hashicorp / vagrant

Vagrant is a tool for building and distributing development environments.
https://www.vagrantup.com

Suggestion for Vagrant Cloud (https://app.vagrantup.com) Display more box metainfos #9618

Open dragetd opened 6 years ago

dragetd commented 6 years ago

In productive environments it is better to build your own boxes. But for quick tests and simpler setups, people mainly rely on the boxes provided by the vagrant cloud.

Those boxes are sometimes updated, though the pages describing the boxes have no information whatsoever about the update. It would be nice to see a lot more metainfos about the box on this page for a more educated decision.

For example bento's boxes use the description field to dump some infos: https://app.vagrantup.com/bento/boxes/ubuntu-16.04 Those could be partially read from the box or be part of the submitted data when uploading a box and then displayed nicely on the page. There could be a preview of the content of the box (extracting infos from the actual disk images [like {dynamic}size parameters, partition layout etc.]). Also it would be nice to know who the author is. Like these 'generic' images: https://app.vagrantup.com/generic/boxes/debian8 - it would be nice to know who is building them.

Finally if uploaders of boxes were asked to provide a short changelog, then this could be an extra field next to the description.

Tied together with #9617 this would raise the usability and trust of Vagrant Cloud considerably. :-)

chriswayg commented 6 years ago

I fully agree with your suggestions. I mostly use Bento boxes for this reason, as they are well documented and I avoid undocumented boxes with anonymous authors, such as 'generic', which strangely has hundreds of thousands of downloads. Are people not concerned about the security implications?

I try to only use boxes which have Packer source code on GitHub. Boxes with source code should be made easily discoverable with a search filter on Vagrant Cloud and should be prioritized in the listings.

(Docker Hub has these kinds of features and therefore most Docker images come with source code, whereas most Vagrant Cloud boxes are lacking this.)

ladar commented 5 years ago

I maintain the generic boxes, and the configs are on GitHub.

ladar commented 5 years ago

You can also try running vagrant box list -i which provides additional info (at least with the boxes I build):

[ladar@darla test]$ vagrant box list -i
generic/alpine38 (virtualbox, 1.9.2)
  - Author: Ladar Levison
  - Website: https://roboxes.org/
  - Repository: https://github.com/lavabit/robox/
  - Description: Basic virtual machine images, for a variety of operating systems/hypervisors, and ready to serve as base bxoes.
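
The fields printed by `vagrant box list -i` come from an optional `info.json` inside the box archive, next to `metadata.json`. As an added example (not code from this thread or from Vagrant), the sketch below inspects a downloaded `.box` file for that metadata before the box is added; requiring `author` and `repository` is this example's own policy, and the sample boxes are constructed in memory.

```python
import io
import json
import posixpath
import tarfile

# Policy of this example (an assumption, not a Vagrant rule): these keys must be set.
REQUIRED_INFO_KEYS = ("author", "repository")


def read_box_json(box, member_name):
    """Return the parsed JSON member from a box archive, or None if absent."""
    for member in box.getmembers():
        if member.isfile() and posixpath.normpath(member.name) == member_name:
            return json.load(box.extractfile(member))
    return None


def audit_box(fileobj):
    """Report the provider and any missing provenance fields of a .box archive."""
    # mode "r:*" accepts both plain and gzip-compressed tar boxes
    with tarfile.open(fileobj=fileobj, mode="r:*") as box:
        metadata = read_box_json(box, "metadata.json") or {}
        info = read_box_json(box, "info.json")
    fields = {str(k).lower(): v for k, v in (info or {}).items()}
    missing = [k for k in REQUIRED_INFO_KEYS if not fields.get(k)]
    return {
        "provider": metadata.get("provider"),
        "has_info": info is not None,
        "missing": missing,
        "repository": fields.get("repository"),
    }


def build_sample_box(files):
    """Build an in-memory .box (gzip tar) from {name: dict}; constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as box:
        for name, content in files.items():
            data = json.dumps(content).encode()
            entry = tarfile.TarInfo(name)
            entry.size = len(data)
            box.addfile(entry, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    box = build_sample_box({"metadata.json": {"provider": "virtualbox"}})
    print(audit_box(box))  # a box without info.json: both fields reported missing
```

The fields in `info.json` are self-declared by whoever built the box, so this check shows whether a box is documented, not that the documentation is authentic.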

dragetd commented 5 years ago

I very much appreciate the effort and by going to the username 'generic' I did find roboxes.org. Thank you very much for those images!

But why can't the images have these infos (and link to the git repo from which they are created) right on the page of the box? Having some metadata-fields and/or verification mechanisms would help a lot.

I like the analogy to docker. Even though I do not agree with everything in the Docker-world, on Dockerhub you can have official or verified images. Official ones are checked or built by members of the docker community and verified ones are checked to be actually authored by the project owners. Both get automatic security testing and similar things.

Hashicorp could verify users or do automatic security scans. Even more awesome would be images that are actually built by hashicorp from a verified git repository.

(edit: Actually, I recognized the name just now… hell, the first 'thank you' does not do justice to how much I appreciate all you do for the internet!)

ladar commented 5 years ago

> But why can't the images have these infos (and link to the git repo from which they are created) right on the page of the box? Having some metadata-fields and/or verification mechanisms would help a lot.

I link the roboxes.org page because someday I hope to have more content there. Specifically, links to OVA versions of the boxes, a Vagrantfile/Dockerfile generator, and possibly tutorials, etc. That said, I'd like to add upload/version specific metadata, but it would need to be automated, and I'm not sure of a good way to do that. Simply pulling the git log won't work, because that could include changes which don't apply to a specific distro.

> Hashicorp could verify users or do automatic security scans.

I've been working on something like this, out of curiosity, but haven't managed to get all the kinks worked out yet.

> Even more awesome would be images that are actually built by hashicorp from a verified git repository.

Knowing how much work it takes, I understand why they don't.

> Actually, I recognized the name just now… hell, the first 'thank you' does not do justice to how much I appreciate all you do for the internet!

You're welcome.

FranklinYu commented 4 years ago

As a low hanging fruit, how about simply displaying the description in the box page, in addition to the “search result” page? For example when users search for the aforementioned generic/debian8, they can see a nice description. In contrast, when they actually click into the box page, the description isn’t there.

Implementation should be really simple; if Vagrant Cloud were open-sourced I would even create a Pull Request for that.