Open emkll opened 5 years ago
Is this issue fully superseded by packaging work that's part of template consolidation (#471)?
To my eye, yes, it is. However, there are still a few scripts in dom0 that really should be bundled up in the RPM, to my eye, although perhaps that's best rephrased in a new issue.
Ongoing and planned work on provisioning improvements will catch the stragglers here. Leaving open for now.
Posting some notes so we can decide next steps. To recap, packaging files rather than updating them via salt will make it easier to reason about system status, perform migrations, depend less on Salt, etc.
And many files are already managed by packages in both dom0 and in VMs (the workstation-config debian package for VMs, the workstation-dom0-config rpm for dom0).
Looking at this, I think there are a few quick wins and a few discussion points.
Quick wins:
Discussion
blockreplace
in existing qubes system files to preference managing our own files instead (true for: template / repo configuration, RPC policies), but b) if we must modify system files, maybe have those changes bundled up into the config package instead of done via salt
I think for that last point there would be some unavoidable Salt additions. At the very least we need to install our release pubkey and set up the repo. It looks like the steps would be:
So the setup/config for the template is still Salt. We could just do the key and repo and move the rest into a debian -config package, maybe.
I think https://github.com/freedomofpress/securedrop-workstation/pull/1043 addresses the last bit of this?
Yeah - I came here to say we should close this and/or remove it from the board :) Any followup tasks will have their own specific tickets.
We use Salt to move certain configuration files to VMs when invoking Make commands in dom0. These files include files used for MIME associations and default behavior for opening, but also Python scripts (in the case of sd-export):
We should distribute these using .deb packages to ensure we are in a position to easily and automatically update them, without invoking any dom0 Make commands or requiring an update to the securedrop-workstation source code.