Re: [qubes-users] saltstack: user specific pillars in qubes

Have you enabled the pillar in /srv/salt/user_pillar/top.sls?

Example:

In /srv/salt/user_pillar/top.sls I have a stanza:
user:
  'target':
    - get

In /srv/salt/user_pillar/get.sls, I set the pillar:
host: www.qubes-os.org

Then I have the state and top files, get.sls and get.top:
get file:
  cmd.run:
    - name: wget {{pillar['host'] }}

base:
  target:
    - get

qubesctl --skip-dom0 --targets=target state.apply get

First of all I'd like to thank you for your answer unman.

I've tried your example (and after modifying it to be able to run it) I get exactly the same error as before.

Here's the setup:

Have you enabled the pillar in /srv/salt/user_pillar/top.sls?

As far as I know, I have only to enable state.top files. But I have a file like you suggest located in /srv/salt/user_pillar/:

In /srv/salt/user_pillar/top.sls I have a stanza:
user:
   'target':
     - get

Ok!

In /srv/salt/user_pillar/get.sls, I set the pillar:
host: www.qubes-os.org

Ok!

/srv/salt/user_salt/get.sls
get file:
   cmd.run:
     - name: wget {{pillar['host'] }}

Ok!

/srv/salt/user_salt/get.top
base:
   target:
     - user_salt.get

This one I had to modify as the get.sls is located in "/srv/salt/user_salt/". Above is already the modified version (user_salt is prefixed). I also enabled this top file by executing:
sudo qubesctl top.enable user_salt.get

Now, let's run this:

qubesctl --skip-dom0 --targets=target state.apply get

When I'm executing this, I get the error logged in /var/log/qubes/mgmt-target.log:
calling 'state.apply'...
2020-09-13 10:08:14,729 output: target:
2020-09-13 10:08:14,730 output: - Rendering SLS 'base:user_salt.get' failed: Jinja variable 'salt.utils.context.NamespacedDictWrapper object' has no attribute 'host'

When I'm executing this (additional parameter --pillar-root=/srv/salt/user_pillar/):
sudo qubesctl --skip-dom0 --targets=target state.apply --pillar-root=/srv/salt/user_pillar/

The result is the same as I described before:
target: ERROR (exception list index out of range)

I also tried to modify the pillar top file to meet the different location:

In /srv/salt/user_pillar/top.sls I have a stanza:
user:
   'target':
     - user_pillar.get

But this hasn't changed the results.

Any further suggestions to investigate are highly appreciated.

Best. P.

OK, it might have been better if you had NOT modified my example, as you
should then have been able to verify that user pillars can be referenced
in this way.
I always find it better to take one small step at a time when
troubleshooting or trying to learn something new.

In the new case, you are using the user environment. I would try the
following:
/srv/salt/user_salt/get.top
user:
   target:
     - get

/srv/salt/user_salt/get.sls
get file:
   cmd.run:
     - name: wget {{pillar['host'] }}

qubesctl --skip-dom0 --targets=target state.apply saltenv=user get

You might like to look at:
https://docs.saltstack.com/en/latest/ref/states/top.html#environments

New environments can be defined in
`/etc/salt/minions.d/f_defaults.conf`, but I rarely do this in Qubes.

unman, as always you pointed me in the right direction. The whole reason it was not working was that I messed up the directories.

Instead of using:
/srv/user_salt

I was using:
/srv/salt/user_salt

That's why your first example didn't work in my environment and I had to adjust it.

Now everything is running perfectly with user defined pillars!

Thank you very much!

I also got this running, thanks!

However when I run

qubesctl --all --show-output state.highstate saltenv=user

I get for my states:
State 'qvm.present' was not found in SLS 'mysls'
Reason: 'qvm.present' is not available.

I guess the custom qvm.* states are not available in the /srv/user_salt folder, but only in /srv/salt?

Is there any way to make them available in /srv/user_salt as well?

Side Note: I ran `qubesctl --show-output state.sls qubes.user-dirs` to obtain the folders.

P.S.: I also noticed that right after I did
sudo qubesctl --all --show-output state.highstate saltenv=user
I get

sudo qubesctl top.enabled
[CRITICAL] Specified ext_pillar interface qvm_prefs is unavailable
'top.enabled' is not available.
DOM0 configuration failed, not continuing

(It did work right before.) It doesn't change after a reboot, only reinstalling the salt packages helps.
I guess that's not normal?

For reference I got it running with symlinks this way:

#!/bin/bash