RE: Terraform with cloud-init

@m4xm0rris Xen Orchestra's web application is doing this templating on the client side (reference). Since terraform already has a nice interface for templating (using its template_file data source), you can do the substitution yourself.

Here is an example below. Note: this code is not tested but was pulled from an internal project I have.

# template_file.tpl
#cloud-config

hostname: ${name}

# any other cloud-config you need
[...]

# vm.tf
data "template_file" "cloud_config" {
  template = file("${path.module}/template_file.tpl")
  vars = {
    name = "your_hostname_value"
  }
}

resource "xenorchestra_cloud_config" "cloud_config" {
  name = "cloud_config"
  # This performs the templating
  template = data.template_file.cloud_config.rendered
}

resource "xenorchestra_vm" "vm" {
  [ ... ]
  cloud_config = xenorchestra_cloud_config.cloud_config.template
  
}

Please share your terraform code if you would like more specific advice on how to recreate exactly what you are trying to do.

@ruskofd is right. You should be able to use the cloud_network_config attribute to achieve this.

The following code is untested but should launch a vm with a static IP. Please see the xenorchestra_vm resource docs and the cloud-init networking v1 docs for more details.

resource "xenorchestra_vm" "static_ip_vm" {
....
  cloud_network_config = <<EOF
network:
version: 1
config:
  - type: physical
    name: eth0
    subnets:
      - type: static
        address: STATIC_IP/24
        gateway: GATEWAY_IP
        dns_nameservers:
          - 8.8.8.8
EOF
}

Let me know if you have any questions or issues using cloud_network_config,

As for the blog post, the VM would have been assigned an ip address via dhcp (assuming the guest OS had cloud-init installed which was true for the VM template in the blog post).

@brodiecyber no worries and I hope you are doing better and staying healthy!

Just wanted to give you an update that the terraform provider is currently testing against multiple versions of terraform (v0.14.11 and v1.6.5). The build matrix will be easy to extend to support OpenTofu testing, so we should be able to integrate that testing soon.

Hi @brodiecyber, glad to hear that Terraform has become an important part of your workflow with XO

To @olivierlambert's point, the projects needed to implement a terraform provider (terraform-plugin sdk and the terraform-plugin-framework) have not been relicensed. Unless that occurs, which I think is extremely unlikely, there will be no impact for the Xen Orchestra terraform provider. The OpenTofu team also believes that the terraform provider interface will not be changed in their FAQ:

Does OpenTofu work with all the providers Terraform works with?
OpenTofu will not have its own providers. Terraform providers have not altered their licenses, and the potential for such a change is virtually zero. OpenTofu will work with the current Terraform providers, but it will use a separate registry.

I would like to have testing coverage across OpenTofu and terraform to catch any discrepancies. There isn't a timeline for accomplishing that, but that is my current thinking.

@mlustosa apologies for the slow response on that issue. I'm hoping to around to addressing that within the next week or so and thanks for posting the workaround on the related issue.

@fred974

I just saw that terraform had a free cloud account for less that 5 users and I was thinking of registering, will it work?

Terraform cloud would work if your XO deployment was publicly accessible. I highly advise against this because if your XO deployment were compromised an attacker has access to your entire infrastructure.

If you were to do this I would make sure all of your user's have strong passwords and if Hashicorp has documented public IPs that you only open your firewall to Hashicorp's Ips. It seems from this forum post that this is only available if you on the business tier.

If I run Terraform in a VM on xcp-ng, I don't need to open any port and use Terraform localy.

Yes running it on the xcp-ng host would work, however, keeping best practices in mind I would run it on a less privileged host (laptop with vpn access, development VM). If you have others collaborating on this terraform deployment, giving access to the xcp-ng host just to use terraform seems like a heavy hammer.

Is there a simple script I can run to see if I can access the Xen Orchestra API?

nmap will be able to tell you this.

nmap -sT -P0 -p 443 xo-domain

@rochemike sorry for the late reply!

If we already have an ISO on an SR, do we even need to mount the ISO for a network build of Centos/RHEL? Isn't... shouldn't it be possible for the ISO to be mounted by the new build VM as source for creating the new VM, instead of using network build?

That is exactly what packer-plugin-xenserver#56 accomplishes.

