comfy 0.2.0

data/lib/templates/packer.erb

@@ -0,0 +1,93 @@
+{
+    "builders":
+    [
+    <% if @data[:formats].include?('qemu') -%>
+	{
+            "name": "comfy_<%= @data[:distribution] %>-<%= @data[:distro][:version]['major_version'] %>.<%= @data[:distro][:version]['minor_version'] %>_qemu",
+            "type": "qemu",
+            "iso_url": "<%= @data[:distro][:version]['iso_url'] %>",
+            "iso_checksum": "<%= @data[:distro][:version]['iso_checksum'] %>",
+            "iso_checksum_type": "sha256",
+            "output_directory": "<%= @data[:'output-dir'] %>/comfy_<%= @data[:distribution] %>-<%= @data[:distro][:version]['major_version'] %>.<%= @data[:distro][:version]['minor_version'] %>_qemu/",
+            "ssh_wait_timeout": "90m",
+            "shutdown_command": "shutdown -h now",
+            "format": "qcow2",
+            "disk_size": <%= @data[:size] %>,
+            "headless": <%= @data[:headless] %>,
+            "http_directory": "<%= @data[:server_dir] %>",
+            "http_port_min": 8500,
+            "http_port_max": 8550,
+            "ssh_username": "root",
+            "ssh_password": "<%= @data[:password] %>",
+            "vm_name": "comfy_<%= @data[:distribution] %>-<%= @data[:distro][:version]['major_version'] %>.<%= @data[:distro][:version]['minor_version'] %>_qemu.qcow2",
+            <% if @data[:distro]['qemu'] -%>
+	          <% @data[:distro]['qemu'].each_pair do |key, value| -%>
+	            "<%= key %>":<% if value.is_a? String -%>"<%= value %>"<% else -%><%= value %><% end -%>,
+              <% end -%>
+            <% end -%>
+            "boot_command":
+              [
+              "<esc>",
+              "<wait5>",
+              "<%= @data[:distro]['boot_command'] %>/<%= @data[:distribution] %>.cfg",
+              "<enter>"
+              ]
+        }
+    <% end -%>
+    <% if @data[:formats].include?('virtualbox') -%>
+      <% if @data[:formats].include?('qemu') -%>,<% end -%>
+      {
+            "name": "comfy_<%= @data[:distribution] %>-<%= @data[:distro][:version]['major_version'] %>.<%= @data[:distro][:version]['minor_version'] %>_virtualbox",
+            "type": "virtualbox-iso",
+            "iso_url": "<%= @data[:distro][:version]['iso_url'] %>",
+            "iso_checksum": "<%= @data[:distro][:version]['iso_checksum'] %>",
+            "iso_checksum_type": "sha256",
+            "output_directory": "<%= @data[:'output-dir'] %>/comfy_<%= @data[:distribution] %>-<%= @data[:distro][:version]['major_version'] %>.<%= @data[:distro][:version]['minor_version'] %>_virtualbox/",
+            "ssh_wait_timeout": "90m",
+            "shutdown_command": "shutdown -h now",
+            "format": "ova",
+            "disk_size": <%= @data[:size] %>,
+            "headless": <%= @data[:headless] %>,
+            "http_directory": "<%= @data[:server_dir] %>",
+            "http_port_min": 8500,
+            "http_port_max": 8550,
+            "ssh_username": "root",
+            "ssh_password": "<%= @data[:password] %>",
+            "vm_name": "comfy_<%= @data[:distribution] %>-<%= @data[:distro][:version]['major_version'] %>.<%= @data[:distro][:version]['minor_version'] %>_virtualbox",
+            <% if @data[:distro]['virtualbox'] -%>
+	          <% @data[:distro]['virtualbox'].each_pair do |key, value| -%>
+            "<%= key %>":<% if value.is_a? String -%>"<%= value %>"<% else -%><%= value %><% end -%>,
+              <% end -%>
+            <% end -%>
+            "boot_command":
+              [
+              "<esc>",
+              "<wait5>",
+              "<%= @data[:distro]['boot_command'] %>/<%= @data[:distribution] %>.cfg",
+              "<enter>"
+              ]
+        }
+    <% end -%>
+    ]<% if @data[:provisioners] -%>,
+
+    "provisioners":
+    [
+        <% @data[:provisioners][:files].each_with_index do |file,i| -%>
+        {
+            "type": "file",
+            "source": "<%= file %>",
+            "destination" : "/root/<%= file.split('/').last %>"
+        }<%if i != (@data[:provisioners][:files].size - 1) || (@data[:provisioners][:scripts] && !@data[:provisioners][:scripts].empty?) %>,
+        <% end -%>
+        <% end -%>
+
+        <% @data[:provisioners][:scripts].each_with_index do |script,i| -%>
+        {
+            "type": "shell",
+            "script": "<%= script %>"
+        }<%unless i == (@data[:provisioners][:scripts].size - 1) %>,
+        <% end -%>
+        <% end -%>
+    ]
+    <% end -%>
+}

