Tell me how to use salt-n-pepper

Hi, could you tell me how to use this?

I’ve tried various commands, but it still doesn’t work and it’s taking too long, so I asked this question.
Is it correct to git clone to /srv/user_salt?
I’ve already copied it to dom0 but I don’t know how to use it

I have no experience with that particular setup, but as someone who uses salt in dom0, I would strongly recommend you save your terminal history of everything you tried, the commands run, not their output.
Many of those commands have side effects, and it is easy to get frustrated and stuck in a bad state not realizing that something tried previously did modify the system in a way that would affect what you’re trying now.

You should really run through the examples on the Qubes docs for salt before attempting to use anything there, and even then I personally would suggest you might consider simply looking at their code to inform how you write your own salt states rather than blithely running their code.

Getting the user_salt directories working is more trouble than it’s worth, so if you try out any examples to prove your salt setup is functional, it is okay to create a folder for yourself under /srv/salt and keep your states and top files there.

Hopefully someone with actual experience with that particular project can help you, but I would not hold your breath if you’re hoping that this project could help you avoid needing to learn salt to use salt. Salt is unfortunately very finicky.
That said, consider actually capturing what went wrong when you followed the instructions in that project’s README.md, as no one can help you if they don’t know what commands you ran.

And I would recommend against cloning into anything under /srv as git repos contain a .git folder that salt has no business trying to serve to minions. You just need the working tree from the git repo and nothing more most likely, but again I don’t know this project or what it expects.

1 Like

Welcome @0fe6db552f62d773!

After skimming through the README file: it seems to me that it gives fairly detailed instructions if you understand roughly how Salt works in Qubes OS.

If you are not familiar with Salt, or with Salt in Qubes OS, I would strongly recommend you to get at least a little familiar with those before you start copying things here and there. (I’ll spare you the “executing code you don’t understand is risky bla bla bla”, but it’s true, and I’d personally consider Salt to be an advanced topic in Qubes OS.)

(On that note: the setup of Salt in Qubes OS is special enough as a setup that some aspects of the Saltstack docs may seem confusing. It does make sense, though, so it pays off to be patient!)

You’ll find several references to tutorials and notes in this forum, that were written by a number of people. Some of them will probably also join this thread (:tada:), so I’ll let them introduce their work.

On my side, in addition to the link to the official Qubes OS documentation page that @anon9706954 posted, here are my own notes. I’ve written those as a learning practice for myself, but the first part is organised as a tutorial and you may find it interesting to go through the different steps of writing a Salt state and applying it in the context of Qubes OS. My notes obviously reflect my own preferences on the topic, so I’ll encourage you to also look at other sources.

I believe that after practicing a little writing your own Salt states, the README of the project you’re looking at will make a lot more sense to you. Welcome to the journey, and don’t hesitate to keep asking questions when you hit specific roadblocks!

2 Likes

I don’t understand the meaning of state.sls and saltenv etc. so please tell me

[root@dom0 template-browser]# pwd
/srv/user_salt/salt-n-pepper/template-browser
[root@dom0 template-browser]# qubesctl state.sls brave-browser saltenv=user
local:
    Data failed to compile:
----------
    No matching sls found for 'brave-browser' in env 'user'
DOM0 configuration failed, not continuing

  • state.sls is an old name for the state.apply command. (It’s also known as state.highstate but state.apply has always seemed a clearer name to me.)

  • saltenv=user tells qubesctl to look for the brave-browser state in the user directories.

The tutorial I linked above explains when and why to use both, with an example.

1 Like

When I executed the tutorial command, I got this error

[root@dom0 user_salt]# qubesctl state.apply split-ssh.client.vm split-ssh.vault.vm saltenv=user

Passed invalid arguments: apply_() takes from 0 to 1 positional arguments but 2 were given.

Usage:

    .. versionadded:: 2015.5.0

    This function will call :mod:`state.highstate
    <salt.modules.state.highstate>` or :mod:`state.sls
    <salt.modules.state.sls>` based on the arguments passed to this function.
    It exists as a more intuitive way of applying states.

    .. rubric:: APPLYING ALL STATES CONFIGURED IN TOP.SLS (A.K.A. :ref:`HIGHSTATE <running-highstate>`)

    To apply all configured states, simply run ``state.apply``:

    .. code-block:: bash

        salt '*' state.apply

    The following additional arguments are also accepted when applying all
    states configured in top.sls:

    test
        Run states in test-only (dry-run) mode

    mock
        The mock option allows for the state run to execute without actually
        calling any states. This then returns a mocked return which will show
        the requisite ordering as well as fully validate the state run.

        .. versionadded:: 2015.8.4

    pillar
        Custom Pillar values, passed as a dictionary of key-value pairs

        .. code-block:: bash

            salt '*' state.apply stuff pillar='{"foo": "bar"}'

        .. note::
            Values passed this way will override Pillar values set via
            ``pillar_roots`` or an external Pillar source.

    exclude
        Exclude specific states from execution. Accepts a list of sls names, a
        comma-separated string of sls names, or a list of dictionaries
        containing ``sls`` or ``id`` keys. Glob-patterns may be used to match
        multiple states.

        .. code-block:: bash

            salt '*' state.apply exclude=bar,baz
            salt '*' state.apply exclude=foo*
            salt '*' state.apply exclude="[{'id': 'id_to_exclude'}, {'sls': 'sls_to_exclude'}]"

    queue : False
        Instead of failing immediately when another state run is in progress,
        a value of ``True`` will queue the new state run to begin running once
        the other has finished.

        This option starts a new thread for each queued state run, so use this
        option sparingly.

        .. versionchanged:: 3006.0
            This parameter can also be set via the ``state_queue`` configuration
            option. Additionally, it can now be set to an integer representing
            the maximum queue size which can be attained before the state runs
            will fail to be queued. This can prevent runaway conditions where
            new threads are started until system performance is hampered.

    localconfig
        Optionally, instead of using the minion config, load minion opts from
        the file specified by this argument, and then merge them with the
        options from the minion config. This functionality allows for specific
        states to be run with their own custom minion configuration, including
        different pillars, file_roots, etc.

        .. code-block:: bash

            salt '*' state.apply localconfig=/path/to/minion.yml

    state_events
        The state_events option sends progress events as each function in
        a state run completes execution.

        .. versionadded:: 3006.0


    .. rubric:: APPLYING INDIVIDUAL SLS FILES (A.K.A. :py:func:`STATE.SLS <salt.modules.state.sls>`)

    To apply individual SLS files, pass them as a comma-separated list:

    .. code-block:: bash

        # Run the states configured in salt://stuff.sls (or salt://stuff/init.sls)
        salt '*' state.apply stuff

        # Run the states configured in salt://stuff.sls (or salt://stuff/init.sls)
        # and salt://pkgs.sls (or salt://pkgs/init.sls).
        salt '*' state.apply stuff,pkgs

        # Run the states configured in a more deeply nested directory such as salt://my/organized/stuff.sls (or salt://my/organized/stuff/init.sls)
        salt '*' state.apply my.organized.stuff

    The following additional arguments are also accepted when applying
    individual SLS files:

    test
        Run states in test-only (dry-run) mode

    mock
        The mock option allows for the state run to execute without actually
        calling any states. This then returns a mocked return which will show
        the requisite ordering as well as fully validate the state run.

        .. versionadded:: 2015.8.4

    pillar
        Custom Pillar values, passed as a dictionary of key-value pairs

        .. code-block:: bash

            salt '*' state.apply stuff pillar='{"foo": "bar"}'

        .. note::
            Values passed this way will override Pillar values set via
            ``pillar_roots`` or an external Pillar source.

    queue : False
        Instead of failing immediately when another state run is in progress,
        a value of ``True`` will queue the new state run to begin running once
        the other has finished.

        This option starts a new thread for each queued state run, so use this
        option sparingly.

        .. versionchanged:: 3006.0
            This parameter can also be set via the ``state_queue`` configuration
            option. Additionally, it can now be set to an integer representing
            the maximum queue size which can be attained before the state runs
            will fail to be queued. This can prevent runaway conditions where
            new threads are started until system performance is hampered.

    concurrent : False
        Execute state runs concurrently instead of serially

        .. warning::

            This flag is potentially dangerous. It is designed for use when
            multiple state runs can safely be run at the same time. Do *not*
            use this flag for performance optimization.

    saltenv
        Specify a salt fileserver environment to be used when applying states

        .. versionchanged:: 0.17.0
            Argument name changed from ``env`` to ``saltenv``

        .. versionchanged:: 2014.7.0
            If no saltenv is specified, the minion config will be checked for an
            ``environment`` parameter and if found, it will be used. If none is
            found, ``base`` will be used. In prior releases, the minion config
            was not checked and ``base`` would always be assumed when the
            saltenv was not explicitly set.

    pillarenv
        Specify a Pillar environment to be used when applying states. This
        can also be set in the minion config file using the
        :conf_minion:`pillarenv` option. When neither the
        :conf_minion:`pillarenv` minion config option nor this CLI argument is
        used, all Pillar environments will be merged together.

    localconfig
        Optionally, instead of using the minion config, load minion opts from
        the file specified by this argument, and then merge them with the
        options from the minion config. This functionality allows for specific
        states to be run with their own custom minion configuration, including
        different pillars, file_roots, etc.

        .. code-block:: bash

            salt '*' state.apply stuff localconfig=/path/to/minion.yml

    sync_mods
        If specified, the desired custom module types will be synced prior to
        running the SLS files:

        .. code-block:: bash

            salt '*' state.apply stuff sync_mods=states,modules
            salt '*' state.apply stuff sync_mods=all

        .. note::
            This option is ignored when no SLS files are specified, as a
            :ref:`highstate <running-highstate>` automatically syncs all custom
            module types.

        .. versionadded:: 2017.7.8,2018.3.3,2019.2.0

    state_events
        The state_events option sends progress events as each function in
        a state run completes execution.

        .. versionadded:: 3006.0
    
DOM0 configuration failed, not continuing
1 Like

Looks like I made a typo in the tutorial! The error says I missed a comma, which means the command should be:

sudo qubesctl state.apply split-ssh.client.vm,split-ssh.vault.vm saltenv=user
#              comma, not space -------------^

(You work as root so no need for sudo, I only put it because the tutorial uses it.)

1 Like

Indeed you’ll soon find out I don’t apply individual states often and use so-called top files instead :slightly_smiling_face: precisely because I find composing these long commands is error-prone. Confirm to me that was my mistake and I’ll correct the tutorial! :star:

Edit: The repository is private, but I opened an issue to track this mistake.

Edit 2: And I just checked the other commands in the tutorial: that should be the only one with that problem.

1 Like

Hmm…
What does this error mean?

[root@dom0 user_salt]# qubesctl state.apply split-ssh.client.vm,split-ssh.vault.vm saltenv=user
[CRITICAL] Rendering SLS 'user:split-ssh.client.vm' failed: mapping values are not allowed in this context
local:
    Data failed to compile:
----------
    Rendering SLS 'user:split-ssh.client.vm' failed: mapping values are not allowed in this context
DOM0 configuration failed, not continuing
1 Like

Darn, looks like this one is on me again!

The error usually indicates that the YAML is invalid for some reason. See how the second and third state’s - are not aligned on the m of qvm like in the first state?

I missed a space when indenting those. :confused: In both lists, the lines starting with - should have one more space before the -:

# split-ssh/vault/vm.sls

ssh-vault-present: # ①
  qvm.present: # ②
    - name: ssh-vault # ③
    - template: fedora-32 # ④
    - label: black
    - mem: 400
    - vcpus: 2

- ssh-vault-has-no-network-access:
-   qvm.prefs: # ⑤
-    - name: ssh-vault  # HERE: should be indented one more space, like state above.
-    - netvm: none # ⑥
-    - default_dispvm: # ⑦
+ ssh-vault-has-no-network-access:
+   qvm.prefs: # ⑤
+     - name: ssh-vault  # HERE: se how there is one more space before the hyphen.
+     - netvm: none # ⑥
+     - default_dispvm: # ⑦
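
Review bot: the added `- default_dispvm: # ⑦` line still has a key with no value, which YAML loads as null; if an empty preference is the intent, annotation ⑦ should say so, otherwise spell the value out the way `- netvm: none` does on the line above. The comment on the added `- name: ssh-vault` line also has a typo, "se how" for "see how".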


- ssh-vault-autostarts:
-   qvm.prefs:
-    - name: ssh-vault
-    - autostart: True # ⑧
+ ssh-vault-autostarts:
+   qvm.prefs:
+     - name: ssh-vault
+     - autostart: True # ⑧

In the YAML format (which is what .sls files typically use), the indentation has meaning, and must be kept consistent throughout the file. Two spaces, then only one space is no good. And the error messages are sometimes a bit cryptic.

Issue opened on my side to fix that one too. Thank you for reporting with full details! :raised_hands:

1 Like

Heads up, I just checked the remaining state files, and one of them features the same mistake:

# split-ssh/policy/init.sls

- /etc/qubes-rpc/policy/qubes.SSHAgent: # ①
-   file.managed: # ②
-    - user: root # ③
-    - group: root
-    - mode: '0755'
-    - makedirs: True ④
-    - source: salt://split-ssh/policy/files/qubes.SSHAgent # ⑤
+ /etc/qubes-rpc/policy/qubes.SSHAgent: # ①
+   file.managed: # ②
+     - user: root # ③
+     - group: root
+     - mode: '0755'
+     - makedirs: True ④
+     - source: salt://split-ssh/policy/files/qubes.SSHAgent # ⑤
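
Review bot: on the added `- makedirs: True ④` line the marker is not preceded by `#`, unlike every other marker in this hunk, so YAML reads the value as the string "True ④" rather than a boolean followed by a comment. Write it as `- makedirs: True # ④`; the removed line has the same omission, so the indentation fix alone does not correct it.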

It’s only that one. (On the bright side, now you know what that error hints at!)

1 Like

I see, but the indentation in my file looks correct

[root@dom0 user_salt]# cat split-ssh/client/vm.sls
ssh-client-present:
  qvm.present
    - name: ssh-client
    - template: fedora-38-xfce
    - label: blue
    - mem: 400
    - vcpus: 2
[root@dom0 user_salt]# cat split-ssh/vault/vm.sls
ssh-vault-present:
  qvm.present:
    - name: ssh-vault
    - template: fedora-38-xfce
    - label: black
    - mem: 400
    - vcpus: 2

ssh-vault-has-no-network-access:
  qvm.prefs:
    - name: ssh-vault
    - netvm: none
    - default_dispvm:

ssh-vault-autostarts:
  qvm.prefs:
    - name: ssh-vault
    - autostart: True
[root@dom0 user_salt]# qubesctl state.apply split-ssh.client.vm,split-ssh.vault.vm saltenv=user
[CRITICAL] Rendering SLS 'user:split-ssh.client.vm' failed: mapping values are not allowed in this context
local:
    Data failed to compile:
----------
    Rendering SLS 'user:split-ssh.client.vm' failed: mapping values are not allowed in this context
DOM0 configuration failed, not continuing

Edit: I forgot the colon after “default_dispvm” but even if I fixed it the error still occurs

There is another missing colon after qvm.present in the client file.

And after that, if the error persists, I’d check the whitespaces: might you be mixing tabs and spaces? (YAML is finicky like that, and to be fair, that’s YAML, not Salt.)

As a troubleshooting tip: you can apply the states one by one to narrow the scope of the error:

# dom0, as root

# only one
qubesctl state.apply split-ssh.client.vm saltenv=user

# then the other
qubesctl state.apply split-ssh.vault.vm saltenv=user

(For good measure you can apply them together once they succeed individually.)

And as a step back: that’s one reason why I package my states as RPM. Once everything is in place, it’s nice not to have to type them when setting them up again after a fresh Qubes OS installation or on a new machine…

On that note, as a lighter step: working in your dom0’s home directory and creating a symlink in /srv/user_salt is a good way to make sure your personal Salt files are included in dom0 backups! (If that makes no sense, let me know!)

1 Like
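
The two causes named in the reply above (a missing colon after the state function, and tabs mixed into the indentation) can be checked before running qubesctl. The script below is an added example, not code from the thread or from the tutorial; `sls_lint` and `write_samples` are hypothetical helper names, the sample files are constructed, and the checks are heuristics rather than a YAML parser.

```shell
#!/bin/sh
# Added example: heuristic pre-flight lint for Salt .sls files (YAML).
# sls_lint and write_samples are hypothetical helper names.

# sls_lint FILE... : print "file:line: message" per finding, return 1 if any.
sls_lint() {
    awk '
    function indent(s) { match(s, /^ */); return (RLENGTH > 0) ? RLENGTH : 0 }
    function report(line, msg) { printf "%s:%d: %s\n", FILENAME, line, msg; bad = 1 }

    FNR == 1 { pending = 0; fn_ind = -1; first_item = -1 }   # reset per file
    /^[ \t]*(#.*)?$/ { next }                                # blank or comment-only
    /^ *\t/ { report(FNR, "tab in indentation (YAML accepts spaces only)"); next }
    {
        i = indent($0)
        is_item = ($0 ~ /^ *- /)

        # Previous line was "module.function" without ":" and arguments follow.
        # (A bare "module.function" with no arguments is valid, so it is only
        # reported when a deeper list item comes next.)
        if (pending && is_item && i > fn_ind)
            report(pending_line, "missing colon after \"" pending_name "\"")
        pending = 0

        # An indented state function line such as "  qvm.present:".
        if ($0 ~ /^ +[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*:? *(#.*)?$/) {
            fn_ind = i; first_item = -1
            if ($1 !~ /:$/) { pending = 1; pending_line = FNR; pending_name = $1 }
            next
        }

        # Argument list items: a sibling dedented to a column between the
        # function line and the first item matches no open YAML block.
        if (is_item && fn_ind >= 0 && i > fn_ind) {
            if (first_item < 0) first_item = i
            else if (i < first_item)
                report(FNR, "list item indented " i " spaces but its siblings use " first_item)
            next
        }
        if (i <= fn_ind) { fn_ind = -1; first_item = -1 }
    }
    END { exit bad + 0 }
    ' "$@"
}

# write_samples DIR : constructed files, one per failure mode plus a clean one.
write_samples() {
    cat > "$1/vault.sls" <<'EOF'
ssh-vault-present:
  qvm.present:
    - name: ssh-vault
    - label: black
EOF
    cat > "$1/client.sls" <<'EOF'
ssh-client-present:
  qvm.present
    - name: ssh-client
    - label: blue
EOF
    cat > "$1/misaligned.sls" <<'EOF'
ssh-vault-autostarts:
  qvm.prefs:
    - name: ssh-vault
   - autostart: True
EOF
    printf 'ssh-client-present:\n\tqvm.present:\n\t\t- name: ssh-client\n' > "$1/tabs.sls"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
sls_lint "$demo_dir"/*.sls || echo "lint reported problems"
rm -rf "$demo_dir"
```
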

thx
This solved the problem

This command was executed successfully: qubesctl state.apply split-ssh.client.vm,split-ssh.vault.vm saltenv=user

1 Like

Back to salt-n-pepper, I got an error
I downloaded the asc and gpg files from the Brave official website and copied them to dom0, but an error occurs

[root@dom0 user_salt]# qubesctl --skip-dom0 --target=debian-12-xfce state.apply salt-n-pepper.template-browser.brave-browser saltenv=user
debian-12-xfce: ERROR (exit code 20, details in /var/log/qubes/mgmt-debian-12-xfce.log)
[root@dom0 user_salt]# cat /var/log/qubes/mgmt-debian-12-xfce.log
2023-10-07 20:39:59,231 calling 'state.apply salt-n-pepper.template-browser.brave-browser saltenv=user'...
2023-10-07 20:40:37,399 output: debian-12-xfce:
2023-10-07 20:40:37,399 output: ----------
2023-10-07 20:40:37,399 output:           ID: /usr/share/keyrings/brave-browser-archive-keyring.gpg
2023-10-07 20:40:37,399 output:     Function: file.managed
2023-10-07 20:40:37,399 output:       Result: False
2023-10-07 20:40:37,399 output:      Comment: Source file salt://template-browser/brave-browser.gpg not found in saltenv 'user'
2023-10-07 20:40:37,399 output:      Started: 20:40:31.169724
2023-10-07 20:40:37,400 output:     Duration: 54.998 ms
2023-10-07 20:40:37,400 output:      Changes:   
2023-10-07 20:40:37,400 output: ----------
2023-10-07 20:40:37,400 output:           ID: brave-browser-repo
2023-10-07 20:40:37,400 output:     Function: pkgrepo.managed
2023-10-07 20:40:37,400 output:         Name: deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main
2023-10-07 20:40:37,400 output:       Result: True
2023-10-07 20:40:37,400 output:      Comment: Package repo 'deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main' already configured
2023-10-07 20:40:37,400 output:      Started: 20:40:31.254894
2023-10-07 20:40:37,400 output:     Duration: 28.767 ms
2023-10-07 20:40:37,400 output:      Changes:   
2023-10-07 20:40:37,400 output: ----------
2023-10-07 20:40:37,400 output:           ID: brave-browser-updated
2023-10-07 20:40:37,400 output:     Function: pkg.uptodate
2023-10-07 20:40:37,400 output:       Result: False
2023-10-07 20:40:37,400 output:      Comment: W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 20:40:37,400 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 20:40:37,400 output:      Started: 20:40:32.599080
2023-10-07 20:40:37,400 output:     Duration: 1824.858 ms
2023-10-07 20:40:37,400 output:      Changes:   
2023-10-07 20:40:37,400 output: ----------
2023-10-07 20:40:37,400 output:           ID: brave-browser
2023-10-07 20:40:37,400 output:     Function: pkg.installed
2023-10-07 20:40:37,400 output:       Result: False
2023-10-07 20:40:37,401 output:      Comment: An error was encountered while installing package(s): W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 20:40:37,401 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 20:40:37,401 output:      Started: 20:40:34.432053
2023-10-07 20:40:37,401 output:     Duration: 2280.066 ms
2023-10-07 20:40:37,401 output:      Changes:   
2023-10-07 20:40:37,401 output:
2023-10-07 20:40:37,401 output: Summary for debian-12-xfce
2023-10-07 20:40:37,401 output: ------------
2023-10-07 20:40:37,401 output: Succeeded: 1
2023-10-07 20:40:37,401 output: Failed:    3
2023-10-07 20:40:37,401 output: ------------
2023-10-07 20:40:37,401 output: Total states run:     4
2023-10-07 20:40:37,401 output: Total run time:   4.189 s
2023-10-07 20:40:37,401 exit code: 20
2023-10-07 20:59:11,219 calling 'state.apply salt-n-pepper.template-browser.brave-browser saltenv=user'...
2023-10-07 21:00:05,364 output: debian-12-xfce:
2023-10-07 21:00:05,364 output: ----------
2023-10-07 21:00:05,364 output:           ID: /usr/share/keyrings/brave-browser-archive-keyring.gpg
2023-10-07 21:00:05,364 output:     Function: file.managed
2023-10-07 21:00:05,364 output:       Result: False
2023-10-07 21:00:05,364 output:      Comment: Source file salt://template-browser/brave-browser.gpg not found in saltenv 'user'
2023-10-07 21:00:05,364 output:      Started: 20:59:43.873633
2023-10-07 21:00:05,364 output:     Duration: 83.546 ms
2023-10-07 21:00:05,364 output:      Changes:   
2023-10-07 21:00:05,364 output: ----------
2023-10-07 21:00:05,364 output:           ID: brave-browser-repo
2023-10-07 21:00:05,365 output:     Function: pkgrepo.managed
2023-10-07 21:00:05,365 output:         Name: deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main
2023-10-07 21:00:05,365 output:       Result: True
2023-10-07 21:00:05,365 output:      Comment: Package repo 'deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main' already configured
2023-10-07 21:00:05,365 output:      Started: 20:59:44.000852
2023-10-07 21:00:05,365 output:     Duration: 32.524 ms
2023-10-07 21:00:05,365 output:      Changes:   
2023-10-07 21:00:05,365 output: ----------
2023-10-07 21:00:05,365 output:           ID: brave-browser-updated
2023-10-07 21:00:05,365 output:     Function: pkg.uptodate
2023-10-07 21:00:05,365 output:       Result: False
2023-10-07 21:00:05,365 output:      Comment: W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 21:00:05,365 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 21:00:05,365 output:      Started: 20:59:45.420931
2023-10-07 21:00:05,365 output:     Duration: 17132.615 ms
2023-10-07 21:00:05,365 output:      Changes:   
2023-10-07 21:00:05,365 output: ----------
2023-10-07 21:00:05,365 output:           ID: brave-browser
2023-10-07 21:00:05,365 output:     Function: pkg.installed
2023-10-07 21:00:05,365 output:       Result: False
2023-10-07 21:00:05,365 output:      Comment: An error was encountered while installing package(s): W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 21:00:05,365 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 21:00:05,365 output:      Started: 21:00:02.564680
2023-10-07 21:00:05,365 output:     Duration: 2201.56 ms
2023-10-07 21:00:05,365 output:      Changes:   
2023-10-07 21:00:05,365 output:
2023-10-07 21:00:05,365 output: Summary for debian-12-xfce
2023-10-07 21:00:05,365 output: ------------
2023-10-07 21:00:05,365 output: Succeeded: 1
2023-10-07 21:00:05,365 output: Failed:    3
2023-10-07 21:00:05,365 output: ------------
2023-10-07 21:00:05,365 output: Total states run:     4
2023-10-07 21:00:05,365 output: Total run time:  19.450 s
2023-10-07 21:00:05,365 exit code: 20
2023-10-07 21:01:28,799 calling 'state.apply salt-n-pepper.template-browser.brave-browser saltenv=user'...
2023-10-07 21:02:08,100 output: debian-12-xfce:
2023-10-07 21:02:08,101 output: ----------
2023-10-07 21:02:08,101 output:           ID: /usr/share/keyrings/brave-browser-archive-keyring.gpg
2023-10-07 21:02:08,101 output:     Function: file.managed
2023-10-07 21:02:08,101 output:       Result: False
2023-10-07 21:02:08,101 output:      Comment: Source file salt://template-browser/brave-browser.gpg not found in saltenv 'user'
2023-10-07 21:02:08,101 output:      Started: 21:02:01.714447
2023-10-07 21:02:08,101 output:     Duration: 54.366 ms
2023-10-07 21:02:08,101 output:      Changes:   
2023-10-07 21:02:08,101 output: ----------
2023-10-07 21:02:08,101 output:           ID: brave-browser-repo
2023-10-07 21:02:08,101 output:     Function: pkgrepo.managed
2023-10-07 21:02:08,101 output:         Name: deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main
2023-10-07 21:02:08,101 output:       Result: True
2023-10-07 21:02:08,101 output:      Comment: Package repo 'deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main' already configured
2023-10-07 21:02:08,101 output:      Started: 21:02:01.800066
2023-10-07 21:02:08,101 output:     Duration: 30.37 ms
2023-10-07 21:02:08,101 output:      Changes:   
2023-10-07 21:02:08,101 output: ----------
2023-10-07 21:02:08,101 output:           ID: brave-browser-updated
2023-10-07 21:02:08,101 output:     Function: pkg.uptodate
2023-10-07 21:02:08,101 output:       Result: False
2023-10-07 21:02:08,102 output:      Comment: W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 21:02:08,102 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 21:02:08,102 output:      Started: 21:02:03.438283
2023-10-07 21:02:08,102 output:     Duration: 2108.427 ms
2023-10-07 21:02:08,102 output:      Changes:   
2023-10-07 21:02:08,102 output: ----------
2023-10-07 21:02:08,102 output:           ID: brave-browser
2023-10-07 21:02:08,102 output:     Function: pkg.installed
2023-10-07 21:02:08,102 output:       Result: False
2023-10-07 21:02:08,102 output:      Comment: An error was encountered while installing package(s): W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 21:02:08,102 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 21:02:08,102 output:      Started: 21:02:05.555341
2023-10-07 21:02:08,102 output:     Duration: 1909.001 ms
2023-10-07 21:02:08,102 output:      Changes:   
2023-10-07 21:02:08,102 output:
2023-10-07 21:02:08,102 output: Summary for debian-12-xfce
2023-10-07 21:02:08,102 output: ------------
2023-10-07 21:02:08,102 output: Succeeded: 1
2023-10-07 21:02:08,102 output: Failed:    3
2023-10-07 21:02:08,102 output: ------------
2023-10-07 21:02:08,102 output: Total states run:     4
2023-10-07 21:02:08,102 output: Total run time:   4.102 s
2023-10-07 21:02:08,103 exit code: 20
[root@dom0 user_salt]# rm /var/log/qubes/mgmt-debian-12-xfce.log -rf
[root@dom0 user_salt]# cat /var/log/qubes/mgmt-debian-12-xfce.log
cat: /var/log/qubes/mgmt-debian-12-xfce.log: No such file or directory
[root@dom0 user_salt]# qubesctl --skip-dom0 --target=debian-12-xfce state.apply salt-n-pepper.template-browser.brave-browser saltenv=user
debian-12-xfce: ERROR (exit code 20, details in /var/log/qubes/mgmt-debian-12-xfce.log)
[root@dom0 user_salt]# cat /var/log/qubes/mgmt-debian-12-xfce.log
2023-10-07 21:09:53,111 calling 'state.apply salt-n-pepper.template-browser.brave-browser saltenv=user'...
2023-10-07 21:10:31,862 output: debian-12-xfce:
2023-10-07 21:10:31,862 output: ----------
2023-10-07 21:10:31,862 output:           ID: /usr/share/keyrings/brave-browser-archive-keyring.gpg
2023-10-07 21:10:31,862 output:     Function: file.managed
2023-10-07 21:10:31,862 output:       Result: False
2023-10-07 21:10:31,862 output:      Comment: Source file salt://template-browser/brave-browser.gpg not found in saltenv 'user'
2023-10-07 21:10:31,862 output:      Started: 21:10:24.233882
2023-10-07 21:10:31,862 output:     Duration: 87.414 ms
2023-10-07 21:10:31,862 output:      Changes:   
2023-10-07 21:10:31,862 output: ----------
2023-10-07 21:10:31,862 output:           ID: brave-browser-repo
2023-10-07 21:10:31,862 output:     Function: pkgrepo.managed
2023-10-07 21:10:31,862 output:         Name: deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main
2023-10-07 21:10:31,862 output:       Result: True
2023-10-07 21:10:31,862 output:      Comment: Package repo 'deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main' already configured
2023-10-07 21:10:31,862 output:      Started: 21:10:24.366840
2023-10-07 21:10:31,862 output:     Duration: 57.366 ms
2023-10-07 21:10:31,862 output:      Changes:   
2023-10-07 21:10:31,862 output: ----------
2023-10-07 21:10:31,862 output:           ID: brave-browser-updated
2023-10-07 21:10:31,862 output:     Function: pkg.uptodate
2023-10-07 21:10:31,862 output:       Result: False
2023-10-07 21:10:31,862 output:      Comment: W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 21:10:31,862 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 21:10:31,862 output:      Started: 21:10:26.444005
2023-10-07 21:10:31,862 output:     Duration: 2270.436 ms
2023-10-07 21:10:31,862 output:      Changes:   
2023-10-07 21:10:31,862 output: ----------
2023-10-07 21:10:31,862 output:           ID: brave-browser
2023-10-07 21:10:31,862 output:     Function: pkg.installed
2023-10-07 21:10:31,862 output:       Result: False
2023-10-07 21:10:31,862 output:      Comment: An error was encountered while installing package(s): W: GPG error: https://brave-browser-apt-release.s3.brave.com stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A8580BDC82D3DC6C
2023-10-07 21:10:31,862 output:               E: The repository 'https://brave-browser-apt-release.s3.brave.com stable InRelease' is not signed.
2023-10-07 21:10:31,862 output:      Started: 21:10:28.719014
2023-10-07 21:10:31,862 output:     Duration: 2619.767 ms
2023-10-07 21:10:31,862 output:      Changes:   
2023-10-07 21:10:31,862 output:
2023-10-07 21:10:31,862 output: Summary for debian-12-xfce
2023-10-07 21:10:31,862 output: ------------
2023-10-07 21:10:31,862 output: Succeeded: 1
2023-10-07 21:10:31,862 output: Failed:    3
2023-10-07 21:10:31,863 output: ------------
2023-10-07 21:10:31,863 output: Total states run:     4
2023-10-07 21:10:31,863 output: Total run time:   5.035 s
2023-10-07 21:10:31,863 exit code: 20

This is the most significant failure. (Note that you’ve got multiple runs in your log, only the last is relevant usually.)

The keyring brave-browser.gpg is not where the state says it should be salt://template-browser/brave-browser.gpg, so it cannot be copied to /usr/share/keyrings/brave-browser-archive-keyring.gpg (so Salt fails to apply that state) and it does not get where DNF expects it to be (so the repo signature verifications fail down the line).

The other errors are a consequence of that. Notice they’re all the same. For example:

Knowing that, the question becomes: where is salt://template-browser/brave-browser.gpg supposed to be?

In the user environment, on a typical setup, that would be:

/srv/user_salt/template-browser/brave-browser.gpg

Is that where you copied that file?

Note: If tree is available in your dom0,
sudo tree /srv/user_salt can be a good way to visualize the layout of your Salt states.

Note 2: There are examples of file.managed in the tutorial too, which use that salt://... path, etc. :slightly_smiling_face:

1 Like

Given this command, I’d expect the keyring file to be in:

/srv/user_salt/salt-n-pepper/template-browser/brave-browser.gpg
#       look ---------------

And I’d expect correspondingly:

salt://salt-n-pepper/template-browser/brave-browser.gpg
#      -------------

Now I’d also expect the person who wrote salt-n-pepper had the setup working as it is, so I’m probably missing something.

1 Like
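
Both lookups discussed in the two posts above follow the same rule: a dotted state name and a salt:// URL are each resolved relative to the environment's file root, never relative to the current directory or to the .sls file. The script below is an added example, not code from the thread or from salt-n-pepper; it models a single file root, the helper names are hypothetical, and the state file it builds is constructed from the ID and source path shown in the log.

```shell
#!/bin/sh
# Added example: simplified model of Salt name resolution under ONE file root.
# sls_path, salt_url_path, check_sources and build_tree are hypothetical helpers.

# sls_path ROOT NAME : dotted SLS name -> ROOT/a/b.sls or ROOT/a/b/init.sls
sls_path() {
    rel=$(printf '%s' "$2" | tr . /)
    for f in "$1/$rel.sls" "$1/$rel/init.sls"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# salt_url_path ROOT URL : salt://x/y -> ROOT/x/y (relative to the root only)
salt_url_path() {
    case $2 in salt://*) ;; *) return 2 ;; esac
    rel=${2#salt://}
    if [ -f "$1/$rel" ]; then printf '%s\n' "$1/$rel"; return 0; fi
    return 1
}

# check_sources ROOT NAME : resolve every "- source: salt://..." of one state.
# Prints "OK url" or "MISSING url"; returns 1 if anything is missing.
check_sources() {
    sls=$(sls_path "$1" "$2") || { printf 'NO-SLS %s\n' "$2"; return 1; }
    rc=0
    for url in $(sed -n 's|^ *- *source: *\(salt://[^ #]*\).*|\1|p' "$sls"); do
        if salt_url_path "$1" "$url" >/dev/null; then
            printf 'OK %s\n' "$url"
        else
            printf 'MISSING %s\n' "$url"; rc=1
        fi
    done
    return $rc
}

# build_tree DIR : constructed layout with the repository cloned one level
# below the file root, as in the thread.
build_tree() {
    mkdir -p "$1/salt-n-pepper/template-browser"
    : > "$1/salt-n-pepper/template-browser/brave-browser.gpg"   # placeholder keyring
    cat > "$1/salt-n-pepper/template-browser/brave-browser.sls" <<'EOF'
/usr/share/keyrings/brave-browser-archive-keyring.gpg:
  file.managed:
    - source: salt://template-browser/brave-browser.gpg
EOF
}

# Demo: the same tree seen from two different roots.
root=$(mktemp -d)
build_tree "$root"
echo "root = clone parent:"
sls_path "$root" brave-browser >/dev/null || echo "  no SLS named brave-browser"
check_sources "$root" salt-n-pepper.template-browser.brave-browser | sed 's/^/  /'
echo "root = cloned directory:"
check_sources "$root/salt-n-pepper" template-browser.brave-browser | sed 's/^/  /'
rm -rf "$root"
```
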

Well it looks like salt-n-pepper dir is user_salt dir

[root@dom0 user_salt]# cp -r salt-n-pepper/template-browser template-browser
[root@dom0 user_salt]# qubesctl --skip-dom0 --target=debian-12-xfce state.apply template-browser.brave-browser saltenv=user
debian-12-xfce: OK

I tried copying the template-browser dir before rewriting brave-browser.sls and it was successful
--skip-dom0 is necessary, right?
BTW I made a mistake in the target, so I reinstalled the template

And how can I run qubesctl --skip-dom0 --target=debian-12-xfce state.apply salt-n-pepper.template-browser.brave-browser saltenv=user without running this cp command or editing brave-browser.sls ?
