Production image: how to erase the 'vagrant' user or any user used during image build

I aim to build a CentOS image for a production environment using the qemu builder. However, every example I have seen uses a vagrant user with a vagrant password and sudo permissions. It puts ssh_user and ssh_password in the code, and first of all in the shutdown command.

My question is: what is the best way to avoid that type of procedure, and/or what is the more secure way to do this?

Thank you.

It depends on what you are trying to achieve.

Could you please give me the options you have in mind?

If it’s just “security” for “security’s” sake, but you’re making it for the public, then how do they know what to log in with?

I’ve never done it before, but the first thing that comes to mind is to generate a random password.

< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c6

Then you create a secret packer-variables file.

And then put your secret passwords in there.

secret.pkrvars.hcl

# Value assignments only: a file passed with -var-file must not contain
# "variable" blocks. The matching declarations (type = string, no default,
# sensitive = true) belong in the main .pkr.hcl config.
username = "TZYOOj"
password = "2FlvHf"

Add them to the main Packer config file, and also pass these variables through to any provisioner file that uses them.

main.pkr.hcl

...
    ssh_username           = var.username
    ssh_password           = var.password
...
  provisioner "shell" {
    # USERNAME/PASSWORD reach the script through its environment (sudo -E keeps
    # them). Packer runs this line as a shell command over SSH, so the password
    # is visible in `ps` output on the guest while the script runs.
    execute_command   = "{{ .Vars }} USERNAME=${var.username} PASSWORD=${var.password} sudo -E -S bash '{{ .Path }}'"
    expect_disconnect = true
    script            = "scripts/install-arch.sh"
  }
...

And run packer like so:

packer build -var-file="secret.pkrvars.hcl" .
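A worked version of the two halves of this workflow, added here as an example; it is not code from the thread and not part of Packer. The first function generates a throwaway build login plus a password considerably longer than the six-character `head -c6` value and writes them to the `.pkrvars.hcl` file with owner-only permissions. The second is meant for the last `shell` provisioner, run as root, and erases that account from the finished image, which is what the original question asked for. The variable names `build_user`/`build_password`, the script layout, and the `/etc/sudoers.d/<user>` drop-in location are my assumptions (the matching `variable` blocks, with no default and `sensitive = true`, go in the main `.pkr.hcl`).

```bash
#!/usr/bin/env bash
# Added example for the thread above; not the thread's own code and not part of Packer.
#   gen_build_secret  - create a throwaway build login + password and write the
#                       .pkrvars.hcl file that `packer build -var-file=...` consumes
#   remove_build_user - run as root in the last shell provisioner to erase that
#                       account from the finished image
# Variable names build_user/build_password are an assumption; declare them
# (type = string, sensitive = true, no default) in the main .pkr.hcl.
set -eu

# Random alphanumeric token of LEN characters from /dev/urandom.
# A bounded slice of urandom is read first so tr never gets SIGPIPE from head.
rand_token() {
  local len="${1:-20}" tok
  tok="$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$len")"
  [ "${#tok}" -eq "$len" ] || return 1   # 512 random bytes always yield enough characters
  printf '%s' "$tok"
}

# Write OUT (a .pkrvars.hcl file) with a random login and a 24-character password.
# 24 alphanumerics is about 143 bits of entropy; the six characters in the thread are about 36.
gen_build_secret() {
  local out="$1" user pass
  user="build$(rand_token 8 | tr 'A-Z' 'a-z')"   # lowercase login name, e.g. buildk3x9q2mz
  pass="$(rand_token 24)"
  ( umask 077 && printf 'build_user     = "%s"\nbuild_password = "%s"\n' "$user" "$pass" > "$out" )
  chmod 600 "$out"                               # also tighten a pre-existing file
}

# Erase the build account from the image. Must run as root (the provisioner's
# sudo). userdel -f is needed because the SSH session executing this script
# belongs to that very user; -r removes the home directory, and with it
# ~/.ssh/authorized_keys.
remove_build_user() {
  local user="$1"
  [ "$(id -u)" -eq 0 ] || { echo "remove_build_user: must run as root" >&2; return 1; }
  id "$user" >/dev/null 2>&1 || return 0          # already gone, nothing to do
  rm -f "/etc/sudoers.d/$user"                    # typical NOPASSWD drop-in (assumed path)
  sed -i "/^${user}[[:space:]]/d" /etc/sudoers    # a rule placed directly in sudoers
  visudo -c >/dev/null                            # refuse to continue with a broken sudoers
  userdel -rf "$user"
  sync
}

# Command-line entry point: `gen [FILE]` on the build host, `remove USER` in the guest.
case "${1:-}" in
  gen)    gen_build_secret "${2:-secret.pkrvars.hcl}" ;;
  remove) remove_build_user "${2:?usage: $0 remove USER}" ;;
esac
```

Run `gen` on the build host before `packer build -var-file=secret.pkrvars.hcl .` and keep the generated file out of version control. One caveat that is my assumption rather than something the thread states: `sudo` looks the calling user up in the passwd database, so a `shutdown_command` that runs as the deleted account will fail after `remove_build_user`; the simplest arrangement is to let the cleanup script power the VM off itself and set `expect_disconnect = true` on that provisioner.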

Thank you, that works for me.
