Salt Orchestration, vol.2
50 views
Skip to first unread message
Michał "rysiek" Woźniak
Mar 17, 2020, 7:47:18 AM3/17/20
to qubes-users
Hey hey,
I started diving more deeply into Salt on QubesOS, since now I have two laptops
with very similar config. One thing I'd like to use is Salt Orchestrate runner:
https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html
My use-case is: I need to enable networking on some templates (`dom0:
qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
disable networking on those templates.
So basically, I need Salt's `require`, but working *across* minions.
Seems like it's available on R4.0. Before I dive deep into trying to get it into
a functioning state (ha!), has anyone played with it? And most importantly: how
bad of an idea is it?
Yes, I know enabling networking in templates is a Bad Idea, that's why I only
want to do it temporarily and in a well-managed way. But yes, other ideas on how
to get this code into the templates are obviously welcome too -- I considered
just putting it directly in my salt configs repo (that I then manually copy to
dom0:/srv/salt/), but why would I want code that is supposed to be only running
on TemplateVMs in dom0 at all, right?
--
rysiek
I started diving more deeply into Salt on QubesOS, since now I have two laptops
with very similar config. One thing I'd like to use is Salt Orchestrate runner:
https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html
My use-case is: I need to enable networking on some templates (`dom0:
qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
disable networking on those templates.
So basically, I need Salt's `require`, but working *across* minions.
Seems like it's available on R4.0. Before I dive deep into trying to get it into
a functioning state (ha!), has anyone played with it? And most importantly: how
bad of an idea is it?
Yes, I know enabling networking in templates is a Bad Idea, that's why I only
want to do it temporarily and in a well-managed way. But yes, other ideas on how
to get this code into the templates are obviously welcome too -- I considered
just putting it directly in my salt configs repo (that I then manually copy to
dom0:/srv/salt/), but why would I want code that is supposed to be only running
on TemplateVMs in dom0 at all, right?
--
rysiek
Wojtek Porczyk
Mar 17, 2020, 11:59:53 AM3/17/20
to Michał "rysiek" Woźniak, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Tue, Mar 17, 2020 at 11:46:51AM +0000, Michał "rysiek" Woźniak wrote:
> Hey hey,
Hej, rysiek!
> I started diving more deeply into Salt on QubesOS, since now I have two laptops
> with very similar config. One thing I'd like to use is Salt Orchestrate runner:
> https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html
>
> My use-case is: I need to enable networking on some templates (`dom0:
> qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
> disable networking on those templates.
>
> So basically, I need Salt's `require`, but working *across* minions.
I don't think that's possible. In principle Qubes' salt integration is
salt-ssh on steroids.
Relevant qrexec:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubes.SaltLinuxVM
Launched from:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubesctl
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubessalt/__init__.py
> Seems like it's available on R4.0. Before I dive deep into trying to get it into
> a functioning state (ha!), has anyone played with it? And most importantly: how
> bad of an idea is it?
It is bad. There are multiple ways for this to fail for some very unrelated
reasons. My most-often encountered problem with salt is it sometimes fails to
start the mgmt dispvm for memory fragmentation reasons. So if this was
supported, the failure mode would be: enable network, do something, fail to
disable network.
Also remember that the error reporting is not that good, esp. for this case.
> Yes, I know enabling networking in templates is a Bad Idea, that's why I only
> want to do it temporarily and in a well-managed way. But yes, other ideas on how
> to get this code into the templates are obviously welcome too -- I considered
> just putting it directly in my salt configs repo (that I then manually copy to
> dom0:/srv/salt/), but why would I want code that is supposed to be only running
> on TemplateVMs in dom0 at all, right?
If you need *code*, you could either just push it from dom0 (since that is
where you have salt in the first place). Or, with git, you can try this:
https://github.com/woju/qubes-app-split-git.
- --
pozdrawiam / best regards _.-._
Wojtek Porczyk .-^' '^-.
Invisible Things Lab |'-.-^-.-'|
| | | |
I do not fear computers, | '-.-' |
I fear lack of them. '-._ : ,-'
-- Isaac Asimov `^-^-_>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEaO0VFfpr0tEF6hYkv2vZMhA6I1EFAl5w8+4ACgkQv2vZMhA6
I1GtWg/8Ce1soJZVyuqkIamiCrb/VE1YcOLNolsHsKvyxervrFVkQ0Zo1KokI03h
qTgJ0l4D6YGaSVBxJhEcPNN1lONkJ1vQkQmxWPtXMGLEpHPJYuBjDkKxHINjSRc6
mcga0xx/EqhECUgL8+Qkij6zcAyMxwiA4KxQzYetBZlPxDqjt9J9fD98sKIPFduA
tkdM38zcSv/Y1XxkGzWbW34nn5FYjJsZF0Ki/68bjiAfcBFfWa43P1YxuebLAR/7
taEWgKolole96XSD2knegOEgLxJz4JudIiYh27kYjFt2gn5GGcsPE/kzJCwDKTXi
RCzQ/r7IXNhLMVqfQVnSYIHM8vpHWt12cc8qy7BmZHgouV/Vftvw3aXj6IJEZK8v
jgIU9mAuWhpue4tsLzHwDx/aHoHft56EkgSiqxCbPN6TuH+r0+/RbDLEdhLBglZj
DI+OSgOdpeR177e+CjI6wrPEFGnsEFu6STirXb8WOIMKglbnokT2QIVr1089whIw
mkFirRLB+3dKCTMenslFDJrpg2w2RLlcwo4k44TO3wEMh9OXhfoueOHiUDAg64KF
dinXJjW5dbrZ1i8pSoCGJrSc1jisC4I3/D7a+n1wLdPvAmbO8Qcdki81vuEE6YrI
1IsxIz9k7yR9b7g/8zhiK/vkvl6xV/w3yhmMCDMczZ3RFymdiRs=
=AWuf
-----END PGP SIGNATURE-----
Hash: SHA512
On Tue, Mar 17, 2020 at 11:46:51AM +0000, Michał "rysiek" Woźniak wrote:
> Hey hey,
Hej, rysiek!
