2017-02-06 09:21:00 -05:00
---
2021-03-13 13:06:18 -05:00
lang: en
2015-11-27 19:54:28 -05:00
layout: doc
2021-06-16 22:56:25 -04:00
permalink: /doc/salt/
2021-03-13 13:06:18 -05:00
ref: 185
2021-06-21 01:49:41 -04:00
title: Salt (management software)
2015-11-27 19:54:28 -05:00
---
2017-05-08 04:45:56 -04:00
Since the Qubes R3.1 release we have included the Salt (also called SaltStack)
management engine in dom0 as default (with some states already configured).
Salt allows administrators to easily configure their systems.
2021-03-13 12:03:23 -05:00
In this guide we will show how it is set up and how you can modify it for your
2017-05-08 04:45:56 -04:00
own purpose.
2015-11-27 19:54:28 -05:00
In the current form the **API is provisional** and subject to change between
*minor* releases.
2017-05-08 04:45:56 -04:00
## Understanding Salt
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
This document is not meant to be comprehensive Salt documentation; however,
2015-11-27 19:54:28 -05:00
before writing anything it is required you have at least *some* understanding of
2017-05-08 04:45:56 -04:00
basic Salt-related vocabulary.
2021-06-17 07:05:33 -04:00
For more exhaustive documentation, visit [official site ](https://docs.saltproject.io/en/latest/ ), though we
2021-03-13 12:03:23 -05:00
must warn you that it is not easy to read if you just start working with Salt
2017-05-08 04:45:56 -04:00
and know nothing.
### The Salt Architecture
Salt is a client-server model, where the server (called *master* ) manages
its clients (called *minions* ).
2021-03-13 12:03:23 -05:00
In typical situations, it is intended that the administrator interacts only
2017-05-08 04:45:56 -04:00
with the master and keeps the configurations there.
In Qubes, we don't have a master.
2024-04-14 10:06:47 -04:00
Instead we have one minion which resides in `dom0` and manages qubes from
2017-05-08 04:45:56 -04:00
there.
This setup is also supported by Salt.
2021-03-13 12:03:23 -05:00
Salt is a management engine (similar to Ansible, Puppet, and Chef), that
2017-05-08 04:45:56 -04:00
enforces a particular state of a minion system.
A *state* is an end effect *declaratively* expressed by the administrator.
This is the most important concept in the entire engine.
All configurations (i.e., the states) are written in YAML.
A *pillar* is a data back-end declared by the administrator.
2021-03-13 12:03:23 -05:00
When states become repetitive, instead of pure YAML they can be written using a
template engine (preferably Jinja2); which can use data structures specified in
2017-05-08 04:45:56 -04:00
pillars.
2021-03-13 12:03:23 -05:00
A *formula* is a ready to use, packaged solution that combines a state and a
2017-05-08 04:45:56 -04:00
pillar (possibly with some file templates and other auxiliary files).
There are many formulas made by helpful people all over the Internet.
2015-11-27 19:54:28 -05:00
A *grain* is some data that is also available in templates, but its value is not
2017-05-08 04:45:56 -04:00
directly specified by administrator.
2021-03-13 12:03:23 -05:00
For example, the distribution (e.g., `"Debian"` or `"Gentoo"` ) is a value of
the grain `"os"` . It also contains other information about the kernel,
2017-05-08 04:45:56 -04:00
hardware, etc.
A *module* is a Python extension to Salt that is responsible for actually
enforcing the state in a particular area.
It exposes some *imperative* functions for the administrator.
2021-03-13 12:03:23 -05:00
For example, there is a `system` module that has a `system.halt` function that,
2017-05-08 04:45:56 -04:00
when issued, will immediately halt a domain.
2024-04-14 10:06:47 -04:00
In salt, there are different levels of functionality.
The lowest level is a single state function, called like
this `state.single pkg.installed name=firefox-esr`
When the system compiles data from sls formulas, it generates *chunks* -
low chunks are at the bottom of the compiler . You can call them with
`state.low`
Next up is the *lowstate* level - this is the list of all low chunks in
order. - To see them you have `state.show_lowstate` , and use `state.lowstate` to apply them.
