gaschz/ansible-qubes
1
0
Fork 0
mirror of https://github.com/Rudd-O/ansible-qubes.git synced 2025-10-31 03:28:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update documentation to catch up with Qubes 4.1 policy changes.

Browse Source
This commit is contained in:
Manuel Amador (Rudd-O) 2023-02-25 18:24:58 +00:00
parent f6dc498036
commit 782c557cb6
3 changed files with 24 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -92,18 +92,18 @@ Enabling bombshell-client access to dom0
create a file `/etc/qubes-rpc/qubes.VMshell` with mode `0755` and make create a file `/etc/qubes-rpc/qubes.VMshell` with mode `0755` and make
sure its contents say `/bin/bash`. sure its contents say `/bin/bash`.
You will then create a file `/etc/qubes-rpc/policy/qubes.VMShell` with You will then create a file `/etc/qubes/policy.d/80-ansible-qubes.policy`
mode 0664, owned by your login user, and group `qubes`. Add a policy with mode 0664, owned by `root` and group `qubes`. Add a policy
line towards the top of the file: line towards the top of the file:
``` ```
yourvm dom0 ask qubes.VMShell * controller * allow
``` ```
Where `yourvm` represents the name of the VM you will be executing Where `controller` represents the name of the VM you will be executing
`bombshell-client` against dom0 from. `bombshell-client` against `dom0` from.
That's it -- `bombshell-client` should work against dom0 now. Of course, That's it -- `bombshell-client` should work against `dom0` now. Of course,
you can adjust the policy to have it not ask — do the security math you can adjust the policy to have it not ask — do the security math
on what that implies. on what that implies.

22
doc/Enhance your Ansible with Ansible Qubes.md
View File

@ -24,13 +24,13 @@ Integrate this software into your Ansible setup (within your `managevm`) VM) by:
## Set up the policy file for `qubes.VMShell` ## Set up the policy file for `qubes.VMShell`
Edit (as `root`) the file `/etc/qubes-rpc/policy/qubes.VMShell` Edit (as `root`) the file `/etc/qubes/policy.d/80-ansible-qubes.policy`
located on the file system of your `dom0`. located on the file system of your `dom0`.
At the top of the file, add the following two lines: At the top of the file, add the following two lines:
``` ```
managevm $anyvm allow qubes.VMShell * managevm * allow
``` ```
This first line lets `managevm` execute any commands on any VM on your This first line lets `managevm` execute any commands on any VM on your
@ -41,25 +41,21 @@ security prompt to allow `qubes.VMShell` on the target VM you're managing.
Now save that file, and exit your editor. Now save that file, and exit your editor.
If your dom0 has a file `/etc/qubes-rpc/policy/qubes.VMShell`,
you can delete it now. It is obsolete.
### Optional: allow `managevm` to manage `dom0` ### Optional: allow `managevm` to manage `dom0`
Before the line you added in the previous step, add this line: The next step is to add the RPC service proper to dom0. Edit the file
```
managevm dom0 allow
```
This line lets `managevm` execute any commands in `dom0`. Be sure you
understand the security implications of such a thing.
The next step is to add the RPC service proper. Edit the file
`/etc/qubes-rpc/qubes.VMShell` to have a single line that contains: `/etc/qubes-rpc/qubes.VMShell` to have a single line that contains:
``` ```
exec bash exec bash
``` ```
That is it. `dom0` should work now. Make the file executable.
That is it. `dom0` should work now. Note you do this at your own risk.
## Test `qrun` works ## Test `qrun` works

18
doc/Remote management of Qubes OS servers.md
View File

@ -13,11 +13,11 @@ to set up a policy that allows us to remotely execute commands on any VM of the
network server, without having to be physically present to click any dialogs authorizing network server, without having to be physically present to click any dialogs authorizing
the execution of those commands. the execution of those commands.
In `dom0` of your Qubes server, edit `/etc/qubes-rpc/policy/qubes.VMShell` to add, In `dom0` of your Qubes server, edit `/etc/qubes/policy.d/80-ansible-qubes.policy` to add,
at the top of the file, a policy that looks like this: at the top of the file, a policy that looks like this:
``` ```
exp-manager $anyvm allow qubes.VMShell * managevm * allow
``` ```
This tells Qubes OS that `exp-manager` is now authorized to run any command in any of the VMs. This tells Qubes OS that `exp-manager` is now authorized to run any command in any of the VMs.
@ -25,13 +25,13 @@ This tells Qubes OS that `exp-manager` is now authorized to run any command in a
**Security note**: this does mean that anyone with access to `exp-manager` can do **Security note**: this does mean that anyone with access to `exp-manager` can do
literally anything on any of your VMs in your Qubes OS server. literally anything on any of your VMs in your Qubes OS server.
If that is not what you want, then replace `$anyvm` with the name of the VMs you would like If that is not what you want, then replace `*` after `managevm` with the name of the VMs you
to manage. For example: if you would like `exp-manager` to be authorized to run commands would like to manage. For example: if you would like `exp-manager` to be authorized to run
*only* on `exp-net`, then you can use the following policy: commands *only* on `exp-net`, then you can use the following policy:
``` ```
exp-manager exp-net allow qubes.VMShell * exp-manager exp-net allow
exp-manager $anyvm deny qubes.VMShell * exp-manager @anyvm deny
``` ```
Try it out now. SSH from your manager machine into `exp-manager` and run: Try it out now. SSH from your manager machine into `exp-manager` and run:
@ -47,7 +47,7 @@ You should see `yes` followed by `exp-net` on the output side.
If you expect that you will need to run commands in `dom0` from your manager machine If you expect that you will need to run commands in `dom0` from your manager machine
(say, to create, stop, start and modify VMs in the Qubes OS server), (say, to create, stop, start and modify VMs in the Qubes OS server),
then you will have to create a file `/etc/qubes-rpc/qubes.VMShell` as `root` in `dom0`, then you will have to create a file `/etc/qubes-rpc/qubes.VMShell` as `root` in `dom0`,
with the contents `/bin/bash` and permission mode `0644`. Doing this will enable you with the contents `/bin/bash` and permission mode `0755`. Doing this will enable you
to run commands on `dom0` which you can subsequently test in `exp-manager` by running command: to run commands on `dom0` which you can subsequently test in `exp-manager` by running command:
``` ```
@ -57,7 +57,7 @@ qvm-run dom0 'echo yes ; hostname'
like you did before. like you did before.
**Security note**: this does mean that anyone with access to `exp-manager` can do **Security note**: this does mean that anyone with access to `exp-manager` can do
literally anything on your Qubes OS server. *literally anything* on your Qubes OS server. You have been warned.
## Integrate your Ansible setup ## Integrate your Ansible setup