[CentOS-devel] Feedback needed: ideas for the Vagrant images

Thu Jul 7 12:53:31 UTC 2016
Laurentiu Pancescu <lpancescu at gmail.com>

Hi there,

I would appreciate some feedback on a few ideas for our Vagrant images.

Our CentOS images for Vagrant are currently not set up according to the 
upstream recommendations for base boxes, and I'd like to change that. 
[1]  Here's the list of necessary modifications:

I. root password should be 'vagrant': already filed by Lalatendu Mohanty 
as issue #30 on GitHub [2].  I should mention that Karanbir Singh has 
some reservations related to security.  However, the box already has 
passwordless sudo, and changing the root password is just a "sudo 
passwd" away (I tried, it warns about a bad password, but it accepts 
it).  Although public key auth is enabled, password-based authentication 
isn't disabled, and sshd will happily let anyone log in to any public 
box as vagrant:vagrant.  We should probably only allow local password 
logins (on the console), for both root and vagrant; not sure if the best 
way to enforce this is sshd_config or PAM.

II. use /vagrant as the sync directory: we currently use 
/home/vagrant/sync; this change is already planned for the release 
following 1606.

III. "UseDNS no" in sshd_config: this would make connections via ssh faster.

Additional ideas for optimization:

IV. disable requiretty in /etc/sudoers: this allows users to enable the 
pipelining feature of the Ansible provisioner, which significantly 
increases its speed (it's about 2 times faster in my tests). [3]

V. set GRUB_TIMEOUT to 1 or 0: this reduces or eliminates the waiting 
time before the default kernel is booted (the VM runs generally without 
a display, so it makes no sense to wait there).

Best regards,
Laurențiu

[1] https://www.vagrantup.com/docs/boxes/base.html
[2] https://github.com/CentOS/sig-cloud-instance-build/issues/30
[3] https://docs.ansible.com/ansible/intro_configuration.html#pipelining
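
Added example, not part of the original e-mail or of the CentOS build scripts: a small audit of an sshd_config for the two SSH settings raised in items I and III (password logins over SSH, UseDNS). The function names and the sample configurations are constructed for illustration; the check assumes upstream OpenSSH behaviour, where the first value for a keyword wins and PasswordAuthentication defaults to "yes".

```python
import re

def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive and the first value seen for a keyword
    wins within its scope, so later duplicates are ignored.
    """
    global_cfg, blocks = {}, []
    scope = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = {}                      # settings now apply conditionally
            blocks.append((value, scope))
        else:
            scope.setdefault(key, value)
    return global_cfg, blocks

def audit_box(sshd_text):
    """Return a list of findings; an empty list means both settings are as proposed."""
    global_cfg, blocks = parse_sshd_config(sshd_text)
    findings = []
    # Assumption: an absent PasswordAuthentication means the default, "yes".
    if global_cfg.get("passwordauthentication", "yes") != "no":
        findings.append("password logins over SSH are enabled globally")
    for criteria, settings in blocks:
        if settings.get("passwordauthentication") == "yes":
            findings.append("password logins re-enabled for: Match " + criteria)
    usedns = global_cfg.get("usedns")
    if usedns is None:
        findings.append("UseDNS is not set explicitly")
    elif usedns != "no":
        findings.append("UseDNS is not 'no'")
    return findings

# Constructed samples. In WEAK the second, stricter line is ignored by sshd.
WEAK = "#PasswordAuthentication no\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "PasswordAuthentication no\nPubkeyAuthentication yes\nUseDNS no\n"
MATCH_LEAK = HARDENED + "Match Address 10.0.2.0/24\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("match", MATCH_LEAK)):
        print(name, audit_box(cfg))
```

These sshd_config settings only govern logins through sshd, so console password logins are unaffected by them. Keyboard-interactive authentication through PAM can also prompt for a password and is not covered by this check.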