
Where HashiCorp’s Atlas External Vagrant Box Images Are Actually Hosted

Author: Kuan-Yi Li

To vigilant users, authenticity matters. Aside from checking the hashes of images, you might also want to know where the box images you use in Vagrant are downloaded from. However, this information is not explicitly provided on HashiCorp’s Vagrant Cloud. Here is how you can uncover it.

How-To

Take the box centos/7 as an example. Its information page shows only an "Externally hosted (cloud.centos.org)" label, not the complete URL. To get the actual location of the image, first fetch the box's metadata with the following command:

wget --quiet --output-document=- "https://vagrantcloud.com/centos/7" | python -m json.tool | less --chop-long-lines

In the output, you’ll see the URLs of the box images. At the time of writing, the default box image URL for the VirtualBox provider is https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box. Choose the image URL for the version and provider you’re interested in, then run:

wget --server-response --spider "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box"

In this example, you’ll find that it redirects to https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1802_01.VirtualBox.box, which is an image published on the official CentOS website.
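The two steps above can be combined into one check that also pins the expected host. The following is an added example, not code from the original post: the function names are hypothetical, the metadata shape (versions, then providers, then url) is an assumption about the JSON response, and the sample document is constructed from the URLs quoted above.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed sample of the metadata JSON (assumed shape: versions -> providers -> url).
SAMPLE = json.loads("""{"name": "centos/7", "versions": [{"version": "1802.01",
  "providers": [{"name": "virtualbox", "url":
  "https://vagrantcloud.com/centos/boxes/7/versions/1802.01/providers/virtualbox.box"}]}]}""")


class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface each 3xx instead of following it silently


def head(url):
    """Live HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=15) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def provider_urls(meta):
    """Yield (version, provider, url) for every image listed in the metadata."""
    for v in meta.get("versions", []):
        for p in v.get("providers", []):
            yield v["version"], p["name"], p["url"]


def redirect_chain(url, head=head, max_hops=5):
    """Return every URL visited, ending at the first non-redirect response."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("too many redirects")


def hosted_on(chain, expected_host):
    """True only if every hop is HTTPS and the final host is the expected one."""
    parts = [urlsplit(u) for u in chain]
    return all(p.scheme == "https" for p in parts) and parts[-1].hostname == expected_host
```

Against the live service, call `redirect_chain(url)` with the default `head` and compare the final host with the label shown on the box's information page.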

Reference