`salt`: How to execute an `*.sls` **only** in qubes/AppVMs that have a NetVM?

Can anyone point out how to either:

  1. write a jinja `{% if ... %}` statement that prevents execution of (parts of) a `*.sls` in Qubes/AppVMs that do not have a NetVM set (think vault) or
  2. already restrict targeting of the corresponding `*.sls` in the `*.top` to Qubes/AppVMs having a NetVM.

Thank you for any pointers.

That’s a great question.

  1. Qubes has assorted grains that you can view using e.g.
     `qubesctl --skip-dom0 --targets=test --show-output grains.items`. There are a variety of `gw` related grains. Where there is no NetVM, the
     gateway is False, so you can use them in a jinja statement like this:
```jinja
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :

{# never run this part in dom0 #}
{% if grains['nodename'] != 'dom0' %}

{# ip_gw is False when the qube has no NetVM, so branch on it #}
{% if grains['ip_gw'] is false %}
/home/user/netvm_test_no:
  file.managed
{% else %}
/home/user/netvm_test_yes:
  file.managed
{% endif %}

{% endif %}
```


  2. It isn't easy (possible?) to sensibly target qubes by grains.
     Fortunately there is a pillar that you can use, documented here.
     Use this in a top file - it isn't possible, I think, to use a wild card,
     as that targets all qubes, but you are not likely to have many
     network providing qubes:
```yaml
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :

base:
  # match on the qubes:netvm pillar value rather than on a grain
  'qubes:netvm:sys-firewall':
    - match: pillar
    - test.target
```

Enable that top file and run highstate with `state.apply`.

  3. You can also (and I do this a lot) build the targets list on the
     fly like this:
     `qubesctl --skip-dom0 --show-output --targets=$(qvm-ls -O NAME,CLASS,NETVM|grep AppVM|grep -v ' -'|cut -f1 -d\ |tr '\n' ,) state.apply test.target`
     Not many people know that you can feed qvm-ls any Qubes
     preferences. For netvm there is already the keyword GATEWAY, which gives
     the IP address, but you can use NETVM to get the name. In either case a qube
     with no netvm will show `-` in the output.
     `qvm-ls -O NAME,CLASS,GATEWAY` shows a list with name, klass, netvm.
     We grep for AppVM to get non template qubes, and then exclude those
     without a netvm set by `grep -v ' -'`.
     Finally we cut to get just the names, and convert the line output
     into a comma separated list. qubesctl does not care if there is a hanging
     comma at the end of the list.
     Manipulating the output of qvm-ls like this is useful and fast.
I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
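The targets-list construction from point 3, as an added example that is not part of the original post: the filter is done on the NETVM column with awk instead of a loose `grep -v ' -'`, the trailing comma is dropped, and the `qvm-ls` output is a constructed sample so it runs outside dom0 (the `netvm_targets` and `sample_targets` names are assumptions).

```shell
# Constructed stand-in for `qvm-ls -O NAME,CLASS,NETVM` output (not captured
# from a real system); the header line mirrors what qvm-ls prints.
SAMPLE_QVM_LS='NAME          CLASS       NETVM
dom0          AdminVM     -
sys-net       AppVM       -
sys-firewall  AppVM       sys-net
personal      AppVM       sys-firewall
vault         AppVM       -
fedora-36     TemplateVM  -
work          AppVM       sys-firewall'

# netvm_targets: read qvm-ls -O NAME,CLASS,NETVM on stdin and print a
# comma-separated list of AppVMs whose NETVM column is set (not "-").
# Matching on the column avoids relying on the " -" spacing of the table,
# skips the header, and produces no trailing comma.
netvm_targets() {
    awk 'NR > 1 && $2 == "AppVM" && $3 != "-" {
             names = names (names ? "," : "") $1
         }
         END { print names }'
}

# sample_targets: run the filter over the constructed sample above.
sample_targets() {
    printf '%s\n' "$SAMPLE_QVM_LS" | netvm_targets
}

# On a real dom0 the same function feeds qubesctl directly, e.g.:
# qubesctl --skip-dom0 --show-output \
#   --targets="$(qvm-ls -O NAME,CLASS,NETVM | netvm_targets)" state.apply test.target
```

Qubes with no NetVM (vault, sys-net) and non-AppVM classes are left out, which is exactly the set the question wants excluded.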

Thank you for your incredibly deep insight and willingness to share in an utterly didactic manner.