Kushal Das: Using Ansible to maintain your Qubes system

From the time I have started using Qubes OS, How to
create and setup new AppVMs in an efficient way?
remained an open question for
me. I was mostly using the command line tool to create any new AppVMs and then
manually setting all the properties after creation. I also did the package
installations and other setup inside of the VMs manually.

If you never heard of Qubes before, you should check it out. Qubes takes a
different approach to security, security by compartmentalization, different
applications are separated by Qubes (VMs) . The base is running Fedora and then
all other VMs are on top of Xen. It also provides a very tight integration of
the tools to give a pleasant experience.

When I asked about how people maintain different VMs or templateVMs (from which
the normal VMs spawn off), the answer was mostly bash scripts. The tools
provided by the Qubes team are friendly to scripting. Though the official way to
managing VMs is done by Salt project.

As we (at Freedom of the Press Founation) are working
towards a Qubes based desktop
SecureDrop, we also started using Salt to maintain the
states of the VMs. I personally found Salt to be very confusing and a bit
difficult to learn.

From the mailing list I also found out about
but, as I started reading the README, I figured that Salt is being used here too
in the background. That made me rethink about the Ansible as a choice to
maintain my Qubes.

Last weekend I pinged Trishna for some
pointers on writing new plugins for Ansible, and
later at night I also talked with Toshio about the Ansible plugins + modules.

Introducing Qubes Ansible

The result of those chats is Qubes
. It has a qubesos module
and a qubes connection plugin for Ansible.

I already have a PR opened to
add the connection plugin into Ansible.

The actual module will still require a lot of work to become feature complete
with the existing command line tools and also with the Salt. This project is
under active development.

Good thing is that I am getting feedback+patches from the #qubes IRC channel (on
Freenode). From the Qubes development team,
marmarek provided some real valuable input to
make the plugin easier to use.

Example playbook

- hosts: localhost
  connection: local

    - name: Make sure the development VM is present
        guest: development2
        state: present
          memory: 1200
          maxmem: 1400
          netvm: 'sys-firewall'
          template: 'debian-9'
          label: "blue"

    - name: Run the VM
        guest: development2
        state: running

You can use the above playbook to create a development2 AppVM with the exact
properties you want. The examples
has all the
available options documented.

If you are using Qubes, please give it a try, and tell us how can we improve
your experience of maintaining the system with Ansible. You can provide feedback
in a Github issue or talk
directly in the #qubes IRC channel.

Source From: fedoraplanet.org.
Original article title: Kushal Das: Using Ansible to maintain your Qubes system.
This full article can be read at: Kushal Das: Using Ansible to maintain your Qubes system.


Random Article You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *