On Thu, 2019-07-18 at 12:49 +0200, Johannes Graumann wrote:
> On Thu, 2019-07-18 at 07:51 +0530, Kushal Das wrote:
> > On Thu, Jul 18, 2019 at 12:44 AM Johannes Graumann
> > <[email protected]> wrote:
> > > On Wed, 2019-07-17 at 18:56 +0530, Kushal Das wrote:
> > > > On Tue, Jul 16, 2019 at 11:26 PM <[email protected]> wrote:
> > > > > On Tuesday, July 16, 2019 at 10:35:11 AM UTC-4, unman wrote:
> > > > > > I really do recommend using qubesctl for almost all system
> > > > > > configuration. If only because it makes recovery so much easier.
> > > > > > I see people saying "keep a list of packages you've installed" -
> > > > > > if you keep state and use salt you can rebuild your system (almost)
> > > > > > completely automatically.
> > > > >
> > > > > Do you happen to have some example "personalized" salt scripts you
> > > > > use (or a pointer to where someone has posted some)?
> > > > >
> > > > > I was planning to put together some bash scripts to push
> > > > > configuration into my templates (90% repo adjustments and specific
> > > > > packages to download), but your comment above is intriguing.
> > > > >
> > > > There is also https://qubes-ansible.readthedocs.io/en/latest/ if you
> > > > like Ansible.
> > > What's the relationship/comparison to
> > > https://github.com/Rudd-O/ansible-qubes?
> >
> > https://qubes-ansible.readthedocs.io/en/latest/ is a pure Python
> > implementation and does not use Salt anywhere. Also, the plugin is
> > already merged in upstream Ansible project.
>
> That is cool. Is it using the same security mechanisms that salt in
> Qubes utilizes (like executing in a dispVM)?
Can you comment on whether the ansible implementation is using (or can be
made to do so) something equivalent to what is described for salt in
https://github.com/QubesOS/qubes-issues/issues/1541#issuecomment-187482786 :

1) For every VM managed by Salt (from dom0):
   - Start target VM.
   - Have dom0 create DispVM.
   - Send all the Salt configuration there.
   - Grant it qubes.VMShell access to that selected VM only.
   - Run salt-ssh (over qrexec) from the DispVM, targeting that single VM.
     Do not filter return channel there - so for example all the grains
     will be available to salt-ssh during state rendering.
   - Collect output back to dom0 (success/failure flag, optionally logging
     full output to some file).
   - Destroy DispVM.
   - Shutdown target VM (opt-out? only when wasn't running at the start?).

Joh

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/61d3460c782eafc6eb8fe5230a1df1ebb025fb11.camel%40graumannschaft.org.
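The per-VM flow quoted from the issue comment above, written out as a dom0 shell script. This is an added example for this page; it is not the Qubes mgmt-salt implementation, not the qubes-ansible plugin, and not code posted by anyone in the thread. Everything it names beyond the flow itself is an assumption: a DispVM template called mgmt-dvm, the Salt tree at /srv/salt, the Qubes 4.0 policy file /etc/qubes-rpc/policy/qubes.VMShell, a log directory /var/log/qubes-mgmt, the disp-mgmt-<vm> naming, and that salt-ssh inside the DispVM is already wired to reach the target over qrexec (mgmt-salt does that part separately and it is not shown here). The qvm-start, qvm-create, qvm-copy-to-vm, qvm-run, qvm-shutdown, qvm-remove and qvm-ls commands are the real dom0 tools.

```shell
#!/bin/sh
# Illustration of the per-VM management flow from the qubes-issues comment.
# Hypothetical script, not Qubes project code. Assumed names (not from the
# thread): mgmt-dvm, /srv/salt, /etc/qubes-rpc/policy/qubes.VMShell (Qubes
# 4.0 policy layout), /var/log/qubes-mgmt, disp-mgmt-<vm>. DRY_RUN=1 prints
# the dom0 commands instead of executing them; DRY_RUN_RUNNING lists VMs to
# treat as already running in that mode.

MGMT_TEMPLATE="${MGMT_TEMPLATE:-mgmt-dvm}"
SALT_TREE="${SALT_TREE:-/srv/salt}"
POLICY_FILE="${POLICY_FILE:-/etc/qubes-rpc/policy/qubes.VMShell}"
LOG_DIR="${LOG_DIR:-/var/log/qubes-mgmt}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS...: execute a dom0 command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vm_is_running VM: exit 0 if qvm-ls reports the VM as running.
vm_is_running() {
    if [ "$DRY_RUN" = 1 ]; then
        case " ${DRY_RUN_RUNNING:-} " in *" $1 "*) return 0 ;; esac
        return 1
    fi
    qvm-ls --raw-list --running | grep -qx -- "$1"
}

# policy_line DISPVM TARGET: the single rule that lets the management
# DispVM call qubes.VMShell on exactly this target and on nothing else.
policy_line() {
    printf '%s %s allow\n' "$1" "$2"
}

# grant_vmshell DISPVM TARGET: prepend the rule so it wins over later lines.
grant_vmshell() {
    run sed -i "1i $(policy_line "$1" "$2")" "$POLICY_FILE"
}

# revoke_vmshell DISPVM: drop every rule naming this DispVM as the source.
revoke_vmshell() {
    run sed -i "/^$1 /d" "$POLICY_FILE"
}

# manage_vm TARGET: the flow from the issue comment for one VM. Returns the
# salt-ssh exit status; the unfiltered output is logged to $LOG_DIR/TARGET.log.
manage_vm() {
    target="$1"
    dispvm="disp-mgmt-$target"
    was_running=0
    if vm_is_running "$target"; then was_running=1; fi

    run qvm-start --skip-if-running "$target"
    run qvm-create --class DispVM --template "$MGMT_TEMPLATE" --label red "$dispvm"
    run qvm-start "$dispvm"
    run qvm-copy-to-vm "$dispvm" "$SALT_TREE"
    grant_vmshell "$dispvm" "$target"

    # The target -> DispVM return channel is not filtered (grains etc. reach
    # salt-ssh); dom0 keeps only the exit status and the raw log file.
    status=0
    run qvm-run --pass-io "$dispvm" "salt-ssh $target state.apply" \
        > "$LOG_DIR/$target.log" 2>&1 || status=$?

    revoke_vmshell "$dispvm"
    run qvm-shutdown --wait "$dispvm"
    run qvm-remove -f "$dispvm"
    # Opt-out semantics from the comment: only stop what we started.
    if [ "$was_running" -eq 0 ]; then run qvm-shutdown --wait "$target"; fi
    return "$status"
}

# Usage: ./manage.sh work personal ... (does nothing without arguments).
for vm in "$@"; do
    manage_vm "$vm" || echo "manage_vm $vm failed, see $LOG_DIR/$vm.log" >&2
done
```

The security-relevant point of the flow is the policy step: the DispVM is created per target, gets qubes.VMShell on that one VM, and the rule is deleted again before the DispVM is destroyed, so a compromised target cannot be turned into a foothold on other qubes and nothing from one target's run survives into the next. Without DRY_RUN the script has to run as root in dom0 because it edits the policy file; a production version would also trap errors so the revoke and the DispVM removal happen even if an earlier qvm-* call fails.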
