Target Qubes VMs with tags in Salt Pillar data

qubes-salt-pillar-tags.md

Target Qubes VMs with tags in Salt Pillar data

Qubes allows users to target VMs in top files using pillar data:

base:
  qubes:type:app:
    - match: pillar
    - a_state

But does not currently provide tags or features in pillar data.

To add tags to pillar data, copy /srv/salt/_pillar/qvm_prefs.py to /srv/salt/_pillar/qvm_tags.py. Then edit the ext_pillar function in qvm_tags.py to add a tags key to the qubes pillar dictionary and populate it with VM tags:

def ext_pillar(minion_id, pillar, *args, **kwargs):
  app = qubesadmin.Qubes()
  try:
    vm = app.domains[minion_id]
  except KeyError:
    return {}
  
  return { 'qubes': { 'tags': list(vm.tags) } }

Add the ext_pillar data source to the Salt minion configuration, /etc/salt/minion.d/qubes_ext_pillar.conf:

ext_pillar:
  ...
  - qvm_tags: []

Sync Salt modules to the Qubes Salt minion cache:

qubesctl saltutil.sync_all

Test by getting pillar items for a VM:

qubesctl --show-output --skip-dom0 --target=debian-9 pillar.items

Which should return:

debian-9:
      ----------
      ...
      qubes:
          ----------
          ...
          tags:
              - created-by-dom0
              - my-custom-tag

Target VMs with tags in top files:

base:
  qubes:tags:my-custom-tag:
    - match: pillar
    - my_custom_state

This is awesome @bcduggan, thanks for creating this gist. ✨

---

While I'm here, there is a minor typo in one of the code snippets:

- def ext_pillar(minin_id, pillar, *args, **kwargs):
+ def ext_pillar(minion_id, pillar, *args, **kwargs):

The argument is used a couple of lines below but honestly I doubt it would confuse anyone.

Thanks for the note, @gonzalo-bulnes! I updated the gist with your patch. Happy you found it useful!

Thanks @bcduggan, why don't you submit a PR upstream?