Proposal: A dedicated lxc-exec provisioner

[dontlaugh]

The lxc exec command has many powerful flags, including

• --uid and --gid to set the user and group of the subprocess on the remote container
• --cwd to set the working directory
• --env for environment variables
• ...and more

Taking advantage of these right now requires the shell-local provisioner.

Consider this configuration snippet.

locals {
  git_script = "/tmp/git-script.sh"
}

source "lxd" "arch" {
  image = "images:archlinux/cloud"
}

build {
  source "lxd.arch" {
    name         = "arch-ci"
    output_image = "arch-ci"
  }

  provisioner "file" {
    source      = "./git-script.sh"
    destination = "${local.git_script}"
  }

  provisioner "shell" {
    inline = [
      "pacman -Syyu --noconfirm",
      "pacman -Sy --noconfirm man make cmake git python python2 ninja clang lld htop jq neovim kitty-terminfo openssh",
      "useradd -m builder",
      "systemctl enable --now sshd",
    ]
  }

  provisioner "shell-local" {
    inline = [
      "lxc exec packer-arch --env HOME=/home/builder --cwd /home/builder --user 1001 --group 1001 -- mkdir /home/builder/.ssh",
      "lxc exec packer-arch --env HOME=/home/builder --cwd /home/builder --user 1001 --group 1001 -- ${local.git_script}",
    ]
  }
}

A dedicated lxc-exec provisioner would allow reducing this duplication. It would be really useful, because if you don't set these flags, you're running as root in a pretty bare process environment.

Potential configuration

provisioner "lxc-exec" {
  environment_vars = ["HOME=/home/builder"]
  user = 1000
  group = 1000
  working_directory = "/home/builder"
  inline = [
    "echo I'm run with uid 1000 from /home/builder",
  ]
}

Potential References

Potential prior art is the Puppet Bolt plugin puppetlabs/bolt#2311