The new VM mounts the guest tools to the DVD - which I don't even want to use as I prefer to install a package afterwards. Is it possible to mount the RHEL/Centos ISO instead?

I believe the ISO and guest tools are treated the same -- both VBDs are attached as cds. If you can identify what is different about them in the UI or from the xe cli that would help me understand what you trying to describe.

As for what is possible, if what you want to configure is accessible via the XCP-ng / Xenserver API the packer plugin could be enhanced to perform that action. Hope this helps explain more on the potential possibilities.

@sMteX sorry for the late reply. I responded to your GitHub issue with some questions and comments.

Let's keep the discussion there, and we can summarize the conclusion here once we get to the bottom of it.

The ddelnano/packer-plugin-xenserver release v0.5.1 has been released and includes @bagas's fix for this issue.

@antoniolfdacruz glad to hear you were able to figure it out

@brodiecyber no worries and I hope you are doing better and staying healthy!

Just wanted to give you an update that the terraform provider is currently testing against multiple versions of terraform (v0.14.11 and v1.6.5). The build matrix will be easy to extend to support OpenTofu testing, so we should be able to integrate that testing soon.

@twaapo are you able to share the full error of your terraform apply command? In addition to that it would be helpful to see the TF_LOG=DEBUG terraform apply output as well.

Please be aware that you might need to sanitize the output.

Hi @brodiecyber, glad to hear that Terraform has become an important part of your workflow with XO

To @olivierlambert's point, the projects needed to implement a terraform provider (terraform-plugin sdk and the terraform-plugin-framework) have not been relicensed. Unless that occurs, which I think is extremely unlikely, there will be no impact for the Xen Orchestra terraform provider. The OpenTofu team also believes that the terraform provider interface will not be changed in their FAQ:

Does OpenTofu work with all the providers Terraform works with?
OpenTofu will not have its own providers. Terraform providers have not altered their licenses, and the potential for such a change is virtually zero. OpenTofu will work with the current Terraform providers, but it will use a separate registry.

I would like to have testing coverage across OpenTofu and terraform to catch any discrepancies. There isn't a timeline for accomplishing that, but that is my current thinking.

@Monkadelic_D thanks for that additional detail. I still feel that I'm unsure of the type of construct you are looking for. Here is an example that allows each VM to have a single private network and as many DHCP connected networks (meaning mac is provided) as needed.

# variables.tf
variable "mac_network" {
  type = string
}
# Map where key is VM hostname and value is list of MACs
variable "vm_network_macs" {
  type = map(list(string))
  default = {}
}

# terraform.tfvars
vm_network_macs = {
  "lab-vm-00" = ["0a:c3:fd:8a:6e:5b"],
  "lab-vm-01" = ["52:b2:f4:d7:d4:fe"],
  "lab-vm-02" = ["62:94:26:63:dd:a2"],
}

vm.tf
resource "xenorchestra_vm" "vm" {

  # The vm_network_macs contains a key for every VM hostname
  count = length(keys(var.vm_network_macs))
  name_label =  keys(var.vm_network_macs)[count.index]

  [ ... ]

  # This creates a network for each mac address provided
  dynamic "network" {
   for_each = lookup(var.vm_network_macs, keys(var.vm_network_macs)[count.index])
   iterator = mac_addr
   content {
    network_id = var.mac_network
    mac_address = mac_addr.value
   }
  }

  # This is the private network your VMs will be given
  network {
    network_id = data.xenorchestra_network.network.id
  }
}

Here is what the plan of that looks like:

Terraform will perform the following actions:

  # xenorchestra_vm.vm[0] will be created
  + resource "xenorchestra_vm" "vm" {

[ .. ]

      + network {
          + device         = (known after apply)
          + ipv4_addresses = (known after apply)
          + ipv6_addresses = (known after apply)
          + mac_address    = "0a:c3:fd:8a:6e:5b"
          + network_id     = "Your mac network"
        }
      + network {
          + device         = (known after apply)
          + ipv4_addresses = (known after apply)
          + ipv6_addresses = (known after apply)
          + mac_address    = (known after apply)
          + network_id     = "6c4e1cdc-9fe0-0603-e53d-4790d1fce8dd"
        }
    }

  # xenorchestra_vm.vm[1] will be created
  + resource "xenorchestra_vm" "vm" {

[ .. ]