At the top level is *highstate* - this is an interpretation of **all** the data represented in YAML
in sls files. You can view it with `state.show_highstate` .
When you want to apply a configuration, you can use `qubesctl state.highstate.`
This will apply all the states you have included in highstate.
There is another function, `state.apply` ; `state.apply` has two uses.
When used on its own, it will apply *highstate* - all the configuration that has been enabled.
It can also be used to apply a specific state, like this: `state.apply browser` - this will apply the state specified in `browser.sls` .
For simplicity we will use `state.apply` through this page, when we want to apply all configured states.
2015-11-27 19:54:28 -05:00
2017-02-05 17:52:43 -05:00
### Configuration
#### States
The smallest unit of configuration is a state.
2017-05-08 04:45:56 -04:00
A state is written in YAML and looks like this:
2017-02-05 17:52:43 -05:00
2021-03-28 14:58:39 -04:00
```
stateid:
cmd.run: #this is the execution module. in this case it will execute a command on the shell
- name: echo 'hello world' #this is a parameter of the state.
```
2017-02-05 17:52:43 -05:00
2021-03-13 12:03:23 -05:00
The stateid has to be unique throughout all states running for a minion and can
2017-05-08 04:45:56 -04:00
be used to order the execution of the references state.
`cmd.run` is an execution module.
It executes a command on behalf of the administrator.
`name: echo 'hello world'` is a parameter for the execution module `cmd.run` .
The module used defines which parameters can be passed to it.
2017-02-05 17:52:43 -05:00
2021-06-17 07:05:33 -04:00
There is a list of [officially available states ](https://docs.saltproject.io/en/latest/ref/states/all/ ).
2017-02-05 17:52:43 -05:00
There are many very useful states:
2017-02-06 09:23:39 -05:00
2021-06-17 07:05:33 -04:00
- For [managing files ](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html ): Use this to create files or
2017-02-05 17:52:43 -05:00
directories and change them (append lines, replace text, set their content etc.)
2021-06-17 07:05:33 -04:00
- For [installing and uninstalling ](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.pkg.html ) packages.
- For [executing shell commands ](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.cmd.html ).
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
With these three states you can define most of the configuration of a VM.
2017-02-05 17:52:43 -05:00
2021-06-17 07:05:33 -04:00
You can also [order the execution ](https://docs.saltproject.io/en/latest/ref/states/ordering.html ) of your states:
2017-02-05 17:52:43 -05:00
2021-03-28 14:58:39 -04:00
```
D:
cmd.run:
- name: echo 1
- order: last
C:
cmd.run:
- name: echo 1
B:
cmd.run:
- name: echo 1
- require:
- cmd: A
- require_in:
- cmd:C
A:
cmd.run:
- name: echo 1
- order: 1
```
2017-02-05 17:52:43 -05:00
The order of execution will be `A, B, C, D` .
2021-03-13 12:03:23 -05:00
The official documentation has more details on the
2021-06-17 07:05:33 -04:00
[require ](https://docs.saltproject.io/en/latest/ref/states/requisites.html ) and [order ](https://docs.saltproject.io/en/latest/ref/states/ordering.html#the-order-option ) arguments.
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
#### State Files
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
When configuring a system you will write one or more state files (`*.sls`) and
put (or symlink) them into the main Salt directory `/srv/salt/` .
2021-03-13 12:03:23 -05:00
Each state file contains multiple states and should describe some unit of
2024-04-14 10:06:47 -04:00
configuration (e.g., a state file `mail.sls` could setup a qube for e-mail).
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
#### Top Files
2017-02-05 17:52:43 -05:00
2024-04-14 10:06:47 -04:00
After you have several state files, you need something to assign them to a qube.
2021-06-17 07:05:33 -04:00
This is done by `*.top` files ([official documentation](https://docs.saltproject.io/en/latest/ref/states/top.html)).
