Hi All, I have been experimenting with using salt to configure a full Qubes system with standalone vms running docker for development and automated setup of a kali template based off of the debian template based on the procedure in the docs.
In my trials (mostly wins) I have found a few issues and also just missing parts that make management difficult. After I finish a run (or two) of "qubesctl --all state.highstate" using my qubes salt configuration (https://github.com/Nekroze/qubes-salt) I can no longer update dom0 or send files from one VM to another (other then from dom0 out to a vm) as I just get the error: Data vchan connection failed I have not been able to find any information on common causes for this error, the best I can find while searching is the source code that prints the error. I've tried disabling a bunch of the tops to reduce what is changing but it just keeps happening. This is the 4th time I have re-installed qubes 3.2-rc2 because of this error when trying to use salt. I am unsure as to what information is required for this kind of error hence reporting here before I start an issue on github, any advice on logs to provide or steps to try would be welcome. There are also a handful of other problems smaller problems I have encountered while trying to configure everything I need with salt. For example the fedora-23-minimal templates are unmanageable via salt, all of the internal VM salt configuration just doesn't work on on them from my experiments. Additionally it seems that package management control over dom0 fails when sys-whonix is the updateVM, this forces all salt updates over sys-firewall for setup and it seems updating Whonix templates this way presents an error (that they are not running with a whonix-gw based netVM) as they are included in states that affect all templates. Sadly due to the previously mentioned vchan issue I am unable to grab the exact error message at the moment but I will try and get it later today when I might have time to do another re-install. Its great when everything goes well but when there is an issue there is no summary from the VM's configuration changes like dom0 has. At best it would be nice to see things like the versions that changed in the VM's when an update works, but when something goes wrong, not having this means I have to step through the procedure to find out what failed which means I have to do it manually anyways. This seems to happen even when qubesctl says the vm was OK but I find the a package was not installed at all and must have errored, again doing it manually I was able to see the error and resolve a trivial cache issue preventing the install. When using the qvm.create state, it is clear from using Qubes for a bit that it maps to the similarly named cli tool however preferences specified in the qvm.create state, being only run if the vm exists at all, require secondary qvm.prefs of the same or similar preferences to ensure that those states remain the same. From my understanding part of configuration management like this is not just to provision but to ensure the configuration conforms to the state specifications, this just feels very clumsy to have to do twice, perhaps templating can help here but I am just starting the make a dent in learning how to use templating for salt. There are some aspects of configuring the dom0 experience in Qubes that does not seem to be possible from salt. For example there is no way to specify which applications are available in the menu for an appVM, From what I can see no way to toggle the dynamic memory management switch from salt, nor a way to add firewall rules to the Qubes manager firewall list via states. There are great tools for provisioning the cluster of VM's but it doesn't tie into the user experience for Qubes requiring more manual configuration. I would like to formalize these into issues on GitHub but just wanted to discuss if there was more information I need or some issues are already resolved in the next version. I am unsure as to which way I should split these into issues if at all and would appreciate any advice. All in all though, the salt stuff is great when it works but the missing or broken parts make it hard to justify at present. My apologies for the long post. Thank you for your time, Taylor Lawson -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e40da471-2123-4a27-98a6-b5b7e761c075%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
