Ludovic Courtès writes:

Hi!

> "Jan (janneke) Nieuwenhuizen" skribis:
>>
>> +@example
>> +/etc/childhurd/etc/guix/signing-key.pub
>> +/etc/childhurd/etc/guix/signing-key.sec
>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key
>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>> +@end example
>
> Would it make sense to have a list of source/target pairs instead of a
> directory:
>
>   (("/etc/childhurd/pubkey" . "/etc/guix/signing-key.pub")
>    …)
>
> ?

We could do that... I'm not opposed to it, and in fact I thought about
something like this, but then opted for the file system root idea because
I didn't see the need for adding this extra indirection.  If you think
it's a good idea, sure.  Postponed that for now, though.

>> +  ;; #:use-module (ssh auth)
>> +  ;; #:use-module (ssh channel)
>> +  ;; #:use-module (ssh session)
>> +  ;; #:use-module (ssh sftp)
>> +
>> +  #:autoload (ssh auth) (userauth-password!)
>
> You could add the file to MODULES_NOT_COMPILED in gnu/local.mk to avoid
> the autoload dance.

Ah, right, thanks, good to know.  Following another path now, so I'm
leaving this for a bit.

>> +(define* (hurd-vm-copy-secrets port secret-root #:key (retry 20))
>> +  "Copy all files under SECRET-ROOT using ssh to childhurd at local PORT."
>> +  (format (current-error-port) "hurd-vm-copy-secrets\n")
>> +  (let ((session (make-session #:host "127.0.0.1" #:port port
>> +                               #:user "root")))
>
> I just realized that we have a bootstrapping issue here: we have to
> explicitly skip SSH host authentication because we haven’t installed the
> host keys yet.

Right!  Hmm...

> The boot sequence of the guest is actually: generate SSH host keys,
> start sshd, receive host keys over SFTP.
>
> [...]
>> -    (start #~(make-forkexec-constructor #$vm-command))
>> +    (requirement '(loopback networking user-processes))
>> +    (start
>> +     (with-imported-modules (source-module-closure '((gnu build childhurd)
>> +                                                     (guix build utils)))
>> +       (with-extensions (list guile-ssh)
>> +         #~(let ((spawn (make-forkexec-constructor #$vm-command)))
>> +             (use-modules (gnu build childhurd))
>
> We should use the ‘modules’ field of instead of a
> non-top-level ‘use-modules’.

OK, done.

>> +             (lambda _
>> +               (let ((pid (spawn))
>> +                     (port #$(hurd-vm-port config %hurd-vm-ssh-port))
>> +                     (root #$(hurd-vm-configuration-secret-root config)))
>> +                 (when (and root (directory-exists? root))
>> +                   (catch #t
>> +                     (lambda _
>> +                       (hurd-vm-copy-secrets port root))
>> +                     (lambda (key . args)
>> +                       (format (current-error-port) "childhurd: ~a ~s\n" key args))))
>
> To avoid race conditions, we probably have to wait until PORT becomes
> available, no?  Also, the VM boots even if we’ve failed to inject the
> secrets, right?

Yes on both... that's a problem.

> As discussed on IRC, attached is my attempt at addressing this problem:
> the guest would run an activation snippet early on to receive secret
> files over raw unauthenticated TCP, blocking until it has received them.
> What’s missing from this patch is the host side that actually connects
> to the guest and sends this file.

Okay.

> I think it has the advantage of failing in case the secrets haven’t been
> installed and it avoids the SSH host key bootstrapping issue.  (It has
> at least the disadvantage of not being fully implemented. :-))  Also,
> longer term, it would allow us to not force password-less root
> authentication in the VM.
>
> I’m tempted to go the raw TCP way; WDYT?  We can pair-hack on it if you
> feel like it!

That would be great.
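Review bot: the @example hunk documenting the secret root lists private material on the host (signing-key.sec and the unsuffixed ssh_host_ed25519_key / ssh_host_ecdsa_key files) but says nothing about who may read /etc/childhurd; add a sentence that the directory must be root-owned and not world-readable (0700, or 0600 on the key files), since the service copies whatever is there into the guest. It should also say whether the directory may be absent, because the service-start hunk below silently does nothing when it is missing.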
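Review bot: in the autoload hunk, the four commented-out `;; #:use-module (ssh auth)` … `;; #:use-module (ssh sftp)` lines above `#:autoload (ssh auth) (userauth-password!)` are dead text and should be dropped; if the point is that guile-ssh must not be required at compile time, say so in a one-line comment next to the #:autoload instead.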
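Review bot: in the hurd-vm-copy-secrets hunk, `(make-session #:host "127.0.0.1" #:port port #:user "root")` together with the autoloaded userauth-password! means the guest must accept root password logins, with no host key to verify yet (the bootstrapping issue raised above); the docstring should state that requirement. The function also only writes "hurd-vm-copy-secrets" to stderr, so it should return a value or raise on failure that the caller can act on, and the `#:key (retry 20)` parameter is declared but its use (and the delay between attempts) is not visible in this hunk; document it.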
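Review bot: in the service-start hunk, `(catch #t (lambda _ (hurd-vm-copy-secrets port root)) (lambda (key . args) (format ...)))` turns every failure into a log line and then falls through, so the constructor still returns the PID and shepherd reports the childhurd as started even when no secret was installed; either let the error propagate so the service is marked failed, or kill PID and return #f. The copy is also attempted immediately after `(spawn)`, before anything is listening on PORT, so the first attempts are bound to fail, and the `(when (and root (directory-exists? root)) ...)` guard skips silently when secret-root is misspelled; log that case.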
I'm attaching a new iteration of our combined work.

Using client.scm:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu build secret-service))

(hurd-vm-secret-service-copy-secrets 5999 "/home/janneke/var/geert/childhurd")
--8<---------------cut here---------------end--------------->8---

and (cutting the body of secret-service-activation to) server.scm:

--8<---------------cut here---------------start---------------->8---
(use-modules (ice-9 match)
             (guix build utils)
             (rnrs bytevectors)
             (ice-9 binary-ports))

[...]

(define (wait-for-client port)
  [...])

(let ((port (wait-for-client 5999)))
  (read-secrets port)
  (close-port port))
--8<---------------cut here---------------end--------------->8---

this actually copies files... However, the secret-service does not build:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system disk-image gnu/system/examples/bare-hurd.tmpl
guix system: error: reference to invalid output 'out' of derivation '/gnu/store/189x9ph3piyihbs6asnjkinc5qqwfw1h-secret-service-client.drv'
[1]22:40:08 janneke@dundal:~/src/guix/master [env]
--8<---------------cut here---------------end--------------->8---

...it seems we're missing something obvious.

Thanks,
Janneke
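The raw-TCP secret service that Ludovic proposes above, and that the client.scm / server.scm sketch exercises, written out end to end as an added example. This is an illustration for this thread, not Guix's (gnu build secret-service) and not the code attached to the message: the wire format (a length-prefixed file name, then length-prefixed contents, an empty name as end marker), port 5999, the retry schedule, the local mkdir-p standing in for (guix build utils), and the scratch paths under /tmp are all assumptions. The guest side blocks in wait-for-client / read-secrets and raises if the stream ends before the end marker, so an activation snippet built on it fails instead of booting without keys; the host side retries connect until the guest is listening, which is the race noted above.

```scheme
;; Added example: a raw-TCP secret service in plain Guile.  Not Guix's
;; (gnu build secret-service); the wire format (length-prefixed name,
;; length-prefixed contents, empty name = end) and port 5999 are assumed.
(use-modules (ice-9 binary-ports) (ice-9 ftw) (rnrs bytevectors))

(define (put-frame port bv)
  "Write BV to PORT prefixed with its length as a 32-bit big-endian integer."
  (let ((len (make-bytevector 4)))
    (bytevector-u32-set! len 0 (bytevector-length bv) (endianness big))
    (put-bytevector port len)
    (put-bytevector port bv)))

(define (get-frame port)
  "Read one frame from PORT; return its payload, or #f on EOF or a short read."
  (let ((len (get-bytevector-n port 4)))
    (and (bytevector? len) (= 4 (bytevector-length len))
         (let* ((n  (bytevector-u32-ref len 0 (endianness big)))
                (bv (if (zero? n) (make-bytevector 0) (get-bytevector-n port n))))
           (and (bytevector? bv) (= n (bytevector-length bv)) bv)))))

(define (mkdir-p dir)                   ; stand-in for (guix build utils)
  (unless (file-exists? dir)
    (mkdir-p (dirname dir))
    (mkdir dir)))

;;; Guest side: runs early (e.g. from an activation snippet) and blocks.

(define (wait-for-client port)
  "Listen on 127.0.0.1:PORT and return the connection port of the first client."
  (let ((sock (socket PF_INET SOCK_STREAM 0)))
    (setsockopt sock SOL_SOCKET SO_REUSEADDR 1)
    (bind sock AF_INET INADDR_LOOPBACK port)
    (listen sock 1)
    (let ((client (car (accept sock))))
      (close-port sock)
      client)))

(define (read-secrets port root)
  "Write the secrets arriving on PORT below ROOT with mode #o600 and return
their names.  Raise if the stream ends before the end marker, so the caller
fails loudly instead of continuing without its keys."
  (let loop ((written '()))
    (let ((name-bv (get-frame port)))
      (cond ((not name-bv)
             (error "secret-service: stream ended before end marker"))
            ((zero? (bytevector-length name-bv))
             (reverse written))
            (else
             (let ((name (utf8->string name-bv))
                   (contents (get-frame port)))
               ;; Only absolute names without ".." components may be written.
               (unless (and (string-prefix? "/" name)
                            (not (member ".." (string-split name #\/))))
                 (error "secret-service: refusing file name" name))
               (unless contents
                 (error "secret-service: short read for" name))
               (let ((target (string-append root name)))
                 (mkdir-p (dirname target))
                 (call-with-output-file target
                   (lambda (out) (put-bytevector out contents))
                   #:binary #t)
                 (chmod target #o600))
               (loop (cons name written))))))))

;;; Host side: the guest may not be listening yet, so connect with retries.

(define (connect-with-retry port retries)
  "Return a socket connected to 127.0.0.1:PORT, retrying RETRIES times
200 ms apart before re-raising the last system-error."
  (let loop ((n retries))
    (let ((sock (socket PF_INET SOCK_STREAM 0)))
      (catch 'system-error
        (lambda () (connect sock AF_INET INADDR_LOOPBACK port) sock)
        (lambda args
          (close-port sock)
          (when (zero? n) (apply throw args))
          (usleep 200000)
          (loop (- n 1)))))))

(define (secret-files root)
  "Names of the regular files below ROOT, relative to ROOT (leading / kept)."
  (map (lambda (file) (substring file (string-length root)))
       (file-system-fold (const #t)                              ; enter?
                         (lambda (name stat acc) (cons name acc)) ; leaf
                         (lambda (name stat acc) acc)             ; down
                         (lambda (name stat acc) acc)             ; up
                         (lambda (name stat acc) acc)             ; skip
                         (lambda (name stat errno acc) acc)       ; error
                         '() root)))

(define (send-secrets port root)
  "Send every file below ROOT to the guest on PORT; return the names sent."
  (let ((sock (connect-with-retry port 50))
        (names (secret-files root)))
    (for-each (lambda (name)
                (put-frame sock (string->utf8 name))
                (put-frame sock (call-with-input-file (string-append root name)
                                  (lambda (in)
                                    (let ((bv (get-bytevector-all in)))
                                      (if (eof-object? bv) (make-bytevector 0) bv)))
                                  #:binary #t)))
              names)
    (put-frame sock (make-bytevector 0)) ; end marker
    (close-port sock)
    names))

;;; Demo: constructed (not real) secrets, guest side in a forked child.
(define (demo)
  (let* ((scratch (string-append "/tmp/secret-service-" (number->string (getpid))))
         (host (string-append scratch "/host"))
         (guest (string-append scratch "/guest")))
    (mkdir-p (string-append host "/etc/guix"))
    (call-with-output-file (string-append host "/etc/guix/signing-key.sec")
      (lambda (out) (display "constructed placeholder, not a real key\n" out)))
    (let ((pid (primitive-fork)))
      (if (zero? pid)
          (let ((client (wait-for-client 5999)))   ; guest: block for secrets
            (read-secrets client guest)
            (close-port client)
            (primitive-exit 0))
          (let ((sent (send-secrets 5999 host)))   ; host: retry until guest listens
            (waitpid pid)
            (list sent (stat:perms (stat (string-append guest "/etc/guix/signing-key.sec")))))))))

(format #t "~s\n" (demo))
```

Run it with `guile secret-service-demo.scm`; it prints the list of names the host sent and the permission bits of the received key. Two design points carry over to the real service: the guest accepts whoever connects first on that port, so this is only sound when the host owns the path to it (the QEMU forwarding bound to 127.0.0.1 on the host, as in the hurd-vm-copy-secrets hunk), and the guest writes each file with mode #o600 before anything else can read it, which matters for signing-key.sec and the SSH host private keys listed in the documentation hunk.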