2017-02-05 17:52:43 -05:00
Their structure looks like this:
2021-03-28 14:58:39 -04:00
```
environment:
target_matching_clause:
- statefile1
- folder2.statefile2
```
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
In most cases, the environment will be called `base` .
2024-04-14 10:06:47 -04:00
The `target_matching_clause` will be used to select your minions (Templates or qubes).
It can be either the name of a qube or a regular expression.
2021-03-13 12:03:23 -05:00
If you are using a regular expressions, you need to give Salt a hint you are
2017-05-08 04:45:56 -04:00
doing so:
2017-02-05 17:52:43 -05:00
2021-03-28 14:58:39 -04:00
```
environment:
^app-(work|(?!mail).*)$:
- match: pcre
- statefile
```
2017-02-05 17:52:43 -05:00
For each target you can write a list of state files.
2021-03-13 12:03:23 -05:00
Each line is a path to a state file (without the `.sls` extension) relative to
2017-05-08 04:45:56 -04:00
the main directory.
2021-03-13 12:03:23 -05:00
Each `/` is exchanged with a `.` , so you can't reference files or directories
2017-05-08 04:45:56 -04:00
with a `.` in their name.
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
### Enabling Top Files and Applying the States
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
Now, because we use custom extensions to manage top files (instead of just
enabling them all), to enable a particular top file you should issue command:
2017-02-05 17:52:43 -05:00
2021-03-13 12:03:23 -05:00
```
$ qubesctl top.enable my-new-vm
```
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
To list all enabled top files:
2017-02-05 17:52:43 -05:00
2021-03-13 12:03:23 -05:00
```
$ qubesctl top.enabled
```
2017-02-05 17:52:43 -05:00
And to disable one:
2021-03-13 12:03:23 -05:00
```
$ qubesctl top.disable my-new-vm
```
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
To apply the states to dom0 and all VMs:
2017-02-05 17:52:43 -05:00
2021-03-13 12:03:23 -05:00
```
2022-09-04 06:40:44 -04:00
$ qubesctl --all state.apply
2021-03-13 12:03:23 -05:00
```
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
(More information on the `qubesctl` command further down.)
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
### Template Files
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
You will sometimes find yourself writing repetitive states.
To solve this, there is the ability to template files or states.
2023-04-26 12:50:14 -04:00
This is most commonly done with [Jinja ](https://palletsprojects.com/p/jinja/ ).
2021-03-13 12:03:23 -05:00
Jinja is similar to Python and in many cases behaves in a similar fashion, but
2017-05-08 04:45:56 -04:00
there are sometimes differences when, for example, you set some variable inside
a loop: the variable outside will not get changed.
Instead, to get this behavior, you would use a `do` statement.
2023-04-26 12:50:14 -04:00
So you should take a look at the [Jinja API documentation ](https://jinja.palletsprojects.com/templates/ ).
2021-03-13 12:03:23 -05:00
Documentation about using Jinja to directly call Salt functions and get data
about your system can be found in the official
2021-06-17 07:05:33 -04:00
[Salt documentation ](https://docs.saltproject.io/en/getstarted/config/jinja.html#get-data-using-salt ).
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
## Salt Configuration, QubesOS layout
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
All Salt configuration files are in the `/srv/` directory, as usual.
The main directory is `/srv/salt/` where all state files reside.
States are contained in `*.sls` files.
2021-03-13 12:03:23 -05:00
However, the states that are part of the standard Qubes distribution are mostly
2017-05-08 04:45:56 -04:00
templates and the configuration is done in pillars from formulas.
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
The formulas are in `/srv/formulas` , including stock formulas for domains in
2024-04-14 10:06:47 -04:00
`/srv/formulas/dom0/virtual-machines-formula/qvm` , which are used by first boot.
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
Because we use some code that is not found in older versions of Salt, there is
a tool called `qubesctl` that should be run instead of `salt-call --local` .
It accepts all the same arguments of the vanilla tool.
2015-11-27 19:54:28 -05:00
2024-04-14 10:06:47 -04:00
## Configuring a qube's System from Dom0
2016-04-30 21:47:32 -04:00
2024-04-14 10:06:47 -04:00
Salt can be used to configure qubes from dom0.
