Updated CentOS Vagrant Images Available (v1607.01)
Wednesday, 10 August 2016 | Laurențiu Păncescu | announcement | 15 comments

Official Vagrant images for CentOS Linux 6 and CentOS Linux 7 for x86_64 are now available for download, featuring updated packages to 28 July 2016 and the following improvements:

  • Follow upstream Vagrant recommendations:
    • The default Vagrant sync directory is set to /vagrant
    • sshd DNS lookups are disabled by default
    • The root password is set to vagrant
  • The GRUB timeout is set to just 1 second, to decrease the boot time
  • [security]: sshd password authentication is now disabled (the vagrant user is configured with the publicly known password vagrant and passwordless sudo, so with password authentication enabled anyone who can reach the box over ssh can trivially gain root access). You can still log in as root or vagrant by entering the password on the console, if needed. We recommend re-creating all Vagrant instances that were configured with private or public networking in the Vagrantfile: an existing VM keeps the old sshd configuration, and updating the box does not change it.

Known Issues

  • The VirtualBox Guest Additions are not preinstalled, and there are currently no concrete plans to add them. They are only needed for VirtualBox shared folders (host-only networking and forwarded ports work properly without the Guest Additions). We recommend using NFS instead of VirtualBox shared folders if possible, since the latter are significantly slower, and files served from them can be corrupted or served stale when a service in the guest (typically a web server) uses sendfile. If you still want to install the Guest Additions, you can try either vbguest or, if you already use Ansible, take a look at https://github.com/lpancescu/cloud-instance-starter-kit for an example of automatic installation.
  • The default sync directory is configured to use rsync. This might cause vagrant up to fail on Windows, where rsync is not installed by default. As a workaround, Windows users can either install rsync via Cygwin or MSYS, or disable the sync directory by adding the line config.vm.synced_folder ".", "/vagrant", disabled: true to the Vagrantfile.
  • Vagrant 1.8.5 sets the permissions on ~vagrant/.ssh/authorized_keys to 0644 (world-readable) when replacing the insecure public key with a newly generated one. sshd does not accept the key file with those permissions, so vagrant up returns an error: it cannot connect with the new key, and it has already removed the insecure one. This is Vagrant bug #7610, which affects all Linux distributions (not just CentOS); you can either downgrade to Vagrant 1.8.4 or wait for 1.8.6 to be released.

Downloads

Only x86_64 images are currently available, for Vagrant’s libvirt and VirtualBox providers.

First-time users can download the official images from Hashicorp’s Atlas. You can use vagrant box add centos/6 for CentOS Linux 6, or vagrant box add centos/7 for CentOS Linux 7.

Existing users can update their boxes directly with Vagrant, e.g. vagrant box update --box centos/7, but the changes only apply to instances created afterwards (vagrant destroy followed by vagrant up); running VMs are not modified.

Feedback

If you encounter any unexpected issues with the Vagrant images, feel free to ask on the centos-devel mailing list, or in #centos-devel on Freenode.

Acknowledgements

We would like to thank Nico Kadel-Garcia for his valuable insight on preventing sshd from performing reverse DNS lookups.

15 thoughts on "Updated CentOS Vagrant Images Available (v1607.01)"
  • Sean Cavanaugh says:

    So when this happened with the latest release "sshd password authentication is now disabled" this is not the default of how CentOS 7 is set up. I had created an out-of-band management network where Vagrant stitches together the VMs. Now I can't use Ansible from that oob network since it can't log in the first time to install SSH keys. Why did this change?

    • Laurențiu Păncescu says:

      Vagrant supports not only boxes that are inaccessible from outside (e.g. behind NAT), but also private and public networking. In the last two cases, having password authentication enabled allows anyone who is able to access the IP of a box to fully take control over it as root (the 'vagrant' password is publicly known, and the account has full sudo rights without a password). This is also why Vagrant 1.7 started to replace the insecure public key with a newly generated one. The default CentOS installation assumes the user provides a unique strong password during installation, therefore leaving password authentication enabled is ok; when the password is publicly known, like on Vagrant boxes, that's a bad idea.

      Some ideas for your situation: you could specify the correct identity file via ssh_config (possibly with a wildcard configuration if you are using the same key for all the boxes), and possibly use ssh-agent if your keys are encrypted. You could also use Ansible instead, by initialising the ansible_ssh_private_key_file variable for each host in the inventory file (this is probably the best approach if you have a dynamic inventory). If you prefer to write your own keys via provisioning, configure Vagrant not to replace the insecure private key (config.insert_key = false) and use that for the initial login.

  • David Vazquez says:

    Latest box doesn't work. Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    • Laurențiu Păncescu says:

      The easiest way is to just let Vagrant handle all the details - 'vagrant ssh' will create an SSH session to the box, no questions asked. If you want to invoke ssh directly, i.e. not through vagrant, you have to specify the correct identity file, e.g. 'ssh -i .vagrant/machines/default/virtualbox/private_key -l vagrant 127.0.0.1 -p 2222' (assuming your box is named "default"). You can also create an ssh_config file, to avoid typing such a long command every time ('vagrant ssh-config' will print a valid configuration file for your setup).

      • Manny says:

        I get the Permission denied error even when doing a simple 'vagrant ssh'.

        • Laurențiu Păncescu says:

          Please make sure you aren't using Vagrant 1.8.5, which is the current version (use 'vagrant version' to display both the installed and the latest available version). With Vagrant 1.8.4, 'vagrant init centos/7 && vagrant up && vagrant ssh' works fine - just checked. Please see the last item in the 'Known Issues' above - without any information about your host OS or Vagrant version, I can only guess what's wrong.

          If you are still encountering problems, please ask in #centos on IRC: someone will probably be able to help you step by step (WordPress comments are not a suitable support channel).

      • Lawrence Fritts says:

        None of these are working for me. I cannot vagrant ssh into my new machine.

        • Sourabh says:

          I ran into the same issue. The combo that is working is Vagrant 1.8.4 and VirtualBox 5.0.x. I haven't tried Vagrant 1.8.5 with VirtualBox 5.0.x (maybe some other day) 🙂
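The two approaches suggested in the replies above (a plain ssh command that names the right identity file, and an Ansible inventory that sets ansible_ssh_private_key_file per host), as an added shell example that is not part of Vagrant or of the original post. It assumes the Host, HostName, User, Port and IdentityFile lines that vagrant ssh-config prints, and Ansible 2.x inventory variable names (ansible_host, ansible_port, ansible_user); the sample configuration it writes is constructed, with made-up paths and a made-up second port.

```shell
#!/bin/sh
# Added example, not part of Vagrant or the original post: derive the
# explicit ssh command and an Ansible inventory line from the output of
# `vagrant ssh-config`, so the identity file and port are never typed by
# hand. Usage: vagrant ssh-config > .vagrant-ssh, then call the functions
# below with that file and a machine name.

# ssh_config_field FILE HOST KEY
# Print KEY's value inside the "Host HOST" block (empty if absent).
# ssh_config keywords are case-insensitive and the first match wins.
ssh_config_field() {
    awk -v host="$2" -v key="$3" '
        tolower($1) == "host"                  { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# ssh_command FILE HOST: the command the reply above spells out by hand.
ssh_command() {
    printf 'ssh -i %s -l %s -p %s %s\n' \
        "$(ssh_config_field "$1" "$2" IdentityFile)" \
        "$(ssh_config_field "$1" "$2" User)" \
        "$(ssh_config_field "$1" "$2" Port)" \
        "$(ssh_config_field "$1" "$2" HostName)"
}

# ansible_inventory_line FILE HOST: one INI inventory entry per box; with
# ansible_ssh_private_key_file set, Ansible never needs a password even
# though sshd in the box refuses password logins. (Ansible 2.x variable
# names are assumed.)
ansible_inventory_line() {
    printf '%s ansible_host=%s ansible_port=%s ansible_user=%s ansible_ssh_private_key_file=%s\n' \
        "$2" \
        "$(ssh_config_field "$1" "$2" HostName)" \
        "$(ssh_config_field "$1" "$2" Port)" \
        "$(ssh_config_field "$1" "$2" User)" \
        "$(ssh_config_field "$1" "$2" IdentityFile)"
}

# write_sample_ssh_config FILE: constructed text in the shape vagrant
# ssh-config prints for two machines (not captured from a real run; the
# paths and the second port are made up).
write_sample_ssh_config() {
    cat > "$1" <<'EOF'
Host web
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /home/me/proj/.vagrant/machines/web/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL

Host db
  HostName 127.0.0.1
  User vagrant
  Port 2200
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile /home/me/proj/.vagrant/machines/db/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL
EOF
}

# Demonstration (run: sh vagrant_ssh_helpers.sh demo).
if [ "${1:-}" = demo ]; then
    cfg=$(mktemp)
    write_sample_ssh_config "$cfg"
    for m in web db; do
        ssh_command "$cfg" "$m"
        ansible_inventory_line "$cfg" "$m"
    done
    rm -f "$cfg"
fi
```

For interactive use, 'vagrant ssh-config > .vagrant-ssh' followed by 'ssh -F .vagrant-ssh web' is enough; the generated inventory lines are what the earlier reply about ansible_ssh_private_key_file describes, and because both are derived from the same file they avoid the "Permission denied (publickey)" error that comes from pointing ssh or Ansible at the wrong key.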

  • dmas says:

    By any chance, is there a corresponding Kickstart file shared that can be used to (re)build the same CentOS images available for download? It would be very helpful for making additional adjustments to the image if/when needed.

    • dmas says:

      I was finally able to DL the centos/7 box and saw it does have the complete Kickstart file built during the build. As such, please disregard my question 😉

  • Marina says:

    Good Job)))

  • Dave Vigil says:

    It would be really nice to have a vmware_desktop version available as well.

  • Andy Feller says:

    How do you recommend those using packer virtualbox-ovf builder to ssh now as these sshd changes break builds now?

    • Andy Feller says:

      So might have answered this for myself finally, but for those who're using virtualbox-ovf builder they should use the vagrant insecure key instead of password authentication.

    • Laurențiu Păncescu says:

      I've never used Packer, but I would recommend setting its ssh_private_key_file option to Vagrant's insecure private key (e.g. "~/.vagrant.d/insecure_private_key"), instead of using ssh_password like the examples in the Packer documentation.
