From: "Ludovic Courtès" <ludo@gnu.org>
To: zimoun <zimon.toutoune@gmail.com>
Cc: 52517-done@debbugs.gnu.org
Subject: bug#52517: inconstency with offloading
Date: Mon, 03 Jan 2022 19:30:37 +0100 [thread overview]
Message-ID: <87k0fgfz8y.fsf@gnu.org> (raw)
In-Reply-To: <86czl8viwt.fsf@gmail.com> (zimoun's message of "Mon, 03 Jan 2022 18:16:50 +0100")
Hi,
zimoun <zimon.toutoune@gmail.com> skribis:
> On Mon, 03 Jan 2022 at 17:52, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> This is because guix-daemon spawns ‘guix offload’ as root.
>
> Yes. The issue is I cannot offload to a machine where I have an SSH
> account and where Guix is installed if the sysadmin does not configure
> correctly this /root/.ssh/.
True. That’s admittedly not as flexible as it could be.
Interestingly, GUIX_DAEMON_SOCKET=ssh://… almost achieves that.
Perhaps we could implement “user-level offloading”, probably in addition
to system-wide offloading? Food for thought…
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index 43549da388..9c1f30e83f 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -1250,9 +1250,10 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
>> (systems (list "aarch64-linux"))
>> (host-key "ssh-rsa AAAAB3Nza@dots{}")
>> (user "alice")
>> - (private-key
>> - (string-append (getenv "HOME")
>> - "/.ssh/identity-for-guix"))))
>> +
>> + ;; Remember 'guix offload' is spawned by
>> + ;; 'guix-daemon' as root.
>> + (private-key "/root/.ssh/identity-for-guix")))
>
> This patch LGTM. At least, it could save time for people configuring
> offload. :-)
Alright, committing.
> I am fine to close the issue but, as I said, the fix seems to be able to
> offload without root access but just an SSH access.
Yes, we can discuss that separately.
A simple design would be to have clients install a “build handler”; when
the handler is called, it selects a machine, open a remote store
connection, copies missing inputs, starts the build, retrieves
outputs—all that from the client. Of course admins still have to
authorize keys both ways, but at least that gives more flexibility. (We
could also have a model where keys are authorized just one-way.)
Thanks,
Ludo’.
next prev parent reply other threads:[~2022-01-03 18:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-15 17:02 bug#52517: inconstency with offloading zimoun
2021-12-16 4:09 ` Maxim Cournoyer
2022-01-03 16:52 ` Ludovic Courtès
2022-01-03 17:16 ` zimoun
2022-01-03 18:30 ` Ludovic Courtès [this message]
2022-01-03 19:19 ` zimoun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k0fgfz8y.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=52517-done@debbugs.gnu.org \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).