Simply set the qube name as the target minion name in the top file.
You can also use the `qubes` pillar module to select qubes with a particular
2017-05-08 04:45:56 -04:00
property (see below).
If you do so, then you need to pass additional arguments to the `qubesctl` tool:
2016-04-30 21:47:32 -04:00
2021-03-28 14:58:39 -04:00
```
usage: qubesctl [-h] [--show-output] [--force-color] [--skip-dom0]
[--targets TARGETS | --templates | --app | --all]
...
positional arguments:
2022-09-04 06:40:44 -04:00
command Salt command to execute (e.g., state.apply)
2021-03-28 14:58:39 -04:00
optional arguments:
-h, --help show this help message and exit
--show-output Show output of management commands
--force-color Force color output, allow control characters from VM,
UNSAFE
--skip-dom0 Skip dom0 configuration (VM creation etc)
--targets TARGETS Coma separated list of VMs to target
--templates Target all templates
2021-06-18 04:55:53 -04:00
--app Target all app qubes
2021-06-18 05:16:40 -04:00
--all Target all non-disposables (templates and app qubes)
2021-03-28 14:58:39 -04:00
```
2016-04-30 21:47:32 -04:00
2022-09-04 06:40:44 -04:00
To apply a state to all templates, call `qubesctl --templates state.apply` .
2016-04-30 21:47:32 -04:00
2021-03-13 12:03:23 -05:00
The actual configuration is applied using `salt-ssh` (running over `qrexec`
2017-05-08 04:45:56 -04:00
instead of `ssh` ).
2024-04-14 10:06:47 -04:00
Which means you don't need to install anything special in a qube you want to
2017-05-08 04:45:56 -04:00
manage.
2024-04-14 10:06:47 -04:00
Additionally, for each target qube, `salt-ssh` is started from a temporary qube.
This way dom0 doesn't directly interact with potentially malicious target qubes;
and in the case of a compromised Salt qube, because they are temporary, the
compromise cannot spread from one qube to another.
2016-04-30 21:47:32 -04:00
2021-04-10 18:09:05 -04:00
Beginning with Qubes 4.0 and after [QSB #45 ](/news/2018/12/03/qsb-45/ ), we implemented two changes:
2018-12-03 21:11:10 -05:00
2024-04-14 10:06:47 -04:00
1. Added the `management_dispvm` qube property, which specifies the disposable
2018-12-03 21:11:10 -05:00
Template that should be used for management, such as Salt
2021-06-18 04:55:53 -04:00
configuration. App qubes inherit this property from their
2021-06-18 05:16:40 -04:00
parent templates. If the value is not set explicitly, the default
2018-12-03 21:11:10 -05:00
is taken from the global `management_dispvm` property. The
2024-04-14 10:06:47 -04:00
qube-specific property is set with the `qvm-prefs` command, while the
2018-12-03 21:11:10 -05:00
global property is set with the `qubes-prefs` command.
2021-06-18 05:04:39 -04:00
2. Created the `default-mgmt-dvm` disposable template, which is hidden from
2018-12-03 21:11:10 -05:00
the menu (to avoid accidental use), has networking disabled, and has
2024-04-14 10:06:47 -04:00
a black label (the same as templates). This qube is set as the global
2021-06-18 05:04:39 -04:00
`management_dispvm` . Keep in mind that this disposable template has full control
2024-04-14 10:06:47 -04:00
over the qubes it's used to manage.
2018-12-03 21:11:10 -05:00
2017-05-08 04:45:56 -04:00
## Writing Your Own Configurations
2015-11-27 19:54:28 -05:00
2017-05-11 04:48:59 -04:00
Let's start with a quick example:
2015-11-27 19:54:28 -05:00
2021-03-28 14:58:39 -04:00
```
my new and shiny VM:
qvm.present:
- name: salt-test # can be omitted when same as ID
- template: fedora-21
- label: yellow
- mem: 2000
- vcpus: 4
- flags:
- proxy
```
2015-11-27 19:54:28 -05:00
2024-04-14 10:06:47 -04:00
It uses the Qubes-specific `qvm.present` state, which ensures that the qube is
2017-05-08 04:45:56 -04:00
present (if not, it creates it).
