicorp, I agree that this error appears to be related to Azure DevOps not allowing users access to write to the temp directory for the machine or container running the pipeline.

Is there a directory where you can install files into?

I myself am not too familiar with the agent setup for Azure DevOps, but if you can write files to a directory on the agent, you can override the default plugin path with the PACKER_PLUGIN_PATH environment variable in your task.

      - task: Bash@3
        displayName: 'Build Base Ubuntu Image'
        inputs:
          targetType: inline
          script: |
            export PACKER_PLUGIN_PATH=/path/to/writable/dir
            packer init -upgrade templates/ubuntu-2204/template-base.pkr.hcl

            packer build \
            -parallel-builds=1 \
            -var "vm-type=base" \
            -var "image-version=$(GitVersion.MajorMinorPatch)" \
            -var "exclude-from-latest=$(isNotMain_Lower)" \
            -var "client-id=$(GetToken.clientId)" \
            -var "client-secret=$(GetToken.clientSecret)" \
            -var "tenant-id=$(GetToken.tenantId)" \
            $(System.DefaultWorkingDirectory)/templates/ubuntu-2204/template-base.pkr.hcl

@jayfitzpatrick

jayfitzpatrick commented Jun 10, 2024 via email

@lbajolet-hashicorp
Contributor

Hi @jayfitzpatrick,

I wonder, do the CIS guidelines imply the host should not have /tmp executable?
The problem reported here is that the host doesn't have permissions to execute the plugins. If /tmp is not marked executable, this means that you won't be able to use anything within it (on UNIX systems, x on directories allows traversal, so if you don't have that, /tmp is virtually inaccessible). To be fair, if you cannot traverse /tmp you won't be able to execute anything inside it, and permission denied will be the reported error.

Now, /tmp is not where Packer stores its plugins by default (refer to our docs for information on this). If you (or the Azure DevOps environment) set /tmp to be the location where plugins are installed, but they cannot be executed, this is not something we can fix: plugins need to be executable, there's no way around it.

On the guest OS that'd mean you cannot use /tmp for scripts, which is another concern, but I believe you can set the remote_folder attribute (for the shell provisioner at least, no promise for other provisioners) for your scripts to upload somewhere else on the guest filesystem.

@Stromweld

CIS guidelines state that /tmp should be a mount with mount option noexec added. This allows for files to be created and read from /tmp but not executed. It's also the same for /var/tmp. https://www.tenable.com/audits/items/CIS_Red_Hat_EL7_STIG_v2.0.0_L1_Server.audit:cb3137da1a61c8c0f01d86957ea67ada

@lbajolet-hashicorp
Contributor

I understand the rationale here, and I misunderstood the case in my previous message, -noexec has different implications from x not being set, but my question remains: my understanding is that those constraints apply to the guest/final image, not the host, so I would think the host still is able to use /tmp to execute binaries, doesn't it?

Now to respond, plugins when they're installed are staged into /tmp before they're moved to their final destination, and we do invoke describe on them, the reason being that we want to make sure the plugin you're installing is indeed a plugin, and that the versions it advertises are the ones reported by the plugin binary itself. That's mostly to avoid problems like packer-plugin-mycloud_v1.0.0_x5.0_linux_amd64 being in effect v1.0.1 for example, that's a safety net.

We could maybe have an option for Packer to use another directory as its staging area for installing plugins, but this is not something we delivered with 1.11.0.
This is not documented as part of Packer yet, but it looks like the functions we use for getting the temporary directory allow overriding through the TMPDIR environment variable, this might be your saving grace here if the host cannot execute anything in /tmp?

I'll test that out locally, but I would suggest if this is the problem to try that. We can probably add something to our docs so users who encounter this problem have a way out.

@lbajolet-hashicorp
Contributor

Update: I can confirm that setting TMPDIR to wherever you want will use this directory as the temporary directory for staging plugins.

$ PACKER_LOG=1 TMPDIR=./tmp_install_dir/ strace -f packer plugins install github.com/hashicorp/hashicups 2>&1 | grep openat
[...]
[pid 292938] openat(AT_FDCWD, "$HOME/.packer.d/plugins/github.com/hashicorp/hashicups/packer-plugin-hashicups_v1.0.2_x5.0_linux_amd64_SHA256SUM", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 292938] <... openat resumed>)      = -1 ENOENT (No such file or directory)
[pid 292936] openat(AT_FDCWD, "./tmp_install_dir/packer-plugin-3658171614.zip", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600 <unfinished ...>
[pid 292936] <... openat resumed>)      = 15
[pid 292936] openat(AT_FDCWD, "./tmp_install_dir/packer-plugin-3658171614.zip", O_RDONLY|O_CLOEXEC) = 16
[pid 292930] openat(AT_FDCWD, "tmp_install_dir/packer-plugin-hashicups_v1.0.2_x5.0_linux_amd64", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0755) = 17
[pid 292945] openat(AT_FDCWD, "/dev/null", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 292945] <... openat resumed>)      = 17
[pid 292946] openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY <unfinished ...>
[pid 292946] <... openat resumed>)      = 6
[pid 292946] openat(AT_FDCWD, "$HOME/dev/go/packer/tmp_install_dir/packer-plugin-hashicups_v1.0.2_x5.0_linux_amd64", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 292946] <... openat resumed>)      = 6
[pid 292930] openat(AT_FDCWD, "$HOME/.packer.d/plugins/github.com/hashicorp/hashicups/packer-plugin-hashicups_v1.0.2_x5.0_linux_amd64", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0755) = 17
[pid 292930] openat(AT_FDCWD, "$HOME/.packer.d/plugins/github.com/hashicorp/hashicups/packer-plugin-hashicups_v1.0.2_x5.0_linux_amd64_SHA256SUM", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644) = 17

The same without TMPDIR=./tmp_install_dir will use /tmp instead.

@Stromweld

> my understanding is that those constraints apply to the guest/final image, not the host, so I would think the host still is able to use /tmp to execute binaries, doesn't it?

Not if the host is a CIS hardened system that is doing the build.

@lbajolet-hashicorp
Contributor

Yep that's fair. In this case, setting TMPDIR would be the workaround, assuming this does work as I understand it (my local experiment seems to corroborate it).
I'll defer to @jayfitzpatrick and @ivia-hitachids to confirm this does work, and we can update the docs to make this an official workaround.

@ivia-hitachids
Author

ivia-hitachids commented Jun 11, 2024

@lbajolet-hashicorp

I tried to run the Azure DevOps pipeline with this task here:

      - task: Bash@3
        displayName: 'Build Base Ubuntu Image'
        inputs:
          targetType: inline
          script: |
            PACKER_LOG=1 TMPDIR=$TempDirectory strace -f packer plugins install github.com/hashicorp/azure 2>&1 | grep openat
            PACKER_LOG=1 TMPDIR=$TempDirectory strace -f packer plugins install github.com/hashicorp/ansible 2>&1 | grep openat
            packer init -upgrade templates/ubuntu-2204/template-base.pkr.hcl

            packer build \
            -parallel-builds=1 \
            -var "vm-type=base" \
            -var "image-version=$(GitVersion.MajorMinorPatch)" \
            -var "exclude-from-latest=$(isNotMain_Lower)" \
            -var "client-id=$(GetToken.clientId)" \
            -var "client-secret=$(GetToken.clientSecret)" \
            -var "tenant-id=$(GetToken.tenantId)" \
            $(System.DefaultWorkingDirectory)/templates/ubuntu-2204/template-base.pkr.hcl
        env:
          TempDirectory: ${Agent.TempDirectory}

However, it is showing this error:

openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY) = 3
[pid  6713] openat(AT_FDCWD, "/usr/bin/packer", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid  6713] <... openat resumed>)       = 3
[pid  6713] openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
[pid  6713] openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
[pid  6713] openat(AT_FDCWD, "/dev/tty", O_RDONLY|O_CLOEXEC) = -1 ENXIO (No such device or address)
[pid  6713] openat(AT_FDCWD, "${Agent.TempDirectory}/packer-log857492168", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600 <unfinished ...>
[pid  6713] <... openat resumed>)       = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY) = 3
[pid  6724] openat(AT_FDCWD, "/usr/bin/packer", O_RDONLY|O_CLOEXEC) = 3
[pid  6724] openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid  6724] <... openat resumed>)       = 3
[pid  6724] openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid  6724] <... openat resumed>)       = 3
[pid  6724] openat(AT_FDCWD, "/dev/tty", O_RDONLY|O_CLOEXEC) = -1 ENXIO (No such device or address)
[pid  6724] openat(AT_FDCWD, "${Agent.TempDirectory}/packer-log2033539327", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600 <unfinished ...>
[pid  6724] <... openat resumed>)       = -1 ENOENT (No such file or directory)

Failed getting the "github.com/hashicorp/azure" plugin:
12 errors occurred:
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.4_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.4_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.3_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.3_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.2_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.2_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.1_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.1_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.1.0_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.1.0_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.5_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.5_x5.0_linux_amd64: permission denied
	* Continuing to next available version: failed to describe plugin binary "/tmp/packer-plugin-azure_v2.0.4_x5.0_linux_amd64": fork/exec /tmp/packer-plugin-azure_v2.0.4_x5.0_linux_amd64: permission denied

@ivia-hitachids
Author

      - task: Bash@3
        displayName: 'Build Base Ubuntu Image'
        inputs:
          targetType: inline
          script: |
            export PACKER_PLUGIN_PATH=/path/to/writable/dir
            packer init -upgrade templates/ubuntu-2204/template-base.pkr.hcl

            packer build \
            -parallel-builds=1 \
            -var "vm-type=base" \
            -var "image-version=$(GitVersion.MajorMinorPatch)" \
            -var "exclude-from-latest=$(isNotMain_Lower)" \
            -var "client-id=$(GetToken.clientId)" \
            -var "client-secret=$(GetToken.clientSecret)" \
            -var "tenant-id=$(GetToken.tenantId)" \
            $(System.DefaultWorkingDirectory)/templates/ubuntu-2204/template-base.pkr.hcl

Hi @nywilken

I tried to run with your suggestion; however, it continues showing the errors.

      - task: Bash@3
        displayName: 'Build Base Ubuntu Image'
        inputs:
          targetType: inline
          script: |
            export PACKER_PLUGIN_PATH=$TempDirectory
            packer init -upgrade templates/ubuntu-2204/template-base.pkr.hcl

            packer build \
            -parallel-builds=1 \
            -var "vm-type=base" \
            -var "image-version=$(GitVersion.MajorMinorPatch)" \
            -var "exclude-from-latest=$(isNotMain_Lower)" \
            -var "client-id=$(GetToken.clientId)" \
            -var "client-secret=$(GetToken.clientSecret)" \
            -var "tenant-id=$(GetToken.tenantId)" \
            $(System.DefaultWorkingDirectory)/templates/ubuntu-2204/template-base.pkr.hcl
        env:
          TempDirectory: ${Agent.TempDirectory}

@lbajolet-hashicorp
Contributor

Could you clarify what ${Agent.TempDirectory} is? Judging by the logs it seems that it's passed verbatim (though it could also be some processing done with the logs, not sure, you'll need to check that on your side). The fact that openat returns ENOENT likely means that the directory does not exist, and in this case it is expected that it fails.

If it defaults to /tmp, you will still have the same problem, you will need to give it another value, one of an existing directory on which you have permission to write/execute (one that must NOT be mounted with -noexec).

You also don't need to run the commands with strace -f, that was just for the sake of the example, to highlight the syscalls being done, and that they did not attempt to execute anything from /tmp/*.

@ivia-hitachids
Author

@lbajolet-hashicorp

I changed my tasks as below and it works fine. As for its definition, $(Agent.BuildDirectory) is a temporary directory in Azure DevOps Pipeline (https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#agent-variables-devops-services)

      - task: Bash@3
        displayName: 'Build Base Ubuntu Image'
        inputs:
          targetType: inline
          script: |
            PACKER_LOG=1 TMPDIR=$(Agent.BuildDirectory) packer plugins install github.com/hashicorp/azure 2>&1 | grep openat
            PACKER_LOG=1 TMPDIR=$(Agent.BuildDirectory) packer plugins install github.com/hashicorp/ansible 2>&1 | grep openat
            packer init -upgrade templates/ubuntu-2204/template-base.pkr.hcl

            packer build \
            -parallel-builds=1 \
            -var "vm-type=base" \
            -var "image-version=$(GitVersion.MajorMinorPatch)" \
            -var "exclude-from-latest=$(isNotMain_Lower)" \
            -var "client-id=$(GetToken.clientId)" \
            -var "client-secret=$(GetToken.clientSecret)" \
            -var "tenant-id=$(GetToken.tenantId)" \
            $(System.DefaultWorkingDirectory)/templates/ubuntu-2204/template-base.pkr.hcl

@nywilken
Contributor

@ivia-hitachids thanks for following up on this and reporting your findings. I believe others will run into this issue. I opened a PR to document the reliance on TMPDIR for plugin installation.
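
The check this thread converges on, as an added example that is not part of the original issue and is not Packer's own code: a POSIX shell pre-flight that reads a mount table in /proc/mounts format, finds the mount covering each candidate directory, and picks the first one not mounted noexec to use as TMPDIR. The mount table and the /agent/_work/1 path are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Packer code): choose a plugin staging directory that is
# not on a noexec mount, then export it as TMPDIR before `packer init`.

# Print the mount options of the filesystem that contains PATH.
# MOUNTS_FILE uses the /proc/mounts layout: device mountpoint fstype options ...
# Limitation: mount points containing spaces (escaped as \040) are not decoded.
mount_opts_for() {
    mounts_file=$1
    target=$2
    best_len=-1
    best_opts=""
    while read -r _dev mnt _type opts _rest; do
        case "$target/" in
            "${mnt%/}/"*)
                # Longest matching mount point wins; -ge lets a later
                # (stacked) mount on the same point override an earlier one.
                if [ "${#mnt}" -ge "$best_len" ]; then
                    best_len=${#mnt}
                    best_opts=$opts
                fi
                ;;
        esac
    done < "$mounts_file"
    printf '%s\n' "$best_opts"
}

# Succeed (exit 0) when PATH sits on a filesystem mounted with noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate directory that is not noexec; fail if none is.
pick_staging_dir() {
    mounts_file=$1
    shift
    for dir in "$@"; do
        if ! is_noexec "$mounts_file" "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a CIS-style host with noexec on /tmp and /var/tmp.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec 0 0
/dev/sda4 /agent ext4 rw,relatime 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
if staging=$(pick_staging_dir "$sample" /tmp /var/tmp /agent/_work/1); then
    echo "TMPDIR candidate: $staging"
else
    echo "no executable staging directory among the candidates" >&2
fi
rm -f "$sample"
# On a real build host, pass /proc/mounts instead of the sample file and
# export TMPDIR="$staging" before running packer plugins install / packer init.
```

The mount-option check does not replace the ordinary permission check: the chosen directory must also exist and be writable and traversable by the build user.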


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 18, 2024