diff --git a/README.md b/README.md index a24f6cd..6adf62f 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ However, it should still work fine. ## Deploy +### Manual deployment If you want to deploy manually, unpack `mirage-firewall.tar.bz2` in domU. The tarball contains `vmlinuz`, which is the unikernel itself, plus a dummy initramfs file that Qubes requires: @@ -84,6 +85,9 @@ qvm-features mirage-firewall qubes-firewall 1 qvm-features mirage-firewall no-default-kernelopts 1 ``` +### Deployment using saltstack +If you're familiar how to run salt states in Qubes, you can also use the script `SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls` to automatically deploy the latest version of mirage firewall in your Qubes OS. The script checks the checksum from the integration server and compares with the latest version provided in the github releases. It might be necessary to adjust the VM templates in the script which are used for downloading of the mirage unikernel. Also don't forget to change the VMs in which the uni kernel should be used or adjust the "Qubes Global Settings". + ## Upgrading To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM. diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls new file mode 100644 index 0000000..ec3a486 --- /dev/null +++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls @@ -0,0 +1,103 @@ +# How to install the superlight mirage-firewall for Qubes OS by using saltstack +# Tested on Qubes v4.1 and mirage v0.8.5 +# After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script e.g. by using "Qubes Global Settings" +# inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall + +# You might want to adjust the following 2 variables to use up-to-date templates on your qubes +{% set DownloadVMTemplate = "fedora-38" %} +{% set DispVM = "fedora-38-dvm" %} + +{% set DownloadVM = "DownloadVmMirage" %} +{% set MirageFW = "sys-mirage-fw" %} +{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %} +{% set Filename = "mirage-firewall.tar.bz2" %} +{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %} + +#download and install the latest version +{% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %} + +{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %} + +create-downloader-VM: + qvm.vm: + - name: {{ DownloadVM }} + - present: + - template: {{ DownloadVMTemplate }} + - label: red + - prefs: + - template: {{ DownloadVMTemplate }} + - include-in-backups: false + +{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %} + +download-and-unpack-in-DownloadVM4mirage: + cmd.run: + - names: + - qvm-run --pass-io {{ DownloadVM }} {{ "wget " ~ DownloadBinary }} + - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }} + - require: + - create-downloader-VM + + +check-checksum-in-DownloadVM: + cmd.run: + - names: + - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }} + - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }} + - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img + - require: + - download-and-unpack-in-DownloadVM4mirage + +copy-mirage-kernel-to-dom0: + cmd.run: + - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }} + - require: + - download-and-unpack-in-DownloadVM4mirage + - check-checksum-in-DownloadVM + +create-initramfs: + cmd.run: + - names: + - gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }} + - echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }} + - require: + - copy-mirage-kernel-to-dom0 + +create-sys-mirage-fw: + qvm.vm: + - name: {{ MirageFW }} + - present: + - class: StandaloneVM + - label: black + - prefs: + - kernel: mirage-firewall + - kernelopts: + - include-in-backups: False + - memory: 32 + - maxmem: 32 + - netvm: sys-net + - provides-network: True + - vcpus: 1 + - virt-mode: pvh + - features: + - enable: + - qubes-firewall + - no-default-kernelopts + - require: + - copy-mirage-kernel-to-dom0 + + +cleanup-in-DownloadVM: + cmd.run: + - names: + - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}" + - require: + - create-initramfs + +remove-DownloadVM4mirage: + qvm.absent: + - name: {{ DownloadVM }} + - require: + - cleanup-in-DownloadVM + +{% endif %}