🎯 Objective

Welcome to the Hardened Local Cloud Challenge. This lab moves beyond simple tutorials to test your ability to engineer a secure, automated local development environment that mimics a production-grade Cloud Instance.

You are tasked with deploying a VM using Vagrant and Cloud-Init. Unlike previous labs, no solution code is provided. You must research the configuration syntax, implement the security requirements, and prove your success using an automated validation pipeline.

Core Technologies:

  • Vagrant: Local infrastructure orchestration.
  • Cloud-Init: Industry-standard initialization for cloud-native instances.
  • UFW (Uncomplicated Firewall): Network security and traffic filtering.
  • SSH Hardening: Cryptographic authentication and daemon lockdown.

📌 Requirements

Your infrastructure must meet the following strict specifications:

1. Networking & Infrastructure

  • Base Image: Use a generic Ubuntu 24.04 box (e.g., bento/ubuntu-24.04).
  • Private Network: The VM must be assigned a static private IP address: 192.168.56.10.
  • Provider: Configuration must be compatible with VirtualBox.

2. User & Environment

  • Dedicated User: Create a user named student.
  • Privileges: The student user must have sudo capabilities.
  • Default Shell: The shell for student must be /bin/zsh.
  • Environment:
      • Install git, curl, zsh, and nginx.
      • Install Oh My Zsh for the student user (unattended installation).

3. Security Hardening

  • Firewall (UFW):
      • Default policy: Deny all incoming.
      • Allow SSH (Port 22).
      • Allow HTTP (Port 80) to serve the Nginx default page.
  • SSH Daemon Configuration:
      • No Password Authentication: Only SSH keys allowed.
      • No Root Login: Prevent direct root access via SSH.
      • Public Key: Inject your personal SSH public key for the student user.

4. Automation Strategy

  • The Vagrantfile should only handle hardware, networking, and passing the metadata.
  • All OS-level configuration (users, packages, firewall, SSH hardening, script execution) must be performed via the user-data (Cloud-Init) file.

🛠 Workflow: Research & Implement

This lab follows a professional engineering workflow:

  1. Research: Use the Cloud-Init Documentation and Vagrant Networking Docs.
  2. Draft: Create your Vagrantfile and user-data.
  3. Deploy: Run vagrant up.
  4. Debug: If it fails, inspect /var/log/cloud-init-output.log inside the VM.
  5. Validate: Run the automated script provided below.

🧪 Automated Validation Pipeline

Screenshots are not accepted for this lab. You must use the automated validation script to generate a compliance report.

Running the Validation

Log in to your VM (via vagrant ssh) and execute the following command to download and run the validation suite. You must redirect the output to validation_report.txt for submission.

# Run this inside the VM
curl -sL https://raw.githubusercontent.com/marcjazz/vmops-arena/main/validate_vagrant_lab.sh | sudo bash | tee validation_report.txt

Note: The tee command allows you to see the output in real-time while simultaneously saving it to the report file.
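Before running the official suite, a few local pre-checks make cloud-init debugging faster. The shell functions below are an added example, not the lab's validate_vagrant_lab.sh: they parse the output of sshd -T, ufw status verbose and getent passwd to check the key-only SSH, no-root-login, firewall and student-shell requirements, and are meant to be run inside the VM as root (the file name precheck.sh is an assumption).

```shell
# Added example (not the lab's validate_vagrant_lab.sh): local pre-checks for
# the SSH, UFW and user requirements. Each check takes command output as text,
# so it can be exercised offline with constructed sample output.

# sshd -T prints the *effective* configuration as lowercase "key value" lines,
# so overrides dropped into /etc/ssh/sshd_config.d/*.conf are taken into account.
check_sshd() {             # usage: check_sshd "$(sshd -T)"
  printf '%s\n' "$1" | grep -qx 'passwordauthentication no' || return 1
  printf '%s\n' "$1" | grep -qx 'permitrootlogin no'        || return 1
}

# Require an active firewall, deny-by-default inbound, and ALLOW IN rules for
# 22/tcp and 80/tcp, as printed by "ufw status verbose".
check_ufw() {              # usage: check_ufw "$(ufw status verbose)"
  printf '%s\n' "$1" | grep -q  '^Status: active'           || return 1
  printf '%s\n' "$1" | grep -q  '^Default: deny (incoming)' || return 1
  printf '%s\n' "$1" | grep -Eq '^22/tcp +ALLOW IN'         || return 1
  printf '%s\n' "$1" | grep -Eq '^80/tcp +ALLOW IN'         || return 1
}

# The student account must exist and its login shell must be /bin/zsh.
check_student_shell() {    # usage: check_student_shell "$(getent passwd student)"
  case "$1" in student:*:/bin/zsh) return 0 ;; *) return 1 ;; esac
}

# Print a [PASS]/[FAIL] line in the same style as the lab's report.
report() {                 # usage: report NAME CHECK_FUNCTION OUTPUT
  if "$2" "$3"; then echo "[PASS] $1"; else echo "[FAIL] $1"; fi
}

# Inside the VM: sudo sh -c '. ./precheck.sh; run_live_checks'
run_live_checks() {
  report "sshd: key-only auth, root login disabled" check_sshd "$(sshd -T 2>/dev/null)"
  report "ufw: active, deny incoming, allow 22/80"  check_ufw "$(ufw status verbose 2>/dev/null)"
  report "student login shell is /bin/zsh"          check_student_shell "$(getent passwd student)"
}
```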


📤 Submission Instructions

To complete the lab, follow these steps to submit your work:

1. Repository Setup

  • Fork the original repository: VMOPS Arena.
  • Clone your fork to your local machine.
  • Create a new branch for your submission:

git checkout -b feature/vagrant-lab-yourname

2. Files to Commit

Ensure the following files are included in your repository:

  • Vagrantfile: Your infrastructure orchestration file.
  • cloud-init/user-data: Your Cloud-Init configuration (or whatever filename you used for provisioning).
  • validation_report.txt: The report generated by the validation script.

3. Pull Request (PR)

  • Push your branch to your fork.
  • Open a Pull Request from your feature/vagrant-lab-yourname branch to the main branch of the original marcjazz/vmops-arena repository.
  • PR Title: [Vagrant Lab] Your Name
  • Description: Briefly explain your approach, any logic behind your user-data configuration, and any challenges you faced during implementation.

⚠️ Strict Rules

  • Screenshots are NOT accepted.
  • Only the validation_report.txt generated by the script counts as proof of completion.
  • Submissions missing the required files or with incorrect PR titles may be delayed or rejected.

🏆 Grading Matrix (Hardened)

Criteria            Points  Description
Networking          20      VM reachable at 192.168.56.10 via the private network.
Automation          20      100% of the OS configuration is in user-data (Cloud-Init).
Security Hardening  30      UFW active, SSH password authentication disabled, root login disabled.
Environment         10      student user, Zsh, Oh My Zsh, and Nginx functioning.
Validation          20      Submission of a clean validation_report.txt with all [PASS] marks.

"Security is not a product, but a process. If you can't automate your hardening, you haven't mastered your infrastructure."