# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
#
# Ensures that sys-* VMs (viz. sys-net, sys-firewall, sys-usb) use
# an up-to-date version of Fedora, in order to receive security updates.
include:
# Import the upstream Qubes-maintained default-dispvm to ensure Fedora-based
# DispVM is created
- qvm.default-dispvm
# On Qubes 4.2 the Fedora template is named fedora-NN-xfce, but the DispVM
# templates created below keep the simpler names fedora-NN-dvm / sd-fedora-NN-dvm.
#
# Single source of truth for the Fedora release the sys-* qubes must run on.
# Bump this constant to move to a newer Fedora. The cleanup of the previous
# SDW DispVM template further down (remove-sd-fedora-39-dvm) is hard-coded and
# has to be bumped in the same change, or the stale template is left behind.
{% set sd_supported_fedora_version = 'fedora-40' %}
{% set sd_fedora_base_template = sd_supported_fedora_version + '-xfce' %}
# Install the Fedora template required for the SDW sys-* qubes, if missing.
# Idempotent: the machine-readable "qvm-template info" output is grepped for an
# "installed|<template>|" line (the "|" is literal in grep's basic regex) and
# "qvm-template install" only runs when that line is absent. Because of the
# "||", the command exits 0 in both cases, so a failed grep never fails the
# state on its own. Package download, repository selection and package
# signature verification are entirely qvm-template's responsibility; nothing
# in this state re-checks them.
dom0-install-fedora-template:
  cmd.run:
    - name: >
        qvm-template info --machine-readable {{ sd_fedora_base_template }} | grep -q "installed|{{ sd_fedora_base_template }}|" || qvm-template install {{ sd_fedora_base_template }}
# Point default-mgmt-dvm (by its name, the DispVM template Qubes uses for
# management qubes) at the new Fedora template BEFORE the template itself is
# updated below; the order is required. The qube is shut down first,
# presumably because the template pref cannot be changed on a running qube --
# confirm against qvm-prefs behaviour.
set-fedora-template-as-default-mgmt-dvm:
  cmd.run:
    - name: >
        qvm-shutdown --wait default-mgmt-dvm &&
        qvm-prefs default-mgmt-dvm template {{ sd_fedora_base_template }}
    - require:
      - cmd: dom0-install-fedora-template
# Update the freshly installed template immediately, so that the sys-* qubes
# restarted further down come up with current security updates rather than the
# package's release-day contents. cmd.wait only runs when a watched state
# reports changes.
# NOTE(review): cmd.run reports changes whenever it executes, so this is likely
# to run on every apply, not only after a fresh install -- confirm. With
# --force-update that costs time but is otherwise harmless.
update-fedora-template-if-new:
  cmd.wait:
    - name: qubes-vm-update --quiet --force-update --targets {{ sd_fedora_base_template }}
    - require:
      - cmd: dom0-install-fedora-template
      # Update the mgmt-dvm setting first, to avoid problems during first update
      - cmd: set-fedora-template-as-default-mgmt-dvm
    - watch:
      - cmd: dom0-install-fedora-template
# Make the new Fedora template the dom0-wide default_template. qvm.default-dispvm
# is not strictly required here, but we want it applied as soon as possible so
# that "make clean" completes successfully, as it sets default_dispvm to the
# DispVM based on the wanted Fedora version.
# NOTE: default_template is a global dom0 preference; it affects every qube
# created later without an explicit template, not only SDW's.
set-fedora-default-template-version:
  cmd.run:
    - name: qubes-prefs default_template {{ sd_fedora_base_template }}
    - require:
