Salt: downloading in one qube for use in another

nexus · July 28, 2024, 12:46pm

I am trying to automate the setting up of as much as possible of my qubes config as I can using salt. A problem I’ve run into is that there are some 3rd-party proprietary softwares that I’d like to use which are not found in package managers. I would ideally like to install these in a template and then derive app VMs from that template, however the template does not have internet access per default.

One path could be to give internet access to the template temporarily, however I’m interested in the idea of having a downloader qube that downloads things and then gives them to other qubes. The issue I found trying to do this is two-fold:

There is no way to syncronize state between different VMs using require. I would like to download the file in one VM, then move it, and then I’d like the other VM run the state which installs the file.
There is no way to non-interactively move files between VMs. qvm-move requires user input (as it should) but I can’t think of a workaround. I can’t even use qvm-move-to-vm in dom0 as then the file needs to be in dom0.

What do you guys use to solve this problem and similar problems?

gonzalo-bulnes · July 28, 2024, 2:10pm

Certainly not elegant, but on one hand require can be used to check for the presence of the downloaded file before attempting the installation.

On the other hand, a Salt state can trigger the download and copy of one file into another VM.

On the first run, that could complete, but depending on the order in which VM states are applied, the check+installation state in the second VM would fail if that VM is processed first. (That’s the not elegant part.) A second run would succeed though.

Another, more complex but arguably more elegant way could be to set flags in an admin VM to keep track of the progress of the steps (was the file downloaded and copied in the first VM? Is it time to install it in the second?).

You’ll find in this forum lengthy discussions about the inconvenience of synchronizing states across different VMs and controlling the order in which states are applied. (Mainly because dom0 states are applied first.)

nexus · July 28, 2024, 4:59pm

I see, that is unfortunate.

unman · July 29, 2024, 3:04pm

It’s almost never necessary to do this, because you can (ab)use the
update proxy in most case.

You can require on the existence of the file transferred from the
downloader in /home/user//QubesIncoming/downloader.
Run a dom0 state to change policy:

temporary_policy:
  - file.prepend:
    - name: /etc/qubes/policy.d/30-user.policy:
    - text: qubes.Filecopy  * downloader  receiver allow

After the successful install use file.line or file.replace to remove that policy:

remove_policy:
  file.line:
    - name: /etc/qubes/policy.d/30-user.policy:
    - match: downloader  receiver allow
    - mode: delete

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.