On Tue, Apr 08, 2025 at 06:18:05PM +0000, 'Zaz Brown' via qubes-devel wrote:
> I'm working to make SALT more accessible
> ([#8218](https://github.com/QubesOS/qubes-issues/issues/8218)) and ensure
> user SALT states are backed up by default
> ([#8853](https://github.com/QubesOS/qubes-issues/issues/8853)).
>
> It seems the user environment was introduced 10 years ago somewhere around
> [qubes-mgmt-salt commit 1890a4e7ec77009b81faecaa25606dfee2e7633e by nrgaway](https://github.com/QubesOS/qubes-mgmt-salt/commit/1890a4e7ec77009b81faecaa25606dfee2e7633e).
> Having another env seems to add subtle complexity. What is the advantage to
> having a user env instead of just a user directory in the base env?

Mostly not having to worry about conflicts with standard formulas
(virtual-machines and a few more in more specialized cases), and all the
automation to manage the merged top file (qubesctl top.{enable,disable}).
I don't think it's a huge concern, maybe avoiding the few names used
there is still easier than dealing with two envs?

> I wouldn't suggest we add multiple file_roots to the base env, because you
> then have the potential of
> [colliding subdirectory names causing confusion](https://docs.saltproject.io/en/latest/ref/configuration/master.html#file-roots).
> But why not add a /srv/salt/user/ directory? The only downside I see there
> would be that users would have to prefix their states with user.

Actually, there are already multiple file_roots for the base env, see
/etc/salt/minion.d/*.conf. Adding another one should be fine IMO.
Anyway, I'd rather avoid /srv/salt specifically, as this one is covered
by the magic top management (see /srv/salt/top.sls), not exactly a thing
for manual user changes.

> Also, I have found debugging SALT to be a nightmare, with critical errors
> hidden under DEBUG. Is this something Qubes-specific? E.g. because there is
> output in a management disp VM that I am not seeing? If so, what is the
> easiest way to debug SALT scripts in Qubes?

That's kinda my experience too, also outside of qubes. If something
breaks, I usually add `-l all` and then search through pages and pages
of output...
As for dispvm, yes, there are also cases where some output may not be
retrieved, I think internally salt makes some call with `-l quiet` or
such. I don't think I needed such logs often, but when I do, I usually
comment out the `dispvm.kill()` line in qubessalt/__init__.py and then call
the relevant salt-ssh command manually (as seen in
/etc/qubes-rpc/qubes.SaltLinuxVM). Far from ideal...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
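
The collision concern raised in the thread (several file_roots directories feeding the base env) can be checked mechanically. The following is an added example, not part of the original message and not Qubes code: it lists state files that exist under more than one root and which copy wins, assuming Salt's documented behaviour that the roots of one environment are searched in listed order and the first match is served. The directory names `formulas` and `user` and the file `user/mystate.sls` are constructed sample data.

```python
import os
import tempfile


def find_collisions(file_roots):
    """Map each relative path found under more than one root to those roots.

    file_roots must be in the order Salt searches them, so the first root in
    each returned list serves the file and the remaining ones are shadowed.
    """
    seen = {}
    for root in file_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                seen.setdefault(rel, []).append(root)
    return {rel: roots for rel, roots in seen.items() if len(roots) > 1}


def build_sample():
    """Create two constructed roots in a temp dir and return them in order."""
    base = tempfile.mkdtemp(prefix="file_roots_demo_")
    layout = {
        # Stand-in for a root that ships standard formulas.
        "formulas": ["top.sls", "virtual-machines/init.sls"],
        # Stand-in for a user root: one clashing name, one prefixed state.
        "user": ["virtual-machines/init.sls", "user/mystate.sls"],
    }
    roots = []
    for root_name, files in layout.items():
        root = os.path.join(base, root_name)
        roots.append(root)
        for rel in files:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("# constructed sample state\n")
    return roots


if __name__ == "__main__":
    for rel, owners in find_collisions(build_sample()).items():
        print(f"{rel}: served from {owners[0]}, shadowed in {owners[1:]}")
```

To use it on a real system, pass the base env's file_roots list in the order it appears in the effective minion configuration.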