Salt management questions

[Johannes Graumann]

Gentlepeople,

For a while I have been managing a qubes setup using a dedicated
management VM and ansible via https://github.com/Rudd-O/ansible-qubes.
As auditing that code is beyond me and as salt is integral to qubes, I
was wondering whether that layout is currently possible using the salt
management stack, in other words: can the management stack (currently)
be used with a vm as the master to the entire system including dom0?

Sincerely, Joh

[Johannes Graumann]

I understand this may be IT-people-level stuff ..., but can anyone hint
at whether this is already possible and or where to look?

Joh

[Johannes Graumann]

Here https://www.qubes-os.org/news/2015/12/14/mgmt-stack/, Marek
Marczykowski-Górecki sais (referring to the core rewrite back then
ongoing for 4.)):
+ Then, based on this functionality, we will be able to create a
+ Management VM, which will allow secure, centralized management of
+ Qubes OS installations in an organization or company. But to do it
+ securely, we need to first finish some major rework of Qubes core
+ management code (“core3”), which is planned for Qubes 4.0. Then it
+ will be possible to implement Management VM in a way so that it will
+ have no access to user data, only ability to manage configuration of
+ (selected) VMs.
This is exactly what I want - plus limited tor/net connectivity to
track/backup my salt infrastructure in a gpg-encrypted git repo ...
Are we there yet?

Joh

[Connor Page]

Please consult
https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
https://www.qubes-os.org/news/2017/10/03/core3/
for more information about admin possibilities and how they’re supposed to work. There are simple demo examples as well.