Newer versions of Terraform Enterprise (v202305-1) make it necessary to migrate custom build worker images to custom agent images.
Some customers will want to use a RHEL base rather than Ubuntu, and this is possible. Please note that creating or troubleshooting such images falls outside the scope of HashiCorp support.
Here is an example of how one could accomplish this (please note that this image assumes you have the TFC agent binary extracted into the build directory):
```dockerfile
# Base image is an assumption: the FROM line is missing from this copy of the
# article. The use of microdnf implies a Red Hat UBI minimal image.
FROM registry.access.redhat.com/ubi8/ubi-minimal

# TARGETARCH and TARGETOS are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH

# where we expect to find the built binary on the host system
# (default assumed here: the build directory, as described above)
ARG BIN_DIR=.

LABEL maintainer="HashiCorp Terraform Cloud Support <email@example.com>"

# Update the base operating system packages.
RUN microdnf --assumeyes update && \
    rm --recursive --force /var/cache/yum

# Install required packages to support HTTPS requests to endpoints with certs
# signed by trusted CAs.
RUN microdnf --assumeyes install ca-certificates

# Install packages relevant to Terraform workloads and utilities
RUN microdnf --assumeyes install curl findutils iputils iproute nmap-ncat openssl psmisc sudo wget jq unzip openssh python3.8 python3-pip git python3-devel gcc && \
    microdnf clean all

# Install extra utilities which help facilitate common use cases for users.
RUN pip3 install mercurial

# Include all necessary CA certificates. If required, uncomment and customize the next three lines
#ADD example-root-ca.crt /usr/share/pki/ca-trust-source/anchors
#ADD example-intermediate-ca.crt /usr/share/pki/ca-trust-source/anchors
#RUN update-ca-trust

# Create a non-root tfc-agent user for use inside the container.
RUN groupadd --system tfc-agent && useradd --system --create-home --gid tfc-agent tfc-agent

# Install the agent binaries.
RUN mkdir /home/tfc-agent/bin
COPY $BIN_DIR/tfc-agent /home/tfc-agent/bin/
COPY $BIN_DIR/tfc-agent-core /home/tfc-agent/bin/
RUN chown -R tfc-agent:tfc-agent /home/tfc-agent/bin

# Adding hooks before plan and applies. https://developer.hashicorp.com/terraform/cloud-docs/agents/hooks#supported-hooks
#ADD --chown=tfc-agent:tfc-agent hooks /home/tfc-agent/.tfc-agent/hooks

# Set the stop signal to SIGINT. This affects how Docker will signal the
# container's processes to end when 'docker stop' is invoked.
STOPSIGNAL SIGINT

# Remove the dynamic linker cache, which might allow hardened security platforms such as AKS to not error when a newly
# fetched Terraform binary attempts to utilize the cache which was not generated in the context of the container itself.
RUN rm /etc/ld.so.cache

# Remove any SUID/SGID binaries on the filesystem. For the agent use case they
# are absolutely not required and their presence could only stir up issues.
# This also deletes the setuid sudo binary installed above.
RUN find / -type f -not -path "/proc/*" \( -perm -4000 -o -perm -2000 \) -delete

# Set the user to use the non-root tfc-agent user.
USER tfc-agent

# Add the /local/bin directory to allow Nomad-driven agents to supply custom
# scripts at container launch time. (Position within PATH is assumed.)
ENV PATH="${PATH}:/local/bin"

# Run from the user's home directory instead of from /.
WORKDIR /home/tfc-agent
```
This reference image is provided without any warranty as a simple proof of concept. It is not guaranteed to function in your environment (though it worked correctly in our testing environment), and any image referencing this should be tested thoroughly prior to any implementation in a production environment.
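One way to test a built image against the hardening steps in the Dockerfile above, as an added example that is not part of the original article or HashiCorp's code: it reads a container filesystem tar and checks that no SUID/SGID files remain, that `/etc/ld.so.cache` is gone, and that the `tfc-agent` account exists with a non-zero UID. The function names and the sample rootfs (including UID 998) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HashiCorp code). Modes are read from the archive
# listing, so nothing is extracted and setuid bits are not lost.

# Print regular files whose recorded mode carries the SUID or SGID bit.
list_suid_sgid() {
    # Mode string example: -rwsr-xr-x (s/S in the owner or group execute slot).
    tar -tvf "$1" | awk '$1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ { print $NF }'
}

# Succeed if the archive still ships the dynamic linker cache.
has_ld_cache() {
    tar -tf "$1" | grep -Eq '^(\./)?etc/ld\.so\.cache$'
}

# Print the UID recorded for the tfc-agent account in etc/passwd.
agent_uid() {
    { tar -xOf "$1" etc/passwd || tar -xOf "$1" ./etc/passwd; } 2>/dev/null |
        awk -F: '$1 == "tfc-agent" { print $3 }'
}

# Run all three checks; return non-zero if any hardening step is missing.
audit_rootfs_tar() {
    rc=0
    found=$(list_suid_sgid "$1")
    if [ -n "$found" ]; then echo "FAIL: SUID/SGID files: $found"; rc=1; fi
    if has_ld_cache "$1"; then echo "FAIL: /etc/ld.so.cache present"; rc=1; fi
    case "$(agent_uid "$1")" in
        ''|0) echo "FAIL: tfc-agent account missing or UID 0"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "PASS"; fi
    return "$rc"
}

# Constructed sample rootfs (not a real image). $1 = output tar,
# $2 = mode for usr/bin/tool, e.g. 4755 (SUID) or 0755.
make_sample_tar() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/bin"
    printf 'root:x:0:0::/root:/bin/sh\ntfc-agent:x:998:996::/home/tfc-agent:/bin/sh\n' \
        > "$d/etc/passwd"
    : > "$d/usr/bin/tool" && chmod "$2" "$d/usr/bin/tool"
    tar -cf "$1" -C "$d" etc usr
    rm -rf "$d"
}

# Audit the tar given as the first argument, if any.
if [ "$#" -gt 0 ]; then audit_rootfs_tar "$1"; fi
```

To audit a real build, create a container from the image, write its filesystem to a tar with `docker export`, and pass the tar path as the first argument.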
Worker to agent migration documentation:
Building an agent custom image: