-- Leo's gemini proxy
-- Connecting to perso.pw:1965...
-- Connected
-- Sending request
-- Meta line: 20 text/gemini;
Author: Solène
Date: 17 June 2023
Tags: security qubesos git
In a previous article, I explained how to use Fossil version control system to version the files you may write in dom0 and sync them against a remote repository.
I figured how to synchronize a git repository between an AppVM and dom0, then from the AppVM it can be synchronized remotely if you want. This can be done using the git feature named bundle, which bundle git artifacts into a single file.
In this setup, you will create a git repository (this could be a clone of a remote repository) in an AppVM called Dev, and you will clone it from there into dom0.
Then, you will learn how to send and receive changes between the AppVM repo and the one in dom0, using git bundle.
The first step is to have git installed in your AppVM and in dom0.
For the sake of simplicity for the guide, the path `/tmp/repo/` refers to the git repository location in both dom0 and the AppVM, don't forget to adapt to your setup.
In the AppVM Dev, create a git repository using `cd /tmp/ && git init repo`. We need a first commit for the setup to work because we can't bundle commits if there is nothing. So, commit at least one file in that repo, if you have no idea, you can write a short README.md file explaining what this repository is for.
In dom0, use the following command:
qvm-run -u user --pass-io Dev "cd /tmp/repo/ && git bundle create - master" > /tmp/git.bundle cd /tmp/ && git clone -b master /tmp/git.bundle repo
Congratulations, you cloned the repository into dom0 using the bundle file, the path `/tmp/git.bundle` is important because it's automatically set as URL for the remote named "origin". If you want to manage multiple git repositories this way, you should use a different name for this exchange file for each repo.
[solene@dom0 repo]$ git remote -v origin /tmp/git.bundle (fetch) origin /tmp/git.bundle (push)
Back to the AppVM Dev, run the following command in the git repository, this will configure the bundle file to use for the remote dom0. Like previously, you can pick the name you prefer.
git remote add dom0 /tmp/dom0.bundle
Now, let's explain the workflow to exchange data between the AppVM and dom0. From here, we will only use dom0.
Create a file `push.sh` in your git repository with the content:
#!/bin/sh
REPO="/tmp/repo/"
BRANCH=master
# setup on the AppVM
# git remote add dom0 /tmp/dom0.bundle
git bundle create - origin/master..master | \
qvm-run -u user --pass-io Dev "cat > /tmp/dom0.bundle"
qvm-run -u user --pass-io Dev "cd ${REPO} && git pull -r dom0 ${BRANCH}"
Create a file `pull.sh` in your git repository with the content:
#!/bin/sh
REPO="/tmp/repo/"
BRANCH=master
# init the repo on dom0
# git clone -b ${BRANCH} /tmp/git.bundle
qvm-run -u user --pass-io Dev "cd ${REPO} && git bundle create - dom0/master..${BRANCH}" > /tmp/git.bundle
git pull -r
Make the files `push.sh` and `pull.sh` executable.
If you don't want to have the files committed in your repository, add their names to the file `.gitignore`.
Now, you are able to send changes to the AppVM repo using `./push.sh`, and receive changes using `./pull.sh`.
If needed, those scripts could be made more generic and moved in a directory in your PATH instead of being used from within the git repository.
Here are some explanations about those two scripts.
In the script `push.sh`, `git bundle` is used to send a bundle file over stdout containing artifacts from the remote AppVM last known commit up to the latest commit in the current repository, hence origin/master..master range. This data is piped into the file `/tmp/dom0.bundle` in the AppVm, and was configured earlier as a remote for the repository.
Then, the command `git pull -r dom0 master` is used to fetch the changes from the bundle, and rebase the current repository, exactly like you would do with a "real" remote over the network.
In the script `pull.sh`, we run the `git bundle` from within the AppVM Dev to generate on stdout the bundle from the last known state of dom0 up to the latest commit in the branch master, and pipe into the dom0 file `/tmp/git.bundle`, remember that this file is the remote origin in dom0's clone.
After the bundle creation, a regular `git pull -r` is used to fetch the changes, and rebase the repository.
If you use different branches, this could require adding an extra parameter to the script to make the variable BRANCH configurable.
I find this setup really elegant, the safe `qvm-run` is used to exchange static data between dom0 and the AppVM, no network is involved in the process. Now there is no reason to have dom0 configuration file not properly tracked within a version control system :)
-- Response ended
-- Page fetched on Mon May 6 07:47:03 2024