comfy 0.2.0

data/lib/templates/docker/files/cloud.cfg

@@ -0,0 +1,109 @@
+# If this is set, 'root' will not be able to ssh in and they 
+# will get a message to login instead as the above $user (ubuntu)
+disable_root: False
+user: root
+ssh_pwauth: False
+ssh_deletekeys: True
+ssh_genkeytypes: ['rsa', 'dsa']
+ssh_svcname: ssh
+
+# This will cause the set+update hostname module to not operate (if true)
+preserve_hostname: false
+cc_ready_cmd: ['/bin/true']
+mount_default_fields: [~, ~, 'auto', 'defaults,nofail', '0', '2']
+syslog_fix_perms: ~
+manage_etc_hosts: True
+
+# Update and upgrade system on first boot
+apt_preserve_sources_list: True
+apt_update: True
+apt_upgrade: True
+package_reboot_if_required: True
+
+
+# work only with OpenNebula, use network based datasource,
+# so that we can successfully resolve IPv4 based hostname
+disable_ec2_metadata: True
+datasource_list: ['OpenNebula']
+datasource:
+  OpenNebula:
+    dsmode: net
+
+# The modules that run in the 'init' stage
+cloud_init_modules:
+ - migrator
+ - seed_random
+ - bootcmd
+ - write-files
+ - growpart
+ - resizefs
+ - set_hostname
+ - update_hostname
+ - update_etc_hosts
+ - ca-certs
+ - rsyslog
+ - users-groups
+ - ssh
+
+# The modules that run in the 'config' stage
+cloud_config_modules:
+# Emit the cloud config ready event
+# this can be used by upstart jobs for 'start on cloud-config'.
+ - emit_upstart
+ - disk_setup
+ - mounts
+ - ssh-import-id
+ - locale
+ - set-passwords
+ - grub-dpkg
+ - apt-pipelining
+ - apt-configure
+ - package-update-upgrade-install
+ - landscape
+ - timezone
+ - puppet
+ - chef
+ - salt-minion
+ - mcollective
+ - disable-ec2-metadata
+ - runcmd
+ - byobu
+
+# The modules that run in the 'final' stage
+cloud_final_modules:
+ - rightscale_userdata
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+ - keys-to-console
+ - phone-home
+ - final-message
+ - power-state-change
+
+# System and/or distro specific settings
+# (not accessible to handlers/transforms)
+system_info:
+   # This will affect which distro class gets used
+   distro: ubuntu
+   # Other config here will be given to the distro class and/or path classes
+   paths:
+      cloud_dir: /var/lib/cloud/
+      templates_dir: /etc/cloud/templates/
+      upstart_dir: /etc/init/
+   package_mirrors:
+     - arches: [i386, amd64]
+       failsafe:
+         primary: http://archive.ubuntu.com/ubuntu
+         security: http://security.ubuntu.com/ubuntu
+       search:
+         primary:
+           - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
+           - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
+         security: []
+     - arches: [armhf, armel, default]
+       failsafe:
+         primary: http://ports.ubuntu.com/ubuntu-ports
+         security: http://ports.ubuntu.com/ubuntu-ports
+   ssh_svcname: ssh

data/lib/templates/docker/files/depot.list

@@ -0,0 +1,4 @@
+# depot_all
+deb  ftp://depot1.mc.cesnet.cz/ all main
+# depot_squeeze
+deb  ftp://depot1.mc.cesnet.cz/ squeeze main

data/lib/templates/docker/files/depot_all.pref

@@ -0,0 +1,6 @@
+# depot_all
+Explanation: : depot_all
+Package: *
+Pin: origin "depot1.mc.cesnet.cz"
+Pin-Priority: 20
+

data/lib/templates/docker/files/depot_check_mk.pref

@@ -0,0 +1,5 @@
+# depot_check_mk
+Explanation: : depot_check_mk
+Package: check-mk*
+Pin: origin "depot1.mc.cesnet.cz"
+Pin-Priority: 1200

