1

I am trying to use vagrant as a way of provisioning virtual machines (setting IP addresses, resources, etc.), but I am also trying to decouple vagrant's dependency on ansible, i.e. I just want to use vagrant to do a one-time provision using ansible where my own authorized user is set up, secure it, and then use Ansible separately to do further provisioning on these virtual machines. Then I still want to use vagrant (maybe there's a better way for this) to bring up/down/suspend/destroy virtual machines.

This is what I have so far:

vagrant up
  • Create fresh VM instance using a vagrant box

builtin provisioner BP that is run during vagrant up

  • Add my new user (let's say ansibleuser)
  • Add my own public key to ansibleuser's .ssh so that ansibleuser can only login via private key (and disable password login accordingly).
  • Modify /etc/sudoers for passwordless sudo
  • [Doesn't currently work] Delete vagrant user, and change root password to make root inaccessible

The problems

  1. I can't delete the vagrant user during the BP provisioner because the provisioner is logged in as that user. I need to have a different provisioner run as a different user (ansibleuser) to delete vagrant. Is there a better way to do this with a first-and-one-time vagrant up command?

  2. If I do vagrant halt and then vagrant up again, the process never completes because it tries to ssh as vagrant and gets Warning: Authentication failure. Retrying... and it can't successfully "bring it up". Is there a way around that? A possible workaround would be to specify the user in config.ssh, but then there would need to be some conditional check depending on when I am invoking vagrant up.

How can I solve the two problems? Is there a better way to do what I am trying to accomplish? Is there a better way to provision a secure and bare-bones virtual machine with ssh set up so that I can use ansible to do whatever additional provisioning I want? I really like how easy it is to configure the virtual machine using a vagrant file, i.e. setting up shared_folders, configuring CPU/RAM resources, creating virtual NICs.

0

1 Answer

1

Vagrant will ssh with the vagrant user to work its magic. You can specify a different user with config.ssh.username (see https://www.vagrantup.com/docs/vagrantfile/ssh_settings.html ). However, it sounds like you don't want vagrant to use any user and thus there is no way around your problem.

As for your first question, you have to let vagrant finish before you destroy the vagrant user. So again there's no way around that either. :(
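The conditional check raised in the question, combined with the config.ssh.username setting named in the answer, written out as an added example (not code from the question or the answer). It assumes Vagrant leaves an action_provision marker under .vagrant/ once a provision run has completed, a machine named "default" on the virtualbox provider, and that ansibleuser has the passwordless sudo the question sets up; the box name, key path and bootstrap.sh are placeholders.

```ruby
# Vagrantfile (added example; not from the original post)
require "pathname"

# Assumption: Vagrant records a completed provision run in this marker file.
# Machine name "default" and provider "virtualbox" are assumed; adjust both.
PROVISION_MARKER = ".vagrant/machines/default/virtualbox/action_provision"

# Choose the SSH identity Vagrant should use:
#   - before the first provision: the box's stock "vagrant" account
#   - afterwards: the hardened account created by the provisioner
def ssh_identity(project_dir, hardened_user:, hardened_key:)
  if Pathname.new(project_dir).join(PROVISION_MARKER).file?
    { username: hardened_user, private_key_path: hardened_key }
  else
    # nil means "leave Vagrant's default key handling untouched"
    { username: "vagrant", private_key_path: nil }
  end
end

# Only evaluated when Vagrant itself loads this file.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    config.vm.box = "example/box" # placeholder box name

    id = ssh_identity(File.dirname(__FILE__),
                      hardened_user: "ansibleuser",
                      hardened_key: File.expand_path("~/.ssh/id_ed25519")) # assumed key path

    config.ssh.username = id[:username]
    config.ssh.private_key_path = id[:private_key_path] if id[:private_key_path]

    # Hypothetical script holding the one-time steps from the question:
    # create ansibleuser, install its public key, sudoers entry, lock passwords.
    config.vm.provision "shell", path: "bootstrap.sh"
  end
end
```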
