LAN topology with NAT and DNS/DHCP where boxes register their own names, i.e. after spawning a new box called voyager, the existing boxes enterprise and ds9 should be able to ping it by using its hostname voyager.


Host system should have a simple REST API around VBoxManage that is exposed for the salt-master which would function as a provider for salt-cloud.

Configurable Access Key#

In order for any tool to talk to boxes created automatically for us, we need a passwordless SSH key pair: shared-minion-key


This is an image with eth0, expecting DHCP and running an SSH server accepting shared-minion-key on root. It only has basic hardening like fail2ban and passwordless SSH.

Effort for Ubuntu/Debian: 1-2h

Why not automate it? Because the alternatives are cumbersome with little gain since this only changes for new distro releases. For Ubuntu: 1/2 year and 3 years respectively (LTS).



  • fixed size [1] root device with LVM enabled to allow growth.


Idea: Move from Base Image (1/2 year longevity) to “latest” base image (monthly maybe) including latest Salt.

This can be run headless on CI or manually.

  • Virtualbox: clone base.ova into salt-${version}.ova

  • Virtualbox: set NAT for eth0, forward 22

  • SSH: wget -O - | sh


Don’t do this for salt-master, because either it is a long-living server or you can do it manually for this single instance.

New Node “www1”#

  • Virtualbox: clone salt-latest.ova into www1

  • Virtualbox: set network to host-only, forward 22

  • SSH: set hostname, /etc/hostname and /etc/hosts

  • SSH: copy access key

  • Virtualbox: remove host-only network

  • Virtualbox: set internal network

  • NAT SSH: port-forward (iptables)

  • curl