From: Ludovic Courtès
To: Ricardo Wurmus
Cc: guix-devel@gnu.org
Subject: Re: Make guix-publish's URL identical to cache file name
Date: Sun, 08 Nov 2020 18:08:19 +0100

Hi,

Ricardo Wurmus wrote:

> Ludovic Courtès writes:
>
>> The simplest solution for now (I think that’s what Ricardo & co. had in
>> mind) would be for you to retrieve /var/cache/guix/publish on your
>> server, as is, and then run ‘guix publish’ on your server: it will know
>> where to find files. As I wrote to Jonathan, you can/should also run
>> nginx on top of that as a proxy to your local ‘guix publish’.
>>
>> Ricardo, can you remind us what the next steps would be?
>
> We need to make sure that *all* the files produced by “guix publish”
> have correct permissions; IIRC some of the files are not readable at all
> by users other than the owner of the files.

Oops, I had forgotten, my bad. I’ll push the attached patch later
today.

Next we’ll need to update the ‘guix’ package, restart ‘guix publish’ on
berlin, and chmod a+r -R /var/cache/guix/publish.

> Once that’s done we just need to start the rsync daemon again,
> preferably as a shepherd service.

Yes.

Sounds like we have a plan!

Peng Mei Yu: make sure to ping us in the coming weeks if you don’t hear
from us by then!

Thanks,
Ludo’.

diff --git a/guix/scripts/publish.scm b/guix/scripts/publish.scm index e8faf379e2..e3c8711f5b 100644 --- a/guix/scripts/publish.scm +++ b/guix/scripts/publish.scm @@ -583,7 +583,10 @@ requested using POOL." ;; guarantee the TTL (see .) (with-atomic-file-output nar (lambda (port) - (write-file item port)))))) + (write-file item port) + ;; Make the file world-readable, contrary to what + ;; 'with-atomic-file-output' does. + (chmod port (logand #o644 (lognot (umask))))))))) (define* (bake-narinfo+nar cache item #:key ttl (compressions (list %no-compression)) 
@@ -615,7 +618,12 @@ requested using POOL." #:nar-path nar-path #:compressions compressions #:file-sizes sizes) - port))))) + port))) + + ;; Make the cached narinfo world-readable, contrary to what + ;; 'with-atomic-file-output' does, so that other users can rsync + ;; the whole cache. + (chmod port (logand #o644 (lognot (umask)))))) ;; Make narinfo files for OTHERS hard links to NARINFO such that the ;; atime-based cache eviction considers either all the nars or none diff --git a/tests/publish.scm b/tests/publish.scm index e46e6256b7..cafd0f13a2 100644 --- a/tests/publish.scm +++ b/tests/publish.scm @@ -434,6 +434,11 @@ References: ~%" (< ttl 3600))) (wait-for-file cached) + + ;; Both the narinfo and nar should be world-readable. + (= #o644 (stat:perms (lstat cached))) + (= #o644 (stat:perms (lstat nar))) + (let* ((body (http-get-port url)) (compressed (http-get nar-url)) (uncompressed (http-get (string-append base "nar/" --=-=-=--
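
Review bot: in the nar hunk of guix/scripts/publish.scm (@@ -583), the comment says the file is made world-readable, but the mode passed is (logand #o644 (lognot (umask))), so under a umask such as 077 the nar stays at #o600, which is the unreadable-by-others state the thread is trying to fix. Either chmod to #o644 unconditionally or reword the comment to say the umask is honoured. This comment also gives no reason for the change, while the narinfo hunk mentions rsync; one sentence of rationale here would help.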
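
Review bot: the narinfo hunk of guix/scripts/publish.scm (@@ -615) repeats (chmod port (logand #o644 (lognot (umask)))) verbatim from the nar hunk. A small shared helper used at both call sites would keep the mode computation in one place, so a later change to the mask cannot leave nars and narinfos with different permissions.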
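
Review bot: in tests/publish.scm (@@ -434), both assertions compare against the literal #o644 while the code under test applies (logand #o644 (lognot (umask))), so the test fails under any umask that clears a bit of 644, for example 027 or 077. Compute the expected value the same way or set the umask explicitly in the test. The two (= ...) forms also only count if the enclosing form combines their results (for example an 'and'), which the context lines here do not show; worth confirming.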
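
A check for the plan in the message above (every entry under the cache readable by users other than the owner, so the cache can be rsynced), written as an added example that is not part of the original message or of Guix. The function names and the sample file names are assumptions made for illustration; the default path is the one named in the message.

```shell
#!/bin/sh
# Added example: list entries under a cache directory that a user other
# than the owner could not read.

# Print every regular file lacking the other-read bit and every directory
# lacking other-read or other-search (rsync needs both to descend).
unreadable_entries() {
    find "$1" \( -type f ! -perm -004 -print \) -o \
              \( -type d ! -perm -005 -print \)
}

# Return 0 when nothing is reported, 1 otherwise; print the offenders.
audit_cache() {
    dir=${1:-/var/cache/guix/publish}
    bad=$(unreadable_entries "$dir")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical names): one nar left at 0600, as a
# temp-file-then-rename writer would leave it, and one narinfo at 0644.
make_sample_cache() {
    d=$(mktemp -d)
    mkdir -p "$d/gzip"
    : > "$d/gzip/sample.nar"
    : > "$d/gzip/sample.narinfo"
    chmod 600 "$d/gzip/sample.nar"
    chmod 644 "$d/gzip/sample.narinfo"
    chmod 755 "$d" "$d/gzip"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree only.
sample=$(make_sample_cache)
audit_cache "$sample" || echo "entries above are not readable by others"
rm -rf "$sample"
```

Run `audit_cache` with no argument on the server after the recursive chmod; an empty result means an unprivileged rsync user can read the whole tree.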