Copying QVM Features in Salt Pillar: any reason not to do that?

I’ve set up packaging for the qvm-features-in-pillar formula! :slightly_smiling_face: And I forgot to add a direct link in the README :woman_shrugging: next time.

The packages are not reproducible, so I don’t really recommend that anyone get the package that I’ve published for my own use, because there is little way to confirm it’s been built from the source you see on GitHub (unless maybe you’re very familiar with the internal structure of an RPM package and can make sense of a diffoscope report; at this point I can’t).

However, with the setup done, creating the packages yourself can be as straightforward as (eighteen steps follow :sweat_smile:):

  1. clone the repo
  2. there are a few dependencies to make sure are there (see pre-requisites in README)
  3. add a signed tag so that the packaging tooling can verify the integrity of the sources (you’ll see mine gb_8e1f8f82 there, so it’s all about creating a similar one locally that’s signed with a key you control, see below for how to do that)
  4. set a few (simple) environment variables (same README)
  5. run make packages

If you want to test the package in a dispVM:

  • make sure RPM knows about the signing (public) key for the purpose of verifying signatures: sudo rpm --import <mykey.gpg>
  • install the package you’ve just built: sudo dnf install ./qubes-mgmt-salt-user-qvm-features-in-pillar-1.0.0-1.noarch.rpm
  • confirm that /srv was populated as expected

Once in dom0, don’t forget that:

  • user directories are assumed to be enabled (see below if needed)
  • the package installation will overwrite /srv/user_salt/qvm-features-in-pillar
  • top files need to be enabled, this one is no exception: sudo qubesctl top.enable qvm-features-in-pillar

Useful references:

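The dispVM test steps above can be scripted as a pre-install audit. This is an added example, not part of the original post or of the formula's repository. The allowed path prefixes are assumptions to adjust after reading the package's spec file, and the helper names `unexpected_paths` and `audit_rpm` are hypothetical.

```shell
#!/bin/sh
# Added example: audit a locally built RPM in a dispVM before it goes to dom0.
# ALLOWED_PREFIXES is an assumption about where the formula installs files.
ALLOWED_PREFIXES="/srv/user_salt/ /srv/user_pillar/ /usr/share/doc/ /usr/share/licenses/"

# Read one path per line on stdin; print every path outside the allowed prefixes.
unexpected_paths() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        ok=no
        for prefix in $ALLOWED_PREFIXES; do
            case "$path" in
                "$prefix"*) ok=yes; break ;;
            esac
        done
        # A ".." component defeats the prefix match, so reject it outright.
        case "$path" in
            */../*|*/..) ok=no ;;
        esac
        [ "$ok" = yes ] || printf '%s\n' "$path"
    done
}

# audit_rpm <package.rpm>: return 0 only if the package is signed by a key
# already imported with "rpm --import" and its payload stays in expected paths.
audit_rpm() {
    pkg=$1
    # An unsigned package reports only "digests OK" and still exits 0,
    # so require the word "signatures" in the verdict.
    if ! rpm -K "$pkg" | grep -q 'signatures OK'; then
        echo "signature missing or not verified: $pkg" >&2
        return 1
    fi
    bad=$(rpm -qlp "$pkg" | unexpected_paths)
    if [ -n "$bad" ]; then
        echo "unexpected payload paths:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    # Scriptlets run as root at install time; print them for manual review.
    rpm -qp --scripts "$pkg"
}
```

Run `audit_rpm ./qubes-mgmt-salt-user-qvm-features-in-pillar-1.0.0-1.noarch.rpm` after the `rpm --import` step and before `dnf install`.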