gaschz/ansible-qubes
1
0
Fork 0
mirror of https://github.com/Rudd-O/ansible-qubes.git synced 2025-03-01 14:22:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

Documentation improvements

Browse Source
This commit is contained in:
Manuel Amador (Rudd-O) 2016-10-12 17:27:40 +00:00
parent 8093ac554f
commit b8c11f6456
1 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
doc/Remote management of Qubes OS servers.md
View File

@ -1,6 +1,6 @@
# Remote management of Qubes OS servers
This tutorial will help you combine [Qubes network server](https://github.com/Rudd-O/qubes-network-server) and Ansible to remotely manage a Qubes OS machine, and all VMs within it.
This tutorial will help you combine [Qubes network server](https://github.com/Rudd-O/qubes-network-server) and Ansible to remotely manage a Qubes OS machine, and some or all VMs within it.
## Set up the SSH access on the Qubes server
@ -22,6 +22,18 @@ exp-manager $anyvm allow
This tells Qubes OS that `exp-manager` is now authorized to run any command in any of the VMs.
**Security note**: this does mean that anyone with access to `exp-manager` can do
literally anything on any of your VMs in your Qubes OS server.
If that is not what you want, then replace `$anyvm` with the name of the VMs you would like
to manage. For example: if you would like `exp-manager` to be authorized to run commands
*only* on `exp-net`, then you can use the following policy:
```
exp-manager exp-net allow
exp-manager $anyvm deny
```
Try it out now. SSH from your manager machine into `exp-manager` and run:
```
@ -32,7 +44,8 @@ You should see `yes` followed by `exp-net` on the output side.
### If you want `exp-manager` to also run commands on `dom0`
If you expect that you will need to run commands in `dom0` from your manager machine,
If you expect that you will need to run commands in `dom0` from your manager machine
(say, to create, stop, start and modify VMs in the Qubes OS server),
then you will have to create a file `/etc/qubes-rpc/qubes.VMShell` as `root` in `dom0`,
with the contents `/bin/bash` and permission mode `0644`. Doing this will enable you
to run commands on `dom0` which you can subsequently test in `exp-manager` by running command:
@ -43,6 +56,9 @@ qvm-run dom0 'echo yes ; hostname'
like you did before.
**Security note**: this does mean that anyone with access to `exp-manager` can do
literally anything on your Qubes OS server.
## Integrate your Ansible setup
Assuming you have set up Ansible on your manager machine, [integrate