Using Ansible to maintain your Qubes system
From the time I started using Qubes OS, "How do I create and set up new AppVMs in an efficient way?" remained an open question for me. I was mostly using the command line tools to create any new AppVM and then manually setting all the properties after creation. I also did the package installations and other setup inside of the VMs manually.
If you have never heard of Qubes before, you should check it out. Qubes takes a different approach to security, security by compartmentalization: different applications are isolated in separate qubes (VMs). The base system runs Fedora, and all other VMs run on top of Xen. It also provides a very tight integration of the tools to give a pleasant experience.
When I asked how people maintain different VMs or TemplateVMs (from which the normal VMs spawn off), the answer was mostly bash scripts. The tools provided by the Qubes team are friendly to scripting. The official way to manage VMs, though, is through the Salt project.
As we (at the Freedom of the Press Foundation) are working towards a Qubes-based desktop client for SecureDrop, we also started using Salt to maintain the states of the VMs. I personally found Salt to be very confusing and a bit difficult to learn.
From the mailing list I also found out about https://github.com/Rudd-O/ansible-qubes, but as I started reading the README, I figured out that Salt is being used there too in the background. That made me reconsider Ansible as a choice for maintaining my Qubes system.
Last weekend I pinged Trishna for some pointers on writing new plugins for Ansible, and later at night I also talked with Toshio about the Ansible plugins + modules.
Introducing Qubes Ansible
The result of those chats is Qubes Ansible. It has a qubesos module and a qubes connection plugin for Ansible.
I already have a PR opened to add the connection plugin into Ansible.
The actual module will still require a lot of work to become feature complete with the existing command line tools and also with Salt. This project is under active development.
The good thing is that I am getting feedback and patches from the #qubes IRC channel (on Freenode). From the Qubes development team, marmarek provided some really valuable input to make the plugin easier to use.
Example playbook
---
- hosts: localhost
  connection: local
  tasks:
    - name: Make sure the development VM is present
      qubesos:
        guest: development2
        state: present
        properties:
          memory: 1200
          maxmem: 1400
          netvm: 'sys-firewall'
          template: 'debian-9'
          label: "blue"
    - name: Run the VM
      qubesos:
        guest: development2
        state: running
You can use the above playbook to create a development2 AppVM with the exact properties you want. The examples page has all the available options documented.
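Because the module applies whatever properties the playbook hands it, a small pre-flight check over the parsed tasks catches mistakes before a VM is created with them. The helper below is an added example, not part of Qubes Ansible; the function name check_tasks and the sample task list are constructed for illustration, and the tasks are written as Python dictionaries in the shape Ansible passes to a module, so no YAML loader is needed.

```python
# Added example: pre-flight checks for qubesos tasks (hypothetical helper,
# not part of Qubes Ansible). Tasks are given as the parsed structures
# Ansible passes to a module rather than as YAML text.

# Default Qubes labels (the colours shown on window borders).
QUBES_LABELS = {"red", "orange", "yellow", "green", "gray", "blue", "purple", "black"}

# Constructed sample: the two tasks from the post, plus one deliberately
# misordered and misconfigured task to show what the checker reports.
SAMPLE_TASKS = [
    {"name": "Make sure the development VM is present",
     "qubesos": {"guest": "development2", "state": "present",
                 "properties": {"memory": 1200, "maxmem": 1400,
                                "netvm": "sys-firewall",
                                "template": "debian-9", "label": "blue"}}},
    {"name": "Run the VM",
     "qubesos": {"guest": "development2", "state": "running"}},
    {"name": "Run a VM nobody declared",
     "qubesos": {"guest": "scratch", "state": "running",
                 "properties": {"memory": 2000, "maxmem": 1000, "label": "pink"}}},
]


def check_tasks(tasks):
    """Return (task name, problem) pairs; an empty list means the playbook is clean."""
    problems = []
    declared = set()  # guests an earlier task in this playbook made 'present'
    for task in tasks:
        spec = task.get("qubesos")
        if spec is None:
            continue  # not a qubesos task, nothing to check
        name, guest, state = task.get("name", "?"), spec.get("guest"), spec.get("state")
        if state == "present":
            declared.add(guest)
        elif state == "running" and guest not in declared:
            # Starting a guest this playbook never declared means its
            # properties (netvm, template, ...) are whatever dom0 already has.
            problems.append((name, f"guest {guest!r} is started before any task declares it"))
        props = spec.get("properties", {})
        mem, maxmem = props.get("memory"), props.get("maxmem")
        if mem is not None and maxmem is not None and mem > maxmem:
            problems.append((name, f"memory {mem} exceeds maxmem {maxmem}"))
        label = props.get("label")
        if label is not None and label not in QUBES_LABELS:
            problems.append((name, f"unknown label {label!r}"))
    return problems


if __name__ == "__main__":
    for task_name, problem in check_tasks(SAMPLE_TASKS):
        print(f"{task_name}: {problem}")
```

The ordering check is a warning rather than an error: a `running` task for a VM that already exists in dom0 is legitimate, but then the playbook is not the record of how that VM is configured.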
If you are using Qubes, please give it a try, and tell us how we can improve your experience of maintaining the system with Ansible. You can provide feedback in a GitHub issue or talk directly in the #qubes IRC channel.