Skip to content

Instantly share code, notes, and snippets.

@obfusk obfusk/README.md
Last active Dec 18, 2015

Embed
What would you like to do?
vagrant base box: precise64-flx

[]: {{{1

File        : README.md
Maintainer  : Felix C. Stegerman <flx@obfusk.net>
Date        : 2013-06-12

[]: }}}1

This README describes how I created a precise64-flx vagrant base box. It is meant to be more secure and contain some useful tools.

You should still use a firewall on your host computer to prevent access to the forwarded ssh port of the VM.

This base box has 2 users: in addition to the vagrant user, there is an ubuntu user. You should login as the ubuntu user yourself, leaving the (less secure) vagrant user for vagrant only.

Host

[]: {{{1

  1. Install virtualbox and vagrant.
  2. Download ubuntu-12.04.2-server-amd64.iso.
  3. Create a VM precise64-flx with 360MB ram, a 40 GB dynamic VMDK hdd, and everything unnecessary (like audio and usb) disabled.
  4. Install ubuntu on the VM in expert mode with user ubuntu and a decent password.
  5. Create a host-only network, add a host-only network adapter to the VM (temporarily).

vm$ sudo dhclient eth0
vm$ sudo aptitude install openssh-server

host$ VM='<ip-address-of-vm>'
host$ mkdir -p ~/tmp/vagrant/precise64-flx
host$ cd ~/tmp/vagrant/precise64-flx
host$ ssh-keygen -f key -C precise64    # create keypair
host$ ssh-copy-id -i key.pub ubuntu@$VM
host$ ssh-add key
host$ ssh ubuntu@$VM

[]: }}}1

VM

Basics

[]: {{{1

$ sudo aptitude update && sudo aptitude safe-upgrade
$ sudo aptitude install virtualbox-guest-utils \
  virtualbox-guest-x11-
$ sudo aptitude install build-essential byobu curl git grc htop \
  tree vim
$ sudo aptitude install ruby1.9.1-full
$ sudo aptitude install puppet
$ sudo update-alternatives --config ruby
$ sudo update-alternatives --config editor

[]: }}}1

etckeeper

[]: {{{1

$ sudo aptitude install etckeeper
$ sudo vim /etc/etckeeper/etckeeper.conf  # VCS=git

$ cd /etc
$ sudo etckeeper init
$ sudo git status
$ sudo git commit -m init
$ sudo git gc

[]: }}}1

Utils

[]: {{{1

$ mkdir -p ~/opt/src && cd ~/opt/src
$ git clone https://gist.github.com/4260039.git sh-config
$ git clone https://github.com/obfusk/dev-misc.git

$ cd
$ ln -s opt/src/dev-misc/screenrc .screenrc_
$ ln -s opt/src/dev-misc/vimrc .vimrc
$ vim -p .bashrc .profile   # --> sh-config/ + LC_ALL=C

[]: }}}1

Config

[]: {{{1

$ byobu-select-backend && byobu-ctrl-a
$ git config --global user.name ...
$ git config --global user.email ...
$ git config --global color.ui true

[]: }}}1

SSH

[]: {{{1

$ cd /etc/ssh
$ sudo vim sshd_config  # PasswordAuthentication no
$ sudo git commit -m 'no password auth'
$ sudo service ssh restart

[]: }}}1

Vagrant user

[]: {{{1

$ sudo adduser --system --group --shell /bin/bash \
  --disabled-password vagrant
$ sudo visudo   # vagrant ALL=(ALL) NOPASSWD: ALL

$ sudo -H -u vagrant bash -l
vagrant$ mkdir ~/.ssh && vim ~/.ssh/authorized_keys # add key.pub

host$ ssh vagrant@$VM sudo echo OK

[]: }}}1

Miscellaneous

Depending on your needs, install e.g. chef as well.

Package the box

vm$ sudo aptitude clean
vm$ sudo poweroff

Now remove the temporary host-only network adapter from the VM.

host$ vagrant package --base precise64-flx \
      --vagrantfile Vagrantfile --include key,key.pub

You may not want to include the Vagrantfile and/or private key in the box. If you do include the private key, be careful with file permissions -- maybe set a umask.

Sharing the base box

[]: {{{1

If you plan to share the base box with others, you should use a dummy password and create a dummy ssh keypair when creating the base box; share the dummy keypair and password along with the base box.

Before anyone (including you) uses the base box, they should change the password and create a new keypair for themselves, then add it to ~/.ssh/authorized_keys for the ubuntu and vagrant users, replacing the dummy key.

You should probably also regenerate your ssh host keys:

vm$ sudo rm /etc/ssh/ssh_host_*key*
vm$ sudo dpkg-reconfigure openssh-server

Now you can repackage the box, if you want to use it more than once:

host$ vagrant package \
      --vagrantfile Vagrantfile --include key,key.pub

[]: }}}1

[]: ! ( vim: set tw=70 sw=2 sts=2 et fdm=marker : )

# This Vagrantfile is meant to be more secure. It shares ./shared
# instead of the current directory, which contains the Vagrantfile and
# other files that you don't want an intruder to be able to modify, to
# make it much more difficult for an intruder to break out of the VM.
# It also uses a secure private key (which the box is configured to
# use).
require 'fileutils' ; FileUtils.mkdir_p 'shared'
Vagrant::Config.run do |config|
config.vm.box = 'precise64-flx'
config.vm.customize ['modifyvm', :id, '--memory', 512]
config.ssh.private_key_path = \
File.expand_path('../key', __FILE__)
config.vm.share_folder 'v-root', '/vagrant', 'shared'
end
@noxqsgit

This comment has been minimized.

Copy link

commented Jul 11, 2013

When using multiple network interfaces, you may need to edit /etc/udev/rules.d/70-persistent-net.rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.