data/lib/templates/scientificlinux/files/10-ipv6.conf

@@ -0,0 +1,5 @@
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+net.ipv6.conf.eth0.disable_ipv6 = 1
+net.ipv6.conf.eth1.disable_ipv6 = 1

data/lib/templates/scientificlinux/files/cloud.cfg

@@ -0,0 +1,101 @@
+# If this is set, 'root' will not be able to ssh in and they 
+# will get a message to login instead as the above $user (ubuntu)
+disable_root: False
+user: root
+ssh_pwauth: False
+ssh_deletekeys: True
+ssh_genkeytypes: ['rsa', 'dsa']
+ssh_svcname: sshd
+
+# This will cause the set+update hostname module to not operate (if true)
+preserve_hostname: false
+cc_ready_cmd: ['/bin/true']
+mount_default_fields: [~, ~, 'auto', 'defaults,nofail', '0', '2']
+syslog_fix_perms: ~
+manage_etc_hosts: True
+
+# Update and upgrade system on first boot
+apt_preserve_sources_list: True
+package_update: True
+package_upgrade: True
+package_reboot_if_required: True
+
+# work only with OpenNebula, use network based datasource,
+# so that we can successfully resolve IPv4 based hostname
+disable_ec2_metadata: True
+datasource_list: ['OpenNebula']
+datasource:
+  OpenNebula:
+    dsmode: net
+
+# The modules that run in the 'init' stage
+cloud_init_modules:
+ - migrator
+ - seed_random
+ - bootcmd
+ - write-files
+ - growpart
+ - resizefs
+ - set_hostname
+ - update_hostname
+ - update_etc_hosts
+ - ca-certs
+ - rsyslog
+ - users-groups
+ - ssh
+
+# The modules that run in the 'config' stage
+cloud_config_modules:
+# Emit the cloud config ready event
+# this can be used by upstart jobs for 'start on cloud-config'.
+ - emit_upstart
+ - disk_setup
+ - mounts
+ - ssh-import-id
+ - locale
+ - set-passwords
+ - grub-dpkg
+ - apt-pipelining
+ - apt-configure
+ - package-update-upgrade-install
+ - landscape
+ - timezone
+ - puppet
+ - chef
+ - salt-minion
+ - mcollective
+ - disable-ec2-metadata
+ - runcmd
+ - byobu
+
+# The modules that run in the 'final' stage
+cloud_final_modules:
+ - rightscale_userdata
+ - scripts-per-once
+ - scripts-per-boot
+ - scripts-per-instance
+ - scripts-user
+ - ssh-authkey-fingerprints
+ - keys-to-console
+ - phone-home
+ - final-message
+ - power-state-change
+
+# System and/or distro specific settings
+# (not accessible to handlers/transforms)
+system_info:
+   # This will affect which distro class gets used
+   distro: rhel
+   # Other config here will be given to the distro class and/or path classes
+   paths:
+      cloud_dir: /var/lib/cloud/
+      templates_dir: /etc/cloud/templates/
+      upstart_dir: /etc/init/
+   package_mirrors:
+     - arches: [default]
+       failsafe:
+         primary: http://http.us.debian.org/debian/
+         security: http://security.debian.org/
+   ssh_svcname: sshd
+
+# vim:syntax=yaml

data/lib/templates/scientificlinux/files/fail2ban.local

@@ -0,0 +1,3 @@
+[Definition]
+
+logtarget = SYSLOG

data/lib/templates/scientificlinux/files/getty@ttyS0.service

@@ -0,0 +1,47 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Getty on %I
+Documentation=man:agetty(8) man:systemd-getty-generator(8)
+Documentation=http://0pointer.de/blog/projects/serial-console.html
+After=systemd-user-sessions.service plymouth-quit-wait.service
+After=rc-local.service
+
+# If additional gettys are spawned during boot then we should make
+# sure that this is synchronized before getty.target, even though
+# getty.target didn't actually pull it in.
+Before=getty.target
+IgnoreOnIsolate=yes
+
+# On systems without virtual consoles, don't start any getty. Note
+# that serial gettys are covered by serial-getty@.service, not this
+# unit.
+ConditionPathExists=/dev/tty0
+
+[Service]
+# the VT is cleared by TTYVTDisallocate
+ExecStart=-/sbin/agetty --autologin root --noclear %I $TERM
+Type=idle
+Restart=always
+RestartSec=0
+UtmpIdentifier=%I
+TTYPath=/dev/%I
+TTYReset=yes
+TTYVHangup=yes
+TTYVTDisallocate=yes
+KillMode=process
+IgnoreSIGPIPE=no
+SendSIGHUP=yes
+
+# Unset locale for the console getty since the console has problems
+# displaying some internationalized messages.
+Environment=LANG= LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION=
+
+[Install]
+WantedBy=getty.target
+Alias=getty@ttys0.service

