Releases: hashicorp/packer
nightly
Nightly releases are snapshots of the development activity on the Packer project that may include new features and bug fixes scheduled for upcoming releases. These releases are made available to make it easier for users to test their existing build configurations against the latest Packer code base for potential issues or to experiment with new features, with a chance to provide feedback on ways to improve the changes before being released.
As these releases are snapshots of the latest code, you may encounter an issue compared to the latest stable release. Users are encouraged to run nightly releases in a non production environment. If you encounter an issue, please check our issue tracker to see if the issue has already been reported; if a report hasn't been made, please report it so we can review the issue and make any needed fixes.
Note: Nightly releases are only available via GitHub Releases, and artifacts are not codesigned or notarized. Distribution via other Release Channels such as the Releases Site or Homebrew is not yet supported.
v1.12.0
1.12.0 (January 22, 2025)
FEATURES:
- core: add support for a DAG-based evaluation on locals and datasources.
A long-standing oddity of Packer has been the order of evaluation for
locals and data sources. In previous versions of Packer, the
data sources were evaluated first, then the local variables were, making
it impossible to have a datasource that referenced a local variable as
part of its configuration.
This change introduces a Directed Acyclic Graph (DAG) to evaluate those
resources, instead of the phased approach of old, which makes the order
of evaluation not dependent on the type of resource, but instead on the
detected dependencies between them.
Note: While we are confident this should be robust enough for general
use, we do recognise that it is possible some users might encounter issues.
To give those users a way to continue using the old evaluation method, we
introduced a -use-sequential-evaluation command-line flag to the build,
validate, console and inspect subcommands, to force using the sequential
evaluation approach for those entities.
GH-13155
- core/hcp: support for uploading SBOMs to HCP Packer.
Software Bills of Materials (SBOMs) are a standardised way to export the various
software packages linked to an artifact. As some users have expressed a
need to produce and access those for images they build, we now add the
feature to Packer itself.
Packer does not generate the SBOM itself; we recommend using known
scanners to produce it. Packer can now upload this SBOM file to HCP Packer,
and link it to a build artifact.
GH-13171
- core: support for alternate serialisation formats for plugin communication.
Packer relies on plugins to do most of the actual workload related to
building and provisioning artifacts, while Packer is mostly an orchestrator
for those plugins to perform their work.
This separation of concerns implies that both entities have to
communicate on multiple occasions during the course of a build.
Before v1.12.0 of Packer, and v0.6.0 of the plugin SDK, we used Gob to
do most of the serialisation for those steps.
This has recently become a problem, as go-cty, the library we
use for dynamic objects lifted from HCL templates, dropped support for
Gob a while back.
Therefore now, we introduce an alternative: protobuf/msgpack, which are
both usable and maintained by the projects around Packer, so we can begin
our transition away from gob with this change.
Note: as with the introduction of the DAG for locals/datasources, we are
reasonably confident you will not encounter bugs with this feature.
However, we cannot rule out this possibility, so we introduce a new
environment variable, PACKER_FORCE_GOB, which if set to '1', forces
the use of Gob instead of protobuf/msgpack.
GH-13120
IMPROVEMENTS:
- hcl2/json: add aws_secretsmanager_raw function.
When using the AWS secretsmanager function with a non-text secret, one could
only get one secret at a time.
This could get cumbersome if wanting to get multiple through one request,
which led people to encode their JSON/Object secrets as a big base64
encoded string that they could get once, and then manipulate through JSON
functions.
While the workaround works, it is one extra layer of manipulations to do so,
therefore a new function to always get the raw textual version of a secret
is now added to Packer.
GH-13242
- hcl2: add alltrue and anytrue functions.
As with Terraform, Packer now supports the HCL functions alltrue and
anytrue, which return whether or not a collection only consists of true
values, or if any is.
GH-13237
- hcl2: add strcontains function.
As with Terraform, Packer now supports the HCL function strcontains,
which returns whether or not a string contains a substring within it.
GH-13217
GH-13222
- datasource/http: Support other methods than GET.
The HTTP datasource used to always use GET requests for getting data
from a remote HTTP server, which was not always enough since some endpoints
may only support other methods. This change allows for most of the HTTP
methods to perform those requests.
GH-13190
- hcl2: add base64gzip function.
In some cases, small blobs may need to be kept in memory, and injected in
a template somewhere else, but if the blob needs to be minimised, the
base64gzip function can be invoked to compress the blob and expose it
as a valid HCL2 string for use later.
GH-13142
BUG FIXES:
- hcl2: Fix duplicate error messages on top-level HCL violations.
A parsing quirk for HCL templates caused Packer to produce the same parsing
error multiple times if the error was caused by a top-level violation.
GH-13245
- build: Include LC_UUID in Darwin binaries.
A change in how Apple authorises a plugin to access the network caused
Packer to break on recent (14.7 and above) macOS versions, as Packer uses
the local network to communicate with plugins.
The fix is to include an additional UUID into the metadata of the produced
binary, so it is authorised by macOS to use the local network, which prompts
an update to the version of Go used for building Packer (1.22.9), as it is
when this addition is supported by an LDFLAG.
GH-13214
- hcl2: Don't error on empty bucket slug.
As reported by members of our community, using a hcp_packer_registry
block without a bucket slug, even if provided by external means, would cause
Packer to fail with an invalid bucket slug error. This is most definitely
a bug, which is addressed in this release.
GH-13210
- hcp: fix bug when trying to extract HEAD SHA from empty Git repo.
GH-13165
SECURITY:
- Bump to go-crypto v0.31.0
GH-13233
NOTES:
v1.12.0-alpha1
version: cut packer 1.12.0-alpha1
v1.11.2
1.11.2 (July 30, 2024)
FEATURES
- core/hcp: export Packer options, OS, CI and VCS metadata for a build.
Following up on the introduction of metadata for builds in Packer 1.11.0,
this version introduces more metadata. In addition to the version of Packer
core, and the plugins used, we now capture CI-specific environment variables
(gitlab-ci and github-actions for now), Git-specific information, OS details
like architecture and kernel version, and the command-line options passed
to packer build.
v1.11.1
1.11.1 (July 1, 2024)
NOTES:
- Future Scaffolding: This release contains additional changes that allow
Packer core to validate access to an HCP Packer bucket before trying to
publish to it. If the bucket does not exist and the associated service
principal does not have permission to create the bucket, Packer will fail
the build.
GH-13059
SECURITY:
- core: Bump github.com/hashicorp/go-retryablehttp to address
CVE-2024-6104.
GH-13081
IMPROVEMENTS:
- core/hcl2: The issue is that local variables in templates are evaluated in a
non-deterministic order, leading to inconsistent behavior. To fix this,
local variables will now build a list of direct dependencies, similar to
datasources, and evaluate these dependencies recursively. A caveat is that
there's a recursion cap of 10 to prevent infinite recursion; if this limit
is reached, an error is returned, prompting the user to fix their template.
GH-13039
- core: bump github.com/hashicorp/hcp-sdk-go from 0.96.0 to 0.99.0
GH-13063
- core: bump github.com/hashicorp/packer-plugin-sdk from 0.5.3 to 0.5.4
GH-13061
BUG FIXES:
- core/hcp: Change UpsertBucket to call GetBucket to address unauthorized error
from upstream API.
GH-13059
v1.11.0
1.11.0 (2024-05-31)
NOTES:
- A LICENSE.txt file has been added to the Packer release artifacts.
GH-12931
GH-12940
- Breaking Change: Support for loading single-component plugins has been removed from Packer. GH-12785
- Breaking Change: Support for loading plugin binaries following
the naming convention of packer-plugin-name has been dropped. Packer will now only load
plugins stored under the Packer plugin directory using the expected namespaced
directory and CHECKSUM files. This change drops support for loading plugin
binaries in Packer's executable directory or a template's current working
directory. GH-12828
/Users/dev/.packer.d/plugins
└── github.com
    └── hashicorp
        └── happycloud
            ├── packer-plugin-happycloud_v0.0.1_x5.0_darwin_arm64
            └── packer-plugin-happycloud_v0.0.1_x5.0_darwin_arm64_SHA256SUM
FEATURES:
- core: Add -ignore-prerelease-plugins flag to disable the use of development
plugin binaries for the build and validate commands. GH-12828
GH-12882
- Packer users can now track Packer version and plugin versions used for each
build artifact in HCP Packer.
GH-12866
- hcl2: add textencodebase64 and textdecodebase64 funcs
For feature parity with Terraform, and since having access to strings
encoded in something that is not UTF-8 is required in some cases, we add
both the textencodebase64 and textdecodebase64 functions to HCL2 templates.
Please note these functions return base64 encoded byte slices because of how
cty/hcl defines strings (NFC normalised, UTF-8 encoded).
GH-12997
SECURITY:
- Bump github.com/go-jose/go-jose/v3 to address GHSA-c5q2-7r4c-mv6g.
GH-12880
- Bump golang.org/x/net to v0.24.0 to address GO-2024-2687.
GH-12924
IMPROVEMENTS:
- core: Bump github.com/hashicorp/hcp-sdk-go from 0.90.0 to 0.96.0.
GH-12935
GH-12942
GH-12960
GH-12979
- core: Bump github.com/hashicorp/packer-plugin-sdk from 0.5.2 to 0.5.3
GH-12932
- core: Bump go-getter/v2 from 2.2.1 to v2.2.2
GH-12988
- datasource/http: don't error on 2xx code
Previous versions of Packer only supported 200 as a success case for the http
datasource. This change makes any status code from 200 to 299 successful.
GH-12989
- core: Move to predictable plugin loading schema - Packer will now only load
plugins stored under the Packer plugin directory using the expected namespaced
directory and CHECKSUM files.
GH-12828
- core: Remove support for loading single-component plugins.
GH-12785
- core: Rename internal packer plugin command to packer execute to avoid
user confusion with the plugins subcommand.
GH-12865
- core: Packer now considers development binaries when evaluating plugin
version constraints. This work allows binaries with versions
reported as "x.y.z-dev" to be used with the Packer required_plugins
block. GH-12828
- core: Packer now supports local paths to plugins for the packer plugins remove
command. This addition makes it possible to pipe commands like
packer plugins installed with it for speedy cleanup of installed plugins.
GH-12886
- core: Relax Packer source address URIs within the required_plugins block to
support the installation of a local plugin binary using a custom or internal
source address (e.g. mycompany.com/plugins/happyorg/happycloud). Remote
installation using packer init or packer plugins install does not
support non-GitHub source URIs. Users using alternative hosts must
install plugins manually using packer plugins install --path.
GH-12911, GH-12962
- core: Remote plugins installed containing an internal version number that
differs from the version number within the binary name can lead to
confusion when tracking Packer plugin version information. To help track
such discrepancies in the plugin version, packer init and packer plugin install
have been updated to reject installation of such plugins.
1.0.0-dev). Users are encouraged to notify plugin maintainers of any
version mismatches.
GH-12915, GH-12953, GH-12972
- core: don't load plugins with metadata in name
To avoid confusion with multiple plugins that report the same effective version,
plugins installed need to have no metadata in their name.
When installed through Packer commands, the metadata is scrubbed from the name of the
installed plugin binary, but manually it may still be possible, so we enforce
that scrubbing at load-time as well.
GH-12980
- core: Error when multiple paths are specified for PACKER_PLUGIN_PATH
Since Packer 1.11 removed the capability for PACKER_PLUGIN_PATH to specify
multiple directories separated by : or ; (depending on the platform), we
are explicitly erroring when this is discovered, with suggestions as to how
to fix the problem.
GH-12967
- core: Version metadata support for plugins. Plugins may now formally have metadata
in their versions, Packer supports it, and applies the semver recommendations on
them, i.e. they are ignored for comparison/sorting purposes, but allowed for
adding extra information about a plugin.
GH-12888
Given the specified version constraint only versions greater than or equal to 1.1.0 will be considered.
amazon = {
  source  = "github.com/hashicorp/amazon"
  version = ">= 1.1.0"
}
If a development binary is installed, Packer will use it if:
- It is the highest compatible version installed.
- There is no final plugin version with the same version number installed alongside it.
/Users/dev/.packer.d/plugins
└─ github.com
    └─ hashicorp
        └── amazon
            ├── packer-plugin-amazon_v1.1.0_x5.0_darwin_arm64
            ├── packer-plugin-amazon_v1.1.0_x5.0_darwin_arm64_SHA256SUM
            ├── packer-plugin-amazon_v1.1.1-dev_x5.0_darwin_arm64
            └── packer-plugin-amazon_v1.1.1-dev_x5.0_darwin_arm64_SHA256SUM
Version 1.1.1-dev of the Amazon plugin will match the specified version constraint and be used for executing the Packer build.
If, however, a 1.1.1 release version of the plugin is available, it will have precedence over the development binary.
/Users/dev/.packer.d/plugins
└─ github.com
    └─ hashicorp
        └── amazon
            ├── packer-plugin-amazon_v1.1.1-dev_x5.0_darwin_arm64
            ├── packer-plugin-amazon_v1.1.1-dev_x5.0_darwin_arm64_SHA256SUM
            ├── packer-plugin-amazon_v1.1.1_x5.0_darwin_arm64
            └── packer-plugin-amazon_v1.1.1_x5.0_darwin_arm64_SHA256SUM
BUG FIXES:
- core: fix plugin version ordering to not be lexicographic. This fixes an issue
with how plugins are discovered by Packer, and ensures proper version ordering.
This means that with this change, versions that are semantically greater,
but lexicographically inferior will be loaded.
Ex: 1.0.9 vs. 1.0.10; 1.0.9 > 1.0.10 lexicographically, but semantically
1.0.10 > 1.0.9
- core/hcp: fix potential race condition when storing plugin details to the HCP
Packer metadata storage map.
GH-12936
- core: fix plugin listing on Windows
This fix addresses bugs present in the alpha releases of 1.11, where
the discovery of Windows binaries was not matching against the
filename extension (.exe).
GH-12981
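The plugin selection rules in the 1.11.0 notes above (numeric rather than lexicographic version ordering, a final release taking precedence over a -dev binary with the same number, names carrying metadata not being loaded, and a checksum file expected next to each binary), as an added Go example that is not Packer's own code. The pick function, its ">= minimum" constraint handling, the ignoreDev switch standing in for -ignore-prerelease-plugins, and the presence-only checksum check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"slices"
)

// Name layout taken from the listings in these notes; rules are a sketch, not Packer's loader.
var nameRe = regexp.MustCompile(`_v(\d+\.\d+\.\d+)(-dev)?(\+[^_]+)?_x\d+\.\d+_[a-z0-9]+_[a-z0-9]+(\.exe)?$`)

type plugin struct{ file string; ver [3]int; dev bool }

// less compares each component numerically (so 1.0.9 < 1.0.10); at equal
// numbers a -dev build sorts below the final release.
func less(a, b plugin) bool {
	for i := range a.ver {
		if a.ver[i] != b.ver[i] {
			return a.ver[i] < b.ver[i]
		}
	}
	return a.dev && !b.dev
}

// pick returns the binary selected for a ">= minVer" constraint, or "" if none.
func pick(files []string, minVer [3]int, ignoreDev bool) string {
	var best plugin
	for _, f := range files {
		m := nameRe.FindStringSubmatch(f)
		// Skip checksum files, +metadata names and binaries lacking a checksum file.
		if m == nil || m[3] != "" || !slices.Contains(files, f+"_SHA256SUM") {
			continue
		}
		p := plugin{file: f, dev: m[2] != ""}
		fmt.Sscanf(m[1], "%d.%d.%d", &p.ver[0], &p.ver[1], &p.ver[2])
		usable := !(ignoreDev && p.dev) && !less(p, plugin{ver: minVer})
		if usable && (best.file == "" || less(best, p)) {
			best = p
		}
	}
	return best.file
}

func main() {
	a := "packer-plugin-amazon_v1.1.1-dev_x5.0_darwin_arm64"
	b := "packer-plugin-amazon_v1.1.1_x5.0_darwin_arm64"
	files := []string{a, a + "_SHA256SUM", b, b + "_SHA256SUM"} // second listing from the notes
	fmt.Println(pick(files, [3]int{1, 1, 0}, false))
}
```

The checksum check here only confirms that the _SHA256SUM file is listed; comparing its contents against the binary's digest is outside this sketch.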
v1.11.0-beta
version: tag version as 1.11.0-beta
v1.10.3
1.10.3 (April 22, 2024)
NOTES
- A LICENSE.txt file has been added to the Packer release artifacts.
12981
FEATURES
- Packer users can now track Packer version and plugin versions used for each
build artifact in HCP Packer.
GH-12891
GH-12910
GH-12923
GH-12926
SECURITY
- Bump github.com/go-jose/go-jose/v3 to address GHSA-c5q2-7r4c-mv6g.
GH-12928
- Bump golang.org/x/net to v0.24.0 to address GO-2024-2687.
GH-12924
BUG FIXES
- cmd/fmt: Display information error when Packer fmt fails due to HCL2
parsing error. GH-12870
v1.11.0-alpha2
version: bump to v1.11.0-alpha2
v1.11.0-alpha
Bump github.com/go-jose/go-jose/v3 to address CVE-2024-28180