2015-11-27 19:54:28 -05:00
2024-04-14 10:06:47 -04:00
- The `name` flag informs Salt that the qube should be named `salt-test` (not
2017-05-08 04:45:56 -04:00
`my new and shiny VM` ).
2024-04-14 10:06:47 -04:00
- The `template` flag informs Salt which template should be used for the qube.
- The `label` flag informs Salt what color the qube should be.
- The `mem` flag informs Salt how much RAM should be allocated to the qube.
2021-03-13 12:03:23 -05:00
- The `vcpus` flag informs Salt how many Virtual CPUs should be allocated to the
2024-04-14 10:06:47 -04:00
qube
- The `proxy` flag informs Salt that the qube should be a ProxyVM.
2017-05-08 04:45:56 -04:00
2021-03-13 12:03:23 -05:00
As you will notice, the options are the same (or very similar) to those used in
2017-05-08 04:45:56 -04:00
`qvm-prefs` .
This should be put in `/srv/salt/my-new-vm.sls` or another `.sls` file.
A separate `*.top` file should be also written:
2015-11-27 19:54:28 -05:00
2021-03-28 14:58:39 -04:00
```
base:
dom0:
- my-new-vm
```
2015-11-27 19:54:28 -05:00
2021-03-13 12:03:23 -05:00
**Note** The third line should contain the name of the previous state file,
2017-05-08 04:45:56 -04:00
without the `.sls` extension.
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
To enable the particular top file you should issue the command:
2015-11-27 19:54:28 -05:00
2021-03-13 12:03:23 -05:00
```
$ qubesctl top.enable my-new-vm
```
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
To apply the state:
2015-11-27 19:54:28 -05:00
2021-03-13 12:03:23 -05:00
```
2022-09-04 06:40:44 -04:00
$ qubesctl state.apply
2021-03-13 12:03:23 -05:00
```
2015-11-27 19:54:28 -05:00
2024-04-14 10:06:47 -04:00
### Example of Configuring Templates from Dom0
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
Lets make sure that the `mc` package is installed in all templates.
2021-03-13 12:03:23 -05:00
Similar to the previous example, you need to create a state file
2017-05-08 04:45:56 -04:00
(`/srv/salt/mc-everywhere.sls`):
2016-04-30 21:47:32 -04:00
2021-03-28 14:58:39 -04:00
```
mc:
pkg.installed: []
```
2016-04-30 21:47:32 -04:00
2017-05-08 04:45:56 -04:00
Then the appropriate top file (`/srv/salt/mc-everywhere.top`):
2016-04-30 21:47:32 -04:00
2021-03-28 14:58:39 -04:00
```
base:
qubes:type:template:
- match: pillar
- mc-everywhere
```
2016-04-30 21:47:32 -04:00
2017-05-08 04:45:56 -04:00
Now you need to enable the top file:
2016-04-30 21:47:32 -04:00
2021-03-13 12:03:23 -05:00
```
$ qubesctl top.enable mc-everywhere
```
2016-04-30 21:47:32 -04:00
And apply the configuration:
2021-03-13 12:03:23 -05:00
```
2022-09-04 06:40:44 -04:00
$ qubesctl --all state.apply
2021-03-13 12:03:23 -05:00
```
2016-04-30 21:47:32 -04:00
2017-05-08 04:45:56 -04:00
## All Qubes-specific States
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
### `qvm.present`
2017-02-05 17:52:43 -05:00
2024-04-14 10:06:47 -04:00
As in the example above, it creates a qube and sets its properties.
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
### `qvm.prefs`
2015-11-27 19:54:28 -05:00
2024-04-14 10:06:47 -04:00
You can set properties of an existing qube:
2015-11-27 19:54:28 -05:00
2021-03-28 14:58:39 -04:00
```
my preferences:
qvm.prefs:
- name: salt-test2
- netvm: sys-firewall
```
2015-11-27 19:54:28 -05:00
2024-04-14 10:06:47 -04:00
***Note*** The `name:` option will not change the name of a qube, it will only
be used to match a qube to apply the configurations to it.