data/lib/templates/scientificlinux/files/grub

@@ -0,0 +1,10 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+GRUB_TERMINAL_OUTPUT="console"
+GRUB_CMDLINE_LINUX="vconsole.keymap=us crashkernel=auto  vconsole.font=latarcyrheb-sun16 rhgb quiet net.ifnames=0 biosdevname=0 console=tty0 console=ttys0,115200n8"
+GRUB_DISABLE_RECOVERY="true"
+GRUB_TERMINAL="serial"
+GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
+

data/lib/templates/scientificlinux/files/iptables-multiport.local

@@ -0,0 +1,6 @@
+[Definition]
+
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j REJECT
+
+actionunban = iptables -D fail2ban-<name> -s <ip> -j REJECT
+

data/lib/templates/scientificlinux/files/jail.local

@@ -0,0 +1,17 @@
+[DEFAULT]
+
+# Seznam vygenerovany skriptem /software/meta-admin/scripts/get_nodes_ips
+# Vygeneruje pouze C site, tzn. je tam o nekolik set hostu vic nez ve skutecnosti
+
+ignoreip = 127.0.0.1 147.228.1.0/24 147.251.17.0/24 147.228.240.0/24 147.228.241.0/24 147.231.11.0/24 147.231.18.0/24 147.251.11.0/24 147.251.252.0/24 147.251.254.0/24 147.251.3.0/24 147.251.84.0/24 147.251.9.0/24 195.113.0.0/24 195.113.123.0/24 195.113.209.0/24 195.113.214.0/24 78.128.210.0/24
+
+[ssh]
+
+enabled = true
+port    = ssh
+filter  = sshd
+logpath  = /var/log/auth.log
+maxretry = 100
+findtime = 86400
+bantime  = 1209600
+

