Why keep the boxes fresh?

When you run "vagrant box add ..." you are downloading a copy of the box and saving it on your local disc.  But as we all know, operating systems need security and other patches on a regular basis.  Vagrant is a little different:

  • You can limit the vulnerability in general by only running the Virtual instances when needed, and regularly throwing them away.
  • You can limit the vulnerability of your long-term Vagrant instances by configuring them with "private_network" only, and relying on NAT to fetch stuff from the outside.
  • You can run "yum update" or "apt-get upgrade" regularly to pull in system updates.

However, the last point is the reason that a stale Vagrant box is a bad thing.  The first time you do an update / upgrade on a Vagrant image created from an stale box, it will try to pull a large number of updates.  This will take a long time, and could use a significant amount of your network quota (assuming that is an issue.)

On the other hand, if you can get hold of a fresh Vagrant box, then the first update / upgrade is quick.  But obviously, there is a trade-off between the time / cost of doing the upgrade versus the time / cost of downloading a fresh Vagrant box.

How do you update a Vagrant box?

There is (currently) no automated mechanism in the "vagrant" command for checking that your box is fresh, or updating it.  However, if you look in the file "~/.vagrant.d/<box>/<provider>/info.json", you can find:

  • the URL you loaded the box from, and
  • the date that you downloaded it.

So what you can do is this:

  1. Use your web browser to determine if the downloadable has been changed since you last downloaded.
  2. If it has, then you can use the following command to update your local copy of a box:

    vagrant box add --force <name> <url>

Where can you get Vagrant boxes from?

There is no coherent answer to this at the moment, however this page on the Vagrant maintainer's main wiki lists the following options:

  • Standard Ubuntu boxes provided by the Vagrant project can be downloaded from links on that page.
  • There is a catalogue of publicly available boxes.  (Use at your own risk ...)
  • Canonical now publish up-to-date Vagrant boxes for Ubuntu via their Cloud Images site.