data/lib/templates/docker/files/docker.list

@@ -0,0 +1 @@
+deb https://apt.dockerproject.org/repo ubuntu-trusty main

data/lib/templates/docker/files/fail2ban.local

@@ -0,0 +1,3 @@
+[Definition]
+
+logtarget = SYSLOG

data/lib/templates/docker/files/grub

@@ -0,0 +1,34 @@
+# If you change this file, run 'update-grub' afterwards to update
+# /boot/grub/grub.cfg.
+# For full documentation of the options in this file, see:
+#   info -f grub -n 'Simple configuration'
+
+GRUB_DEFAULT=0
+GRUB_HIDDEN_TIMEOUT=0
+GRUB_HIDDEN_TIMEOUT_QUIET=true
+GRUB_TIMEOUT=10
+GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+#GRUB_CMDLINE_LINUX_DEFAULT="splash quiet"
+GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
+
+# Uncomment to enable BadRAM filtering, modify to suit your needs
+# This works with Linux (no patch required) and with any kernel that obtains
+# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
+#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
+
+# Uncomment to disable graphical terminal (grub-pc only)
+GRUB_TERMINAL=serial
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+#GRUB_GFXMODE=640x480
+
+# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
+#GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+#GRUB_DISABLE_RECOVERY="true"
+
+# Uncomment to get a beep at grub start
+#GRUB_INIT_TUNE="480 440 1"

data/lib/templates/docker/files/interfaces

@@ -0,0 +1,15 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+allow-hotplug eth0
+iface eth0 inet dhcp
+
+# The secondary network interface
+allow-hotplug eth1
+iface eth1 inet dhcp
+

data/lib/templates/docker/files/iptables-multiport.local

@@ -0,0 +1,6 @@
+[Definition]
+
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j REJECT
+
+actionunban = iptables -D fail2ban-<name> -s <ip> -j REJECT
+

data/lib/templates/docker/files/jail.local

@@ -0,0 +1,17 @@
+[DEFAULT]
+
+# Seznam vygenerovany skriptem /software/meta-admin/scripts/get_nodes_ips
+# Vygeneruje pouze C site, tzn. je tam o nekolik set hostu vic nez ve skutecnosti
+
+ignoreip = 127.0.0.1 147.228.1.0/24 147.251.17.0/24 147.228.240.0/24 147.228.241.0/24 147.231.11.0/24 147.231.18.0/24 147.251.11.0/24 147.251.252.0/24 147.251.254.0/24 147.251.3.0/24 147.251.84.0/24 147.251.9.0/24 195.113.0.0/24 195.113.123.0/24 195.113.209.0/24 195.113.214.0/24 78.128.210.0/24
+
+[ssh]
+
+enabled = true
+port    = ssh
+filter  = sshd
+logpath  = /var/log/auth.log
+maxretry = 100
+findtime = 86400
+bantime  = 1209600
+

