The in-progress Vagrant AWS has a lot of promise, especially for devops. The ability to test your Puppet or Chef scripts on an EC2 instance using Vagrant is very tempting. Unfortunately, it’s not yet quite stable enough to rely on, in my experience. Some errors seem to happen sporadically. Most are related to ssh, although running ssh manually works fine (either vagrant ssh or ssh user@host).

Sometimes, something as simple as mkdir fails without reason:

The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

mkdir -p '/vagrant'

Other times, rsync completes, but then it immediately terminates the instance:

[default] Rsyncing folder: /home/ben/aws-sandbox/ => /vagrant
[default] Terminating the instance...

I’m still hopeful that it can be useful to us in the future. Like I said, there’s a lot of promise in this young project.

At any rate, we took some time to research how to get SSH agent forwarding working, which is valuable for us when remote pairing. We were getting stuck with errors like this:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

It turns out that Vagrant itself ignores anything but identity files (it passes IdentitiesOnly=yes to ssh), which was key to getting agent forwarding to work. This can be inspected using vagrant ssh-config.
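
To see which hosts are affected, the output of vagrant ssh-config can be checked per Host block. This is an added example, not code from Vagrant or from this post: the function names and the sample config are constructed for illustration, and an absent option is reported with ssh's default (no).

```shell
#!/usr/bin/env bash
# Added example: audit `vagrant ssh-config` style output for the two options
# discussed above. The sample below is constructed, not captured output.

sample_config() {
cat <<'EOF'
Host default
  HostName ec2-host.example.invalid
  User ec2-user
  IdentityFile "/home/ben/.ssh/aws.pem"
  IdentitiesOnly yes
  ForwardAgent yes

Host plain
  HostName 192.0.2.10
  IdentityFile "/home/ben/.ssh/other.pem"
  IdentitiesOnly no
EOF
}

# Reads ssh_config text on stdin and prints one line per Host block:
#   <host> IdentitiesOnly=<v> ForwardAgent=<v> <verdict>
# identity-file-only : ssh offers only the configured IdentityFile
# agent-keys-offered : ssh may also offer keys held by a running agent
audit_ssh_config() {
  awk -F'[ \t=]+' '
    function emit() {
      if (host == "") return
      verdict = (ident == "yes") ? "identity-file-only" : "agent-keys-offered"
      printf "%s IdentitiesOnly=%s ForwardAgent=%s %s\n", host, ident, fwd, verdict
    }
    # Keywords are case-insensitive and may be written as key=value.
    { sub(/^[ \t]+/, ""); key = tolower($1); val = tolower($2) }
    key == "host"           { emit(); host = $2; ident = "no"; fwd = "no"; next }
    key == "identitiesonly" { ident = val }
    key == "forwardagent"   { fwd = val }
    END { emit() }
  '
}
```

On a real project the input would come from vagrant ssh-config piped into audit_ssh_config.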

It turns out that lib/vagrant/util/ssh.rb can be modified like so:

--- a/lib/vagrant/util/ssh.rb
+++ b/lib/vagrant/util/ssh.rb
@@ -108,7 +108,7 @@ module Vagrant
         # IdentitiesOnly option. Also, we don't enable it in plain mode so
         # that SSH properly searches our identities and tries to do it itself.
         if !Platform.solaris? && !plain_mode
-          command_options += ["-o", "IdentitiesOnly=yes"]
+          command_options += ["-o", "IdentitiesOnly=no"]
         end

         # If we're not in plain mode, attach the private key path.
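
Review bot: the changed command_options line hardcodes IdentitiesOnly=no for every non-Solaris, non-plain-mode connection, so all providers lose the restriction, and the comment just above it ("we don't enable it in plain mode") no longer matches the code. Consider keeping yes as the default and switching to no only when the user has asked for agent forwarding or set an explicit option, and update the comment to match. With no, ssh offers the keys held by the agent in addition to the configured private key, which can use up the server's authentication attempts when the agent holds many keys.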

There’s a related change that can be made to make vagrant ssh-config match, but it seems to be cosmetic:

--- a/templates/commands/ssh_config/config.erb
+++ b/templates/commands/ssh_config/config.erb
@@ -6,7 +6,7 @@ Host <%= host_key %>
   StrictHostKeyChecking no
   PasswordAuthentication no
   IdentityFile "<%= private_key_path %>"
-  IdentitiesOnly yes
+  IdentitiesOnly no
   LogLevel FATAL
 <% if forward_agent -%>
   ForwardAgent yes
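
Review bot: the IdentitiesOnly no line is written for every host, although the template already has a conditional on forward_agent two lines below it. Moving the relaxed setting inside that "<% if forward_agent -%>" block, and keeping IdentitiesOnly yes otherwise, would limit the change to hosts that use agent forwarding. It also needs to stay in step with the option passed in lib/vagrant/util/ssh.rb so that vagrant ssh-config reports what vagrant ssh actually does.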

That was enough to get our SSH agent forwarding to work. These changes make sense in the context of AWS, but probably not in Vagrant at large. I’m tempted to make a pull request, but the above changes are a little half-baked – and vagrant-aws still needs some fine tuning before the change can really be tested.