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
### `qvm.service`
2015-11-27 19:54:28 -05:00
2021-03-28 14:58:39 -04:00
```
2024-04-14 10:06:47 -04:00
services in my qube:
2021-03-28 14:58:39 -04:00
qvm.service:
- name: salt-test3
- enable:
- service1
- service2
- disable:
- service3
- service4
- default:
- service5
```
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
This enables, disables, or sets to default, services as in `qvm-service` .
2015-11-27 19:54:28 -05:00
2017-05-08 04:45:56 -04:00
### `qvm.running`
2017-02-05 17:52:43 -05:00
2024-04-14 10:06:47 -04:00
Ensures the specified qube is running:
2015-11-27 19:54:28 -05:00
2021-03-28 14:58:39 -04:00
```
2024-04-14 10:06:47 -04:00
qube is running:
2021-03-28 14:58:39 -04:00
qvm.running:
- name: salt-test4
```
2015-11-27 19:54:28 -05:00
2018-06-16 15:44:00 -04:00
## Virtual Machine Formulae
2024-04-14 10:06:47 -04:00
You can use these formulae to download, install, and configure qubes in Qubes.
These formulae use pillar data to define default qube names and configuration details.
2018-06-16 15:44:00 -04:00
The default settings can be overridden in the pillar data located in:
2021-03-13 12:03:23 -05:00
2018-06-16 15:44:00 -04:00
```
/srv/pillar/base/qvm/init.sls
```
2021-03-13 12:03:23 -05:00
2018-06-16 15:44:00 -04:00
In dom0, you can apply a single state with `sudo qubesctl state.sls STATE_NAME` .
2024-04-14 10:06:47 -04:00
For example, `sudo qubesctl state.sls qvm.personal` will create a `personal` qube (if it does not already exist) with all its dependencies (template, `sys-firewall` , and `sys-net` ).
2018-06-16 15:44:00 -04:00
### Available states
#### `qvm.sys-net`
System NetVM
#### `qvm.sys-usb`
2024-04-14 10:06:47 -04:00
System USB qube
2018-06-16 15:44:00 -04:00
2022-03-14 14:43:42 -04:00
#### `qvm.sys-net-as-usbvm`
2018-06-16 15:44:00 -04:00
2024-04-14 10:06:47 -04:00
System USB qube bundled into NetVM. Do not enable together with `qvm.sys-usb` .
2018-06-16 15:44:00 -04:00
#### `qvm.usb-keyboard`
2024-04-14 10:06:47 -04:00
Enable USB keyboard together with USB qube, including for early system boot (for LUKS passhprase).
This state implicitly creates a USB qube (`qvm.sys-usb` state), if not already done.
2018-06-16 15:44:00 -04:00
#### `qvm.sys-firewall`
System firewall ProxyVM
#### `qvm.sys-whonix`
Whonix gateway ProxyVM
#### `qvm.personal`
2021-06-18 04:55:53 -04:00
Personal app qube
2018-06-16 15:44:00 -04:00
#### `qvm.work`
2021-06-18 04:55:53 -04:00
Work app qube
2018-06-16 15:44:00 -04:00
#### `qvm.untrusted`
2021-06-18 04:55:53 -04:00
Untrusted app qube
2018-06-16 15:44:00 -04:00
#### `qvm.vault`
2021-06-18 04:55:53 -04:00
Vault app qube with no NetVM enabled.
2018-06-16 15:44:00 -04:00
#### `qvm.default-dispvm`
2021-06-18 05:04:39 -04:00
Default disposable template - fedora-26-dvm app qube
2018-06-16 15:44:00 -04:00
#### `qvm.anon-whonix`
2021-06-18 04:55:53 -04:00
Whonix workstation app qube.
2018-06-16 15:44:00 -04:00
#### `qvm.whonix-ws-dvm`
2021-06-18 05:04:39 -04:00
Whonix workstation app qube for Whonix disposables.
