
List:       qubes-devel
Subject:    [qubes-devel] Re: Salt dom0 -> VM management
From:       "Manuel Amador (Rudd-O)" <rudd-o@rudd-o.com>
Date:       2015-12-26 4:43:37
Message-ID: <567E1AF9.4050109@rudd-o.com>

On 12/25/2015 12:40 PM, Marek Marczykowski-Górecki wrote:
> On Fri, Dec 25, 2015 at 03:58:47AM -0800, Jason M wrote:
> > BTW, going to play around with bombshell next week :)
> 
> That would probably be the easiest thing to do, but I'm not sure it's the
> most secure. I think the way to go would be to package states/formulas/etc.
> from dom0, send them to the VM using _simple_ mechanism
> (qvm-copy-to-vm?), then execute states there.

What I have here is simpler and I recommend you do this.

I have a VM that manages all other VMs, and dom0.  That is the most
trusted VM, and nothing goes into it that is not typed by me (except, of
course, responses from managed VMs).

That machine has an Ansible setup, complete with bombshell support and
the Qubes connection plugin for Ansible.

From that Ansible setup, I generate Salt formulas to enable in dom0
(because why not reuse what works?) but all of the other VMs are managed
directly by Ansible playbooks.  All Ansible modules spit back JSON to
the ansible-playbook process, so it's relatively safe.  Stuff goes out,
not in.

This also completely avoids having to install *any* sort of software on
dom0 (or, for that purpose, dom0's VMs themselves) to manage it.

-- 
    Rudd-O
    http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group,
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/567E1AF9.4050109%40rudd-o.com. For more
options, visit https://groups.google.com/d/optout.
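The inbound half of "stuff goes out, not in", as an added example (not code from this thread, from Rudd-O's Ansible setup, from bombshell, or from the Qubes connection plugin): a management VM sends a command to a managed qube with qvm-run --pass-io, which is a real Qubes command, and validates the JSON reply before the manager uses it. The size cap, the four-key schema and the control-character scrub are assumptions for illustration; a real Ansible module result carries more keys than this.

```python
"""Dispatcher for a "stuff goes out, not in" management VM.

Added example (not Rudd-O's Ansible setup, bombshell, or the Qubes connection
plugin): the manager sends a command to a managed VM and treats the JSON that
comes back as untrusted input from a possibly compromised qube.
"""
import json
import subprocess

# Assumed limits and schema for illustration; an Ansible module result has
# more keys than this.
MAX_RESPONSE_BYTES = 1 << 20
ALLOWED_KEYS = frozenset({"changed", "failed", "rc", "msg"})
MAX_MSG_CHARS = 4096


class UntrustedResponse(Exception):
    """Raised when a managed VM's reply fails validation."""


def qvm_run_transport(vm, command, timeout=60):
    """Real transport: run `command` inside `vm` with qvm-run --pass-io
    (the Qubes CLI flag that connects the VM's stdio to ours) and return
    its raw stdout bytes. Nothing else from the VM is trusted."""
    proc = subprocess.run(
        ["qvm-run", "--pass-io", vm, command],
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        timeout=timeout,
        check=False,
    )
    return proc.stdout


def _scrub(text):
    """Replace control characters (terminal escape sequences included) so a
    managed VM cannot drive the manager's terminal through its `msg`."""
    return "".join(
        ch if ch.isprintable() or ch in "\n\t" else "?"
        for ch in text[:MAX_MSG_CHARS]
    )


def parse_module_result(raw):
    """Validate one JSON reply: bounded size, strict UTF-8 and JSON, a flat
    object with only the expected keys, and the expected type per key."""
    if len(raw) > MAX_RESPONSE_BYTES:
        raise UntrustedResponse("reply exceeds %d bytes" % MAX_RESPONSE_BYTES)
    try:
        obj = json.loads(raw.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UntrustedResponse("reply is not valid JSON: %s" % exc)
    if not isinstance(obj, dict):
        raise UntrustedResponse("reply is not a JSON object")
    extra = set(obj) - ALLOWED_KEYS
    if extra:
        raise UntrustedResponse("unexpected keys: %s" % sorted(extra))
    for key in ("changed", "failed"):
        if not isinstance(obj.get(key, False), bool):
            raise UntrustedResponse("%s must be a boolean" % key)
    rc = obj.get("rc", 0)
    msg = obj.get("msg", "")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(rc, bool) or not isinstance(rc, int):
        raise UntrustedResponse("rc must be an integer")
    if not isinstance(msg, str):
        raise UntrustedResponse("msg must be a string")
    return {
        "changed": obj.get("changed", False),
        "failed": obj.get("failed", False),
        "rc": rc,
        "msg": _scrub(msg),
    }


def run_module(vm, command, transport=qvm_run_transport):
    """Send the command out, validate what comes back in."""
    return parse_module_result(transport(vm, command))


if __name__ == "__main__":
    # Constructed replies standing in for a managed VM, so this runs offline.
    replies = {
        "good": b'{"changed": true, "failed": false, "rc": 0, "msg": "ok"}',
        "escape": b'{"rc": 0, "msg": "\\u001b[2J\\u001b[Hrestart now"}',
        "extra": b'{"rc": 0, "inject": {"hosts": "all"}}',
        "garbage": b"<html>not a module result</html>",
    }
    for name, raw in replies.items():
        try:
            print(name, "->", run_module("work", "true", transport=lambda vm, cmd: raw))
        except UntrustedResponse as exc:
            print(name, "-> rejected:", exc)
```

The reply from a managed VM is the one channel that runs inward, so it gets network-input treatment. json.loads itself is not the risk; the consumer of the result is (a terminal printing msg, a template rendering it, a playbook branching on a type it did not expect), which is why the example pins types and strips control characters rather than just checking that the bytes parse.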

