Starting with Terraform Enterprise v202305-1, custom build worker images must be migrated to custom agent images.
Some customers will want to use a RHEL base rather than Ubuntu, and this is possible. Please note that creating and troubleshooting such images falls outside the scope of HashiCorp support.
Here is an example of how one could accomplish this (please note that this image assumes you have the TFC agent binaries, tfc-agent and tfc-agent-core, extracted into the build directory):
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
ARG PRODUCT_NAME
ARG PRODUCT_VERSION
# TARGETARCH and TARGETOS are set automatically when --platform is provided.
ARG TARGETOS TARGETARCH
# Directory, relative to the build context, holding the extracted agent binaries.
# Declaring the ARG lets it be overridden with --build-arg; the "." default is an assumption.
ARG BUILD_DIRECTORY=.
# where we expect to find the built binary on the host system
ENV BIN_DIR=$BUILD_DIRECTORY
LABEL maintainer="HashiCorp Terraform Cloud Support <tf-cloud@hashicorp.support>"
LABEL "com.hashicorp.${PRODUCT_NAME}.version"="${PRODUCT_VERSION}"
LABEL name=$PRODUCT_NAME
LABEL vendor="HashiCorp"
LABEL version=$PRODUCT_VERSION
# Update the base operating system packages.
RUN microdnf --assumeyes update && \
    rm --recursive --force /var/cache/yum
# Install required packages to support HTTPS requests to endpoints with certs
# signed by trusted CAs.
RUN microdnf --assumeyes install ca-certificates
# Install packages relevant to Terraform workloads and utilities
RUN microdnf --assumeyes install curl findutils iputils iproute nmap-ncat openssl psmisc sudo wget jq unzip openssh python3.8 python3-pip git python3-devel gcc && \
    microdnf clean all
# Install extra utilities which help facilitate common use cases for users.
RUN pip3 install mercurial
# Include all necessary CA certificates. If required, uncomment and customize the next three lines.
#ADD example-root-ca.crt /usr/share/pki/ca-trust-source/anchors
#ADD example-intermediate-ca.crt /usr/share/pki/ca-trust-source/anchors
#RUN update-ca-trust
# Create a non-root tfc-agent user for use inside the container.
RUN groupadd --system tfc-agent && useradd --system --create-home --gid tfc-agent tfc-agent
# Install the agent binaries.
RUN mkdir /home/tfc-agent/bin
COPY $BIN_DIR/tfc-agent /home/tfc-agent/bin/
COPY $BIN_DIR/tfc-agent-core /home/tfc-agent/bin/
RUN chown -R tfc-agent:tfc-agent /home/tfc-agent/bin
# Optionally add hooks that run before plans and applies. https://developer.hashicorp.com/terraform/cloud-docs/agents/hooks#supported-hooks
#ADD --chown=tfc-agent:tfc-agent hooks /home/tfc-agent/.tfc-agent/hooks
# Set the stop signal to SIGINT. This affects how Docker will signal the
# container's processes to end when 'docker stop' is invoked.
STOPSIGNAL SIGINT
# Remove the dynamic linker cache. On hardened platforms such as AKS, a newly fetched
# Terraform binary can otherwise error when it tries to use a cache that was not
# generated inside this container.
RUN rm /etc/ld.so.cache
# Remove any SUID/SGID binaries on the filesystem. For the agent use case they
# are not required, and their presence could only cause problems.
RUN find / -type f -not -path "/proc/*" \( -perm -4000 -o -perm -2000 \) -delete
# Switch to the non-root tfc-agent user.
USER tfc-agent
# Add the /local/bin directory to allow Nomad-driven agents to supply custom
# scripts at container launch time.
ENV PATH=$PATH:/local/bin
# Run from the user's home directory instead of from /.
WORKDIR /home/tfc-agent
ENTRYPOINT ["/home/tfc-agent/bin/tfc-agent"]
This reference image is provided without any warranty as a simple proof of concept. It is not guaranteed to function in your environment (though it worked correctly in our testing environment), and any image based on it should be tested thoroughly before being used in a production environment.
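The script below is an added example, not part of the HashiCorp article: it builds the image above with the ARGs its Dockerfile declares and then verifies the hardening the Dockerfile intends (non-root user, no SUID/SGID binaries, no stale /etc/ld.so.cache). The image name and tag, the linux/amd64 platform, and the binaries sitting at the root of the build context (BUILD_DIRECTORY=.) are assumptions.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article). Builds the RHEL-based agent image and
# audits it for the properties the Dockerfile is meant to guarantee. Image name, tag and
# platform below are assumptions.
set -eu

# Count SUID/SGID regular files below a root, using the same find expression as the
# Dockerfile's cleanup step. Errors are ignored so the check also works as non-root.
count_setid_files() {
  root=${1%/}
  find "${root:-/}" -type f -not -path "$root/proc/*" \( -perm -4000 -o -perm -2000 \) \
    2>/dev/null | wc -l | tr -d ' '
}

# Delete them (what the Dockerfile's RUN find ... -delete does) so a tree can be re-checked.
strip_setid_files() {
  root=${1%/}
  find "${root:-/}" -type f -not -path "$root/proc/*" \( -perm -4000 -o -perm -2000 \) \
    -delete 2>/dev/null || true
}

build_image() {  # $1=image name, $2=version; --platform populates TARGETOS/TARGETARCH
  docker build --platform linux/amd64 \
    --build-arg PRODUCT_NAME=tfc-agent --build-arg "PRODUCT_VERSION=$2" \
    --build-arg BUILD_DIRECTORY=. -t "$1:$2" .
}

# Run the checks inside the built image. --entrypoint overrides the tfc-agent ENTRYPOINT;
# id and test come from ubi-minimal's coreutils, find from the findutils package installed above.
audit_image() {  # $1=image:tag
  uid=$(docker run --rm --entrypoint /usr/bin/id "$1" -u)
  [ "$uid" != 0 ] || { echo "FAIL: container runs as root"; return 1; }
  n=$(docker run --rm --entrypoint /usr/bin/find "$1" / -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' ')
  [ "$n" = 0 ] || { echo "FAIL: $n SUID/SGID files remain"; return 1; }
  docker run --rm --entrypoint /usr/bin/test "$1" ! -e /etc/ld.so.cache \
    || { echo "FAIL: /etc/ld.so.cache still present"; return 1; }
  echo "OK: $1 runs as uid $uid, no setid files, no ld.so.cache"
}

# Only touch docker when explicitly asked; the helper functions can be used on their own.
if [ "${TFC_AGENT_BUILD:-0}" = 1 ]; then
  build_image "${IMAGE:-tfc-agent-rhel}" "${VERSION:-1.0.0}"
  audit_image "${IMAGE:-tfc-agent-rhel}:${VERSION:-1.0.0}"
fi
```

Run with `TFC_AGENT_BUILD=1 VERSION=<agent version> sh build-and-audit.sh` from the directory containing the Dockerfile and the extracted binaries.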
Additional References:
Worker to agent migration documentation:
https://developer.hashicorp.com/terraform/enterprise/admin/infrastructure/worker-to-agent-migration
Building an agent custom image:
https://developer.hashicorp.com/terraform/enterprise/install/interactive/installer#agent