qubes-doc/user/troubleshooting/salt-troubleshooting.md
marlox-ouda 96f3817f54
Create salt-troubleshooting.md
Focus on the debugging inside the ephemeral disposable management vm.
2024-09-24 17:49:18 -04:00


lang: en
layout: doc
permalink: /doc/salt-troubleshooting/
redirect_from: /doc/salt/, /en/doc/salt/
ref: 1000000000000
title: Salt troubleshooting

To ease Qubes OS management and make deployments reproducible, Salt lets you control states on dom0 and on other VMs from dom0.

Behind the scenes

Except for dom0, where the host is controlled locally, each VM (named minion-vm for instance) is controlled by a disposable master VM based on disposable-mgmt-vm. This master VM is named disp-mgmt-minion-vm and is created only for the duration of the qubesctl execution.

The required files are copied from dom0 to disp-mgmt-minion-vm via qubes.Filecopy, then qubes.SaltLinuxVM is called and expects two lines on stdin:

minion-vm
salt-command

Usually salt-command is state.apply with the provided arguments, such as test=True.

Then, a fake ssh command wrapper included in qubes-mgmt-salt-vm-connector allows the command to be run on the target (minion-vm) via qubes.VMShell or qubes.VMRootShell. On the management VM disp-mgmt-minion-vm, Salt first creates /var/cache/salt/master/thin/thin.tgz and transfers it to minion-vm to ensure the destination host has the required Python files.

How to debug the ephemeral disposable management vm

First, the content transferred from dom0 to the disposable management VM needs to be retrieved. To do so, it is suggested to:

  1. From dom0, call qubesctl with the requested command, for example qubesctl --show-output --targets minion-vm --skip-dom0 state.apply.
  2. Suspend that command with Ctrl+Z as soon as you see that minion-vm is starting.
  3. From dom0, open a console on the disposable management VM with qvm-console-dispvm disp-mgmt-minion-vm.
  4. Type root to log in as root on the console.
  5. In disp-mgmt-minion-vm, edit /etc/qubes-rpc/qubes.SaltLinuxVM and, after the line eval "dir=~$user/QubesIncoming/dom0/srv", add the line qvm-copy $dir.
  6. In dom0, resume the suspended process with fg.
  7. Copy the content to another Qubes VM (side-vm for instance).

Second, a debuggable disposable management VM is set up. To do so, it is suggested to:

  1. From dom0, call qubesctl with the requested command, for example qubesctl --show-output --targets minion-vm --skip-dom0 state.apply.
  2. Suspend that command with Ctrl+Z as soon as you see that minion-vm is starting.
  3. Copy the retrieved content from side-vm to the disposable management VM disp-mgmt-minion-vm (with qvm-copy).
  4. From dom0, open a console on the disposable management VM with qvm-console-dispvm disp-mgmt-minion-vm.
  5. Type root to log in as root on the console. All following commands are run inside the console.
  6. Move the copied content to emulate content coming from dom0: cd /home/user/QubesIncoming; mv * dom0. The dom0 directory should then contain a directory named srv.
  7. Emulate a call to qubes.SaltLinuxVM with bash /etc/qubes-rpc/qubes.SaltLinuxVM.
  8. Emulate stdin: type the destination VM on the first line (minion-vm), the salt command on the second line (state.apply for instance), then press Ctrl+D.
  9. A first execution is launched.
  10. Put the wrappers in the PATH with export PATH="/usr/lib/qubes-vm/connector/ssh-wrapper:$PATH" (the line is available in /etc/qubes-rpc/qubes.SaltLinuxVM).

Third, in the console, run the following command as many times as needed to emulate a new call from the master to the minion: rm -r /var/cache/salt /var/tmp/.root*; salt-ssh -w minion-vm salt-command
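
Steps 6 to 8 of the second procedure can be wrapped in two shell functions that check the staged content and the two-line stdin format before calling the service. This is an added example, not code from qubes-doc or the Qubes project; the INCOMING and SERVICE variables, the function names and the target-name character check are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from qubes-doc). Run as root in the disp-mgmt-minion-vm console.
# INCOMING and SERVICE are variables introduced here so the paths can be overridden.
INCOMING="${INCOMING:-/home/user/QubesIncoming}"
SERVICE="${SERVICE:-/etc/qubes-rpc/qubes.SaltLinuxVM}"

# Step 6: rename the directory received from the side VM to "dom0".
# Checks for srv first, so a wrong copy is caught before anything is moved.
# Usage: stage_incoming side-vm
stage_incoming() {
    src="$INCOMING/$1"
    [ -d "$src/srv" ] || { echo "no srv directory in $src" >&2; return 1; }
    [ ! -e "$INCOMING/dom0" ] || { echo "$INCOMING/dom0 already exists" >&2; return 1; }
    mv "$src" "$INCOMING/dom0"
}

# Steps 7 and 8: feed the two expected stdin lines to qubes.SaltLinuxVM.
# Usage: emulate_salt_call minion-vm state.apply test=True
emulate_salt_call() {
    [ "$#" -ge 2 ] || { echo "usage: emulate_salt_call TARGET SALT-COMMAND..." >&2; return 2; }
    target="$1"; shift
    cmd="$*"
    nl='
'
    # Assumption: target names use only letters, digits, '-', '_' and '.'.
    case "$target" in
        ''|*[!A-Za-z0-9_.-]*) echo "unexpected character in target name" >&2; return 2 ;;
    esac
    # A newline inside the command would add a third stdin line.
    case "$cmd" in
        *"$nl"*) echo "salt command must fit on one line" >&2; return 2 ;;
    esac
    printf '%s\n%s\n' "$target" "$cmd" | bash "$SERVICE"
}
```

After sourcing the file in the console, call stage_incoming once, then emulate_salt_call for the first execution.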