Official Vagrant images for CentOS Linux 6 and CentOS Linux 7 for x86_64 are now available for download, featuring updated packages to 28 July 2016 and the following improvements:
- Follow upstream Vagrant recommendations:
- The default Vagrant sync directory is set to
/vagrant sshdDNS lookups are disabled by default- The root password is set to
vagrant
- The default Vagrant sync directory is set to
- The GRUB timeout is set to just 1 second, to decrease the boot time
- [security]:
sshdpassword authentication is now disabled (thevagrantuser is configured with the publicly-known passwordvagrantand passwordless sudo, making it trivial for third-parties to gain administrative access viasshif password authentication is enabled). You can still login asrootorvagrantby entering the password on the console, if needed. We recommend re-creating all Vagrant boxes that were configured with private or public networking in the Vagrantfile.
Known Issues
- The VirtualBox Guest Additions are not preinstalled, and there are currently no concrete plans of adding them. They are only needed for VirtualBox shared folders (host-only networking and forwarded ports work properly without the Guest Additions). We recommend using NFS instead of VirtualBox shared folders if possible, since the latter are significantly slower and files can be corrupted or not properly updated when
sendfileis enabled. If you still want to install the Guest Additions, you can try either vbguest or, if you already use Ansible, take a look at https://github.com/lpancescu/cloud-instance-starter-kit for an example of automatic installation. - The default sync directory is configured to use rsync. This might cause
vagrant upto fail on Windows, where rsync is not installed by default. As a workaround, Windows users can either install rsync via Cygwin or MSYS, or disable the sync directory by adding the lineconfig.vm.synced_folder ".", "/vagrant", disabled: trueto the Vagrantfile. - Vagrant 1.8.5 sets the permissions on
~vagrant/.ssh/authorized_keysto 0644 (world-readable) when replacing the insecure public key with a newly generated one. Sincesshdwill only accept keys readable just by their owner,vagrant upreturns an error, since it cannot connect with the new key and it already removed the insecure key. This is Vagrant bug #7610, which affects all Linux distributions (not just CentOS); you can either downgrade to Vagrant 1.8.4 or wait for 1.8.6 to be released.
Downloads
Only x86_64 images are currently available, for Vagrant’s libvirt and VirtualBox providers.
First-time users can download the official images from Hashicorp’s Atlas. You can use vagrant box add centos/6 for CentOS Linux 6, or vagrant box add centos/7 for CentOS Linux 7.
Existing users can upgrade their boxes directly by Vagrant, e.g. vagrant box update --box centos/7, but the changes will only apply to newly created instances.
Feedback
If you encounter any unexpected issues with the Vagrant images, feel free to ask on the centos-devel mailing list, or in #centos-devel on Freenode.
Acknowledgements
We would like to thank Nico Kadel-Garcia for his valuable insight on preventing sshd from performing reverse DNS lookups.
So when this happened with the latest release "sshd password authentication is now disabled" this is not the default of how CentOS7 is setup. I had create an out of band management network where Vagrant stiches together the VMs. Now I can't use Ansible from that oob network since it can't login the first time to install SSH keys. Why did this change?
Vagrant supports not only boxes that are inaccessible from outside (e.g. behind NAT), but also private and public networking. In the last two cases, having password authentication enabled allows anyone who is able to access the IP of a box to fully take control over it as root (the 'vagrant' password is publicly known, and the account has full sudo rights without a password). This is also why Vagrant 1.7 started to replace the insecure public key with a newly generated one. The default CentOS installation assumes the user provides a unique strong password during installation, therefore leaving password authentication enabled is ok; when the password is publicly known, like on Vagrant boxes, that's a bad idea.
Some ideas for your situation: you could specify the correct identity file via ssh_config (eventually with a wildcard configuration if you are using the same key for all the boxes), and eventually use ssh-agent if your keys are encrypted. You could also use Ansible instead, by initialising the ansible_ssh_private_key_file variable for each host in the inventory file (this is probably the best approach if you have a dynamic inventory). If you prefer to write your own keys via provisioning, configure Vagrant not to replace the insecure private key (config.insert_key=false) and use that for the initial login.
Latest box doesn't work. Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The easiest way is to just let Vagrant handle all the details - 'vagrant ssh' will create a SSH session to the box, no questions asked. If you want to invoke ssh directly, i.e. not through vagrant, you have to specify the correct identity file, e.g. 'ssh -i .vagrant/machines/default/virtualbox/private_key -l vagrant 127.0.0.1 -p 2222' (assuming your box is named "default"). You can also create a ssh_config file, to avoid typing such a long command every time ('vagrant ssh-config' will print a valid configuration file for your setup).
I get the Permission denied error even when doing a simple 'vagrant ssh'.
Please make sure you aren't using Vagrant 1.8.5, which is the current version (use 'vagrant version' to display both the installed and the latest available version). With Vagrant 1.8.4, 'vagrant init centos/7 && vagrant up && vagrant ssh' works fine - just checked. Please see the last item in the 'Known Issues' above - without any information about your host OS or Vagrant version, I can only guess what's wrong.
If you are still encountering problems, please ask in #centos on IRC: someone will probably be able to help you step by step (WordPress comments are not a suitable support channel).
None of these are working for me. I cannot vagrant ssh into my new machine.
I ran into the same issue. The combo that is working is Vagrant 1.8.4 and Virtual Box 5.0.x. I haven't tried Vagrant 1.8.5 with VB 5.0.x (may be some other day) 🙂
By any chance, is there a corresponding Kickstart file shared that can be used to (re)build the same CentOS images available for download? It would be very helpful for making additional adjustments to the image if/when needed.
I was finally able to DL the centos/7 box and saw it does have the complete Kickstart file built during the build. As such, please disregard my question 😉
Good Job)))
It would be really nice to have a vmware_desktop version available as well.
How do you recommend those using packer virtualbox-ovf builder to ssh now as these sshd changes break builds now?
So might have answered this for myself finally, but for those who're using virtualbox-ovf builder they should use the vagrant insecure key instead of password authentication.
I've never used Packer, but I would recommend setting its ssh_private_key_file option to Vagrant's insecure private key (e.g. "~/.vagrant.d/insecure_private_key"), instead of using ssh_password like the examples in the Packer documentation.