hashicorp / packer-plugin-amazon

Packer plugin for Amazon AMI Builder
https://www.packer.io/docs/builders/amazon
Mozilla Public License 2.0

Add support for boot_mode option for Amazon EBS builder #465

Open hegyre opened 3 months ago

hegyre commented 3 months ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request. If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

Those PRs #131 and #340 add support for boot_mode, but only for the "Chroot" and "EBS Surrogate" builders. I would need to be able to select the boot_mode also for "EBS" builder.

Use Case(s)

CIS hardening needs to disable the vfat filesystem. However, as mentioned:

Disabling the vfat module can prevent boot on UEFI systems.

I'd like to test it out by creating an AMI while booting with Legacy-bios instead of UEFI.

Potential configuration

Same as documented on the EBS Surrogate builder documentation for boot_mode and optionally for uefi_data. Valid options should be legacy-bios and uefi + the unmentioned uefi-preferred from #362.

Potential References

lorengordon commented 3 months ago

Note that the EBS builder uses the CreateImage API, which does not offer any option to set the BootMode. Instead, when using CreateImage, the BootMode will be inherited from the source instance.

The chroot and ebssurrogate builders use RegisterImage, which does support the BootMode option.

hegyre commented 3 months ago

Hello, it's not for creating the image itself but for running the temporary EC2 instance.

lorengordon commented 3 months ago

Ahh, the BootMode is inherited from the selected source image. You cannot set it in the RunInstances API.

You can force BIOS mode by using a UEFI Preferred image, and selecting an older instance type, say an m4, that does not support Nitro (required for UEFI).

hegyre commented 3 months ago

Ah, indeed that's unfortunate, but we cannot force the boot mode on instance launch. It's always derived from the AMI.

The drawback is that we cannot test Legacy-bios on Nitro unless we copy an original AMI first and set the boot_mode; only then can we select it with Packer.

Anyway, I'll live with that. Thanks a lot for your quick reply here!

lorengordon commented 3 months ago

Yeah, the API support for BootMode is very limited. None of CreateImage, CopyImage, or RunInstances support setting the Boot Mode. It can only be set by RegisterImage. If you have access to paid AWS Support, it would probably be worth opening a feature request to enhance the API support for BootMode.

lbajolet-hashicorp commented 3 months ago

Hi @hegyre and @lorengordon,

Thanks for the discussion already here, and sorry we haven't pinged here sooner.

This looks like we can't do much on the plugin side for now, I'll leave the issue open to keep an eye on this topic, hopefully we'll have some flexibility some day to change the boot mode (though I presume this is tied to the AMI for a reason, partitioning/boot loading is very different between the two modes unfortunately). If/when it becomes an option to run instances with a different boot mode, we can update this topic!

In the meantime, regarding your use case @hegyre, I believe you may be able to work around that limitation by creating a BIOS-compatible image for CentOS using the ebssurrogate builder, and use that image as the base for what you're trying to achieve? Would that work for you?

Also looking at the CIS Hardening page you've linked, it looks like this is removed from a newer version of the guidelines? Is this still something you need to do for compliance?
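The workaround the thread converges on (get a legacy-bios AMI first, then point the amazon-ebs builder's source_ami at it) can also be done outside Packer with the one API that accepts BootMode, RegisterImage. The script below is an added example, not part of this issue or the plugin: it re-registers the root snapshot of an existing AMI under an explicit boot mode, using the three values the issue mentions. It assumes the AWS CLI is configured and that the source image's root filesystem actually carries a BIOS-bootable bootloader; as noted above, a UEFI-only disk will not boot just because the AMI's flag changed.

```shell
#!/bin/sh
# Added example (not from the issue or packer-plugin-amazon): register a copy of an
# AMI with a chosen boot mode so that instances launched from it inherit that mode.
set -eu

# Boot modes named in the discussion: legacy-bios, uefi, uefi-preferred.
validate_boot_mode() {
  case "$1" in
    legacy-bios|uefi|uefi-preferred) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the BlockDeviceMappings shorthand that register-image expects for the root volume.
root_mapping() {
  # $1 = root device name, $2 = snapshot id
  printf 'DeviceName=%s,Ebs={SnapshotId=%s,DeleteOnTermination=true}' "$1" "$2"
}

# Print the BootMode attribute of an AMI and of an instance, to confirm that the
# instance inherited the image's mode (what RunInstances cannot override).
show_boot_modes() {
  aws ec2 describe-images --image-ids "$1" --query 'Images[0].BootMode' --output text
  aws ec2 describe-instances --instance-ids "$2" \
    --query 'Reservations[0].Instances[0].BootMode' --output text
}

# Register a new AMI from SOURCE_AMI's root snapshot with BOOT_MODE; prints the new ImageId.
register_with_boot_mode() {
  src_ami=$1; boot_mode=$2; name=$3
  validate_boot_mode "$boot_mode" || { echo "invalid boot mode: $boot_mode" >&2; return 1; }
  root_dev=$(aws ec2 describe-images --image-ids "$src_ami" \
    --query 'Images[0].RootDeviceName' --output text)
  arch=$(aws ec2 describe-images --image-ids "$src_ami" \
    --query 'Images[0].Architecture' --output text)
  snap=$(aws ec2 describe-images --image-ids "$src_ami" \
    --query "Images[0].BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.SnapshotId | [0]" \
    --output text)
  aws ec2 register-image --name "$name" --architecture "$arch" \
    --virtualization-type hvm --ena-support --root-device-name "$root_dev" \
    --boot-mode "$boot_mode" \
    --block-device-mappings "$(root_mapping "$root_dev" "$snap")" \
    --query ImageId --output text
}

# Usage (placeholder AMI id): register_with_boot_mode ami-0123456789abcdef0 legacy-bios my-bios-base
```

The ImageId it prints is what goes into `source_ami` of the amazon-ebs source so the temporary build instance boots in the chosen mode.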