data/lib/templates/scientificlinux/files/krb5.conf

@@ -0,0 +1,181 @@
+[libdefaults]
+        default_realm = META 
+        forwardable = yes
+        forward = yes
+        encrypt = yes
+        srv_lookup = no
+        srv_try_txt = no
+        no-addresses = yes
+	allow_weak_crypto = true
+
+[realms]
+    ICS.MUNI.CZ = {
+	    kdc = kdccesnet.ics.muni.cz
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.meta.zcu.cz
+            admin_server = kdc1.cesnet.cz
+            kpasswd_server = kdc1.cesnet.cz
+    }
+    META = {
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.meta.zcu.cz
+            kdc = sal.ruk.cuni.cz:89
+	    kdc = jerry.ruk.cuni.cz
+            admin_server = kdc1.cesnet.cz
+            kpasswd_server = kdc1.cesnet.cz
+	    krb525_server = kdccesnet.ics.muni.cz
+	    krb525_server = kdc1.cesnet.cz 
+	    krb525_server = kdccesnet.meta.zcu.cz 
+    }
+    ZCU.CZ = {
+            kdc = kerberos1.zcu.cz
+            kdc = kerberos2.zcu.cz
+            kdc = kerberos3.zcu.cz
+            admin_server = kerberos-adm.zcu.cz
+            kpasswd_server = kerberos-adm.zcu.cz
+    }
+    RUK.CUNI.CZ = {
+            kdc = sal.ruk.cuni.cz
+            kdc = jerry.ruk.cuni.cz:89
+            admin_server = sal.ruk.cuni.cz
+            kpasswd_server = sal.ruk.cuni.cz
+	    krb524_server = sal.ruk.cuni.cz
+	    krb524_server = jerry.ruk.cuni.cz:89
+    }
+    IS.MUNI.CZ = {
+            kdc = ariadna.fi.muni.cz
+    }
+    SITOLA.FI.MUNI.CZ = {
+            kdc = hendrak.fi.muni.cz
+            kdc = oberon.fi.muni.cz
+            admin_server = oberon.fi.muni.cz
+            kpasswd_server = oberon.fi.muni.cz
+    }
+    ADMIN.META = {
+            kdc = kdccesnet.ics.muni.cz
+            admin_server = kdccesnet.ics.muni.cz
+            kpasswd_server = kdccesnet.ics.muni.cz
+    }
+    ASR.ICS.MUNI.CZ = {
+            kdc = bombur.ics.muni.cz
+            admin_server = bombur.ics.muni.cz
+            kpasswd_server = bombur.ics.muni.cz
+    }
+    EINFRA = {
+            kdc = kdc1.cesnet.cz
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+	    admin_server = kdc1.cesnet.cz
+    }
+    EINFRA-SERVICES = {
+            kdc = kdc1.cesnet.cz
+            kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+   	    admin_server = kdc1.cesnet.cz
+    }
+    EGI = {
+	    kdc = kdc1.cesnet.cz
+	    kdc = kdccesnet.ics.muni.cz
+	    kdc = kdccesnet.meta.zcu.cz
+	    admin_server = kdc1.cesnet.cz
+    }
+    SAGRID = {
+            kdc = kdc1.cesnet.cz
+            admin_server = kdc1.cesnet.cz
+    }
+    ELIXIR-EUROPE.ORG = {
+            kdc = kdc1.cesnet.cz
+            admin_server = kdc1.cesnet.cz
+    }
+
+[capaths]
+        RUK.CUNI.CZ = {
+                EINFRA-SERVICES = META
+                ZCU.CZ = META
+        }
+        ZCU.CZ = {
+                EINFRA-SERVICES = META
+                RUK.CUNI.CZ = META
+        }
+        ICS.MUNI.CZ = {
+                  EINFRA-SERVICES = META
+        }
+        EINFRA = {
+                ICS.MUNI.CZ = META
+        }
+        EINFRA-SERVICES = {
+                ICS.MUNI.CZ = META
+                RUK.CUNI.CZ = META
+                ZCU.CZ = META
+        }
+
+[domain_realm]
+        sirion.ics.muni.cz = META
+        erebor.ics.muni.cz = META
+        acharon.ruk.cuni.cz = META
+	androth.zcu.cz = ICS.MUNI.CZ
+        .fi.muni.cz = SITOLA.FI.MUNI.CZ
+        .ics.muni.cz = ICS.MUNI.CZ
+        .cesnet.cz = ICS.MUNI.CZ
+        .zcu.cz = ZCU.CZ
+        .ruk.cuni.cz = RUK.CUNI.CZ
+	.medigrid.cz = ICS.MUNI.CZ
+	.video.muni.cz = ICS.MUNI.CZ
+	.ncbr.muni.cz = ICS.MUNI.CZ
+	.prf.jcu.cz = ICS.MUNI.CZ
+	.feec.vutbr.cz = ICS.MUNI.CZ
+	atlases.muni.cz = ICS.MUNI.CZ
+	.egi.eu = META
+	.fzu.cz = META
+	.cerit-sc.cz = ICS.MUNI.CZ
+	kdc1.cesnet.cz = EINFRA-SERVICES
+	.du1.cesnet.cz = EINFRA-SERVICES
+	.du2.cesnet.cz = EINFRA-SERVICES
+	.du3.cesnet.cz = EINFRA-SERVICES
+	ui2.grid.cesnet.cz = EINFRA-SERVICES
+	ui1.egee.cesnet.cz = EINFRA-SERVICES
+	ui1.grid.cesnet.cz = EINFRA-SERVICES
+	.metacentrum.cz = ICS.MUNI.CZ
+	.ueb.cas.cz = ICS.MUNI.CZ
+	.meta.zcu.cz = META
+	.ukb.muni.cz = ICS.MUNI.CZ
+	.ceitec.muni.cz = EINFRA-SERVICES
+
+[appdefaults]
+    krb4_get_tickets = no
+    krb4_convert = no
+    krb4_convert_524 = no
+    pam = {
+        debug = false
+        forwardable = true
+        afs_cells = ics.muni.cz
+        minimum_uid=100
+        addressless = true
+#Debian
+        realm = META
+        validate = true
+#SuSE
+        ticket_lifetime = 36000
+        renew_lifetime = 36000
+        proxiable = false
+        retain_after_close = false
+        try_first_pass = true
+        external=true
+        force_creds = true
+    }
+    libkafs = {
+    	ZCU.CZ = {
+		afs-use-524 = 2b
+	}
+    	ICS.MUNI.CZ = {
+		afs-use-524 = 2b
+	}
+	RUK.CUNI.CZ = {
+		afs-use-524 = 2b
+	}
+   }
+
+[kadmin]
+	default_keys = v5 v4
+

data/lib/templates/scientificlinux/files/ntp.conf

@@ -0,0 +1,61 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+
+# Enable this if you want statistics to be logged.
+statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+server tik.cesnet.cz
+server tak.cesnet.cz
+server ntp.muni.cz
+server time.fi.muni.cz
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+#server 0.debian.pool.ntp.org iburst
+#server 1.debian.pool.ntp.org iburst
+#server 2.debian.pool.ntp.org iburst
+#server 3.debian.pool.ntp.org iburst
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines.  Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+
+# Try to avoid NTP amplification attacks
+disable monitor

data/lib/templates/scientificlinux/files/sshd_config

@@ -0,0 +1,150 @@
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox		# Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 30
+ClientAliveCountMax 5
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

data/lib/templates/scientificlinux/files/xen-domU.conf

@@ -0,0 +1 @@
+add_drivers+="xen-blkfront xen-netfront xen-kbdfront"