data/lib/templates/docker/files/krb5.conf

@@ -0,0 +1,181 @@
+[libdefaults]
+        default_realm = META 
+        forwardable = yes
+        forward = yes
+        encrypt = yes
+        srv_lookup = no
+        srv_try_txt = no
+        no-addresses = yes
+	allow_weak_crypto = true
+
+[realms]
+    ICS.MUNI.CZ = {
+	    kdc = kdccesnet.ics.muni.cz
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.meta.zcu.cz
+            admin_server = kdc1.cesnet.cz
+            kpasswd_server = kdc1.cesnet.cz
+    }
+    META = {
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.meta.zcu.cz
+            kdc = sal.ruk.cuni.cz:89
+	    kdc = jerry.ruk.cuni.cz
+            admin_server = kdc1.cesnet.cz
+            kpasswd_server = kdc1.cesnet.cz
+	    krb525_server = kdccesnet.ics.muni.cz
+	    krb525_server = kdc1.cesnet.cz 
+	    krb525_server = kdccesnet.meta.zcu.cz 
+    }
+    ZCU.CZ = {
+            kdc = kerberos1.zcu.cz
+            kdc = kerberos2.zcu.cz
+            kdc = kerberos3.zcu.cz
+            admin_server = kerberos-adm.zcu.cz
+            kpasswd_server = kerberos-adm.zcu.cz
+    }
+    RUK.CUNI.CZ = {
+            kdc = sal.ruk.cuni.cz
+            kdc = jerry.ruk.cuni.cz:89
+            admin_server = sal.ruk.cuni.cz
+            kpasswd_server = sal.ruk.cuni.cz
+	    krb524_server = sal.ruk.cuni.cz
+	    krb524_server = jerry.ruk.cuni.cz:89
+    }
+    IS.MUNI.CZ = {
+            kdc = ariadna.fi.muni.cz
+    }
+    SITOLA.FI.MUNI.CZ = {
+            kdc = hendrak.fi.muni.cz
+            kdc = oberon.fi.muni.cz
+            admin_server = oberon.fi.muni.cz
+            kpasswd_server = oberon.fi.muni.cz
+    }
+    ADMIN.META = {
+            kdc = kdccesnet.ics.muni.cz
+            admin_server = kdccesnet.ics.muni.cz
+            kpasswd_server = kdccesnet.ics.muni.cz
+    }
+    ASR.ICS.MUNI.CZ = {
+            kdc = bombur.ics.muni.cz
+            admin_server = bombur.ics.muni.cz
+            kpasswd_server = bombur.ics.muni.cz
+    }
+    EINFRA = {
+            kdc = kdc1.cesnet.cz
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+	    admin_server = kdc1.cesnet.cz
+    }
+    EINFRA-SERVICES = {
+            kdc = kdc1.cesnet.cz
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+   	    admin_server = kdc1.cesnet.cz
+    }
+    EGI = {
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+	    admin_server = kdc1.cesnet.cz
+    }
+    SAGRID = {
+            kdc = kdc1.cesnet.cz
+            admin_server = kdc1.cesnet.cz
+    }
+    ELIXIR-EUROPE.ORG = {
+            kdc = kdc1.cesnet.cz
+            admin_server = kdc1.cesnet.cz
+    }
+
+[capaths]
+        RUK.CUNI.CZ = {
+                EINFRA-SERVICES = META
+                ZCU.CZ = META
+        }
+        ZCU.CZ = {
+                EINFRA-SERVICES = META
+                RUK.CUNI.CZ = META
+        }
+        ICS.MUNI.CZ = {
+                  EINFRA-SERVICES = META
+        }
+        EINFRA = {
+                ICS.MUNI.CZ = META
+        }
+        EINFRA-SERVICES = {
+                ICS.MUNI.CZ = META
+                RUK.CUNI.CZ = META
+                ZCU.CZ = META
+        }
+
+[domain_realm]
+        sirion.ics.muni.cz = META
+        erebor.ics.muni.cz = META
+        acharon.ruk.cuni.cz = META
+	androth.zcu.cz = ICS.MUNI.CZ
+        .fi.muni.cz = SITOLA.FI.MUNI.CZ
+        .ics.muni.cz = ICS.MUNI.CZ
+        .cesnet.cz = ICS.MUNI.CZ
+        .zcu.cz = ZCU.CZ
+        .ruk.cuni.cz = RUK.CUNI.CZ
+	.medigrid.cz = ICS.MUNI.CZ
+	.video.muni.cz = ICS.MUNI.CZ
+	.ncbr.muni.cz = ICS.MUNI.CZ
+	.prf.jcu.cz = ICS.MUNI.CZ
+	.feec.vutbr.cz = ICS.MUNI.CZ
+	atlases.muni.cz = ICS.MUNI.CZ
+	.egi.eu = META
+	.fzu.cz = META
+	.cerit-sc.cz = ICS.MUNI.CZ
+	kdc1.cesnet.cz = EINFRA-SERVICES
+	.du1.cesnet.cz = EINFRA-SERVICES
+	.du2.cesnet.cz = EINFRA-SERVICES
+	.du3.cesnet.cz = EINFRA-SERVICES
+	ui2.grid.cesnet.cz = EINFRA-SERVICES
+	ui1.egee.cesnet.cz = EINFRA-SERVICES
+	ui1.grid.cesnet.cz = EINFRA-SERVICES
+	.metacentrum.cz = ICS.MUNI.CZ
+	.ueb.cas.cz = ICS.MUNI.CZ
+	.meta.zcu.cz = META
+	.ukb.muni.cz = ICS.MUNI.CZ
+	.ceitec.muni.cz = EINFRA-SERVICES
+
+[appdefaults]
+    krb4_get_tickets = no
+    krb4_convert = no
+    krb4_convert_524 = no
+    pam = {
+        debug = false
+        forwardable = true
+        afs_cells = ics.muni.cz
+        minimum_uid=100
+        addressless = true
+#Debian
+        realm = META
+        validate = true
+#SuSE
+        ticket_lifetime = 36000
+        renew_lifetime = 36000
+        proxiable = false
+        retain_after_close = false
+        try_first_pass = true
+        external=true
+        force_creds = true
+    }
+    libkafs = {
+    	ZCU.CZ = {
+		afs-use-524 = 2b
+	}
+    	ICS.MUNI.CZ = {
+		afs-use-524 = 2b
+	}
+	RUK.CUNI.CZ = {
+		afs-use-524 = 2b
+	}
+   }
+
+[kadmin]
+	default_keys = v5 v4
+