2018-06-16 15:44:00 -04:00
#### `qvm.updates-via-whonix`
Setup UpdatesProxy to route all templates updates through Tor (sys-whonix here).
#### `qvm.template-fedora-21`
2021-06-18 05:16:40 -04:00
Fedora-21 template
2018-06-16 15:44:00 -04:00
#### `qvm.template-fedora-21-minimal`
2021-06-18 05:16:40 -04:00
Fedora-21 minimal template
2018-06-16 15:44:00 -04:00
#### `qvm.template-debian-7`
2021-06-18 05:16:40 -04:00
Debian 7 (wheezy) template
2018-06-16 15:44:00 -04:00
#### `qvm.template-debian-8`
2021-06-18 05:16:40 -04:00
Debian 8 (jessie) template
2018-06-16 15:44:00 -04:00
#### `qvm.template-whonix-gw`
2021-06-18 05:16:40 -04:00
Whonix Gateway template
2018-06-16 15:44:00 -04:00
#### `qvm.template-whonix-ws`
2021-06-18 05:16:40 -04:00
Whonix Workstation template
2018-06-16 15:44:00 -04:00
2020-10-16 05:46:46 -04:00
#### `update.qubes-dom0`
2021-05-06 09:32:46 -04:00
Updates dom0. Example (executed in dom0):
2021-05-06 09:30:53 -04:00
```
2021-05-06 09:32:46 -04:00
$ sudo qubesctl --show-output state.sls update.qubes-dom0
2021-05-06 09:30:53 -04:00
```
2020-10-16 05:46:46 -04:00
#### `update.qubes-vm`
2021-06-18 05:16:40 -04:00
Updates domUs. Example to update all templates (executed in dom0):
2020-10-16 05:46:46 -04:00
2021-03-13 12:03:23 -05:00
```
2021-05-06 09:32:46 -04:00
$ sudo qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
2021-03-13 12:03:23 -05:00
```
2020-10-16 05:46:46 -04:00
Useful options:
2021-03-13 12:03:23 -05:00
- `--max-concurrency` --- Limits how many templates are updated at the same time.
Adjust to your available RAM.
The default is 4, and the GUI updater sets it to 1.
2024-04-14 10:06:47 -04:00
- `--targets=vm1,vm2,...` --- Limit to specific qubes, instead of all of them.
2021-03-13 12:03:23 -05:00
(Use instead of `--templates` or `--standalones` .)
- `--show-output` --- Show an update summary instead of just OK/FAIL.
2020-10-16 05:46:46 -04:00
For other options, see `qubesctl --help` .
2018-06-16 15:44:00 -04:00
2017-05-08 04:45:56 -04:00
## The `qubes` Pillar Module
2016-04-30 21:47:32 -04:00
2021-03-13 12:03:23 -05:00
Additional pillar data is available to ease targeting configurations (for example all templates).
2018-06-16 15:44:00 -04:00
**Note:** This list is subject to change in future releases.
2016-04-30 21:47:32 -04:00
2024-05-15 17:59:30 -04:00
### `qubes:features`
Features the qube has. Only some values are included:
- `service.*` - services enabled or disabled in the qube
- `vm-config.*` - features also exposed to qubesdb
### `qubes:tags`
Tags the qube has.
2017-05-08 04:45:56 -04:00
### `qubes:type`
2016-04-30 21:47:32 -04:00
2024-04-14 10:06:47 -04:00
qube type. Possible values:
2016-04-30 21:47:32 -04:00
2024-04-14 10:06:47 -04:00
- `admin` - Administration qube (`dom0`)
2021-06-18 05:16:40 -04:00
- `template` - template
2024-04-14 10:06:47 -04:00
- `standalone` - Standalone qube
2021-06-18 04:55:53 -04:00
- `app` - Template based app qube
2016-04-30 21:47:32 -04:00
2017-05-08 04:45:56 -04:00
### `qubes:template`
2016-04-30 21:47:32 -04:00
2024-04-14 10:06:47 -04:00
Template name on which a given qube is based (if any).
