Merge pull request #179 from 100111001/100111001-Readme-Adjustments
100111001 - SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
This commit is contained in:
commit
50306112ff
@ -49,6 +49,7 @@ However, it should still work fine.
|
||||
|
||||
## Deploy
|
||||
|
||||
### Manual deployment
|
||||
If you want to deploy manually, unpack `mirage-firewall.tar.bz2` in domU. The tarball contains `vmlinuz`,
|
||||
which is the unikernel itself, plus a dummy initramfs file that Qubes requires:
|
||||
|
||||
@ -84,6 +85,9 @@ qvm-features mirage-firewall qubes-firewall 1
|
||||
qvm-features mirage-firewall no-default-kernelopts 1
|
||||
```
|
||||
|
||||
### Deployment using saltstack
|
||||
If you're familiar how to run salt states in Qubes, you can also use the script `SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls` to automatically deploy the latest version of mirage firewall in your Qubes OS. The script checks the checksum from the integration server and compares with the latest version provided in the github releases. It might be necessary to adjust the VM templates in the script which are used for downloading of the mirage unikernel. Also don't forget to change the VMs in which the uni kernel should be used or adjust the "Qubes Global Settings".
|
||||
|
||||
## Upgrading
|
||||
|
||||
To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM.
|
||||
|
103
SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
Normal file
103
SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
Normal file
@ -0,0 +1,103 @@
|
||||
# How to install the superlight mirage-firewall for Qubes OS by using saltstack
|
||||
# Tested on Qubes v4.1 and mirage v0.8.5
|
||||
# After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script e.g. by using "Qubes Global Settings"
|
||||
# inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall
|
||||
|
||||
# You might want to adjust the following 2 variables to use up-to-date templates on your qubes
|
||||
{% set DownloadVMTemplate = "fedora-38" %}
|
||||
{% set DispVM = "fedora-38-dvm" %}
|
||||
|
||||
{% set DownloadVM = "DownloadVmMirage" %}
|
||||
{% set MirageFW = "sys-mirage-fw" %}
|
||||
{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
|
||||
{% set Filename = "mirage-firewall.tar.bz2" %}
|
||||
{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
|
||||
|
||||
#download and install the latest version
|
||||
{% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %}
|
||||
|
||||
{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %}
|
||||
|
||||
create-downloader-VM:
|
||||
qvm.vm:
|
||||
- name: {{ DownloadVM }}
|
||||
- present:
|
||||
- template: {{ DownloadVMTemplate }}
|
||||
- label: red
|
||||
- prefs:
|
||||
- template: {{ DownloadVMTemplate }}
|
||||
- include-in-backups: false
|
||||
|
||||
{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %}
|
||||
|
||||
download-and-unpack-in-DownloadVM4mirage:
|
||||
cmd.run:
|
||||
- names:
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "wget " ~ DownloadBinary }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }}
|
||||
- require:
|
||||
- create-downloader-VM
|
||||
|
||||
|
||||
check-checksum-in-DownloadVM:
|
||||
cmd.run:
|
||||
- names:
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
|
||||
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
|
||||
- require:
|
||||
- download-and-unpack-in-DownloadVM4mirage
|
||||
|
||||
copy-mirage-kernel-to-dom0:
|
||||
cmd.run:
|
||||
- name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }}
|
||||
- require:
|
||||
- download-and-unpack-in-DownloadVM4mirage
|
||||
- check-checksum-in-DownloadVM
|
||||
|
||||
create-initramfs:
|
||||
cmd.run:
|
||||
- names:
|
||||
- gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }}
|
||||
- echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }}
|
||||
- require:
|
||||
- copy-mirage-kernel-to-dom0
|
||||
|
||||
create-sys-mirage-fw:
|
||||
qvm.vm:
|
||||
- name: {{ MirageFW }}
|
||||
- present:
|
||||
- class: StandaloneVM
|
||||
- label: black
|
||||
- prefs:
|
||||
- kernel: mirage-firewall
|
||||
- kernelopts:
|
||||
- include-in-backups: False
|
||||
- memory: 32
|
||||
- maxmem: 32
|
||||
- netvm: sys-net
|
||||
- provides-network: True
|
||||
- vcpus: 1
|
||||
- virt-mode: pvh
|
||||
- features:
|
||||
- enable:
|
||||
- qubes-firewall
|
||||
- no-default-kernelopts
|
||||
- require:
|
||||
- copy-mirage-kernel-to-dom0
|
||||
|
||||
|
||||
cleanup-in-DownloadVM:
|
||||
cmd.run:
|
||||
- names:
|
||||
- qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}"
|
||||
- require:
|
||||
- create-initramfs
|
||||
|
||||
remove-DownloadVM4mirage:
|
||||
qvm.absent:
|
||||
- name: {{ DownloadVM }}
|
||||
- require:
|
||||
- cleanup-in-DownloadVM
|
||||
|
||||
{% endif %}
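Review bot: `Release` is output captured from a VM over `--pass-io` (the `set Release` line) and is then interpolated unquoted into dom0 shell commands — the release URL used by `download-and-unpack-in-DownloadVM4mirage` and `echo {{ Release }} > .../version.txt` in `create-initramfs` — so a compromised DispVM, or a crafted redirect target, could inject commands that run in dom0. Validate it against the expected tag shape before anything uses it, e.g. right after the `set Release` line: `{% if not Release | regex_match('^v[0-9]+(\\.[0-9]+)*$') %}{{ raise('unexpected release tag: ' ~ Release) }}{% endif %}` (the tags on this project appear to be of the form `vX.Y.Z`; adjust the pattern if that is not the case). Separately, `check-checksum-in-DownloadVM` takes its reference hash from `build-with-docker.sh` on `main` of the same GitHub origin that serves the tarball, so it is an integrity check against a moving reference rather than an authenticity check: the hash on `main` need not correspond to `{{ Release }}`, and anyone able to alter the release can alter the reference too. Consider fetching the script at the release tag (`.../{{ Release }}/build-with-docker.sh` instead of `.../main/build-with-docker.sh`) or pinning the expected SHA256 as a variable set after out-of-band verification, and state in the header comment that the current check only detects a corrupted or mismatched download, not a malicious upstream.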
|