On Sun, Dec 18, 2016 at 07:13:44PM -0500, Nicklaus McClendon wrote:
> I really like what has been done with Salt to extend configuration
> management to each Qube; however, I prefer Ansible RedHat to Salt and
> use it to manage every other machine in my fleet. It seems it
> would be more efficient in the long run for me to utilize Ansible
> instead of Salt, to cut down on duplication of tasks. I was
> hoping to get some feedback on the following model before I started
> working, so as to cut down on any mistakes.
>
> Ansible would run in dom0 or a trusted management Qube. Dom0 would be
> preferable, as it could then create and destroy VMs; however, this
> could likely be done through a custom Qubes RPC within the management
> Qube. Ansible supports a variety of "connection" types and I was
> considering writing a connection type utilizing qrexec. In
> this model, configuration commands would be pushed to each Qube from
> dom0 (or the trusted management VM) using qrexec, and Ansible would
> function more or less unaware of the change.

Take a look at https://github.com/Rudd-O/ansible-qubes

> My primary question is how Qubes Salt avoids any possible attack back
> from each individual Qube while still relaying state information.

This is done by not parsing anything coming from the VM. We use an
intermediate DispVM for that. The actual design is here:
https://github.com/QubesOS/qubes-issues/issues/1541#issuecomment-187482786

In short, configuring a (single) VM looks like this:

1. Start a DispVM and send the Salt configuration there (pretty much all of
   it, with the exception that only the "pillars" related to this particular
   VM are sent).
2. Let Salt in that DispVM figure out what really needs to be configured in
   the target VM - it uses salt-ssh over qrexec (instead of ssh) to
   communicate with the target VM, and configures it there.
3. Return the final message (just text to be logged) back to dom0.

For every VM, a new DispVM is used. If anything exploits Salt while parsing
something coming from the VM, it will only manage to take over that DispVM,
which has access only to this particular target VM. The only real thing that
may happen is learning about the configuration targeted at other VMs, but
that configuration can't be modified.

This intermediate DispVM is implemented only for Salt. The above linked
Ansible module does not have this property.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
You received this message because you are subscribed to the Google Groups "qubes-devel" group. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20161219010534.GF1409%40mail-itl.
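An added illustration of the two properties Marek describes (this is not code from his reply or from the Qubes Salt integration itself): each DispVM receives only its own target VM's pillars, and dom0 treats whatever comes back as opaque text to log, never as something to parse. `run_in_dispvm` is a hypothetical hook standing in for the real DispVM/qrexec machinery, and the pillar data and DispVM replies are constructed for the example.

```python
import string
from typing import Callable, Dict, List

# Constructed sample pillars: dom0 holds the pillars for every VM, but each
# DispVM may only ever see the slice that belongs to its own target VM.
ALL_PILLARS: Dict[str, dict] = {
    "work": {"packages": ["firefox"], "proxy": "10.137.0.1"},
    "vault": {"packages": ["keepassxc"], "netvm": None},
}

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
MAX_LOG_LEN = 200  # cap what a (possibly compromised) DispVM can push into the log

def pillars_for(target_vm: str, all_pillars: Dict[str, dict]) -> Dict[str, dict]:
    """Step 1: send only the pillars related to this particular VM."""
    return {target_vm: all_pillars.get(target_vm, {})}

def sanitize_result(raw: bytes) -> str:
    """Step 3: dom0 never parses the returned data.  It is treated as an opaque
    log line: decoded leniently, control characters and terminal escapes
    replaced, and truncated, so a compromised DispVM cannot hand dom0
    structured input or corrupt the terminal/log."""
    text = raw.decode("ascii", errors="replace")
    cleaned = "".join(ch if ch in PRINTABLE else "?" for ch in text)
    return cleaned[:MAX_LOG_LEN]

def configure_vms(targets: List[str], all_pillars: Dict[str, dict],
                  run_in_dispvm: Callable[[str, dict], bytes]) -> List[str]:
    """Drive the per-VM flow: a fresh DispVM per target (modelled here by one
    run_in_dispvm call each), and only a sanitized string ever reaches dom0."""
    log = []
    for vm in targets:
        raw = run_in_dispvm(vm, pillars_for(vm, all_pillars))  # hypothetical hook
        log.append(f"{vm}: {sanitize_result(raw)}")
    return log

def _fake_dispvm(seen: list) -> Callable[[str, dict], bytes]:
    """Test double: records what each DispVM received; the 'vault' run pretends
    the DispVM was compromised and returns a terminal escape sequence."""
    def run(vm: str, payload: dict) -> bytes:
        seen.append((vm, payload))
        return b"ok\x1b[31m\n" if vm == "vault" else b"Succeeded: 3 (changed=1)"
    return run

if __name__ == "__main__":
    seen = []
    for line in configure_vms(["work", "vault"], ALL_PILLARS, _fake_dispvm(seen)):
        print(line)
```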
