07. 07. 2022 Lorenzo Candeago DevOps

How to Test an ISO with Packer and Change the Root Password at Boot

In a previous blogpost, we showed how to test an ISO using Packer, an open source software tool for creating machine images for multiple platforms.

One of the issues we faced was due to a security requirement we have: that the ISO we ship must have its password already expired so that when NetEye is installed using the ISO, the system forces the user to change the default password to be able to log in.

This caused us a bit of trouble with continuous integration: Packer needs a way to log in to the VM after the ISO is installed in order to run the provisioner scripts, but this isn’t possible before the password has been changed, since we need the user to be logged in when running the provisioner scripts.

One possible workaround we thought of was to create two identical ISOs, one with the password expired and a second one without the password expired for testing purposes. However this would require doubling the space we needed as well as running twice each time the ISO is generated, which is inefficient.

After some thinking we found this workaround, which although sub-optimal, works for our requirements:

{
  "builders": [
    {
      "boot_command": [
        "<enter><wait1200>",
        "root<enter><wait3>",
        "{{user `old_ssh_pass`}}<enter><wait3>",
        "{{user `old_ssh_pass`}}<enter><wait3>",
        "{{user `new_ssh_pass`}}<enter><wait3>",
        "{{user `new_ssh_pass`}}<enter><wait3>"
      ],
...
    "variables": {
        "old_ssh_pass": "xxx",
        "new_ssh_pass": "zzz"
    }
}

As you can see, instead of running the command after logging in as a user, we provide it as a boot command which is executed by Packer and simulates the input using VNC on the machine before invoking the provisioner scripts.

Lets break down the boot_command script:

    "<enter><wait1200>"

The first enter selects the first entry from the boot menu and starts the installation. We then wait for 1200 seconds (20 minutes) to be sure that the ISO installation has finished.

    "root<enter><wait3>",
    "{{user `old_ssh_pass`}}<enter><wait3>",

The next commands just type in the user (root) and the expired SSH password.

    "{{user `old_ssh_pass`}}<enter><wait3>",
    "{{user `new_ssh_pass`}}<enter><wait3>",
    "{{user `new_ssh_pass`}}<enter><wait3>"

Once logged in, the old SSH password is requested once more, and then the new SSH password twice, the second time for password confirmation.

Lorenzo Candeago

Lorenzo Candeago

DevOps Engineer at Würth Phoenix

Author

Lorenzo Candeago

DevOps Engineer at Würth Phoenix

Leave a Reply

Your email address will not be published.

Archive