      - cmd: dom0-install-fedora-template
      - sls: qvm.default-dispvm
# On 4.1, several sys qubes are disposable by default - since we also want to
# upgrade the templates for those, we need to ensure that the respective dvms
# exist, as just installing a new template won't create a DispVM template
# automatically.
# sys-usb is also disposable by default but a special case as we want to
# customize the underlying DispVM template for usability purposes: we want to
# consistently auto-attach USB devices to our sd-devices qube.
#
# fedora-NN-dvm is always created; sd-fedora-NN-dvm only when sys-usb is
# disposable.
# NOTE(review): the pillar default used here ('qvm:sys-usb:disposable' -> true)
# differs from the default used for the same key in the sys-* loop below
# (false). With the key absent from the pillar, sd-fedora-NN-dvm is created
# here but sys-usb is then pointed at the plain fedora-NN-xfce template. The
# two defaults should agree; confirm which one the pillar data relies on.
{% set required_dispvms = [ sd_supported_fedora_version + '-dvm' ] %}
{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %}
{% set _ = required_dispvms.append("sd-" + sd_supported_fedora_version + "-dvm") %}
{% endif %}
{% for required_dispvm in required_dispvms %}
create-{{ required_dispvm }}:
  qvm.vm:
    - name: {{ required_dispvm }}
    - present:
      - template: {{ sd_fedora_base_template }}
      - label: red
    - prefs:
      - template: {{ sd_fedora_base_template }}
      - template_for_dispvms: True
{% if required_dispvm == 'sd-' + sd_supported_fedora_version + '-dvm' %}
      # The SDW DispVM template for sys-usb is deliberately given no netvm:
      # sys-usb handles untrusted USB devices and must not get network access
      # through its template. Keep this when customizing the template later.
      - netvm: ""
{% endif %}
    - require:
      - cmd: dom0-install-fedora-template
{% endfor %}
# Now proceed with rebooting all the sys-* VMs, since the new template is up to
# date. For each sys-* qube: pick the template it should run on, and if its
# current template differs, kill it, switch the template and start it again.
# The list of qubes is hard-coded, so the shell command built below never
# contains pillar- or user-controlled data.
{% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %}
{% if salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %}
# As of Qubes 4.1, certain sys-* VMs will be DispVMs by default.
{% if sys_vm == 'sys-usb' %}
# If sys-usb is disposable, we want it to use the template we just created so we
# can customize it later in the process
{% set sd_supported_fedora_template = 'sd-' + sd_supported_fedora_version + '-dvm' %}
{% else %}
{% set sd_supported_fedora_template = sd_supported_fedora_version + '-dvm' %}
{% endif %}
{% else %}
# Non-disposable sys-* qubes run directly on the Fedora template.
# NOTE(review): this default (false) does not match the default (true) used
# for 'qvm:sys-usb:disposable' when the DispVM templates are created above.
{% set sd_supported_fedora_template = sd_fedora_base_template %}
{% endif %}
# The current template is read at Jinja render time, before any state runs, so
# the decision below reflects the state of dom0 when the highstate started.
{% if salt['cmd.shell']('qvm-prefs ' + sys_vm + ' template') != sd_supported_fedora_template %}
# Hard kill rather than shutdown. For sys-net / sys-firewall this interrupts
# networking for every qube routed through them until the start state below.
sd-{{ sys_vm }}-fedora-version-halt:
  qvm.kill:
    - name: {{ sys_vm }}
    - require:
      - cmd: dom0-install-fedora-template
# NOTE(review): the wait and update states below do not require the kill state;
# they run after it only because of definition order, and a failed kill does
# not stop them. Adding the kill as a requisite would be stricter, but it is
# not clear from here whether qvm.kill fails on an already-halted qube, which
# would then skip the whole update -- confirm before tightening.
sd-{{ sys_vm }}-fedora-version-halt-wait:
  cmd.run:
    - name: sleep 5
    - require:
      - cmd: dom0-install-fedora-template
sd-{{ sys_vm }}-fedora-version-update:
  qvm.vm:
    - name: {{ sys_vm }}
    - prefs:
      - template: {{ sd_supported_fedora_template }}
    - require:
      - cmd: sd-{{ sys_vm }}-fedora-version-halt-wait
{% if sd_supported_fedora_template.endswith("-dvm") %}
      # A DispVM-based sys qube needs its DispVM template created first.
      - qvm: create-{{ sd_supported_fedora_template }}
{% endif %}
# Finally, remove the old supported fedora DVM we created. We won't uninstall
# the template, in case it's being used elsewhere, but the `sd-` VMs we can
# reasonably manage (remove) ourselves.
# The previous release is hard-coded here and only removed when sys-usb's
# template actually changed in this run; bump it together with the
# sd_supported_fedora_version constant at the top of the file.
{% if sys_vm == "sys-usb" %}
remove-sd-fedora-39-dvm:
  qvm.absent:
    - name: sd-fedora-39-dvm
    - require:
      - qvm: sd-sys-usb-fedora-version-update
{% endif %}
sd-{{ sys_vm }}-fedora-version-start:
  qvm.start:
    - name: {{ sys_vm }}
    - require:
      - qvm: sd-{{ sys_vm }}-fedora-version-update
{% endif %}
{% endfor %}