Fedora 24 minimal template can not be setup with salt

qu...@posteo.de

Nov 18, 2016, 7:46:28 AM
to qubes...@googlegroups.com
Hi,

I am planning to setup my templates with salt. I have done some
preparation some time ago but not with the Fedora 24 templates I thought
it was time to do it properly.

One of the issues is that the minimal template can not use salt by
default afaik but needs the package "qubes-mgmt-salt" which needs to be
installed manually.

When I try to do this on the Fedora 24 minimal template I get a conflict
between the packages qubes-mgmt-salt-config and salt-minion. The
conflicting files are /etc/salt and /etc/salt/minion.d. Is this known or
is there a workaround for it besides forcing the installation?


In general it would be great if you would use salt to setup the
templates, at least optionally, because then it is more transparent what
is in them, you do not need more disk space on the dvd and users can
easily customize them. This would also allow users to not backup the
templates which in my case would save almost 10 GB.


The Fedora standard image has way too many packages and also has
gstreamer-plugins-bad installed which provides atm a known remotely
exploitable security hole, at least when Chromium is used.

Thx in advance


Marek Marczykowski-Górecki

Nov 27, 2016, 9:10:00 PM
to qu...@posteo.de, qubes...@googlegroups.com
On Fri, Nov 18, 2016 at 01:46:26PM +0100, qu...@posteo.de wrote:
> Hi,
>
> I am planning to setup my templates with salt. I have done some preparation
> some time ago but not with the Fedora 24 templates I thought it was time to
> do it properly.
>
> One of the issues is that the minimal template can not use salt by default
> afaik but needs the package "qubes-mgmt-salt" which needs to be installed
> manually.

If you want to manage it from dom0, using qubesctl wrapper tool, you
don't need salt installed in target template at all. See here:

https://www.qubes-os.org/doc/salt/

> When I try to do this on the Fedora 24 minimal template I get a conflict
> between the packages qubes-mgmt-salt-config and salt-minion. The conflicting
> files are /etc/salt and /etc/salt/minion.d. Is this known or is there a
> workaround for it besides forcing the installation?

As noted above - you don't need qubes-mgmt-salt-config installed.
Neither salt-minion.

The only thing you need, is qubes-mgmt-salt-vm-connector in your
_default_ template.

> In general it would be great if you would use salt to setup the templates,
> at least optionally, because then it is more transparent what is in them,
> you do not need more disk space on the dvd and users can easily customize
> them. This would also allow users to not backup the templates which in my
> case would save almost 10 GB.

Part of it makes sense. Especially managing templates to save on backup
space. This also makes it easier to migrate to new template, or recreate
it for whatever reason. I think the only currently missing piece is more
documentation on it.
But it isn't possible to directly create new template using salt - you
need something to boot in the VM first to run salt-minion there... Also
it won't save much space on DVD, as we don't want to depend on internet
access during installation.

> The Fedora standard image has way too many packages and also has
> gstreamer-plugins-bad installed which provides atm a known remotely
> exploitable security hole, at least when Chromium is used.

Standard templates are mostly default installation of given distribution
- in case of Fedora - it's Fedora Workstation. With actually some stuff
excluded (like libreoffice, evolution) to make it smaller than the
default...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

qu...@posteo.de

Jan 13, 2017, 11:23:46 AM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi,
so I have installed the fedora-24-minimal-template package in Dom0, in
the template I have installed the package
"qubes-mgmt-salt-vm-connector".
But every time I run `qubesctl --template state.highstate` to install the
packages the template is started but the packages are not installed. I
did not find a conclusive error in the logs.

The template is cloned though, so the configuration is activated. Do I
miss any package or configuration?

I am using the following configuration:

Top file:
######

base:
  dom0:
    - vms.fedora-basic.qvm
  fedora-24-basic:
    - vms.fedora-basic.internal


SLS files:
#######

qvm.sls:
#######

fedora-24-basic:
  qvm.clone:
    - source: fedora-24-minimal

internal.sls:
#########

qubes-template-fedora-24-basic:
  pkg.installed:
    - pkgs:
      - NetworkManager
      - gnome-keyring
      <more packages>



Thx in advance
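
A pre-flight check for a state tree laid out like the one in the message above, as an added example that is not part of the original post or of the Qubes tooling: it resolves each dotted SLS reference in the top file to the file Salt would load (`name.sls` or `name/init.sls`) and reports references with no matching file. The `file_root` argument and the misplaced file in `demo()` are constructed for illustration.

```python
import os
import tempfile

# Top file data as posted in the thread, written as a Python dict so the
# example needs no YAML library.
TOP = {
    "base": {
        "dom0": ["vms.fedora-basic.qvm"],
        "fedora-24-basic": ["vms.fedora-basic.internal"],
    }
}


def sls_candidates(ref):
    """Return the two relative paths Salt accepts for a dotted SLS reference."""
    rel = ref.replace(".", "/")
    return [rel + ".sls", rel + "/init.sls"]


def unresolved_refs(top, file_root):
    """List (env, target, ref) entries whose SLS file is absent under file_root."""
    missing = []
    for env, targets in top.items():
        for target, refs in targets.items():
            for ref in refs:
                paths = [os.path.join(file_root, p) for p in sls_candidates(ref)]
                if not any(os.path.isfile(p) for p in paths):
                    missing.append((env, target, ref))
    return missing


def demo():
    """Build a constructed state tree in which internal.sls is misplaced."""
    with tempfile.TemporaryDirectory() as root:
        state_dir = os.path.join(root, "vms", "fedora-basic")
        os.makedirs(state_dir)
        open(os.path.join(state_dir, "qvm.sls"), "w").close()
        # Constructed mistake: file saved one directory too high.
        open(os.path.join(root, "vms", "internal.sls"), "w").close()
        return unresolved_refs(TOP, root)


if __name__ == "__main__":
    for env, target, ref in demo():
        print(f"{env}/{target}: no SLS file for {ref}")
```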