> I started diving more deeply into Salt on QubesOS, since now I have two laptops
> with very similar config. One thing I'd like to use is Salt Orchestrate runner:
> https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html
>
> My use-case is: I need to enable networking on some templates (`dom0:
> qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
> disable networking on those templates.
>
> So basically, I need Salt's `require`, but working *across* minions.
salt-ssh on steroids.
Relevant qrexec:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubes.SaltLinuxVM
Launched from:
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubesctl
https://github.com/QubesOS/qubes-mgmt-salt/blob/master/qubessalt/__init__.py
> Seems like it's available on R4.0. Before I dive deep into trying to get it into
> a functioning state (ha!), has anyone played with it? And most importantly: how
> bad of an idea is it?
reasons. My most-often encountered problem with salt is it sometimes fails to
start the mgmt dispvm for memory fragmentation reasons. So if this was
supported, the failure mode would be: enable network, do something, fail to
disable network.
Also remember that the error reporting is not that good, esp. for this case.
> Yes, I know enabling networking in templates is a Bad Idea, that's why I only
> want to do it temporarily and in a well-managed way. But yes, other ideas on how
> to get this code into the templates are obviously welcome too -- I considered
> just putting it directly in my salt configs repo (that I then manually copy to
> dom0:/srv/salt/), but why would I want code that is supposed to be only running
> on TemplateVMs in dom0 at all, right?
where you have salt in the first place). Or, with git, you can try this:
https://github.com/woju/qubes-app-split-git.
- --
pozdrawiam / best regards _.-._
Wojtek Porczyk .-^' '^-.
Invisible Things Lab |'-.-^-.-'|
| | | |
I do not fear computers, | '-.-' |
I fear lack of them. '-._ : ,-'
-- Isaac Asimov `^-^-_>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEaO0VFfpr0tEF6hYkv2vZMhA6I1EFAl5w8+4ACgkQv2vZMhA6
I1GtWg/8Ce1soJZVyuqkIamiCrb/VE1YcOLNolsHsKvyxervrFVkQ0Zo1KokI03h
qTgJ0l4D6YGaSVBxJhEcPNN1lONkJ1vQkQmxWPtXMGLEpHPJYuBjDkKxHINjSRc6
mcga0xx/EqhECUgL8+Qkij6zcAyMxwiA4KxQzYetBZlPxDqjt9J9fD98sKIPFduA
tkdM38zcSv/Y1XxkGzWbW34nn5FYjJsZF0Ki/68bjiAfcBFfWa43P1YxuebLAR/7
taEWgKolole96XSD2knegOEgLxJz4JudIiYh27kYjFt2gn5GGcsPE/kzJCwDKTXi
RCzQ/r7IXNhLMVqfQVnSYIHM8vpHWt12cc8qy7BmZHgouV/Vftvw3aXj6IJEZK8v
jgIU9mAuWhpue4tsLzHwDx/aHoHft56EkgSiqxCbPN6TuH+r0+/RbDLEdhLBglZj
DI+OSgOdpeR177e+CjI6wrPEFGnsEFu6STirXb8WOIMKglbnokT2QIVr1089whIw
mkFirRLB+3dKCTMenslFDJrpg2w2RLlcwo4k44TO3wEMh9OXhfoueOHiUDAg64KF
dinXJjW5dbrZ1i8pSoCGJrSc1jisC4I3/D7a+n1wLdPvAmbO8Qcdki81vuEE6YrI
1IsxIz9k7yR9b7g/8zhiK/vkvl6xV/w3yhmMCDMczZ3RFymdiRs=
=AWuf
-----END PGP SIGNATURE-----
unman
Mar 17, 2020, 12:15:25 PM3/17/20
to qubes-users
across minions, because there's only one minion in Qubes implementation.
In your case, I'd propose an alternative. Provision a "git" qube to do
the pull, and then copy the repo in to template where you will.
Reply all
Reply to author
Forward
0 new messages