search

ben-grande / qusal

Salt Formulas for Qubes OS.
19 stars 7 forks source link

mgmt qube can't be used with fedora due to fedora major upgrades using new python versions #28

Closed ben-grande closed 6 months ago

ben-grande commented 7 months ago

Software version

From my research of qubes-posts, affected fedora-32, fedora-33 and now currently affects fedora-39.

Brief summary

When Fedora releases a new version, there is history of them breaking salt-ssh due to new Python versions, meaning that to target a fedora-39, you need to have the management qube based on fedora-39.

Currently, the mgmt formula creates the mgmt qube based on debian-12-minimal, it works great for fedora-38, but not for fedora-39.

Steps to reproduce

Install the mgmt formula. Try to target a fedora-39 qube.

Expected behavior

Salt works.

Actual behavior

Salt breaks due to incompatible python version and salt-ssh importing it. See linked upstream issue above.

It breaks every formula that depends on fedora templates, qubes-builder, and the template installation itself via the fedora or fedora-minimal formula, as the install.sls will want to update the package list.

Solution

Requires fedora-39-minimal and fedora-39 (full) to be installed. The global preferencemanagement_dispvm has to be set to fedora-39, then we can create a management qube based on fedora-39-minimal called dvm-mgmt-fedora or make the fedora type itself the default mgmt template dvm-mgmt, so far, this hasn't caused problems for targetting Debian with Salt as far as I could find from issues and posts.

Setting the management_dispvm to the fedora-39 (full) is inevitable during installation, as the minimal version doesn't yet have the necessary salt packages and can't be targetted without getting a working fedora version, in this case, the bloat one.

After installation, the management_dispvm can be set again to dvm-mgmt-fedora, thus having a lightweight management stack for lower resource usage, lower attack surface and faster boot time.

Leaving the global preference with the debian based qube dvm-mgmt and the fedora qubes have the qvm-prefs management_dispvm set to dvm-mgmt-fedora is not an option, we would need to query all the fedora templates and set their prefs set.

Changing the default template of the dvm-mgmt to Fedora seems to makes sense because from the available templates, it has the newest Python versions and it is required on new Fedora major upgrades while the contrary is not true, debian-11 could target debian-12. Using separate management templates can make sense in the future in case other templates starts having a default Python version newer than Fedora.

ben-grande commented 6 months ago

No using two templates because I didn't find a problem where a Fedora template couldn't target a Debian version due to mismatched Salt and dependencies version.