From: zerodaysfordays@sdf.lonestar.org (Jakob L. Kreuze)
Subject: Re: “Towards Guix for DevOps”
Date: Fri, 26 Jul 2019 10:17:01 -0400
Message-ID: <87r26clw2q.fsf@sdf.lonestar.org>
References: <871ryvgow6.fsf@gnu.org> <87imrp40vy.fsf@gmail.com>
In-Reply-To: <87imrp40vy.fsf@gmail.com> (Alex Sassmannshausen's message of "Fri, 26 Jul 2019 10:10:25 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Alex Sassmannshausen
Cc: guix-devel@gnu.org

Hi Alex,

Alex Sassmannshausen writes:

> Hello,
>
> I just wanted to drop a quick note on the guix deploy work carried out
> by Jakob.
>
> I've started using it to manage servers, and it seems to work an
> absolute charm. Congratulations to all involved.

That's awesome. Hearing another success story with 'guix deploy'
absolutely made my day.

> I did hit the following small stumbling blocks:
>
> - When first running guix deploy it complained about a missing
>   /etc/guix/signing-key.sec. I fairly quickly realised that deploy
>   probably used archive infrastructure, so figured out how to generate
>   the keys. But maybe the manual should contain a line about this?

Excellent suggestion, I'll see about submitting a patch to mention that
in the manual. The idea to automatically authorize the coordinator
machine's signing key has been rolling around in my mind since I started
on this, since something like that would fall into the category of
"provisioning".

> - The machine-ssh-configuration allows for the specification of users
>   other than root, but my understanding is that only root will allow for
>   a successful deployment (because root is required to actually
>   reconfigure the target system). I don't know what conclusions to draw
>   from this, as I'm not 100% on the roadmap for development. But maybe
>   for now, this could be a gotcha for new users.

That's correct. This is another area where I'm not quite sure what the
optimal solution would be; conventional wisdom suggests that a server's
SSH daemon should be configured to disallow root login, which makes me
think that we should implement some sort of privilege escalation with
'sudo', but I'm open to additional suggestions.

Thank you very much for your comments :)

Regards,
Jakob
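The two stumbling blocks in the message above (the missing /etc/guix/signing-key.sec, and the fact that 'guix deploy' needs to log in as root) can both be handled from the deployment file itself. The following deploy.scm is an added example written for this page; it is not code from the thread or from Guix. The host name, key file names, SSH identity path and disk layout are made-up placeholders, and the field spellings follow current Guix (mid-2019 Guix wrote the bootloader field as (target "/dev/sda") and the sshd value as 'without-password).

```scheme
;; deploy.scm: added example, not from the thread or the Guix manual.
;; It addresses both items from the message above in one machine
;; definition:
;;   1. the target's guix-daemon authorizes the coordinator's
;;      /etc/guix/signing-key.pub, so 'guix deploy' can push signed
;;      store items to it;
;;   2. root SSH login is limited to public-key authentication with
;;      password authentication off, so (user "root") can stay in the
;;      machine-ssh-configuration without exposing password login.
;;
;; Assumptions (placeholders, not real hosts or keys): the coordinator's
;; public signing key has been copied next to this file as
;; coordinator-signing-key.pub (produced by 'guix archive --generate-key'
;; run as root on the coordinator), the coordinator's SSH public key as
;; coordinator-ssh-key.pub, and the target boots from /dev/sda with a
;; single ext4 root partition on /dev/sda1.

(use-modules (gnu)
             (gnu machine)
             (gnu machine ssh))
(use-service-modules networking ssh)
(use-package-modules bootloaders)

;; Public keys shipped into the target's configuration; both files are
;; assumed to sit beside deploy.scm on the coordinator.
(define %coordinator-signing-key (local-file "coordinator-signing-key.pub"))
(define %coordinator-ssh-key (local-file "coordinator-ssh-key.pub"))

(define %system
  (operating-system
    (host-name "deployed-host")
    (timezone "Etc/UTC")
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets '("/dev/sda"))))
    (file-systems (cons (file-system
                          (mount-point "/")
                          (device "/dev/sda1")
                          (type "ext4"))
                        %base-file-systems))
    (services
     (cons* (service dhcp-client-service-type)
            ;; sshd: root may log in, but only with a key, and password
            ;; authentication is disabled for every account.  This is
            ;; the "allow root, but never root-with-password" middle
            ;; ground between the two positions in the message above.
            (service openssh-service-type
                     (openssh-configuration
                      (permit-root-login 'prohibit-password)
                      (password-authentication? #f)
                      (authorized-keys
                       `(("root" ,%coordinator-ssh-key)))))
            ;; guix-daemon: accept archives signed by the coordinator's
            ;; signing key in addition to the default substitute key(s).
            ;; Keeping this in the OS configuration means every later
            ;; reconfigure preserves the authorization.
            (modify-services %base-services
              (guix-service-type config =>
                                 (guix-configuration
                                  (inherit config)
                                  (authorized-keys
                                   (cons %coordinator-signing-key
                                         %default-authorized-guix-keys)))))))))

;; The machine list that 'guix deploy' reads.  'user' must be "root" for
;; the reconfigure step to succeed, as the message above notes; 'identity'
;; is the path, on the coordinator, of the private half of
;; %coordinator-ssh-key.
(list (machine
       (operating-system %system)
       (environment managed-host-environment-type)
       (configuration (machine-ssh-configuration
                       (host-name "deployed-host.example")
                       (system "x86_64-linux")
                       (user "root")
                       (identity "/root/.ssh/id_ed25519")
                       (port 22)))))
```

Run it with guix deploy deploy.scm from the coordinator. Note the bootstrap problem this file does not solve: the very first deployment can only succeed if the target already accepts the coordinator's SSH key for root and already has the signing key authorized (guix archive --authorize < coordinator-signing-key.pub, run on the target by hand). After that first run, the configuration above keeps both authorizations in place, which is the "provisioning" gap the message refers to.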