From: ludo@gnu.org (Ludovic Courtès)
To: "Thompson, David" <dthompson2@worcester.edu>
Cc: Guix-devel <guix-devel@gnu.org>
Subject: Re: Status of "GuixOps"?
Date: Fri, 06 Oct 2017 15:18:28 +0200 [thread overview]
Message-ID: <877ew8pg7v.fsf@gnu.org> (raw)
In-Reply-To: <CAJ=RwfbFFL89_Jvs8w50mHh_3Ks2_kbbckBXuRvb8szGdUHs5g@mail.gmail.com> (David Thompson's message of "Fri, 22 Sep 2017 11:50:53 -0400")
Hi!
"Thompson, David" <dthompson2@worcester.edu> skribis:
> On Sun, Sep 17, 2017 at 2:34 PM, Hartmut Goebel
> <h.goebel@crazy-compilers.com> wrote:
[...]
>> Q1: I did not follow the development closely, but I seem to recall that
>> there is some guix sub-command for configuring a remote system. But
>> grepping the manual for "remote", I did not find it, neither one of the
>> commands did attract me. How is it called?
>
> I haven't tried it but I think Ludo said that it was going to be a
> flag to 'guix system'. Has that code been merged? Not being able to
> easily connect to a remote daemon is what blocked me when I first
> tried writing 'guix deploy'.
The idea that I had in mind is to support:
guix system reconfigure --target=host.example.org config.scm
which would build locally and send the new system (or build it directly
on the target), and then run remotely the effectful bits of
‘reconfigure’: running activation scripts, upgrading Shepherd services.
To get there, the idea I have is to:
1. Isolate the effectful bits in (guix scripts system) and wrap them
in gexps.
2. Provide ‘eval-gexp’ (which would combine ‘build-derivations’ and
‘eval’) and ‘eval-gexp-remotely’ (likewise, but it would use
Guile-SSH’s ‘node-eval’ to evaluate the gexp remotely.)
3. Change (guix scripts system) to use ‘eval-gexp’ or
‘eval-gexp-remotely’ depending on whether --target was found.
This is just a subset of the functionality in you envision for ‘guix
deploy’, David, but it’s a good building block and useful in its own.
> I don't think that is the best approach, or at least it should not be
> an approach that GuixSD users *have to* use. I use Chef at work, and
> the equivalent technology there is called "encrypted data bags"
> (terrible name, I know). They are a pain and thus we do not manage
> secrets with it. You're right, everything in the store is
> world-readable, therefore you should never store secrets there. The
> most important thing to know is that secrets are stateful, which
> contrasts with many things in Guix that are stateless. Secrets can't
> be configured at build-time, it has to be done at runtime. So how do
> we get secrets onto machines? I think this is a job for GuixSD system
> services. Let's take for example a web application that connects to a
> MariaDB database. When the web application service starts, it will
> fetch the database password from the secret store and initialize the
> application with it by whatever means is supported (command line flag,
> environment variable, etc.). The secrets store could be a local
> GPG-encrypted file (getting the decryption key onto the machine is
> non-trivial, of course) or an external service. To give you an idea
> of the possibilities available when it comes to secrets management,
> I'll give a more complex example. All of my experience with this is
> with Amazon web services, so if you don't know AWS stuff you can skip
> this part but I'll describe it anyway for people that might be
> interested: EC2 instances are assigned an IAM role that allows them to
> decrypt a set of secrets that have been encrypted using a KMS key.
> The encrypted secrets happen to be stored in a DynamoDB table. A
> command line tool for fetching the secrets is installed on the
> instances and is integrated into the application startup processes
> that need secrets. When we want to rotate a key, we replace the
> DynamoDB record with a new one and restart the relevant services.
> Whether the secrets are stored in an encrypted file on each machine or
> in some external database, the basic process is the same: applications
> will receive their secrets when they are started, not when the system
> is configured.
Sounds interesting. We don’t have a good story on how to deal with
secrets currently, and this is problematic for deployments.
>> Q3: One of DepOps' main features for me is easy use and the automatic
>> refresh of Let's Encrypt certificates. Basically I just say: "Create
>> certificates for hostnames A, B, C" and everything happens
>> automatically: Configuration of nginx, creating the CSR, requesting the
>> certificate, renewal, etc. What is the status for something like this
>> for GuixSD?
>
> We have an nginx service, so you can write a configuration that points
> to certs generated by Let's Encrypt. The cron service could be
> configured to periodically run the Let's Encrypt tool that refreshes
> the certificates periodically. The pieces are all there, you just
> need to put them together. This is what I plan to do when I finally
> get around to switching my VPS from Debian to GuixSD. Since this is
> all just Scheme code, we could write abstractions that make this
> common use-case "just work" for people so they don't have to worry
> about the details. One step at a time. :)
There’s even a patch that brings a Cerbot service!
https://bugs.gnu.org/26685
People commented on it but the patch still needs love to reach its final
form. Maybe you can help? :-)
Thanks,
Ludo’.
prev parent reply other threads:[~2017-10-06 13:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-17 18:34 Status of "GuixOps"? Hartmut Goebel
2017-09-18 10:48 ` Ricardo Wurmus
2017-09-21 4:54 ` Christopher Allan Webber
2017-09-22 15:50 ` Thompson, David
2017-10-06 13:18 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877ew8pg7v.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=dthompson2@worcester.edu \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).