From the time I have started using Qubes OS, "How to create and setup new
AppVMs in an efficient way?" remained an open question for
me. I was mostly using the command line tool to create any new AppVMs and then
manually setting all the properties after creation. I also did the package
installations and other setup inside of the VMs manually.
If you have never heard of Qubes before, you should check it out. Qubes takes a
different approach to security: security by compartmentalization, where different
applications are separated by Qubes (VMs). The base is running Fedora and then
all other VMs are on top of Xen. It also provides a very tight integration of
the tools to give a pleasant experience.
When I asked about how people maintain different VMs or templateVMs (from which
the normal VMs spawn off), the answer was mostly bash scripts. The tools
provided by the Qubes team are friendly to scripting, though the official way of
managing VMs is with the Salt project.
As we (at Freedom of the Press Foundation) are working towards a Qubes based
desktop SecureDrop, we also started using Salt to maintain the
states of the VMs. I personally found Salt to be very confusing and a bit
difficult to learn.
From the mailing list I also found out about
but, as I started reading the README, I figured that Salt is being used here too
in the background. That made me rethink Ansible as a choice to
maintain my Qubes.
Introducing Qubes Ansible
The result of those chats is Qubes
Ansible. It has a qubesos module
and a qubes connection plugin for Ansible.
I already have a PR opened to
add the connection plugin into Ansible.
The actual module will still require a lot of work to become feature complete
with the existing command line tools and also with Salt. This project is
under active development.
The good thing is that I am getting feedback and patches from the #qubes IRC
channel (on Freenode). From the Qubes development team,
marmarek provided some really valuable input to
make the plugin easier to use.

---
- hosts: localhost
  connection: local

  tasks:
    - name: Make sure the development VM is present
      qubesos:
        guest: development2
        state: present
        properties:
          memory: 1200
          maxmem: 1400
          netvm: 'sys-firewall'
          template: 'debian-9'
          label: "blue"

    - name: Run the VM
      qubesos:
        guest: development2
        state: running

You can use the above playbook to create a
development2 AppVM with the exact
properties you want. The examples
page has all the
available options documented.
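
The qubesos module and the qubes connection plugin can be combined in a single playbook run from dom0: one play declares the AppVM, the next one works inside it. This is an added example, not taken from the original post or the project's documentation; the add_host step, the package names, and the assumption that the connection plugin honors become are illustrative.

```yaml
---
# Added example. Play 1 runs in dom0 and declares the AppVM with the same
# properties as the playbook in the post.
- hosts: localhost
  connection: local
  tasks:
    - name: Make sure the development VM is present
      qubesos:
        guest: development2
        state: present
        properties:
          memory: 1200
          maxmem: 1400
          netvm: 'sys-firewall'
          template: 'debian-9'
          label: "blue"

    - name: Run the VM so the next play can reach it
      qubesos:
        guest: development2
        state: running

    # add_host is a stock Ansible module; it puts the VM into the in-memory
    # inventory so no separate inventory file is needed for play 2.
    - name: Register the VM in the in-memory inventory
      add_host:
        name: development2

# Play 2 runs inside the AppVM through the qubes connection plugin.
- hosts: development2
  connection: qubes
  tasks:
    # Root filesystem changes in a template-based AppVM are discarded when
    # the VM shuts down; packages that must persist belong in the template.
    # Assumption: the connection plugin supports privilege escalation.
    - name: Install tools for this session (placeholder package names)
      package:
        name:
          - git
          - vim
        state: present
      become: true
```

Keeping the VM properties (template, netvm, label) in the same file as the in-VM setup gives one reviewable description of what each compartment is allowed to reach.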
If you are using Qubes, please give it a try, and tell us how we can improve
your experience of maintaining the system with Ansible. You can provide feedback
in a GitHub issue or talk
directly in the #qubes IRC channel.
Source From: fedoraplanet.org.
Original article title: Kushal Das: Using Ansible to maintain your Qubes system.