2016-04-30 21:47:32 -04:00
2017-05-08 04:45:56 -04:00
### `qubes:netvm`
2016-04-30 21:47:32 -04:00
2024-04-14 10:06:47 -04:00
qube which provides network to the given qube
2016-04-30 21:47:32 -04:00
2017-02-05 17:52:43 -05:00
## Debugging
2024-04-14 10:06:47 -04:00
The output for each qube is logged in `/var/log/qubes/mgmt-VM_NAME.log` .
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
If the log does not contain useful information:
2022-09-04 06:40:44 -04:00
1. Run `sudo qubesctl --skip-dom0 --target=VM_NAME state.apply`
2024-04-14 10:06:47 -04:00
2. When your qube is being started (yellow) press Ctrl-z on qubesctl.
3. Open terminal in disp-mgmt-qube_NAME.
2021-03-13 12:03:23 -05:00
4. Look at /etc/qubes-rpc/qubes.SaltLinuxVM - this is what is
2024-04-14 10:06:47 -04:00
executed in the management qube.
2017-02-05 17:52:43 -05:00
5. Get the last two lines:
2021-03-13 12:03:23 -05:00
```shell_session
2017-05-08 04:45:56 -04:00
$ export PATH="/usr/lib/qubes-vm-connector/ssh-wrapper:$PATH"
$ salt-ssh "$target_vm" $salt_command
2021-03-13 12:03:23 -05:00
```
2017-02-05 17:52:43 -05:00
2022-09-04 06:40:44 -04:00
Adjust $target_vm (VM_NAME) and $salt_command (state.apply).
2017-02-05 17:52:43 -05:00
6. Execute them, fix problems, repeat.
2017-05-08 04:45:56 -04:00
## Known Pitfalls
2017-02-06 09:34:48 -05:00
2017-02-05 17:52:43 -05:00
### Using fedora-24-minimal
2017-05-08 04:45:56 -04:00
The fedora-24-minimal package is missing the `sudo` package.
2017-02-05 17:52:43 -05:00
You can install it via:
2021-03-13 12:03:23 -05:00
```shell_session
$ qvm-run -p -u root fedora-24-minimal-template 'dnf install -y sudo'
```
2017-05-08 04:45:56 -04:00
The `-p` will cause the execution to wait until the package is installed.
2017-05-08 23:03:18 -04:00
Having the `-p` flag is important when using a state with `cmd.run` .
2017-05-08 04:45:56 -04:00
### Disk Quota Exceeded (When Installing Templates)
2017-02-05 17:52:43 -05:00
If you install multiple templates you may encounter this error.
2017-05-08 04:45:56 -04:00
The solution is to shut down the updateVM between each install:
2017-02-05 17:52:43 -05:00
2021-03-28 14:58:39 -04:00
```
install template and shutdown updateVM:
cmd.run:
- name: sudo qubes-dom0-update -y fedora-24; qvm-shutdown {% raw %}{{ salt.cmd.run(qubes-prefs updateVM) }}{% endraw %}
```
2017-02-05 17:52:43 -05:00
2017-05-08 04:45:56 -04:00
## Further Reading
2015-11-29 09:14:16 -05:00
2021-06-17 07:05:33 -04:00
- [Salt documentation ](https://docs.saltproject.io/en/latest/ )
- [Salt states ](https://docs.saltproject.io/en/latest/ref/states/all/ ) ([files](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html), [commands ](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.cmd.html ),
[packages ](https://docs.saltproject.io/en/latest/ref/states/all/salt.states.pkg.html ), [ordering ](https://docs.saltproject.io/en/latest/ref/states/ordering.html ))
- [Top files ](https://docs.saltproject.io/en/latest/ref/states/top.html )
2023-04-26 12:50:14 -04:00
- [Jinja templates ](https://palletsprojects.com/p/jinja/ )
2021-04-10 18:09:05 -04:00
- [Qubes specific modules ](https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/blob/master/README.rst )
2024-04-14 10:06:47 -04:00
- [Formulas for default Qubes qubes ](https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/tree/master/qvm )