Initial support for Qubes 4.1 #751
Merged (7 commits), May 3, 2022
Unbreak in-place upgrade failure due to missing qvm-template metadata
QubesOS/qubes-issues#7436 is expected
to fully resolve. Switching to running qvm-template manually resolves
the issue in the meantime. Because anon-whonix also calls the Salt
state, removing it for now (we run it mainly to ensure that Whonix
is up-to-date, which won't be an issue until the next Debian
stable release).
eloquence committed Apr 19, 2022
commit b58c57f22129d40174f18767d8c0120b86d14700
15 changes: 3 additions & 12 deletions dom0/sd-dom0-files.sls
Expand Up @@ -6,12 +6,6 @@
# over time. These scripts should be ported to an RPM package.
##

include:
# Import the upstream Qubes-maintained anon-whonix settings.
# The anon-whoni config pulls in sys-whonix and sys-firewall,
# as well as ensures the latest versions of Whonix are installed.
- qvm.anon-whonix

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}

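Review bot: with the `qvm.anon-whonix` include dropped here, nothing in sd-dom0-files.sls any longer pulls in sys-whonix and sys-firewall or checks that the Whonix templates are current, which is exactly what the removed comment above the include said it was there for. The commit message accepts the staleness risk until the next Debian stable release, but that reasoning lives only in the commit; leave a one-line comment at the top of this file saying why the upstream state is no longer imported and what now guarantees sys-whonix exists before the Whonix `qvm.vm` states further down run.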
Expand Down Expand Up @@ -82,8 +76,9 @@ dom0-remove-securedrop-workstation-stretch-template:

dom0-install-securedrop-workstation-template:
Contributor
I think that this entire block will need to be in a conditional, since pkg.installed is the required syntax for 4.0, and qvm.template_installed is required for 4.1

Contributor
(Going to stop before I get too far into all the 4.0/4.1 compatibility notes since we'll have to figure out how we want to organize that)

{% if grains['osrelease'] == '4.1' %}
qvm.template_installed:
- name: securedrop-workstation-buster
cmd.run:
- name: >
qvm-template install securedrop-workstation-buster
{% else %}
Member

@eloquence eloquence Mar 31, 2022
Nit: Would it maybe be better to use {% elif grains['osrelease'] == '4.0' %} here and in subsequent similar statements? I'm sure we'll be removing this conditional logic pretty soon, but it seems best to be always explicit about the version-based branching.

pkg.installed:
- pkgs:
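Review bot: the new `cmd.run` for `qvm-template install securedrop-workstation-buster` has no `unless` or `creates` guard, so on 4.1 it is executed on every state apply rather than only when the template is missing, and every state that `require`s or `watch`es `dom0-install-securedrop-workstation-template` will see a change each run. Add a guard such as `- unless: qvm-template list --installed | grep -qw securedrop-workstation-buster` (assuming `qvm-template list --installed` is available on 4.1) so this branch is as idempotent as the `pkg.installed` branch it replaces for 4.0.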
Expand Down Expand Up @@ -129,16 +124,12 @@ dom0-enabled-apparmor-on-whonix-gw-template:
- name: whonix-gw-16
- prefs:
- kernelopts: "nopat apparmor=1 security=apparmor"
- require:
- sls: qvm.anon-whonix

dom0-enabled-apparmor-on-whonix-ws-template:
qvm.vm:
- name: whonix-ws-16
- prefs:
- kernelopts: "nopat apparmor=1 security=apparmor"
- require:
- sls: qvm.anon-whonix

dom0-create-opt-securedrop-directory:
file.directory:
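Review bot: the two `require: - sls: qvm.anon-whonix` entries removed from the whonix-gw-16 and whonix-ws-16 `qvm.vm` states leave those states with no ordering against whatever installs the Whonix templates; they only set `kernelopts`, so if the template is absent when Salt reaches them the prefs change fails. If the templates are expected to pre-exist on an upgraded 4.1 system, say so in a comment next to the states; otherwise add `- sls: sd-upgrade-templates` as the Whonix states in sd-sys-whonix-vms.sls and sd-whonix.sls in this same commit do.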
15 changes: 8 additions & 7 deletions dom0/sd-sys-vms.sls
Expand Up @@ -15,8 +15,9 @@ include:
# Install latest templates required for SDW VMs.
dom0-install-fedora-template:
{% if grains['osrelease'] == '4.1' %}
qvm.template_installed:
- name: {{ sd_supported_fedora_version }}
cmd.run:
- name: >
qvm-template install fedora-34
{% else %}
pkg.installed:
- pkgs:
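Review bot: the 4.1 branch hard-codes `fedora-34` in the qvm-template command, while the `qvm.template_installed` line it replaces, the 4.0 `pkg.installed` branch and every consumer further down this file (`qvm-prefs default-mgmt-dvm template {{ sd_supported_fedora_version }}`, `qubes-prefs default_template {{ sd_supported_fedora_version }}`) use `{{ sd_supported_fedora_version }}`. Use the variable in the command too (`qvm-template install {{ sd_supported_fedora_version }}`); otherwise a bump of `sd_supported_fedora_version` installs nothing new on 4.1 and the later prefs and default-template states point at a template that was never installed.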
Expand All @@ -32,7 +33,7 @@ set-fedora-template-as-default-mgmt-dvm:
qvm-prefs default-mgmt-dvm template {{ sd_supported_fedora_version }}
- require:
{% if grains['osrelease'] == '4.1' %}
- qvm: dom0-install-fedora-template
- cmd: dom0-install-fedora-template
{% else %}
- pkg: dom0-install-fedora-template
{% endif %}
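Review bot: this `- qvm:` to `- cmd:` requisite switch inside a 4.1/4.0 conditional is repeated verbatim in four more states below and again in sd-workstation-template.sls. Define the requisite type once near the top of the file, for example `{% set fedora_template_req = 'cmd' if grains['osrelease'] == '4.1' else 'pkg' %}` and then `- {{ fedora_template_req }}: dom0-install-fedora-template` in each state, so the next change to how the template is installed is made in one place instead of six.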
Expand All @@ -43,15 +44,15 @@ update-fedora-template-if-new:
- name: sudo qubesctl --skip-dom0 --targets {{ sd_supported_fedora_version }} state.sls update.qubes-vm
- require:
{% if grains['osrelease'] == '4.1' %}
- qvm: dom0-install-fedora-template
- cmd: dom0-install-fedora-template
{% else %}
- pkg: dom0-install-fedora-template
{% endif %}
# Update the mgmt-dvm setting first, to avoid problems during first update
- cmd: set-fedora-template-as-default-mgmt-dvm
- watch:
{% if grains['osrelease'] == '4.1' %}
- qvm: dom0-install-fedora-template
- cmd: dom0-install-fedora-template
{% else %}
- pkg: dom0-install-fedora-template
{% endif %}
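Review bot: the `watch` on `dom0-install-fedora-template` at the end of this hunk now points at a `cmd.run` state. That cmd.run has no `unless` guard, so it reports a change on every apply, and update-fedora-template-if-new will therefore be triggered on every run on 4.1 rather than only when a new template was installed, which is what the state name promises. Either guard the install command so it is a no-op when the template already exists, or downgrade this `watch` to the plain `require` the state already carries.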
Expand All @@ -64,7 +65,7 @@ set-fedora-default-template-version:
- name: qubes-prefs default_template {{ sd_supported_fedora_version }}
- require:
{% if grains['osrelease'] == '4.1' %}
- qvm: dom0-install-fedora-template
- cmd: dom0-install-fedora-template
{% else %}
- pkg: dom0-install-fedora-template
{% endif %}
Expand All @@ -86,7 +87,7 @@ sd-{{ sys_vm }}-fedora-version-halt:
- name: {{ sys_vm }}
- require:
{% if grains['osrelease'] == '4.1' %}
- qvm: dom0-install-fedora-template
- cmd: dom0-install-fedora-template
{% else %}
- pkg: dom0-install-fedora-template
{% endif %}
7 changes: 0 additions & 7 deletions dom0/sd-sys-whonix-vms.sls
Expand Up @@ -2,10 +2,6 @@
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :

include:
# Import the upstream Qubes-maintained anon-whonix settings.
# The anon-whonix config pulls in sys-whonix and sys-firewall,
# as well as ensures the latest versions of Whonix are installed.
- qvm.anon-whonix
- sd-upgrade-templates

# The Qubes logic is too polite about enforcing template
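Review bot: with `qvm.anon-whonix` no longer included, sys-whonix-template-config below only sets the `template` pref on sys-whonix and so assumes sys-whonix and sys-firewall already exist; the removed comment said the upstream state was what pulled those in. The commit message targets the in-place upgrade path, where they do exist, but the fresh-install path should be checked against this file too, and the remaining `- sd-upgrade-templates` include deserves a comment on what now creates those VMs.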
Expand All @@ -17,13 +13,10 @@ sys-whonix-template-config:
- prefs:
- template: whonix-gw-16
- require:
- sls: qvm.anon-whonix
- sls: sd-upgrade-templates

anon-whonix-template-config:
qvm.vm:
- name: anon-whonix
- prefs:
- template: whonix-ws-16
- require:
- sls: qvm.anon-whonix
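Review bot: removing `- sls: qvm.anon-whonix` from anon-whonix-template-config leaves the trailing `- require:` with nothing under it, whereas sys-whonix-template-config above keeps `- sls: sd-upgrade-templates`. An empty `require:` renders as a null value, which is at best a no-op and may be rejected as a malformed requisite; either delete the `- require:` line or add `- sls: sd-upgrade-templates` to match the state above, since whonix-ws-16 is installed there as well.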
5 changes: 0 additions & 5 deletions dom0/sd-whonix.sls
Expand Up @@ -12,10 +12,6 @@
##

include:
# Import the upstream Qubes-maintained anon-whonix settings.
# The anon-whonix config pulls in sys-whonix and sys-firewall,
# as well as ensures the latest versions of Whonix are installed.
- qvm.anon-whonix
- sd-upgrade-templates

sd-whonix:
Expand All @@ -35,5 +31,4 @@ sd-whonix:
- sd-workstation
- sd-buster
- require:
- sls: qvm.anon-whonix
- sls: sd-upgrade-templates
2 changes: 1 addition & 1 deletion dom0/sd-workstation-template.sls
Expand Up @@ -21,7 +21,7 @@ sd-workstation-template:
- service.paxctld
- require:
{% if grains['osrelease'] == '4.1' %}
- qvm: dom0-install-securedrop-workstation-template
- cmd: dom0-install-securedrop-workstation-template
{% else %}
- pkg: dom0-install-securedrop-workstation-template
{% endif %}