packer build in a container...? 🛳️🤔

tl;dr: I was able to run a packer build command, for my packer-kali_linux project, inside of a Fedora toolbox container in which I had installed HashiCorp's packer and qemu/kvm... and that is just the start of the inception... 🙃😅

So... I am a weird individual... 😅 my normal setup for my "desktop" is my razer laptop ( Ubuntu Mate base w/KDE as main desktop ( I can explain in another post why I do that ( please comment on this blog post if you want me to do one ) ) ) which I have hooked up to an eGPU. From there I use PCIe pass-through on a VM, which means that my 2 external monitors get used by the VM instead of my laptop. That is why, in the picture below, I can have Windows running with those 2 monitors and still have my KMatu (KDE + Mate + ubuntu) laptop below.

playing WoW on a friend's servers

So, if I want to do any work I don't actually do anything directly on the laptop. Instead I run a libvirt/qemu/kvm ( now referenced as "the libvirt stack" ) VM and, when I am not playing games, use a libvirt linux vm to connect over ssh to my desktop with X2go. That then goes full screen across my 2 monitors and it is essentially like I have a full-blown linux desktop on my real desktop tower with an AMD Ryzen 2700x and 32Gb of RAM. It looks just like the windows vm above, but optimized for getting things done 😁.

Recently I have been having an issue with my desktop, and it isn't powering on... 😢. I haven't had time to troubleshoot the issue, so I needed a quick solution so I can keep working on things till I have more time. Since the only other device I have ( personally ) is my laptop, it will have to work on that.

I have been looking at Fedora Silverblue ( specifically the Kinoite edition, because I love the KDE desktop ), because of its new modern approach to keeping things isolated/clean on your machine. One of the things that I could not live without though was some type of hypervisor ( the libvirt stack or VirtualBox are my main ones ) and HashiCorp's Vagrant. Anyone that knows me knows that I love using vagrant. I even use it for doing my pentesting at work.

I didn't know how things were going to play with this new paradigm though, but I figured I would give it a shot. So, next I created a PCI passthrough VM for Fedora Silverblue/Kinoite, and started to figure out if this setup worked for me.

Fortunately the libvirt stack pretty much worked right out of the box. I did a quick search before doing anything and thought that I might have trouble because of this discussion, but I just installed the packages ( command below ) and everything worked.

rpm-ostree install bridge-utils libvirt qemu-kvm virt-install virt-manager virt-viewer

While I installed those packages, I believe you can just install these and everything should work as well; I added some of the others for extra features ( i.e. bridge-utils ).

rpm-ostree install libvirt virt-{manager,install}
# the above expands out to these packages: libvirt virt-manager virt-install

So, based on everything above, I think I will install these next time.

rpm-ostree install libvirt virt-{manager,install} bridge-utils

I don't know how much work it will be for VirtualBox. Based on this discussion it shouldn't be too hard, or it should be getting easier since people are talking about it, and the link referencing the discussion should help you out if you want to try it.

Next was to install vagrant. I tried installing HashiCorp's official repos with the vagrant-libvirt package in Fedora's repos, but that didn't work out. So, instead I just ran the command below and everything seemed to work out of the box ( just like libvirt ).

rpm-ostree install vagrant vagrant-libvirt

So, if you haven't picked up on this yet...yes I am running the libvirt stack inside of my Fedora Kinoite vm 😁. If you would like to know more about how this is possible you can read here.

After I had all this up and running I wanted to do some dev work on my packer-kali_linux project, which as you can imagine requires a VM so I can do the automated install. This presented an interesting question to me...

If I want to keep my "normal" OS "clean" I shouldn't install HashiCorp's tools on my "normal" OS. So, how should I build the VMs?

One thing that Silverblue touts is their toolbox containers ( linked at the top of the article ), and these are essentially docker containers with a LOT of extra permissions/capabilities added + mount points to the host OS + a lot of other niceties. You essentially get a container that feels like your host OS, and that is where they say you should install everything. That way you aren't muddying up your host OS with a bunch of tools, but you still get all the niceties of accessing things on your host as if you aren't in a container. Here are the commands I ran to create and get inside of the "ops" ( or operations ( like system admin stuff ) ) toolbox container.

toolbox create ops
toolbox enter ops

After that I installed HashiCorp's repos and installed packer.

sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/rhel/hashicorp.repo
# setting the release version to RHEL 8, because they don't have a Fedora repo to my knowledge
sudo sed -i.orig 's/\$releasever/8/g' /etc/yum.repos.d/hashicorp.repo

sudo dnf install -y packer

After a few error messages and some fiddling around, I found out that I needed to install these packages as well.

sudo dnf install -y qemu-kvm qemu-img

After all of that I was able to run any packer command I wanted, and I didn't have any issues at all.

packer validate -only=qemu -var-file=variables-min.json kali-template.json
packer build -only=qemu -var-file=variables-min.json kali-template.json
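The repo pinning and the "which package am I missing" fiddling above fit in one small preflight script. This is an added example, not part of the original post or the packer-kali_linux project; it assumes packer's qemu builder looks for qemu-system-x86_64 (its default qemu binary) and that the container can see /dev/kvm for hardware acceleration.

```shell
# Added example: preflight for running packer's qemu builder inside a toolbox.
# Assumes the default builder binary name (qemu-system-x86_64) and that the
# toolbox passes /dev/kvm through from the host.
set -eu

# HashiCorp ships no Fedora repo entry, so $releasever would expand to the
# Fedora version and 404. Pin it to a RHEL release (8, as in the post) and
# keep a .orig copy, exactly like the sed one-liner above.
pin_hashicorp_releasever() {
  repo_file="$1"
  rel="${2:-8}"
  sed -i.orig "s/\\\$releasever/${rel}/g" "$repo_file"
  # Succeed only if no unexpanded placeholder is left in the file.
  ! grep -qF '$releasever' "$repo_file"
}

# Report which binaries the qemu builder needs that are missing from PATH,
# plus whether /dev/kvm is usable from inside the container.
# Returns the number of missing binaries (0 means ready to build).
packer_qemu_preflight() {
  failed=0
  for cmd in packer qemu-img qemu-system-x86_64; do
    if command -v "$cmd" >/dev/null 2>&1; then
      echo "ok   $cmd -> $(command -v "$cmd")"
    else
      echo "FAIL $cmd not in PATH (dnf install -y packer / qemu-kvm qemu-img)"
      failed=$((failed + 1))
    fi
  done
  if [ -w /dev/kvm ]; then
    echo "ok   /dev/kvm writable (KVM acceleration available)"
  else
    echo "WARN /dev/kvm not writable; qemu falls back to TCG (slow build)"
  fi
  return "$failed"
}

# Usage from inside the toolbox (commented out so the file can be sourced):
# pin_hashicorp_releasever /etc/yum.repos.d/hashicorp.repo 8
# packer_qemu_preflight && packer validate -only=qemu -var-file=variables-min.json kali-template.json
```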

Here is a quick demo video showing how I start from the host, and end up launching the libvirt stack's packer build command, which then pops up a window showing the Kali initial install.

One thing I just want to make clear here is that I didn't go 3 layers deep for my virtualization ( even though it might have sounded like it ). The Fedora toolbox container was used inside of my Silverblue first-layer VM, which spawned the second-layer VM; that is effectively "baremetal" on the Fedora Silverblue VM, just like how I talked about my packer kali linux dev vm. Below is a picture to help you visualize the setup.

While I haven't tried other hypervisors, I would imagine as long as you had access to the right networking & container permissions ( + whatever kernel modules you needed ), then you should be able to run those too inside of containers. I just thought that this was pretty cool, but let me know if you have any questions 😁


Shout out to bluelotus03 for making the video for this blog post! 😁


Also, for all of those technical and nitpicky enough to try and say something about it, yes... I know that the packer command at the end is technically only using qemu to run and build the packer image... 😅