Coder.com•4mo ago

coder agent using token auth

Hi, I'm trying to start a coder agent using libvirt/KVM (not in a public cloud) and am having some challenges getting the coder agent to authenticate to my self-hosted coderd. In my terraform I use a remote-exec provisioner to do the init, like this:

resource "libvirt_domain" "domain-ubuntu" {
...
  provisioner "remote-exec" {
    inline = [
      "bash -c 'export CODER_AGENT_TOKEN=${nonsensitive(coder_agent.main.token)}; ${coder_agent.main.init_script}'"
    ]
  }
}

resource "libvirt_domain" "domain-ubuntu" {
...
  provisioner "remote-exec" {
    inline = [
      "bash -c 'export CODER_AGENT_TOKEN=${nonsensitive(coder_agent.main.token)}; ${coder_agent.main.init_script}'"
    ]
  }
}

I verified the token is correctly passed to the agent, but the agent gets 401 errors. Poking around in the db, the token is not populated in the workspace_agents table. Interestingly, if I kill the coder agent so that terraform apply completes, then I do see an entry getting added to workspace_agents with the right auth token, and manually doing a curl using that token works, so it looks like there is some sequencing issue here? What am I doing wrong?

7 Replies

Codercord•4mo ago

<#1238862779243429970>

Category

Help needed

Product

Coder OSS (v2)

Platform

Linux

Logs

Please post any relevant logs/error messages.

Cian•4mo ago

the agent token isn't valid until the workspace build is completed and the remote-exec won't finish as that's essentially running the coder agent, so the build will never 'complete' you may want to look into making a systemd unit for the coder agent

Cian•4mo ago

https://github.com/coder/coder/blob/main/examples/templates/incus/main.tf#L179-L237 this is for a different provider, but same principle applies

GitHub

coder/examples/templates/incus/main.tf at main · coder/coder

Provision remote development environments via Terraform - coder/coder

Cian•4mo ago

write a systemd unit to start the agent, write the token to the unit env, and add a watcher so that the agent gets restarted when the token changes alternatively, if there's a way to do the remote-exec in the background that might also work

Phorcys•4mo ago

hey, you should look into using cloud-init instead of remote-exec to run the agent script if possible

Phorcys•4mo ago

see the following : - https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs/resources/cloudinit - https://github.com/phorcys420/coder-templates/blob/f45e03d66710e8c1ef1a846d895d211df6ad843b/libvirt-ubuntu/libvirt.tf#L9-27

Terraform Registry

GitHub

coder-templates/libvirt-ubuntu/libvirt.tf at f45e03d66710e8c1ef1a84...

Coder templates. Contribute to phorcys420/coder-templates development by creating an account on GitHub.

Phorcys•4mo ago

otherwise if you can't do that then remote-exec in the background should be fine

Gaming

Programming

coder agent using token auth