      + network {
          + device         = (known after apply)
          + ipv4_addresses = (known after apply)
          + ipv6_addresses = (known after apply)
          + mac_address    = "52:b2:f4:d7:d4:fe"
          + network_id     = "Your mac network"
        }
      + network {
          + device         = (known after apply)
          + ipv4_addresses = (known after apply)
          + ipv6_addresses = (known after apply)
          + mac_address    = (known after apply)
          + network_id     = "6c4e1cdc-9fe0-0603-e53d-4790d1fce8dd"
        }
    }

  # xenorchestra_vm.vm[2] will be created
  + resource "xenorchestra_vm" "vm" {
 
[ ... ]

      + network {
          + device         = (known after apply)
          + ipv4_addresses = (known after apply)
          + ipv6_addresses = (known after apply)
          + mac_address    = "62:94:26:63:dd:a2"
          + network_id     = "Your mac network"
        }
      + network {
          + device         = (known after apply)
          + ipv4_addresses = (known after apply)
          + ipv6_addresses = (known after apply)
          + mac_address    = (known after apply)
          + network_id     = "6c4e1cdc-9fe0-0603-e53d-4790d1fce8dd"
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

If that isn't what you are looking for, I hope that it helps to spark additional inspiration from what you've tried already.

@Monkadelic_D I'm still not understanding how you determine which VMs need network interfaces with one of these existing DHCP MAC assignments.

Could you provide an example that includes a DHCP server and its MAC assignments, XCP network(s), VMs and what interfaces you expect them to have?

@Monkadelic_D can you explain how these MAC addresses will be assigned? Will you have a static list of addresses per network?

If you provide an example, I can modify the example to accommodate that if I see a solution.

Hey @Monkadelic_D, this is possible with a count'ed network data source and a dynamic block for dynamically creating the xenorchestra_vm network blocks.

Here is an example that should show off what you are trying to do:

data "xenorchestra_pool" "pool" {
  name_label = "Your pool name"
}

data "xenorchestra_network" "networks" {
  count = length(var.networks)
  name_label  = element(var.networks, count.index)
  pool_id = data.xenorchestra_pool.pool.id
}

resource "xenorchestra_vm" "vm" {

  # Fill in required arguments here

  dynamic "network" {
        for_each = data.xenorchestra_network.networks[*].id
        content {
          network_id = network.value
        }
  }
}

I verified that this creates the correct plan when the networks variable is changed.

@mlustosa apologies for the slow response on that issue. I'm hoping to around to addressing that within the next week or so and thanks for posting the workaround on the related issue.

@rochemike sorry for the late reply!

If we already have an ISO on an SR, do we even need to mount the ISO for a network build of Centos/RHEL? Isn't... shouldn't it be possible for the ISO to be mounted by the new build VM as source for creating the new VM, instead of using network build?

That is exactly what packer-plugin-xenserver#56 accomplishes.

The new VM mounts the guest tools to the DVD - which I don't even want to use as I prefer to install a package afterwards. Is it possible to mount the RHEL/Centos ISO instead?

I believe the ISO and guest tools are treated the same -- both VBDs are attached as cds. If you can identify what is different about them in the UI or from the xe cli that would help me understand what you trying to describe.

As for what is possible, if what you want to configure is accessible via the XCP-ng / Xenserver API the packer plugin could be enhanced to perform that action. Hope this helps explain more on the potential possibilities.

Hi @slynch, I unfortunately don't have any experience with Talos Linux. It seems like a very promising project.

Creating packer images with the xenserver packer plugin is OS dependent. The Ubuntu and CentOS examples provided in the repo use autoinstallation and kickstart respectively.

Is Talos Linux based on an existing distro that has an existing unattended / automatic install solution? I think the key to accomplishing this is using an off the shelf auto install tool or finding something that will work for Talos.

Talos's nocloud data source will likely be part of this solution, however, for the existing examples it's just a means for configuring the auto install tool for the target distro.

There are two platforms they support that they document using Packer - Hetzner and Upcloud - but I can't figure out how to use that knowledge to get this to work with packer-plugin-xenserver.

While I'm not familiar with the the Hetzner and Upcloud packer plugins, it seems there "examples" are essentially booting a VM and then dd'ing the raw.xz file over top of a disk device. So unfortunately I don't think those examples will be useful for implementing this with the xenserver packer plugin.