added note on DevOps/CI with Salt and with ansible

Oleg Artemev 2018-12-28 00:59:39 +03:00
parent 471473ea94
commit 2b60f7e39d

@ -582,3 +582,10 @@ Arguably secure boot reliance on UEFI integrity is not the best design.
The relevant binaries (shim.efi, xen.efi, kernel / initramfs) are not signed by the Qubes Team and secure boot has not been tested. The relevant binaries (shim.efi, xen.efi, kernel / initramfs) are not signed by the Qubes Team and secure boot has not been tested.
Intel TXT (used in [Anti Evil Maid](/doc/anti-evil-maid/)) at least tries to avoid or limit trust in BIOS. Intel TXT (used in [Anti Evil Maid](/doc/anti-evil-maid/)) at least tries to avoid or limit trust in BIOS.
See the Heads project [[1]](https://trmm.net/Heads) [[2]](http://osresearch.net/) for a better-designed non-UEFI-based secure boot scheme with very good support for Qubes. See the Heads project [[1]](https://trmm.net/Heads) [[2]](http://osresearch.net/) for a better-designed non-UEFI-based secure boot scheme with very good support for Qubes.
### Is there a way to automate tasks like with Continuous Integration / DevOps?
Yes. Since Qubes 3.1 there is [Salt / SaltStack](/doc/salt/) support by Qubes Team.
Also there is an [external project for Qubes 3.x that uses ansible](https://github.com/Rudd-O/ansible-qubes) .
With it "you can completely script the setup and maintenance of an entire network of Qubes OS machines". Though note, that this stuff is NOT from Qubes Team and managing Dom0 from qube in Qubes 3.x is against Qubes security model (you have been warned).
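Review bot: The security caveat on the last added line comes after the quoted promotional sentence and does not say what the risk is. "managing Dom0 from qube in Qubes 3.x is against Qubes security model" should be placed before the quote, and it should state the consequence: the qube that drives the management runs has to be trusted as much as dom0. Replace "this stuff" and "(you have been warned)" with a plain statement that the project is third-party and not reviewed or supported by the Qubes Team. The quote itself is unattributed, so say where it comes from (presumably the linked project's README). The added text scopes both the project and the warning to "Qubes 3.x" while the Salt sentence says "Since Qubes 3.1"; please clarify whether the warning also applies to later releases. Minor: there is a stray space before the period after the ansible-qubes link, and "ansible" should be capitalized as "Ansible" to match "Salt / SaltStack".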