Subject: [bug#29467] [PATCH] web: Don't error about missing ssl related files.
Date: Tue, 05 Dec 2017 12:23:39 +0100
From: julien lepiller
To: 29467@debbugs.gnu.org
In-Reply-To: <87vahlctq3.fsf@gnu.org>
References: <20171127082620.19237-1-mail@cbaines.net> <873b92b926e5037c904e1d0599ca6b63@lepiller.eu> <87vahlctq3.fsf@gnu.org>

On 2017-12-05 12:14, ludo@gnu.org wrote:
> Hi,
>
> julien lepiller wrote:
>
>> On 2017-11-27 09:26, Christopher Baines wrote:
>>> Erroring here prevents doing things like building a system using
>>> nginx on a different machine from where it's intended to be deployed,
>>> or creating containers and VMs that use the ssl-certificate parts of
>>> the nginx configuration, without also getting these files to exist.
>>>
>>> * gnu/services/web.scm (emit-nginx-server-config): Don't error on
>>> missing ssl related files.
>>> ---
>>> gnu/services/web.scm | 10 ----------
>>> 1 file changed, 10 deletions(-)
>>>
>>> diff --git a/gnu/services/web.scm b/gnu/services/web.scm
>>> index 9d713003c..1af32278c 100644
>>> --- a/gnu/services/web.scm
>>> +++ b/gnu/services/web.scm
>>> @@ -191,16 +191,6 @@ of index files."
>>> (syntax-parameterize ((<> (identifier-syntax x*)))
>>> (list tail ...))
>>> '())))
>>> - (for-each
>>> - (match-lambda
>>> - ((record-key . file)
>>> - (if (and file (not (file-exists? file)))
>
> There’s another problem: ‘file-exists?’ checks the current machine,
> under the current root file system. That check doesn’t work if you do
> “guix system init config.scm /some/other/root”, or if you create a
> container, or with the envisioned “guix system reconfigure --remote”.
>
>> Hi, when configuring nginx for the first time, users will probably
>> forget to configure ssl properly. The default is to enable ssl and find
>> certificates in /etc/nginx. When these files don't exist, nginx will
>> fail to start and at least one user complained it was hard to debug.
>> This code was introduced to prevent such a mistake.
>
> Yes, I agree that it’s nice to have early error reports.
>
>> Maybe we should set the default to #f (but then users would have to
>> configure more fields to enable https). Maybe we should add a
>> configuration option like warn-only? (default to #f) to only warn about
>> missing files. Or maybe there's a way to show nginx that another
>> service is providing that file?
>
> Good questions.
>
> We cannot check for file existence at configuration time for the reasons
> above.
>
> We cannot check for file existence at build time because certificates
> may be part of the machine’s state; they are typically managed in a
> stateful fashion, outside of GuixSD.
>
> So the only option we’re left with is checking at run time, when we
> start the service. But that’s something nginx already does, I think?
>
> As for the default, I would be in favor of setting it to #f, because I
> can’t really think of a default that would work for everyone.
>
> WDYT?

Having it default to #f is fine with me. Nginx does this check at runtime
and will refuse to start if these files are missing.
Keeping https-port to 443 and certificates to #f means it will not be able
to establish a connection to the client, but the http website will be
available. So just setting the key and the certificate to #f by default
should be OK.

>
> Ludo’.
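Review bot: the four `-` lines quoted from this hunk (the `for-each` over `match-lambda` that tests `(if (and file (not (file-exists? file))) ...)`) drop the only early report of a missing certificate or key path, while the diffstat (`1 file changed, 10 deletions(-)`, no additions) shows no accompanying change to the fields' defaults or documentation; the commit message should say that a wrong path now surfaces only when nginx refuses to start at run time, and the `#f` default for the certificate and key fields agreed in the thread is not part of this change and needs a follow-up patch. Only four of the ten deletions announced by `@@ -191,16 +191,6 @@` are quoted here, so the remaining deleted lines cannot be reviewed from this message.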