data/lib/templates/docker/files/meta-misc.list

@@ -0,0 +1,2 @@
+## CERIT-SC's meta-misc repository
+deb http://apt.cerit-sc.cz/meta_misc/ wheezy main

data/lib/templates/docker/files/modules

@@ -0,0 +1,15 @@
+# List of modules that you want to include in your initramfs.
+# They will be loaded at boot time in the order below.
+#
+# Syntax:  module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+xen-blkfront
+xen-netfront
+xen-kbdfront
+

data/lib/templates/docker/files/ntp.conf

@@ -0,0 +1,61 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+server tik.cesnet.cz
+server tak.cesnet.cz
+server ntp.muni.cz
+server time.fi.muni.cz
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+#server 0.debian.pool.ntp.org iburst
+#server 1.debian.pool.ntp.org iburst
+#server 2.debian.pool.ntp.org iburst
+#server 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+# Try to avoid NTP amplification attacks
+disable monitor

data/lib/templates/docker/files/sshd_config

@@ -0,0 +1,131 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile      .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox          # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 30
+ClientAliveCountMax 5
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem       sftp    /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server

data/lib/templates/docker/files/ttyS0.conf

@@ -0,0 +1,11 @@
+# ttyS0 - getty
+#
+# This service maintains a getty on ttyS0 from the point the system is
+# started until it is shut down again.
+
+start on stopped rc or RUNLEVEL=[12345]
+stop on runlevel [!12345]
+
+respawn
+exec /sbin/getty --autologin root -L 115200 ttyS0 vt102
+

data/lib/templates/docker/scripts/init.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+apt-get update
+
+apt-get --assume-yes install qemu-guest-agent
+apt-key add /root/RPM-GPG-KEY-CERIT-SC.cfg
+rm -f /root/RPM-GPG-KEY-CERIT-SC.cfg
+apt-key add /root/DEPOT-GPG-KEY.cfg
+rm -f /root/DEPOT-GPG-KEY.cfg
+mv /root/meta-misc.list /etc/apt/sources.list.d/meta-misc.list
+mv /root/depot.list /etc/apt/sources.list.d/depot.list
+mv /root/depot_all.pref /etc/apt/preferences.d/depot_all.pref
+mv /root/depot_check_mk.pref /etc/apt/preferences.d/depot_check_mk.pref
+
+# Docker repositories
+apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
+mv /root/docker.list /etc/apt/sources.list.d/docker.list
+
+apt-get update
+apt-get --assume-yes upgrade
+apt-get --assume-yes install cloud-init
+DEBIAN_FRONTEND=noninteractive apt-get --assume-yes install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" heimdal-clients libpam-heimdal
+apt-get --assume-yes install vim git fail2ban ntp
+
+# Docker packages
+apt-get --assume-yes install linux-image-extra-$(uname -r)
+apt-get --assume-yes install docker-engine
+
+mv /root/ntp.conf /etc/ntf.conf
+mv /root/cloud.cfg /etc/cloud/cloud.cfg
+mv /root/krb5.conf /etc/krb5.conf
+mv /root/sshd_config /etc/ssh/sshd_config
+mv /root/interfaces /etc/network/interfaces
+mv /root/10-ipv6.conf /etc/sysctl.d/10-ipv6.conf
+mv /root/ttyS0.conf /etc/init/ttyS0.conf
+mv /root/grub /etc/default/grub
+mv /root/modules /etc/initramfs-tools/modules
+
+update-grub
+start ttyS0
+
+# fail2ban
+mv /root/iptables-multiport.local /etc/fail2ban/action.d/iptables-multiport.local
+mv /root/jail.local /etc/fail2ban/jail.local
+mv /root/fail2ban.local /etc/fail2ban/fail2ban.local
+
+# check-mk-agent
+apt-get --assume-yes install check-mk-agent check-mk-agent-meta-key
+apt-get --assume-yes install check-mk-agent-meta-checks
+
+# pakiti-2-client
+dpkg -i pakiti_2.1.5-2_all.deb
+rm -f pakiti_2.1.5-2_all.deb
+
+# Docker configuration
+groupadd docker
+
+ln -s /dev/null /etc/udev/rules.d/75-persistent-net-generator.rules
+
+update-initramfs -v -u -k `uname -r`
+
+passwd -d root
+
+rm -f ~/.bash_history
+rm -f /var/log/cloud-init*