unofficial mirror of guix-devel@gnu.org 
* Declarative /etc/guix/acl?
@ 2020-10-11 10:39 Ludovic Courtès
  2020-10-11 11:07 ` Jan Nieuwenhuizen
  2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  0 siblings, 2 replies; 7+ messages in thread
From: Ludovic Courtès @ 2020-10-11 10:39 UTC (permalink / raw)
  To: guix-devel; +Cc: 39819

Hi!

For some reason, /etc/guix/acl is not declarative on Guix System: we let
users modify it and assume it’s stateful, which can surprise users as in
<https://issues.guix.gnu.org/39819>.

Should we make it declarative, just like most of /etc?  I think so.  For
a build farm like berlin, it would force admins to explicitly list all
the authorized keys in their config—annoying change, but not a bad
thing.

WDYT?

The problem is the transition.  We would need to at least create a
backup of /etc/guix/acl on the next activation, or better yet, warn
users or error out at reconfigure time.

Thoughts?

Ludo’.



* Re: Declarative /etc/guix/acl?
  2020-10-11 10:39 Declarative /etc/guix/acl? Ludovic Courtès
@ 2020-10-11 11:07 ` Jan Nieuwenhuizen
       [not found]   ` <87v9ffppvf.fsf@gnu.org>
  2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  1 sibling, 1 reply; 7+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-11 11:07 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 39819

Ludovic Courtès writes:

Hello!

> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
>
> Should we make it declarative, just like most of /etc?  I think so.

Yes, I think so too.  However, if you have your own substitute server,
you now can run guix archive --authorize < ..., e.g. at
bootstrap/install time.  For such cases, IWBN to have a --authorized-key
argument to guix build / guix system.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com



* Re: Declarative /etc/guix/acl?
       [not found]   ` <87v9ffppvf.fsf@gnu.org>
@ 2020-10-12 20:26     ` Jan Nieuwenhuizen
  0 siblings, 0 replies; 7+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-12 20:26 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 39819

Ludovic Courtès writes:

Hello,

> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> Ludovic Courtès writes:
>
>> However, if you have your own substitute server, you now can run guix
>> archive --authorize < ..., e.g. at bootstrap/install time.  For such
>> cases, IWBN to have a --authorized-key argument to guix build / guix
>> system.
>
> There’s already an ‘authorized-keys’ field in ‘guix-configuration’:
>
>   https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration
>
> So you would just list keys there.  Is that what you have in mind?
>
> The option is already there, it’s just non-authoritative.

I was thinking about the initial installer scenario; when guix-daemon is
already running and you didn't build the guix system yourself.  But
yeah, I guess this is an exceptional or corner case and you can always
build your own installer and add the key there.

Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com



* [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-11 10:39 Declarative /etc/guix/acl? Ludovic Courtès
  2020-10-11 11:07 ` Jan Nieuwenhuizen
@ 2020-10-21 15:08 ` Ludovic Courtès
  2020-10-21 16:06   ` Vagrant Cascadian
                     ` (2 more replies)
  1 sibling, 3 replies; 7+ messages in thread
From: Ludovic Courtès @ 2020-10-21 15:08 UTC (permalink / raw)
  To: 39819; +Cc: guix-devel

Fixes <https://bugs.gnu.org/39819>.
Reported by Maxim Cournoyer <maxim.cournoyer@gmail.com>.

* gnu/services/base.scm (substitute-key-authorization): Symlink
DEFAULT-ACL to /etc/guix/acl unconditionally.  Add code to optionally
back up /etc/guix/acl if it was possibly modified by hand.
* doc/guix.texi (Base Services): Clarify the effect of setting
'authorize-keys?' to true.  Mention the backup.  Give an example showing
how to authorize substitutes from another server.
---
 doc/guix.texi         | 36 ++++++++++++++++++++++++++++++++++++
 gnu/services/base.scm | 16 ++++++++++++----
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c161012da5..50d2d9a730 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14571,11 +14571,26 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
+When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+changed by invoking @command{guix archive --authorize}.  You must
+instead adjust @code{guix-configuration} as you wish and reconfigure the
+system.  This ensures that your operating system configuration file is
+self-contained.
+
+@quotation Note
+When booting or reconfiguring to a system where @code{authorize-keys?}
+is true, the existing @file{/etc/guix/acl} file is backed up as
+@file{/etc/guix/acl.bak} if it was determined to be a manually modified
+file.  This is to facilitate migration from earlier versions, which
+allowed for in-place modifications to @file{/etc/guix/acl}.
+@end quotation
+
 @vindex %default-authorized-guix-keys
 @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
 The list of authorized key files for archive imports, as a list of
 string-valued gexps (@pxref{Invoking guix archive}).  By default, it
 contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}).
+See @code{substitute-urls} below for an example on how to change it.
 
 @item @code{use-substitutes?} (default: @code{#t})
 Whether to use substitutes.
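Review bot: Both added paragraphs spell the field `authorize-keys?`, while the follow-up diff later in this thread changes the same two lines to `authorize-key?`; the manual has to match the `guix-configuration` field name exactly, because readers will copy it into their configuration. The note could also say what "determined to be a manually modified file" means in practice, so that administrators know when to expect `/etc/guix/acl.bak`.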
@@ -14583,6 +14598,27 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
+Support you would like to fetch substitutes from @code{guix.example.org}
+in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
+two things: (1) add @code{guix.example.org} to @code{substitute-urls},
+and (2) authorize its signing key, having done appropriate checks
+(@pxref{Substitute Server Authorization}).  The configuration below does
+exactly that:
+
+@lisp
+(guix-configuration
+  (substitute-urls
+   (append (list "https://guix.example.org")
+           %default-substitute-urls))
+  (authorized-keys
+   (append (list (local-file "./guix.example.org-key.pub"))
+           %default-authorized-guix-keys)))
+@end lisp
+
+This example assumes that the file @file{./guix.example.org-key.pub}
+contains the public key that @code{guix.example.org} uses to sign
+substitutes.
+
 @item @code{max-silent-time} (default: @code{0})
 @itemx @code{timeout} (default: @code{0})
 The number of seconds of silence and the number of seconds of activity,
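Review bot: Typo in the first added line: "Support you would like" should read "Suppose you would like". In step (2), "having done appropriate checks" carries the whole trust decision for the new key; a few words on what to check, or an explicit statement that the cross-referenced node covers it, would make the example safer to copy.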
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 04bc991356..37b0a13ea7 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1476,10 +1476,18 @@ archive' public keys, with GUIX."
     #~(begin
         (use-modules (guix build utils))
 
-        (unless (file-exists? "/etc/guix/acl")
-          (mkdir-p "/etc/guix")
-          (copy-file #+default-acl "/etc/guix/acl")
-          (chmod "/etc/guix/acl" #o600)))))
+        ;; If the ACL already exists, move it out of the way.  Create a backup
+        ;; if it's a regular file: it's likely that the user manually updated
+        ;; it with 'guix archive --authorize'.
+        (if (file-exists? "/etc/guix/acl")
+            (if (and (symbolic-link? "/etc/guix/acl")
+                     (store-file-name? (readlink "/etc/guix/acl")))
+                (delete-file "/etc/guix/acl")
+                (rename-file "/etc/guix/acl" "/etc/guix/acl.bak"))
+            (mkdir-p "/etc/guix"))
+
+        ;; Installed the declared ACL.
+        (symlink #+default-acl "/etc/guix/acl"))))
 
 (define %default-authorized-guix-keys
   ;; List of authorized substitute keys.
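Review bot: `file-exists?` follows symlinks, so when `/etc/guix/acl` is a dangling link the outer `if` takes the `mkdir-p` branch and the final `symlink` call then fails because the name is still taken; test the link itself rather than its target before deciding that nothing is there. Separately, `rename-file` to `/etc/guix/acl.bak` silently replaces a backup left by an earlier activation, and the comment "Installed the declared ACL" should read "Install".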
-- 
2.28.0
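
An audit an administrator can run after reconfiguring, following the commit message above (added example, not part of the original message or of Guix): it reports whether /etc/guix/acl is the declared symlink and lists keys that remain only in /etc/guix/acl.bak. The function names, the optional directory and store arguments, and the `(q #...#)` extraction are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.  DIR and STORE are parameters so the
# audit can run on a copy; the defaults are the paths named in the patch.

# Print "declarative" (symlink into the store), "manual" or "missing".
acl_state() {
  dir=${1:-/etc/guix}; store=${2:-/gnu/store}
  if [ -L "$dir/acl" ]; then
    case "$(readlink "$dir/acl")" in
      "$store"/*) echo declarative ;;
      *)          echo manual ;;
    esac
  elif [ -e "$dir/acl" ]; then
    echo manual
  else
    echo missing
  fi
}

# Print the key points, i.e. the hex between '#' in each (q #...#) element,
# of an ACL file: one per line, upper-cased, sorted.  Assumes the
# s-expression layout that 'guix archive --authorize' writes.
acl_keys() {
  [ -r "$1" ] || return 0
  tr -d ' \t\n' < "$1" | { grep -o '(q#[0-9A-Fa-f]*#)' || true; } |
    tr -d '(q#)' | tr 'a-f' 'A-F' | sort -u
}

# Print keys found in DIR/acl.bak but not in DIR/acl: keys that were
# authorized by hand and are no longer trusted after activation.
dropped_keys() {
  dir=${1:-/etc/guix}
  old=$(mktemp); new=$(mktemp)
  acl_keys "$dir/acl.bak" > "$old"
  acl_keys "$dir/acl" > "$new"
  comm -23 "$old" "$new"
  rm -f "$old" "$new"
}

# Read-only report; with no arguments it inspects /etc/guix.
acl_report() {
  echo "acl state: $(acl_state "$@")"
  dropped_keys "$1" | sed 's/^/in acl.bak only: /'
}

acl_report "$@"
```

Every key listed as "in acl.bak only" has to be added to `authorized-keys` in the system configuration if substitutes signed with it should still be accepted.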




* Re: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
@ 2020-10-21 16:06   ` Vagrant Cascadian
  2020-10-24 23:08   ` bug#39819: " Ludovic Courtès
  2020-10-24 23:11   ` Ludovic Courtès
  2 siblings, 0 replies; 7+ messages in thread
From: Vagrant Cascadian @ 2020-10-21 16:06 UTC (permalink / raw)
  To: Ludovic Courtès, 39819; +Cc: guix-devel


On 2020-10-21, Ludovic Courtès wrote:
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c161012da5..50d2d9a730 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
...
> @@ -14583,6 +14598,27 @@ Whether to use substitutes.
>  @item @code{substitute-urls} (default: @code{%default-substitute-urls})
>  The list of URLs where to look for substitutes by default.
>  
> +Support you would like to fetch substitutes from @code{guix.example.org}

(substitute* "Support" "Suppose")

?

> +in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
> +two things: (1) add @code{guix.example.org} to @code{substitute-urls},
> +and (2) authorize its signing key, having done appropriate checks
> +(@pxref{Substitute Server Authorization}).  The configuration below does
> +exactly that:
> +
> +@lisp
> +(guix-configuration
> +  (substitute-urls
> +   (append (list "https://guix.example.org")
> +           %default-substitute-urls))
> +  (authorized-keys
> +   (append (list (local-file "./guix.example.org-key.pub"))
> +           %default-authorized-guix-keys)))
> +@end lisp
> +
> +This example assumes that the file @file{./guix.example.org-key.pub}
> +contains the public key that @code{guix.example.org} uses to sign
> +substitutes.
> +
>  @item @code{max-silent-time} (default: @code{0})
>  @itemx @code{timeout} (default: @code{0})
>  The number of seconds of silence and the number of seconds of activity,
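Review bot: The example's `append` puts `https://guix.example.org` ahead of `%default-substitute-urls`, but the text never says whether the order of `substitute-urls` matters; one sentence on that would tell readers whether to prepend or append. Item (1) also says to add `guix.example.org`, where the example adds the full `https://` URL.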


* Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  2020-10-21 16:06   ` Vagrant Cascadian
@ 2020-10-24 23:08   ` Ludovic Courtès
  2020-10-24 23:11   ` Ludovic Courtès
  2 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2020-10-24 23:08 UTC (permalink / raw)
  To: 39819-done; +Cc: guix-devel


Hello!

I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.

Let me know if anything is amiss!

Thanks,
Ludo’.


[-- Attachment #2: Type: text/x-patch, Size: 2690 bytes --]

diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
 changed by invoking @command{guix archive --authorize}.  You must
 instead adjust @code{guix-configuration} as you wish and reconfigure the
 system.  This ensures that your operating system configuration file is
 self-contained.
 
 @quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
 is true, the existing @file{/etc/guix/acl} file is backed up as
 @file{/etc/guix/acl.bak} if it was determined to be a manually modified
 file.  This is to facilitate migration from earlier versions, which
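Review bot: The text still describes only the case where `authorize-key?` is true; it should also say what happens to `/etc/guix/acl` when the field is false, since the `virtualization.scm` change in this same patch relies on that case to keep a pre-initialized ACL from being overridden at activation time. A sentence stating that the file is then left untouched and remains the administrator's responsibility would close the gap.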
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
 in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
 two things: (1) add @code{guix.example.org} to @code{substitute-urls},
 and (2) authorize its signing key, having done appropriate checks
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
                          (permit-root-login #t)
                          (allow-empty-passwords? #t)
                          (password-authentication? #t)))
-               %base-services/hurd))))
+
+               ;; By default, the secret service introduces a pre-initialized
+               ;; /etc/guix/acl file in the childhurd.  Thus, clear
+               ;; 'authorize-key?' so that it's not overridden at activation
+               ;; time.
+               (modify-services %base-services/hurd
+                 (guix-service-type config =>
+                                    (guix-configuration
+                                     (inherit config)
+                                     (authorize-key? #f))))))))
 
 (define-record-type* <hurd-vm-configuration>
   hurd-vm-configuration make-hurd-vm-configuration
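Review bot: `authorize-key?` is cleared unconditionally in the `modify-services` form, while the comment justifies it with what the secret service does "by default"; when the secret service is turned off, nothing installs `/etc/guix/acl` in the childhurd. Consider making the override depend on the secret-service setting, or document that users who disable it must set `authorize-key?` back to true themselves.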


* Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-21 15:08 ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  2020-10-21 16:06   ` Vagrant Cascadian
  2020-10-24 23:08   ` bug#39819: " Ludovic Courtès
@ 2020-10-24 23:11   ` Ludovic Courtès
  2 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2020-10-24 23:11 UTC (permalink / raw)
  To: 39819; +Cc: guix-devel


BTW, attached is the script I used to retrieve the signing keys of all
the build nodes of the build farm so we can have them declared in the
config of the head node.  You may find it handy if you have a similar
setup!

Ludo’.


[-- Attachment #2: the code --]
[-- Type: text/plain, Size: 1651 bytes --]

(use-modules (guix scripts offload)
             (guix ssh)
             (guix inferior)
             (ssh session)
             (srfi srfi-34)
             (ice-9 match))

(define open-ssh-session
  (@@ (guix scripts offload) open-ssh-session))

(define build-machine-name (@@ (guix scripts offload) build-machine-name))
(define build-machine-port (@@ (guix scripts offload) build-machine-port))

(define (fetch-key machine)
  (format #t "fetching key from ~s...~%" machine)
  (let* ((session  (open-ssh-session machine 5))
         (inferior (remote-inferior session)))
    (define key
      (inferior-eval '(begin
                        (use-modules (rnrs io ports))

                        (with-fluids ((%default-port-encoding "ISO-8859-1"))
                          (call-with-input-file "/etc/guix/signing-key.pub"
                            get-string-all)))
                     inferior))

    (define file
      (string-append (build-machine-name machine)
                     (match (build-machine-port machine)
                       (22 "")
                       (port
                        (string-append ":"
                                       (number->string
                                        port))))
                     ".pub"))

    (with-fluids ((%default-port-encoding "ISO-8859-1"))
      (call-with-output-file file
        (lambda (port)
          (display key port))))

    (close-inferior inferior)
    (disconnect! session)))

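;; Load the offload machine list and fetch each node's key.  A failure on
;; one machine is printed with 'pk' and the loop carries on with the next.
(let ((machines (load "/etc/guix/machines.scm")))
  (for-each (lambda (machine)
              ;; 'guard' clauses follow 'cond' syntax, hence the #t test.
              (guard (c (#t (pk 'fail c)))
                (fetch-key machine)))
            machines))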
