From 2b60f7e39dd7960434eb2baf147919d904009983 Mon Sep 17 00:00:00 2001 From: Oleg Artemev Date: Fri, 28 Dec 2018 00:59:39 +0300 Subject: [PATCH 1/3] added note on DevOps/CI with Salt and with ansible --- about/faq.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/about/faq.md b/about/faq.md index 3afde8b2..e46a80bc 100644 --- a/about/faq.md +++ b/about/faq.md @@ -582,3 +582,10 @@ Arguably secure boot reliance on UEFI integrity is not the best design. The relevant binaries (shim.efi, xen.efi, kernel / initramfs) are not signed by the Qubes Team and secure boot has not been tested. Intel TXT (used in [Anti Evil Maid](/doc/anti-evil-maid/)) at least tries to avoid or limit trust in BIOS. See the Heads project [[1]](https://trmm.net/Heads) [[2]](http://osresearch.net/) for a better-designed non-UEFI-based secure boot scheme with very good support for Qubes. + +### Is there a way to automate tasks like with Continuous Integration / DevOps? + +Yes. Since Qubes 3.1 there is [Salt / SaltStack](/doc/salt/) support by Qubes Team. +Also there is an [external project for Qubes 3.x that uses ansible](https://github.com/Rudd-O/ansible-qubes) . +With it "you can completely script the setup and maintenance of an entire network of Qubes OS machines". Though note, that this stuff is NOT from Qubes Team and managing Dom0 from qube in Qubes 3.x is against Qubes security model (you have been warned). + From 68f3beaf5e9b5b0241ffe57c464e11856e824fce Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Sat, 29 Dec 2018 02:07:28 -0600 Subject: [PATCH 2/3] Improve language --- about/faq.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/about/faq.md b/about/faq.md index e46a80bc..6d19084b 100644 --- a/about/faq.md +++ b/about/faq.md 
@@ -583,9 +583,8 @@ The relevant binaries (shim.efi, xen.efi, kernel / initramfs) are not signed by Intel TXT (used in [Anti Evil Maid](/doc/anti-evil-maid/)) at least tries to avoid or limit trust in BIOS. See the Heads project [[1]](https://trmm.net/Heads) [[2]](http://osresearch.net/) for a better-designed non-UEFI-based secure boot scheme with very good support for Qubes. -### Is there a way to automate tasks like with Continuous Integration / DevOps? +### Is there a way to automate tasks for continuous integration or DevOps? -Yes. Since Qubes 3.1 there is [Salt / SaltStack](/doc/salt/) support by Qubes Team. -Also there is an [external project for Qubes 3.x that uses ansible](https://github.com/Rudd-O/ansible-qubes) . -With it "you can completely script the setup and maintenance of an entire network of Qubes OS machines". Though note, that this stuff is NOT from Qubes Team and managing Dom0 from qube in Qubes 3.x is against Qubes security model (you have been warned). +Yes, Qubes natively supports automation via [Salt (SaltStack)](/doc/salt/). +There is also the unofficial [ansible-qubes toolkit](https://github.com/Rudd-O/ansible-qubes) (which has not been reviewed or endorsed by the Qubes team). From 40c64a0dd2a27a088f437ade7772d5b4918b5e99 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Sat, 29 Dec 2018 17:32:42 -0600 Subject: [PATCH 3/3] Add explicit security warning about ansible-qubes --- about/faq.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/about/faq.md b/about/faq.md index 6d19084b..cffb36aa 100644 --- a/about/faq.md +++ b/about/faq.md 
@@ -586,5 +586,6 @@ See the Heads project [[1]](https://trmm.net/Heads) [[2]](http://osresearch.net/ ### Is there a way to automate tasks for continuous integration or DevOps? Yes, Qubes natively supports automation via [Salt (SaltStack)](/doc/salt/). -There is also the unofficial [ansible-qubes toolkit](https://github.com/Rudd-O/ansible-qubes) (which has not been reviewed or endorsed by the Qubes team). +There is also the unofficial [ansible-qubes toolkit](https://github.com/Rudd-O/ansible-qubes). +(**Warning:** Since this is an external project that has not been reviewed or endorsed by the Qubes team, [allowing it to manage dom0 may be a security risk](/doc/security-guidelines/#dom0-precautions).)
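Review bot: In the 1/3 hunk, the last added line says that managing Dom0 from a qube is against the Qubes security model but supports it only with "(you have been warned)" and gives no link to documentation explaining the risk. Suggest linking that claim to the relevant security documentation and dropping the parenthetical. On the line above it, the quoted sentence "you can completely script the setup and maintenance of an entire network of Qubes OS machines" has no attribution, so a reader can take it as a statement by the Qubes project; say that it is the external project's own description. There is also a stray space before the period after the ansible-qubes link.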
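Review bot: In the 2/3 hunk, the replacement lines drop the statement that managing Dom0 from a qube is against the Qubes security model and keep only "which has not been reviewed or endorsed by the Qubes team", which tells the reader about provenance but not about the actual risk. The version qualifiers "Since Qubes 3.1" and "for Qubes 3.x" are removed as well. The commit subject "Improve language" implies no change in content, so either keep the warning and the qualifiers or state in the commit message why they are being removed.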
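Review bot: In the 3/3 hunk, the added warning line ties the risk to the project's status ("Since this is an external project that has not been reviewed or endorsed by the Qubes team"), whereas the text introduced in 1/3 tied it to managing Dom0 from a qube at all. These are different claims, and the FAQ should say which one is meant, so that a reader does not conclude that a reviewed tool doing the same thing would be safe. The outer parentheses can also go: the warning has no blank line before it, so it renders in the same paragraph as the preceding sentence, and the bold "Warning:" already sets it apart.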