LAN topology with NAT and DNS/DHCP where boxes register their own hostnames in DNS, i.e. after spawning a new box called voyager, the existing boxes enterprise and ds9 can ping it by its hostname voyager.

Configurable Access Key

In order for any tool to talk to boxes created automatically for us, we need a passphrase-less SSH key pair: shared-minion-key


This is an image with a single interface eth0 expecting DHCP, running an SSH server that accepts shared-minion-key for root. It only has basic hardening: fail2ban and key-only SSH (password authentication disabled).
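
An added check (example code, not part of the original notes) that audits an sshd_config before the base image is cloned, so that a forgotten setting is not replicated into every box. It verifies the two hardening points above: password authentication off and root reachable only with a key. It assumes directives are written in the whitespace-separated "Keyword value" form and uses sshd's rule that the first occurrence of a keyword outside any Match block wins.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an sshd_config before the
# base image is cloned, so a weak setting is not copied into every new box.
# Assumption: directives use the whitespace-separated "Keyword value" form.

# sshd_value FILE KEYWORD: print the first value of KEYWORD set outside any
# Match block (sshd uses the first occurrence of a keyword), or nothing if unset.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match"      { exit }              # global section ends here
        /^[[:space:]]*#/ || NF < 2  { next }              # comments and blank lines
        tolower($1) == key          { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per problem; return 1 if any.
audit_sshd_config() {
    audit_file=$1
    audit_rc=0
    pw=$(sshd_value "$audit_file" PasswordAuthentication)
    root=$(sshd_value "$audit_file" PermitRootLogin)
    pub=$(sshd_value "$audit_file" PubkeyAuthentication)

    # Unset means sshd's default "yes": the image would still accept passwords.
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset (default yes)}', want 'no'"
        audit_rc=1
    fi
    # The tooling logs in as root with shared-minion-key, so root must stay
    # reachable, but only with a key. "without-password" is the older spelling.
    case "$root" in
        prohibit-password|without-password) ;;
        "") echo "FAIL: PermitRootLogin unset; set 'prohibit-password' explicitly"; audit_rc=1 ;;
        *)  echo "FAIL: PermitRootLogin is '$root', want 'prohibit-password'"; audit_rc=1 ;;
    esac
    if [ "$pub" = "no" ]; then
        echo "FAIL: PubkeyAuthentication is 'no'; the shared key could not log in"
        audit_rc=1
    fi
    [ "$audit_rc" -eq 0 ] && echo "OK: $audit_file is key-only for root"
    return "$audit_rc"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
# With no argument the script only defines the functions (so it can be sourced).
[ $# -eq 0 ] || audit_sshd_config "$1"
```

Run it inside the base image before exporting the OVA; a non-zero exit is a reason not to export. A `Match` block that re-enables passwords for a specific user is deliberately outside the scope of this check, so review those by hand.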

Effort for Ubuntu/Debian: 1-2h

Why not automate it? Because the alternatives are cumbersome with little gain, since this only changes for new distro releases. For Ubuntu that means every 1/2 year (regular releases) and every 3 years (LTS), respectively.



  • fixed-size disk with a single root device; LVM enabled to allow later growth.


Should be faster, according to VirtualBox.


Idea: Move from the base image (1/2 year longevity) to a "latest" base image (monthly, maybe) that includes the latest Salt.

This can be run headless on CI or manually.

  • VirtualBox: clone base.ova into salt-${version}.ova

  • VirtualBox: set NAT for eth0, forward 22

  • SSH: wget -O - | sh


Don’t do this for salt-master, because either it is a long-living server or you can do it manually for this single instance.

New Node "www1"

  • VirtualBox: clone salt-latest.ova into www1

  • VirtualBox: set network to host-only, forward 22

  • SSH: set hostname, /etc/hostname and /etc/hosts

  • SSH: copy access key

  • VirtualBox: remove host-only network

  • VirtualBox: set internal network

  • NAT SSH: port-forward (iptables)

  • curl