Subject: bug#71238: Installer image consistently fails to run system init due to TLS error
From: adanskana@gmail.com
To: Richard Sent, 71238@debbugs.gnu.org, ekaitz@elenq.tech, lars.bilke@ufz.de, ludo@gnu.org
Date: Tue, 28 May 2024 05:36:09 +0000
In-Reply-To: <87y17u7dfu.fsf@freakingpenguin.com>
List-Id: Bug reports for GNU Guix

Hi Richard

On 5/28/24 4:44 AM, Richard Sent wrote:
> Richard Sent writes:
>
> > What the heck is going on here? Those two images are wildly different
> > and are downloading wildly different sets of substitutes.
>
> Bad news. I connected my device to a different network with just an
> ordinary consumer router and the installation succeeded (using the guix
> 00384aed media). Ordinarily my devices are behind an opnsense router with a
> /very/ lightly-customized firewall. To me, this means there are three
> possibilities, none of which is particularly comforting:
>
> 1. There was a transient network issue for ~3 hours when I attempted to
> install Guix ~4 times using different installation media that caused a
> specific TLS handshake to fail.
>
> 2. A specific TLS handshake Guix undertakes during the installation
> process fails to pass one of the built-in firewall rules shipped with
> opnsense.
>
> 3. Some other odd aspect of my network messes things up for a specific
> TLS handshake.
>
> My money is on 2 given how this is a seemingly common issue on
> enterprise networks [1] and the rules I have added seem irrelevant. (I'd
> rather not talk openly about my firewall rules in an archived public
> forum, but can discuss off-list). However, there is another comment in
> that thread that says IT didn't notice any firewall blocking.
>
> >> Sometimes, usually when I'm on an enterprise network like my
> >> university's or library's wifi, the `guix substitute` process dies
> >> with a "TLS error in procedure 'write_to_session_record_port': Error
> >> in the push function" error message. My connection is rock-solid
> >> otherwise, and sometimes it doesn't happen at all.

I was actually going to reopen this issue, as I'm still encountering
this bug in the exact same scenarios. Nothing has changed at all.

> > I get the same error on guix pull almost always when I am on my
> > enterprise network. Re-running guix pull a second time also almost
> > always then runs fine. I checked with our IT: nothing suspicious on
> > the network, i.e. no firewall blocking.
>
> Running Guix pull to work around the problem is great...... unless
> you're trying to install Guix via the guided installer! :) In my case it
> also wasn't guix pull that was failing.
>
> I want to emphasize that the error occurred in the same phase of the
> installer every time, it was not the first handshake, no other machine
> has ever had this issue, and the installer was (3/4 times) on a commit
> that should include the fix described in [1].
>
> I'm happy to assist with debugging this, although I'm not some TLS
> networking genius so trying to solve it outright is probably beyond me.
> I'd also LOVE to hear if other people using a largely stock opnsense or
> other firewall software encountered this issue, particularly with the
> installation media.

Same, I'm happy to assist. The test that Ludo' provided to try and
reproduce the bug doesn't work as referenced in previous emails. Is
there some way I can attach a debugger to a guile process running
`guix upgrade` or something like that?

>
> At some point I'll attempt to gradually "de-enterprise" parts of my
> network and see exactly when (if ever) the problem is resolved. Due to
> the nature of the problem, reliably reproducing it in the future will be
> a challenge.
>
> CC'ing people involved in [1] because this is just so weird and I don't
> want it to be consigned to the dustbins of history. I don't think we
> heard anyone with the issue explicitly say the fix resolved or at least
> mitigated the problem.

Thanks for CC'ing me. Yes, the problem was never resolved. For someone
just upgrading their system, it's annoying, but can be mitigated pretty
easily. For someone trying to install Guix, on the other hand, this is
an intensely annoying problem. After my exams are finished in a couple
weeks I want to try and fix this problem and also upgrade GRUB to fix
issues with it recognising ext4 partitions with certain features enabled
properly.

>
> [1]: https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00150.html
>

Anyway, please let me know how I can help. If someone could help me
attaching some sort of debugger, I can reproduce the error fairly easily
on my uni's wifi if I do a `guix gc -d 2w && guix upgrade && sudo guix
system reconfigure config.scm`. The sheer number of substitutes
downloaded seems to be enough for it to happen at least once.

Warmly,
Ada