-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sun, Jul 01, 2018 at 03:06:06PM -0400, Jean-Philippe Ouellet wrote:
> Previously...
>
https://groups.google.com/d/topic/qubes-devel/VimLbPHwJRw/discussion
> > Let me be the first to admit that salt appears difficult to understand at
> > first. Their documentation drives me up the wall. It strikes me as the kind
> > of project that gained followers early when it was still easy to grasp, then
> > built up an obscurantist mindset.
>
>
https://github.com/QubesOS/qubes-issues/issues/1983
> > I've been trying to learn saltstack for a few weeks now, but the
> > documentation is outright novice-hostile. It spouts off about advanced
> > options in the second or third paragraphs of each topic and rarely
> > returns to Earth.
>
> I'm curious how many people actually use Salt to manage their Qubes
> machines. If you do, I want to hear your thoughts on it.
I do, to some extend (templates only). And I feel your pain. Salt is
definitely not easy thing to learn. When you get it, it's quite
useable, but I wouldn't call it comfortable.
> Over the past few years my main daily Qubes system has grown to ~150
> VMs, and over 20 templates. In an effort to keep things clean, I don't
> upgrade my templates across fedora / debian versions, but instead
> regularly create fresh clean templates with only the intended packages
> and local config explicitly desired.
Initially I have upgraded templates, but since about R3.0 I use fresh
templates as you do. Initially I did this with just a text file listing
packages to be installed + tar archive with few configs I've extracted
over /etc. But now I use salt for this.
I don't do that with AppVMs on my main system, at least not yet.
I do that also for test machines, which I reinstall quite frequently. I
have a set of salt configs for installing extra software in templates,
required to run all the tests, configure dom0 to my liking, copy helper
scripts where needed, add my local repositories etc.
And also to install updates in dom0 and all templates at once.
> Every time my templates go EOL and its time to bump them to new
> versions I say to myself "okay, this time I'm going to learn salt and
> do my template management the official Qubes way". But, each time I
> try, I get annoyed at Salt's learning curve, annoyed at the upstream
> docs, annoyed at how they've reinvented their own terminology for
> every simple thing, and annoyed at subtle differences in behavior
> documented upstream and behavior as integrated in Qubes. Then, I
> invariably start digging into the implementation and Qubes' existing
> use of salt as an example to learn from, get annoyed at how many
> layers of abstraction there are, annoyed at how every part of the
> documentation already assumes familiarity with the entire rest of
> stack, and conclude it's more painful to use than it's worth.
I think the major pain points of Salt are:
- completely different terminology you need to learn (state, formula,
pillar, grain, top, ...)
- top files - the fact you define in separate places _what_ to do and
_where_ to do - this makes it hard to grasp the whole picture
IMO the second thing is a bigger problem than the first one. But when
you get initial thing working, adding more states (one more package, one
more config file etc) is straightforward. You can find some basic
example on
https://www.qubes-os.org/doc/salt/
When you look at documentation, focus on "Configuration management"
section on
docs.saltstack.com, specifically "state modules". Salt in
theory can to much more, but other things are far less useful on Qubes.
Personally I mostly use "pkg" module (for package management) and "file"
module (setting config files, either as a whole, or individual
settings).
When I look at it now, Ansible is probably much easier to learn. And if
you like, you can use it, with some limitations, using:
https://github.com/Rudd-O/ansible-qubes
> Also, I've on occasion had to set up a number of Qubes machines for
> use in various organization-managed settings. This should be the
> perfect use case for Salt, but each time I spend a number of hours
> trying before finally resorting back to simple shell scripts which end
> up being 1) maintainable by others without too much trouble and 2)
> just as idempotent as salt aims to be with its declarative nature but
> without requiring so much abstraction. It's hard to see the benefit.
Of course you can do all of this with own scripts. You know, Salt is
also a bunch of python code ;) For me, the 2) point above is an
important reason to use Salt. How many times you forgot -n option to
ln -sf and ended up with a symlink inside a linked directory, instead of
updating the symlink? With Salt I'm pretty sure I'll get the state I've
described regardless what was there initially (unless I opt for cmd.run
state, which I try to avoid whenever possible...).
> Digging into the implementations of things to figure out how they work
> is second nature to me, but salt has been particularly unpleasant to
> adopt. The only other users of Salt on Qubes I'm aware of are Whonix
> and SecureDrop-Workstation (authors found in commit logs of both
> CC'd), and Qubes itself. I'd love to hear how other peoples'
> experience compares.
There is one more:
https://github.com/inversepath/qubes-qrexec-to-tcp
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAls5asUACgkQ24/THMrX
1ywsfQf/e8gwUegan+mFGclXf6bZBY7ybd6IG6cyq+77uU4GNKIgqyJfBpZ6vgIx
mOrCa6OgHmecvFTkpE/RZkrv3o9AAgoLoSG4AgFBc9BH4+RYqyMX/AcFzKm2lIU2
Q9IWPRNf6l/fai9MkG6YQUs/nBM6gPgrkwzO95zWNzUcx2Fx85wwy/fCDS+bbWrI
avWydfXBf0sK6wo2thDkZL1W+hwrhOYx866CWgqnzHc4qt9Hyz3GninXeKL48Z7d
vYu95INd0UMjlVtbcDaSET6+FOAl58sRtqO0wiAaHD6zkioHX8yWwxqS1m3jO6YD
72dScce6a7NDhEOLHYTIikHVLyrf9A==
=eBD6
-----END PGP SIGNATURE-----