mirror of
https://github.com/Rudd-O/ansible-qubes.git
synced 2025-03-01 14:22:33 +01:00
Compare commits
No commits in common. "master" and "v0.0.17" have entirely different histories.
README.md
@ -92,18 +92,18 @@ Enabling bombshell-client access to dom0
|
|||||||
create a file `/etc/qubes-rpc/qubes.VMshell` with mode `0755` and make
|
create a file `/etc/qubes-rpc/qubes.VMshell` with mode `0755` and make
|
||||||
sure its contents say `/bin/bash`.
|
sure its contents say `/bin/bash`.
|
||||||
|
|
||||||
You will then create a file `/etc/qubes/policy.d/80-ansible-qubes.policy`
|
You will then create a file `/etc/qubes-rpc/policy/qubes.VMShell` with
|
||||||
with mode 0664, owned by `root` and group `qubes`. Add a policy
|
mode 0664, owned by your login user, and group `qubes`. Add a policy
|
||||||
line towards the top of the file:
|
line towards the top of the file:
|
||||||
|
|
||||||
```
|
```
|
||||||
qubes.VMShell * controller * allow
|
yourvm dom0 ask
|
||||||
```
|
```
|
||||||
|
|
||||||
Where `controller` represents the name of the VM you will be executing
|
Where `yourvm` represents the name of the VM you will be executing
|
||||||
`bombshell-client` against `dom0` from.
|
`bombshell-client` against dom0 from.
|
||||||
|
|
||||||
That's it -- `bombshell-client` should work against `dom0` now. Of course,
|
That's it -- `bombshell-client` should work against dom0 now. Of course,
|
||||||
you can adjust the policy to have it not ask — do the security math
|
you can adjust the policy to have it not ask — do the security math
|
||||||
on what that implies.
|
on what that implies.
|
||||||
|
|
||||||
|
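Review bot: the sentence "you can adjust the policy to have it not ask" survives unchanged on both sides of this hunk, but on the side whose policy line is `qubes.VMShell * controller * allow` there is nothing left to adjust: that line already grants access without a prompt, so the advice to "do the security math" is attached to a choice the reader has already been told to make. Either show an `ask` variant of the new-format line as well, or reword the paragraph so it says that `allow` skips the prompt and that the reader should weigh that before keeping it. The ownership instruction also differs between sides (`root` versus "your login user"); make sure the one kept matches the mode `0664` and group `qubes` stated in the same sentence.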
@ -3,7 +3,7 @@
|
|||||||
%define mybuildnumber %{?build_number}%{?!build_number:1}
|
%define mybuildnumber %{?build_number}%{?!build_number:1}
|
||||||
|
|
||||||
Name: ansible-qubes
|
Name: ansible-qubes
|
||||||
Version: 0.0.21
|
Version: 0.0.17
|
||||||
Release: %{mybuildnumber}%{?dist}
|
Release: %{mybuildnumber}%{?dist}
|
||||||
Summary: Inter-VM program execution for Qubes OS AppVMs and StandaloneVMs
|
Summary: Inter-VM program execution for Qubes OS AppVMs and StandaloneVMs
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
@ -321,18 +321,12 @@ def quotedargs():
|
|||||||
return " ".join(quote(x) for x in sys.argv[1:])
|
return " ".join(quote(x) for x in sys.argv[1:])
|
||||||
|
|
||||||
|
|
||||||
def quotedargs_ellipsized(cmdlist):
|
|
||||||
text = " ".join(quote(x) for x in cmdlist)
|
|
||||||
if len(text) > 80:
|
|
||||||
text = text[:77] + "..."
|
|
||||||
return text
|
|
||||||
|
|
||||||
def main_master():
|
def main_master():
|
||||||
set_proc_name("bombshell-client (master) %s" % quotedargs())
|
set_proc_name("bombshell-client (master) %s" % quotedargs())
|
||||||
global logging
|
global logging
|
||||||
logging = LoggingEmu("master")
|
logging = LoggingEmu("master")
|
||||||
|
|
||||||
logging.info("Started with arguments: %s", quotedargs_ellipsized(sys.argv[1:]))
|
logging.info("Started with arguments: %s", sys.argv[1:])
|
||||||
|
|
||||||
global debug_enabled
|
global debug_enabled
|
||||||
args = sys.argv[1:]
|
args = sys.argv[1:]
|
||||||
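Review bot: `quotedargs_ellipsized()` repeats the `" ".join(quote(x) for x in ...)` expression from `quotedargs()` directly above it; have `quotedargs()` call a shared helper (for example `quotedargs_of(sys.argv[1:])`) so the two cannot drift apart. Also worth a comment at the call site: `sys.argv[1:]` is the complete command line handed to bombshell-client, so anything sensitive passed as an argument ends up in the log on both sides of this hunk; the cut at 77 characters shortens the record, it does not scrub it.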
@ -425,7 +419,7 @@ def main_remote():
|
|||||||
global logging
|
global logging
|
||||||
logging = LoggingEmu("remote")
|
logging = LoggingEmu("remote")
|
||||||
|
|
||||||
logging.info("Started with arguments: %s", quotedargs_ellipsized(sys.argv[1:]))
|
logging.info("Started with arguments: %s", sys.argv[1:])
|
||||||
|
|
||||||
global debug_enabled
|
global debug_enabled
|
||||||
if "-d" in sys.argv[1:]:
|
if "-d" in sys.argv[1:]:
|
||||||
@ -474,11 +468,10 @@ def main_remote():
|
|||||||
muxer.name = "remote multiplexer"
|
muxer.name = "remote multiplexer"
|
||||||
muxer.start()
|
muxer.start()
|
||||||
|
|
||||||
nicecmd_ellipsized = quotedargs_ellipsized(cmd)
|
logging.info("Started %s", nicecmd)
|
||||||
logging.info("Started %s", nicecmd_ellipsized)
|
|
||||||
|
|
||||||
retval = p.wait()
|
retval = p.wait()
|
||||||
logging.info("Return code %s for %s", retval, nicecmd_ellipsized)
|
logging.info("Return code %s for %s", retval, nicecmd)
|
||||||
muxer.join()
|
muxer.join()
|
||||||
logging.info("Ending bombshell")
|
logging.info("Ending bombshell")
|
||||||
return retval
|
return retval
|
||||||
|
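Review bot: `quotedargs_ellipsized(cmd)` iterates over its argument and quotes each element, so the log line is only meaningful if `cmd` is a list of argv tokens; a plain string would be quoted character by character. That is not visible in this hunk, so either guard it where `cmd` is built or state it in the helper's docstring. Since both the "Started" and "Return code" messages now use the truncated form, the full remote command is no longer recorded anywhere on the remote side; if operators need it for incident review, log the untruncated form once under the existing `-d` debug switch.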
@ -1 +1 @@
|
|||||||
["RELEASE": "q4.2 38 39"]
|
["RELEASE": "q4.1 36"]
|
||||||
|
@ -24,13 +24,13 @@ Integrate this software into your Ansible setup (within your `managevm`) VM) by:
|
|||||||
|
|
||||||
## Set up the policy file for `qubes.VMShell`
|
## Set up the policy file for `qubes.VMShell`
|
||||||
|
|
||||||
Edit (as `root`) the file `/etc/qubes/policy.d/80-ansible-qubes.policy`
|
Edit (as `root`) the file `/etc/qubes-rpc/policy/qubes.VMShell`
|
||||||
located on the file system of your `dom0`.
|
located on the file system of your `dom0`.
|
||||||
|
|
||||||
At the top of the file, add the following two lines:
|
At the top of the file, add the following two lines:
|
||||||
|
|
||||||
```
|
```
|
||||||
qubes.VMShell * managevm * allow
|
managevm $anyvm allow
|
||||||
```
|
```
|
||||||
|
|
||||||
This first line lets `managevm` execute any commands on any VM on your
|
This first line lets `managevm` execute any commands on any VM on your
|
||||||
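Review bot: "add the following two lines" and "This first line" on both sides refer to a second policy line, but the fenced block in this hunk contains exactly one line (`qubes.VMShell * managevm * allow` on one side, `managevm $anyvm allow` on the other). Either the second line was dropped from the block or the prose should read "the following line" and "This line".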
@ -41,21 +41,25 @@ security prompt to allow `qubes.VMShell` on the target VM you're managing.
|
|||||||
|
|
||||||
Now save that file, and exit your editor.
|
Now save that file, and exit your editor.
|
||||||
|
|
||||||
If your dom0 has a file `/etc/qubes-rpc/policy/qubes.VMShell`,
|
|
||||||
you can delete it now. It is obsolete.
|
|
||||||
|
|
||||||
### Optional: allow `managevm` to manage `dom0`
|
### Optional: allow `managevm` to manage `dom0`
|
||||||
|
|
||||||
The next step is to add the RPC service proper to dom0. Edit the file
|
Before the line you added in the previous step, add this line:
|
||||||
|
|
||||||
|
```
|
||||||
|
managevm dom0 allow
|
||||||
|
```
|
||||||
|
|
||||||
|
This line lets `managevm` execute any commands in `dom0`. Be sure you
|
||||||
|
understand the security implications of such a thing.
|
||||||
|
|
||||||
|
The next step is to add the RPC service proper. Edit the file
|
||||||
`/etc/qubes-rpc/qubes.VMShell` to have a single line that contains:
|
`/etc/qubes-rpc/qubes.VMShell` to have a single line that contains:
|
||||||
|
|
||||||
```
|
```
|
||||||
exec bash
|
exec bash
|
||||||
```
|
```
|
||||||
|
|
||||||
Make the file executable.
|
That is it. `dom0` should work now.
|
||||||
|
|
||||||
That is it. `dom0` should work now. Note you do this at your own risk.
|
|
||||||
|
|
||||||
|
|
||||||
## Test `qrun` works
|
## Test `qrun` works
|
||||||
|
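Review bot: on the side that removes `managevm dom0 allow`, the "allow `managevm` to manage `dom0`" subsection no longer shows any policy line and no longer says where access to `dom0` is granted; it is not visible from this hunk whether the `*` target in the earlier `qubes.VMShell * managevm * allow` line already covers `dom0`. Say so explicitly, or keep a dom0-specific line, because the replacement sentence "Note you do this at your own risk" drops the earlier "This line lets `managevm` execute any commands in `dom0`" without telling the reader what they are accepting. The added "Make the file executable." step does agree with the `0755` mode given for the same file in the README hunk.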
@ -13,11 +13,11 @@ to set up a policy that allows us to remotely execute commands on any VM of the
|
|||||||
network server, without having to be physically present to click any dialogs authorizing
|
network server, without having to be physically present to click any dialogs authorizing
|
||||||
the execution of those commands.
|
the execution of those commands.
|
||||||
|
|
||||||
In `dom0` of your Qubes server, edit `/etc/qubes/policy.d/80-ansible-qubes.policy` to add,
|
In `dom0` of your Qubes server, edit `/etc/qubes-rpc/policy/qubes.VMShell` to add,
|
||||||
at the top of the file, a policy that looks like this:
|
at the top of the file, a policy that looks like this:
|
||||||
|
|
||||||
```
|
```
|
||||||
qubes.VMShell * managevm * allow
|
exp-manager $anyvm allow
|
||||||
```
|
```
|
||||||
|
|
||||||
This tells Qubes OS that `exp-manager` is now authorized to run any command in any of the VMs.
|
This tells Qubes OS that `exp-manager` is now authorized to run any command in any of the VMs.
|
||||||
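Review bot: the policy line `qubes.VMShell * managevm * allow` names `managevm`, but the unchanged sentence immediately after it says "This tells Qubes OS that `exp-manager` is now authorized", and this guide uses `exp-manager` throughout. The source qube in the policy line should be `exp-manager` (as on the other side, `exp-manager $anyvm allow`), or the prose should change; as written, a reader who copies the line grants unprompted access to a qube that appears nowhere else in this document and leaves `exp-manager` without the grant the next sentence describes.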
@ -25,13 +25,13 @@ This tells Qubes OS that `exp-manager` is now authorized to run any command in a
|
|||||||
**Security note**: this does mean that anyone with access to `exp-manager` can do
|
**Security note**: this does mean that anyone with access to `exp-manager` can do
|
||||||
literally anything on any of your VMs in your Qubes OS server.
|
literally anything on any of your VMs in your Qubes OS server.
|
||||||
|
|
||||||
If that is not what you want, then replace `*` after `managevm` with the name of the VMs you
|
If that is not what you want, then replace `$anyvm` with the name of the VMs you would like
|
||||||
would like to manage. For example: if you would like `exp-manager` to be authorized to run
|
to manage. For example: if you would like `exp-manager` to be authorized to run commands
|
||||||
commands *only* on `exp-net`, then you can use the following policy:
|
*only* on `exp-net`, then you can use the following policy:
|
||||||
|
|
||||||
```
|
```
|
||||||
qubes.VMShell * exp-manager exp-net allow
|
exp-manager exp-net allow
|
||||||
qubes.VMShell * exp-manager @anyvm deny
|
exp-manager $anyvm deny
|
||||||
```
|
```
|
||||||
|
|
||||||
Try it out now. SSH from your manager machine into `exp-manager` and run:
|
Try it out now. SSH from your manager machine into `exp-manager` and run:
|
||||||
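Review bot: "replace `*` after `managevm`" carries the same `managevm`/`exp-manager` mismatch as the previous hunk, and the restricted example that follows names `exp-manager`, so the instruction and the example disagree about which source qube is being narrowed. Separately, the deny line `qubes.VMShell * exp-manager @anyvm deny` uses `@anyvm` while the allow line it is meant to replace used `*`; if those two tokens do not denote the same set of targets, the deny does not cover everything the original allow did. Use the same token in both lines, or add a sentence explaining the difference.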
@ -47,7 +47,7 @@ You should see `yes` followed by `exp-net` on the output side.
|
|||||||
If you expect that you will need to run commands in `dom0` from your manager machine
|
If you expect that you will need to run commands in `dom0` from your manager machine
|
||||||
(say, to create, stop, start and modify VMs in the Qubes OS server),
|
(say, to create, stop, start and modify VMs in the Qubes OS server),
|
||||||
then you will have to create a file `/etc/qubes-rpc/qubes.VMShell` as `root` in `dom0`,
|
then you will have to create a file `/etc/qubes-rpc/qubes.VMShell` as `root` in `dom0`,
|
||||||
with the contents `/bin/bash` and permission mode `0755`. Doing this will enable you
|
with the contents `/bin/bash` and permission mode `0644`. Doing this will enable you
|
||||||
to run commands on `dom0` which you can subsequently test in `exp-manager` by running command:
|
to run commands on `dom0` which you can subsequently test in `exp-manager` by running command:
|
||||||
|
|
||||||
```
|
```
|
||||||
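Review bot: `0755` is the correct mode for `/etc/qubes-rpc/qubes.VMShell`: qrexec executes the service file, and `0644` carries no execute bit, so the other side's instruction produces a service that cannot be run. This also brings the section in line with the `0755` given for the same file in the README hunk and with the "Make the file executable" step in the docs hunk above.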
@ -57,7 +57,7 @@ qvm-run dom0 'echo yes ; hostname'
|
|||||||
like you did before.
|
like you did before.
|
||||||
|
|
||||||
**Security note**: this does mean that anyone with access to `exp-manager` can do
|
**Security note**: this does mean that anyone with access to `exp-manager` can do
|
||||||
*literally anything* on your Qubes OS server. You have been warned.
|
literally anything on your Qubes OS server.
|
||||||
|
|
||||||
## Integrate your Ansible setup
|
## Integrate your Ansible setup
|
||||||
|
|
||||||
|