Baking an image in Oracle OCI

Hi All,
I am trying to bake an image using Packer in Oracle OCI. Now, I am able to spin up the instance using the base image, but not able to connect to it using SSH.
The reason is that by default no Network Security Group is associated with a compute instance in our subnet.
I am now trying to associate an NSG while spinning up the instance. I tried using user_data_file to create a VNIC, but failed to get the result.
It would be very helpful if someone could help me associate an NSG with the instance in OCI.
My build template looks like the following.
{
  "description": "XXXX Packer Template",
  "min_packer_version": "1.5.5",
  "variables": {
    "ssh_username": "xxx",
    "shape": "VM.Standard2.1",
    "use_private_ip": "true",
    "access_cfg_file": "~/.oci/config",
    "access_cfg_file_account": "DEFAULT",
    "pass_phrase": "{{env `PASS_PHRASE`}}",
    "availability_domain": "",
    "base_image_ocid": "",
    "compartment_ocid": "",
    "subnet_ocid": "",
    "image_name": "",
    "image_version": ""
  },
  "builders": [
    {
      "type": "oracle-oci",
      "pass_phrase": "{{user `pass_phrase`}}",
      "communicator": "ssh",
      "access_cfg_file": "{{user `access_cfg_file`}}",
      "access_cfg_file_account": "{{user `access_cfg_file_account`}}",
      "availability_domain": "{{user `availability_domain`}}",
      "base_image_ocid": "{{user `base_image_ocid`}}",
      "compartment_ocid": "{{user `compartment_ocid`}}",
      "shape": "{{user `shape`}}",
      "subnet_ocid": "{{user `subnet_ocid`}}",
      "image_name": "{{user `image_name`}}-{{user `image_version`}}-{{timestamp}}",
      "use_private_ip": "{{user `use_private_ip`}}",
      "ssh_username": "{{user `ssh_username`}}",
      "region": "us-phoenix-1"
    }
  ],

  "provisioners": [
    {
      "type": "shell",
      "inline": ["sleep 1000000", "sudo mkdir -p /apps/xxx", "sudo mkdir -p /apps/consul"]
    }
  ]
}

Hi,

so this means that you removed the default security list? Because with it, SSH would work.

Anyway, you can only add a VM to a NSG after the VM has been created and the VNIC exists with an IP assigned. So, in your inline-script, you would need to install oci-cli, upload your .oci/config for it, and use it to add the system to the NSG. This requires a bit of scripting, since you need to retrieve OCIDs via the REST API for this.

The easier approach would probably be a wrapper script which simply opens SSH in the corresponding Security List, starts Packer, and closes SSH again. Since Packer uses DHCP, you MUST grant access on the subnet level and not via NSGs, which operate on a higher layer.

Hope this helps,

Ralf
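One way to implement the wrapper Ralf describes (open TCP/22 in the subnet's Security List, run Packer, close it again). This is an added example, not code from the thread or from Packer/OCI: it assumes the `oci` CLI is installed and configured, that the caller passes the Security List OCID and the build host's public CIDR as placeholders, and that the `update` command accepts the camelCase rule keys that `--generate-param-json-input` documents, so the kebab-case keys from `get` are converted first. The rule is scoped to a single source CIDR and port 22 only, tagged with a description so that the wrapper removes exactly the rule it added, and the removal runs in a `finally` block so the hole does not stay open when a build fails.

```python
"""Temporarily open SSH in an OCI Security List around a `packer build`.

Added example (not from the thread). Assumes the `oci` CLI is installed and
configured. SECURITY_LIST_OCID and SOURCE_CIDR are supplied by the caller.
"""
import json
import subprocess
import sys

SSH_PORT = 22
TCP = "6"  # OCI security rules use the IANA protocol number as a string
MARKER = "packer temporary ssh"  # lets us remove only the rule we added


def kebab_to_camel(obj):
    """Recursively rename kebab-case keys (CLI `get` output) to camelCase.
    Assumption: `security-list update` wants the documented camelCase form."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            parts = key.split("-")
            camel = parts[0] + "".join(p.capitalize() for p in parts[1:])
            out[camel] = kebab_to_camel(value)
        return out
    if isinstance(obj, list):
        return [kebab_to_camel(item) for item in obj]
    return obj


def ssh_ingress_rule(source_cidr):
    """Stateful ingress rule: TCP/22 from exactly one CIDR, nothing broader."""
    return {
        "protocol": TCP,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": MARKER,
        "tcpOptions": {"destinationPortRange": {"min": SSH_PORT, "max": SSH_PORT}},
    }


def is_temp_rule(rule, source_cidr):
    """Identify the rule this wrapper added (by marker, source and protocol)."""
    return (
        rule.get("description") == MARKER
        and rule.get("source") == source_cidr
        and rule.get("protocol") == TCP
    )


def open_ssh(rules, source_cidr):
    """Return a new rule list with the temporary SSH rule added (idempotent)."""
    if any(is_temp_rule(r, source_cidr) for r in rules):
        return list(rules)
    return list(rules) + [ssh_ingress_rule(source_cidr)]


def close_ssh(rules, source_cidr):
    """Return a new rule list with only our temporary SSH rule removed."""
    return [r for r in rules if not is_temp_rule(r, source_cidr)]


def oci(*args):
    """Run an `oci` CLI command and parse its JSON output."""
    proc = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def current_ingress_rules(seclist_ocid):
    data = oci("network", "security-list", "get", "--security-list-id", seclist_ocid)
    return kebab_to_camel(data["data"]["ingress-security-rules"])


def set_ingress_rules(seclist_ocid, rules):
    # `update` replaces the whole rule list, so always pass the merged list.
    oci("network", "security-list", "update", "--security-list-id", seclist_ocid,
        "--ingress-security-rules", json.dumps(rules), "--force")


def main(seclist_ocid, source_cidr, packer_args):
    set_ingress_rules(seclist_ocid, open_ssh(current_ingress_rules(seclist_ocid), source_cidr))
    try:
        return subprocess.call(["packer", "build", *packer_args])
    finally:
        # Always close the hole, even if Packer fails or is interrupted.
        set_ingress_rules(seclist_ocid, close_ssh(current_ingress_rules(seclist_ocid), source_cidr))


if __name__ == "__main__":
    # Usage: python packer_wrapper.py <SECURITY_LIST_OCID> <SOURCE_CIDR> template.json
    sys.exit(main(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

Run it from the host that Packer connects from, with that host's public address as a /32 source; the VM still needs no public NSG, and the only lasting change to the Security List is none, because the marker rule is removed when the build exits.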