From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
From: ludo@gnu.org (Ludovic Courtès)
References: <20171127082620.19237-1-mail@cbaines.net> <873b92b926e5037c904e1d0599ca6b63@lepiller.eu>
Date: Tue, 05 Dec 2017 12:14:12 +0100
In-Reply-To: <873b92b926e5037c904e1d0599ca6b63@lepiller.eu> (julien lepiller's message of "Mon, 27 Nov 2017 10:22:48 +0100")
Message-ID: <87vahlctq3.fsf@gnu.org>
To: julien lepiller
Cc: 29467@debbugs.gnu.org

Hi,

julien lepiller wrote:

> On 2017-11-27 09:26, Christopher Baines wrote:
>> Erroring here prevents doing things like building a system using nginx on a
>> different machine from where it's intended to be deployed, or creating
>> containers and VMs that use the ssl-certificate parts of the nginx
>> configuration, without also getting these files to exist.
>>
>> * gnu/services/web.scm (emit-nginx-server-config): Don't error on missing ssl
>> related files.
>> --- >> gnu/services/web.scm | 10 ---------- >> 1 file changed, 10 deletions(-) >> >> diff --git a/gnu/services/web.scm b/gnu/services/web.scm >> index 9d713003c..1af32278c 100644 >> --- a/gnu/services/web.scm >> +++ b/gnu/services/web.scm 
>> @@ -191,16 +191,6 @@ of index files." >> (syntax-parameterize ((<> (identifier-syntax x*))) >> (list tail ...)) >> '()))) >> - (for-each >> - (match-lambda >> - ((record-key . file) >> - (if (and file (not (file-exists? file)))

There’s another problem: ‘file-exists?’ checks the current machine,
under the current root file system. That check doesn’t work if you do
“guix system init config.scm /some/other/root”, or if you create a
container, or with the envisioned “guix system reconfigure --remote”.

> Hi, when configuring nginx for the first time, users will probably forget to
> configure ssl properly. The default is to enable ssl and find certificates in
> /etc/nginx. When these files don't exist, nginx will fail to start and at least
> one user complained it was hard to debug. This code was introduced to prevent
> such a mistake.

Yes, I agree that it’s nice to have early error reports.

> Maybe we should set the default to #f (but then users would have to configure
> more fields to enable https). Maybe we should add a configuration option like
> warn-only? (default to #f) to only warn about missing files. Or maybe there's
> a way to show nginx that another service is providing that file?

Good questions. We cannot check for file existence at configuration
time for the reasons above. We cannot check for file existence at build
time because certificates may be part of the machine’s state; they are
typically managed in a stateful fashion, outside of GuixSD.

So the only option we’re left with is checking at run time, when we
start the service. But that’s something nginx already does, I think?

As for the default, I would be in favor of setting it to #f, because I
can’t really think of a default that would work for everyone.

WDYT?

Ludo’.
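
Review bot: the deletion at `@@ -191,16 +191,6 @@` in gnu/services/web.scm drops the `(if (and file (not (file-exists? file)))` check with no replacement diagnostic, and the diffstat (1 file changed, 10 deletions) shows no documentation change alongside it. Since the check was the only early signal for a wrong certificate or key path, the patch should also note, in the nginx service documentation or in a comment at this spot in emit-nginx-server-config, that the ssl-related file fields are not validated when the configuration is evaluated and that a missing file will only surface when nginx starts. The commit log entry could also name what is removed (the `file-exists?` test) rather than only the effect.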