* 'guix system vm' questions
@ 2016-06-29 6:57 myglc2
2016-06-29 14:10 ` Thompson, David
0 siblings, 1 reply; 14+ messages in thread
From: myglc2 @ 2016-06-29 6:57 UTC (permalink / raw)
To: help-guix
I have a headless server running Guix/Debian 8.3 on which I would like
to run some guix vms. So far, I have a script (see mkvm.sh, attached)
that runs a single vm. It has some issues:
1) lsh-service hangs waiting for keystrokes on the QEMU console
2) passwords need to be set in the QEMU console
3) on the vm, 'guix package -i' throws an error, e.g.,
(on the console)
v1 login: u1
password: <password>
$ guix package -i
accepted connection from pid 390, user u1
guix package: error: build failed: changing ownership of '/path/store': Read-only file system
4) I can't log in to the vm like I expected, e.g. 'ssh u1@10.0.2.15'
times out
5) I would like to have the user 'u1' share read/write access to the
$HOME directory and be able to use $HOME/.ssh credentials
Your suggestions &/or sample configurations would be most welcome.
TIA - George
PS I am running this guix git checkout ...
* master d6e374a gnu: mafft: Update to 7.299.
Attachment #2: mkvm.sh
#!/bin/bash
# make and run a Guix VM
set -x
VMNUM=1
tmpdir=vm$VMNUM
rm -fr "$tmpdir"
mkdir "$tmpdir"
# vm.config
cat > "$tmpdir/vm.scm" <<EOF
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules admin
disk
ssh rsync wget screen
version-control
emacs
xorg certs
graphviz
package-management
)
(operating-system
(host-name "v1")
(timezone "America/New_York")
(locale "en_US.utf8")
(bootloader (grub-configuration (device "/dev/sda")))
(file-systems (cons (file-system
(device "g1sd")
(title 'label)
(mount-point "/")
(type "ext4"))
%base-file-systems))
(users (cons* (user-account
(name "u1")
(comment "u 1")
(group "users")
(supplementary-groups '("wheel"))
(home-directory "/home/u1"))
%base-user-accounts))
(packages
(cons*
glibc-utf8-locales
parted
openssh nss-certs xauth rsync wget git git-manpages
emacs magit screen
graphviz
guix
%base-packages
)
)
(services (cons* (dhcp-client-service)
(lsh-service #:root-login? #t)
%base-services)))
EOF
# show guix version
# guix system --version
(stat "$HOME/.config/guix/latest" | grep File:)
git -C ~/.config/guix/latest branch -av | grep '* master'
make -C "$HOME/.config/guix/latest" -s
# make vm & run
# Note: '-k en-us' is a hack to get Mac XQuartz keys to sort of work
# 'guix system vm' prints the path of a launcher script in the store; run it
"$(guix system vm "$tmpdir/vm.scm" --expose="$HOME" --share="$HOME/tmp=/exchange")" -k en-us
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: 'guix system vm' questions
2016-06-29 6:57 'guix system vm' questions myglc2
@ 2016-06-29 14:10 ` Thompson, David
2016-06-29 15:48 ` Leo Famulari
2016-06-30 21:20 ` myglc2
0 siblings, 2 replies; 14+ messages in thread
From: Thompson, David @ 2016-06-29 14:10 UTC (permalink / raw)
To: myglc2; +Cc: help-guix
On Wed, Jun 29, 2016 at 2:57 AM, myglc2 <myglc2@gmail.com> wrote:
> I have a headless server running Guix/Debian 8.3 on which I would like
> to run some guix vms. So far, I have a script (see mkvm.sh, attached)
> that runs a single vm. It has some issues:
>
> 1) lsh-service hangs waiting for keystrokes on the QEMU console
LSH needs to be initialized with a key on first boot, which is why you
need to type to create entropy. This sucks for automation, so I would
recommend OpenSSH instead, but we don't have an openssh-service yet.
> 2) passwords need to be set in the QEMU console
What is the QEMU console? If you mean user passwords, it is possible
to specify the hashed password in a user account in your OS config
file, IIRC.
> 3) on the vm, 'guix package -i' throws an error, e.g.,
>
> (on the console)
> v1 login: u1
> password: <password>
> $ guix package -i
> accepted connection from pid 390, user u1
> guix package: error: build failed: changing ownership of '/path/store': Read-only file system
The VMs created with 'guix system vm' are immutable. Copying the
result of 'guix system vm-image' is probably what you want.
> 4) I can't log in to the vm like I expected, e.g. 'ssh u1@10.0.2.15'
> times out
Sounds like you have a QEMU networking issue to figure out. Doesn't
seem related to Guix at all.
> 5) I would like to have the user 'u1' share read/write access to the
> $HOME directory and be able to use $HOME/.ssh credentials
Once you have a writable disk image, you can just write files to the
home directory as you please. GuixSD does not manage files in
stateful directories like $HOME.
HTH,
- Dave
* Re: 'guix system vm' questions
2016-06-29 14:10 ` Thompson, David
@ 2016-06-29 15:48 ` Leo Famulari
2016-07-01 20:15 ` myglc2
2016-07-11 19:32 ` Leo Famulari
2016-06-30 21:20 ` myglc2
1 sibling, 2 replies; 14+ messages in thread
From: Leo Famulari @ 2016-06-29 15:48 UTC (permalink / raw)
To: Thompson, David; +Cc: myglc2, help-guix
On Wed, Jun 29, 2016 at 10:10:35AM -0400, Thompson, David wrote:
> On Wed, Jun 29, 2016 at 2:57 AM, myglc2 <myglc2@gmail.com> wrote:
> > I have a headless server running Guix/Debian 8.3 on which I would like
> > to run some guix vms. So far, I have a script (see mkvm.sh, attached)
> > that runs a single vm. It has some issues:
> >
> > 1) lsh-service hangs waiting for keystrokes on the QEMU console
>
> LSH needs to be initialized with a key on first boot, which is why you
> need to type to create entropy. This sucks for automation, so I would
> recommend OpenSSH instead, but we don't have an openssh-service yet.
In your operating system configuration, you can pass 'initialize? #f' to
lsh-service to skip the SSH seed and host-key initialization. You will
need to initialize the LSH service later, before you can use it.
How does OpenSSH get entropy without blocking on first boot? Before
shipping an openssh-service, we should make sure that OpenSSH doesn't
assume that /dev/urandom is safe to use; my understanding is that it
isn't safe immediately after first boot.
We should look into QEMU's VirtIO RNG, which could help here:
http://wiki.qemu-project.org/Features-Done/VirtIORNG
* Re: 'guix system vm' questions
@ 2016-06-29 18:23 David Craven
2016-06-30 13:10 ` David Craven
0 siblings, 1 reply; 14+ messages in thread
From: David Craven @ 2016-06-29 18:23 UTC (permalink / raw)
To: help-guix
HW_RANDOM_VIRTIO is enabled in the default kernel.
Starting the vm like this enables the hwrng:
/gnu/store/3rqbwx34kfa789jbywfbxl90nids08cf-run-vm.sh -device virtio-rng-pci
and it works as can be verified by
cat /dev/hwrng
The only missing components from what I can tell is packaging rng-tools
and adding a service to add /dev/hwrng to the entropy pool on boot.
https://git.kernel.org/cgit/utils/kernel/rng-tools/rng-tools.git/
> We should look into QEMU's VirtIO RNG, which could help here:
> http://wiki.qemu-project.org/Features-Done/VirtIORNG
* Re: 'guix system vm' questions
2016-06-29 18:23 David Craven
@ 2016-06-30 13:10 ` David Craven
2016-07-03 13:53 ` myglc2
0 siblings, 1 reply; 14+ messages in thread
From: David Craven @ 2016-06-30 13:10 UTC (permalink / raw)
To: help-guix
So I packaged rng-tools and created a shepherd service, but I realized
that the service needs to be started before the activation part of the
lsh service. What's the best way to do this?
https://git.lysator.liu.se/lsh/lsh/blob/master/src/lsh-make-seed.c#L1075
On Wed, Jun 29, 2016 at 8:23 PM, David Craven <david@craven.ch> wrote:
> HW_RANDOM_VIRTIO is enabled in the default kernel.
>
> Starting the vm like this enables the hwrng:
> /gnu/store/3rqbwx34kfa789jbywfbxl90nids08cf-run-vm.sh -device virtio-rng-pci
> and it works as can be verified by
> cat /dev/hwrng
>
> The only missing components from what I can tell is packaging rng-tools
> and adding a service to add /dev/hwrng to the entropy pool on boot.
>
> https://git.kernel.org/cgit/utils/kernel/rng-tools/rng-tools.git/
>
>> We should look into QEMU's VirtIO RNG, which could help here:
>> http://wiki.qemu-project.org/Features-Done/VirtIORNG
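An added example (my code, not the thread's and not part of Guix) of the ordering problem David describes above: the hardware RNG has to be feeding the kernel pool before the lsh activation step runs lsh-make-seed and reads /dev/random; entropy that rngd mixes in afterwards does not help a seed that has already been gathered. The script runs inside the guest as root. It reports which RNG backs /dev/hwrng, starts rngd from rng-tools when both are present, waits until /proc/sys/kernel/random/entropy_avail reports a full pool, and only then writes the yarrow seed file named in the lshd error message. The function names, the --seed flag and the 256-bit threshold are my choices; `rngd -r`, the sysfs path and the proc file are real kernel and rng-tools interfaces.

```shell
#!/bin/sh
# First-boot entropy gate for an unattended Guix VM: feed /dev/hwrng into the
# kernel pool, wait until the pool is actually full, and only then seed lshd.
# (Example script; the paths can be overridden for testing.)
ENTROPY_AVAIL=${ENTROPY_AVAIL:-/proc/sys/kernel/random/entropy_avail}
HWRNG=${HWRNG:-/dev/hwrng}
RNG_CURRENT=${RNG_CURRENT:-/sys/class/misc/hw_random/rng_current}
SEED_FILE=${SEED_FILE:-/var/spool/lsh/yarrow-seed-file}

# Name of the hardware RNG backing /dev/hwrng (e.g. virtio_rng.0 when QEMU
# was started with -device virtio-rng-pci), or "none" if the device is absent.
hwrng_backend() {
    if [ -c "$HWRNG" ] && [ -r "$RNG_CURRENT" ]; then
        cat "$RNG_CURRENT"
    else
        echo none
    fi
}

# Start rngd (rng-tools) so that /dev/hwrng output is mixed into the pool.
# Returns 1 without aborting the boot when there is no hwrng or no rngd.
start_rngd() {
    [ "$(hwrng_backend)" != none ] || return 1
    command -v rngd >/dev/null 2>&1 || return 1
    rngd -r "$HWRNG"
}

# Block until entropy_avail reports at least MIN bits, or give up after
# TIMEOUT seconds. Returns 0 when the pool is ready, 1 on timeout.
wait_for_entropy() {
    min=$1; timeout=$2; waited=0
    while :; do
        avail=$(cat "$ENTROPY_AVAIL" 2>/dev/null || echo 0)
        [ "$avail" -ge "$min" ] && return 0
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# Usage in the guest, from a one-shot service or by hand as root:
#   sh entropy-gate.sh --seed
if [ "${1:-}" = --seed ]; then
    start_rngd || echo "no hardware RNG available; waiting on interrupt entropy only" >&2
    if ! wait_for_entropy 256 120; then
        echo "entropy pool still below 256 bits; refusing to write $SEED_FILE" >&2
        exit 1
    fi
    lsh-make-seed -o "$SEED_FILE"
fi
```

Keep the threshold at 256: kernels of the 2016 era count the pool up to 4096 bits, but newer kernels report at most 256 once the CRNG has been initialized, so a larger threshold would never be reached there. The same gate applies to any first-boot key generation, including sshd host keys read from /dev/urandom, which is the point Leo raises about urandom right after first boot.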
* Re: 'guix system vm' questions
2016-06-29 14:10 ` Thompson, David
2016-06-29 15:48 ` Leo Famulari
@ 2016-06-30 21:20 ` myglc2
1 sibling, 0 replies; 14+ messages in thread
From: myglc2 @ 2016-06-30 21:20 UTC (permalink / raw)
To: help-guix
"Thompson, David" <dthompson2@worcester.edu> writes:
> On Wed, Jun 29, 2016 at 2:57 AM, myglc2 <myglc2@gmail.com> wrote:
>> I have a headless server running Guix/Debian 8.3 on which I would like
>> to run some guix vms. So far, I have a script (see mkvm.sh, attached)
>> that runs a single vm. It has some issues:
[...]
> What is the QEMU console?
I meant the display window.
> If you mean user passwords, it is possible
> to specify the hashed password in a user account in your OS config
> file, IIRC.
Thanks, saw that. Being a qemu newbie and a bit lazy, I was hoping there
might be an example ;-)
>> 3) on the vm, 'guix package -i' throws an error, e.g.,
>>
>> (on the console)
>> v1 login: u1
>> password: <password>
>> $ guix package -i
>> accepted connection from pid 390, user u1
>> guix package: error: build failed: changing ownership of '/path/store': Read-only file system
>
> The VMs created with 'guix system vm' are immutable.
[...]
OH, so guix VM users should not expect to install packages. This was
non-obvious, at least to me. Maybe the doc should say this.
>> 4) I can't log in to the vm like I expected, e.g. 'ssh u1@10.0.2.15'
>> times out
>
> Sounds like you have a QEMU networking issue to figure out. Doesn't
> seem related to Guix at all.
OK, just wanted to make sure it isn't a known issue.
[...]
> HTH,
>
> - Dave
It did. Many thanks. - George
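An added example for the two points above (my code, not from this thread and not part of Guix): the "mk" step rewritten so that u1 gets a crypt(3) password hash in the operating-system declaration, and the image is copied out of the store and made writable so that 'guix package -i' can work in the guest. The user-account 'password' field takes a crypt(3)-style hash. The hash is computed on the host with 'openssl passwd -6' (OpenSSL 1.1.1 or later) or mkpasswd from the whois package, both assumed present; hashing outside the config matters because Guix keeps a copy of the configuration in the system's store item, which is world-readable, so a (crypt "secret" "$6$salt") form would leave the cleartext there. The script, the function names and the trimmed package list are mine; the config keeps 'initialize? #f' for lsh-service, so the seed still has to be created later, as Leo notes.

```shell
#!/bin/bash
# Build a writable Guix VM image whose user already has a password hash.
# (Example script; derived from the vm.scm posted in this thread.)
set -eu

VMDIR=${VMDIR:-$PWD/tmp/vm-pw}

# Produce a crypt(3) SHA-512 hash ("$6$...") for the password read on stdin,
# so the cleartext never appears in vm.scm. Needs 'openssl passwd -6'
# (OpenSSL >= 1.1.1) or 'mkpasswd' from whois on the build host.
hash_password() {
    if command -v openssl >/dev/null 2>&1 && openssl passwd -6 -stdin; then
        return 0
    elif command -v mkpasswd >/dev/null 2>&1; then
        mkpasswd -m sha-512 -s
    else
        echo "hash_password: need openssl (>= 1.1.1) or mkpasswd" >&2
        return 1
    fi
}

# Render the operating-system declaration with the hash embedded. Only the
# hash is written: the configuration ends up in the world-readable store.
render_os_config() {
    hash=$1
    cat <<EOF
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules ssh certs package-management)
(operating-system
  (host-name "v1")
  (timezone "America/New_York")
  (locale "en_US.utf8")
  (bootloader (grub-configuration (device "/dev/sda")))
  (file-systems (cons (file-system
                        (device "g1sd")
                        (title 'label)
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (users (cons* (user-account
                 (name "u1")
                 (comment "u 1")
                 (group "users")
                 (supplementary-groups '("wheel"))
                 (home-directory "/home/u1")
                 (password "$hash"))
                %base-user-accounts))
  (packages (cons* openssh nss-certs guix %base-packages))
  (services (cons* (dhcp-client-service)
                   (lsh-service #:initialize? #f)
                   %base-services)))
EOF
}

# Prompt for the password without echo, write vm.scm, build the image and
# copy it out of /gnu/store, where it is read-only, then make it writable.
build_image() {
    mkdir -p "$VMDIR"
    printf 'Password for u1: ' >&2
    IFS= read -rs password; echo >&2
    hash=$(printf '%s\n' "$password" | hash_password)
    render_os_config "$hash" > "$VMDIR/vm.scm"
    cp "$(guix system vm-image "$VMDIR/vm.scm" --image-size=4GB)" "$VMDIR/vm.img"
    chmod u+w "$VMDIR/vm.img"
    echo "$VMDIR/vm.img"
}

# Usage: VMDIR=/srv/vms/v1 ./mk-image.sh --build
if [ "${1:-}" = --build ]; then
    build_image
fi
```

The resulting vm.img is the file to boot with qemu-system-x86_64 directly; 'guix system vm' would still give a read-only guest.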
* Re: 'guix system vm' questions
2016-06-29 15:48 ` Leo Famulari
@ 2016-07-01 20:15 ` myglc2
2016-07-02 13:06 ` Ludovic Courtès
2016-07-11 19:32 ` Leo Famulari
1 sibling, 1 reply; 14+ messages in thread
From: myglc2 @ 2016-07-01 20:15 UTC (permalink / raw)
To: help-guix
Leo Famulari <leo@famulari.name> writes:
> On Wed, Jun 29, 2016 at 10:10:35AM -0400, Thompson, David wrote:
>> On Wed, Jun 29, 2016 at 2:57 AM, myglc2 <myglc2@gmail.com> wrote:
>> > I have a headless server running Guix/Debian 8.3 on which I would like
>> > to run some guix vms. So far, I have a script (see mkvm.sh, attached)
>> > that runs a single vm. It has some issues:
>> >
>> > 1) lsh-service hangs waiting for keystrokes on the QEMU console
>>
>> LSH needs to be initialized with a key on first boot, which is why you
>> need to type to create entropy. This sucks for automation, so I would
>> recommend OpenSSH instead, but we don't have an openssh-service yet.
>
> In your operating system configuration, you can pass 'initialize? #f' to
> lsh-service to skip the SSH seed and host-key initialization. You will
> need to initialize the LSH service later, before you can use it.
I tried that and ... lsh spun looking for a seed file advising me to run
'lsh-make-seed', and then stopped.
'lsh-make-seed' was not available.
Maybe this is a bug?
What I saw on the VM:
### lsh spins and stops showing
[...]
Respawning ssh-daemon.
Service ssh-daemon has started.
No seed file. Please create one by running
lsh-make-seed -o "/var/spool/lsh/yarrow-seed-file".
lshd: No randomness generator available.
Service ssh-daemon has been disabled.
(Respawning too fast.)
### lsh-make-seed seems to be missing
v1 login: root
root@v1 ~# lsh-make-seed
-bash: lsh-make-seed: command not found
guix version:
Note: running from git checkout
File: ‘/home/g1/.config/guix/latest’ -> ‘../../dev/guix’
* master 242ad41 download: Use basic authentication when userinfo is present in URI.
test script: attached below
Attachment #2: lsh (test script)
#!/bin/bash
set -xe
# guix vm examples
# usage
# $ <scriptname> mk [vm#] - make image
# $ <scriptname> run [vm#] - run image
CMD=$(basename "$0")
VMNUM=${2:-""}
# Note: a dedicated variable rather than TMPDIR, which guix and other tools
# read as the location for their own temporary files.
VMDIR=$PWD/tmp/$CMD$VMNUM
mkdir -p "$VMDIR"
case $1 in
# make vm image
mk)
# vm.config
cat > "$VMDIR/vm.scm" <<EOF
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules admin
disk
ssh rsync wget screen
version-control
emacs
xorg certs
graphviz
package-management
)
(operating-system
(host-name "v1")
(timezone "America/New_York")
(locale "en_US.utf8")
(bootloader (grub-configuration (device "/dev/sda")))
(file-systems (cons (file-system
(device "g1sd")
(title 'label)
(mount-point "/")
(type "ext4"))
%base-file-systems))
(users (cons* (user-account
(name "u1")
(comment "u 1")
(group "users")
(supplementary-groups '("wheel"))
(home-directory "/home/u1"))
%base-user-accounts))
(packages
(cons*
glibc-utf8-locales
parted
openssh nss-certs xauth rsync wget git git-manpages
emacs magit screen
graphviz
guix
%base-packages
)
)
(services (cons* (dhcp-client-service)
(lsh-service #:initialize? #f)
%base-services)))
EOF
# show guix version
# guix system --version
(stat "$HOME/.config/guix/latest" | grep File:) > "$VMDIR/guix-version"
git -C ~/.config/guix/latest branch -av | grep '* master' >> "$VMDIR/guix-version"
make -C "$HOME/.config/guix/latest" -s > "$VMDIR/guix-make.log"
# make image & copy from store
cp -n "$(guix system vm-image "$VMDIR/vm.scm" --image-size=4GB)" "$VMDIR/vm.img"
# make writeable (the store copy is read-only)
chmod u+w "$VMDIR/vm.img"
;;
run)
# run image
# Note: '-k en-us' is a hack to get Mac XQuartz keys to sort of work
# note: ' -device virtio-rng-pci ' testing other random source
qemu-system-x86_64 \
-net user \
-net nic,model=virtio \
-enable-kvm \
-m 256 \
-k en-us \
-device virtio-rng-pci \
"$VMDIR/vm.img"
;;
*)
echo "ERROR: you typed: \"$CMD $*\" which has missing arguments or invalid arguments" >&2
exit 1
;;
esac
* Re: 'guix system vm' questions
2016-07-01 20:15 ` myglc2
@ 2016-07-02 13:06 ` Ludovic Courtès
2016-07-03 13:47 ` myglc2
0 siblings, 1 reply; 14+ messages in thread
From: Ludovic Courtès @ 2016-07-02 13:06 UTC (permalink / raw)
To: myglc2; +Cc: help-guix
myglc2 <myglc2@gmail.com> skribis:
> Leo Famulari <leo@famulari.name> writes:
>
>> On Wed, Jun 29, 2016 at 10:10:35AM -0400, Thompson, David wrote:
>>> On Wed, Jun 29, 2016 at 2:57 AM, myglc2 <myglc2@gmail.com> wrote:
>>> > I have a headless server running Guix/Debian 8.3 on which I would like
>>> > to run some guix vms. So far, I have a script (see mkvm.sh, attached)
>>> > that runs a single vm. It has some issues:
>>> >
>>> > 1) lsh-service hangs waiting for keystrokes on the QEMU console
>>>
>>> LSH needs to be initialized with a key on first boot, which is why you
>>> need to type to create entropy. This sucks for automation, so I would
>>> recommend OpenSSH instead, but we don't have an openssh-service yet.
>>
>> In your operating system configuration, you can pass 'initialize? #f' to
>> lsh-service to skip the SSH seed and host-key initialization. You will
>> need to initialize the LSH service later, before you can use it.
>
> I tried that and ... lsh spun looking for a seed file advising me to run
> 'lsh-make-seed', and then stopped.
Yeah this is expected: lshd won’t start if it cannot find a seed;
eventually, the Shepherd…
> Service ssh-daemon has started.
> No seed file. Please create one by running
> lsh-make-seed -o "/var/spool/lsh/yarrow-seed-file".
> lshd: No randomness generator available.
> Service ssh-daemon has been disabled.
> (Respawning too fast.)
… disables it.
> v1 login: root
> root@v1 ~# lsh-make-seed
> -bash: lsh-make-seed: command not found
I guess ‘lsh-service-type’ should be changed to extend
‘profile-service-type’ such that this command is available. WDYT?
Besides, we should add a service for OpenSSH’s sshd.
Thanks,
Ludo’.
* Re: 'guix system vm' questions
2016-07-02 13:06 ` Ludovic Courtès
@ 2016-07-03 13:47 ` myglc2
0 siblings, 0 replies; 14+ messages in thread
From: myglc2 @ 2016-07-03 13:47 UTC (permalink / raw)
To: help-guix
ludo@gnu.org (Ludovic Courtès) writes:
> myglc2 <myglc2@gmail.com> skribis:
>
>> Leo Famulari <leo@famulari.name> writes:
>>
>>> On Wed, Jun 29, 2016 at 10:10:35AM -0400, Thompson, David wrote:
>>>> On Wed, Jun 29, 2016 at 2:57 AM, myglc2 <myglc2@gmail.com> wrote:
>>>> > I have a headless server running Guix/Debian 8.3 on which I would like
>>>> > to run some guix vms. So far, I have a script (see mkvm.sh, attached)
>>>> > that runs a single vm. It has some issues:
>>>> >
>>>> > 1) lsh-service hangs waiting for keystrokes on the QEMU console
>>>>
>>>> LSH needs to be initialized with a key on first boot, which is why you
>>>> need to type to create entropy. This sucks for automation, so I would
>>>> recommend OpenSSH instead, but we don't have an openssh-service yet.
>>>
>>> In your operating system configuration, you can pass 'initialize? #f' to
>>> lsh-service to skip the SSH seed and host-key initialization. You will
>>> need to initialize the LSH service later, before you can use it.
>>
>> I tried that and ... lsh spun looking for a seed file advising me to run
>> 'lsh-make-seed', and then stopped.
>
> Yeah this is expected: lshd won’t start if it cannot find a seed;
> eventually, the Shepherd…
>
>> Service ssh-daemon has started.
>> No seed file. Please create one by running
>> lsh-make-seed -o "/var/spool/lsh/yarrow-seed-file".
>> lshd: No randomness generator available.
>> Service ssh-daemon has been disabled.
>> (Respawning too fast.)
>
> … disables it.
>
>> v1 login: root
>> root@v1 ~# lsh-make-seed
>> -bash: lsh-make-seed: command not found
>
> I guess ‘lsh-service-type’ should be changed to extend
> ‘profile-service-type’ such that this command is available. WDYT?
Well I can't see how it will help in my use case. I can't think of why
it would be useful in practice, since lsh-make-seed is already being
called with --sloppy by 'ssh-service initialize? #t'.
The only reasons I can think of are ...
- to enable a user at the console to manually reproduce what
'ssh-service initialize? #t' does, and
- to avoid it being reported as a bug
... which is why I didn't report it as a bug.
Re my use case, am I correct in believing that the only way to address
it is to enhance lsh-service with an alternative initialization scheme
that does not require console input?
If so, maybe we should rename the current initialize to ...
INITIALIZE-REQUIRING-CONSOLE-INPUT?
... and add a new one named ...
INITIALIZE-UNATTENDED?
WDYT? - George
* Re: 'guix system vm' questions
2016-06-30 13:10 ` David Craven
@ 2016-07-03 13:53 ` myglc2
0 siblings, 0 replies; 14+ messages in thread
From: myglc2 @ 2016-07-03 13:53 UTC (permalink / raw)
To: help-guix
David Craven <david@craven.ch> writes:
> So I packaged rng-tools and created a shepherd service, but I realized
> that the service needs to be started before the activation part of the
> lsh service. What's the best way to do this?
>
> https://git.lysator.liu.se/lsh/lsh/blob/master/src/lsh-make-seed.c#L1075
>
> On Wed, Jun 29, 2016 at 8:23 PM, David Craven <david@craven.ch> wrote:
>> HW_RANDOM_VIRTIO is enabled in the default kernel.
>>
>> Starting the vm like this enables the hwrng:
>> /gnu/store/3rqbwx34kfa789jbywfbxl90nids08cf-run-vm.sh -device virtio-rng-pci
>> and it works as can be verified by
>> cat /dev/hwrng
>>
>> The only missing components from what I can tell is packaging rng-tools
>> and adding a service to add /dev/hwrng to the entropy pool on boot.
>>
>> https://git.kernel.org/cgit/utils/kernel/rng-tools/rng-tools.git/
>>
>>> We should look into QEMU's VirtIO RNG, which could help here:
>>> http://wiki.qemu-project.org/Features-Done/VirtIORNG
This sounds great. I see you submitted patches. Am I correct in thinking
that the next step is to add an lsh-option option that uses rng-tools
instead of lsh-make-seed to set the yarrow seed?
TIA - George
* Re: 'guix system vm' questions
@ 2016-07-03 16:09 David Craven
2016-07-06 16:17 ` myglc2
0 siblings, 1 reply; 14+ messages in thread
From: David Craven @ 2016-07-03 16:09 UTC (permalink / raw)
To: help-guix
@myglc2 the simplest workaround to this issue is to add -device
virtio-rng-pci to your qemu flags and patch lsh to use /dev/hwrng in
the /bin/lsh-make-seed file I linked to in a previous reply.
* Re: 'guix system vm' questions
2016-07-03 16:09 David Craven
@ 2016-07-06 16:17 ` myglc2
0 siblings, 0 replies; 14+ messages in thread
From: myglc2 @ 2016-07-06 16:17 UTC (permalink / raw)
To: help-guix
David Craven <david@craven.ch> writes:
[...]
>>
>> From: myglc2 <myglc2@gmail.com>
>>
>> David Craven <david@craven.ch> writes:
>>
>>> So I packaged rng-tools and created a shepherd service, but I realized
>>> that the service needs to be started before the activation part of the
>>> lsh service. What's the best way to do this?
>>>
>>> https://git.lysator.liu.se/lsh/lsh/blob/master/src/lsh-make-seed.c#L1075
>>>
>>> On Wed, Jun 29, 2016 at 8:23 PM, David Craven <david@craven.ch> wrote:
>>>> HW_RANDOM_VIRTIO is enabled in the default kernel.
>>>>
>>>> Starting the vm like this enables the hwrng:
>>>> /gnu/store/3rqbwx34kfa789jbywfbxl90nids08cf-run-vm.sh -device virtio-rng-pci
>>>> and it works as can be verified by
>>>> cat /dev/hwrng
>>>>
>>>> The only missing components from what I can tell is packaging rng-tools
>>>> and adding a service to add /dev/hwrng to the entropy pool on boot.
>>>>
>>>> https://git.kernel.org/cgit/utils/kernel/rng-tools/rng-tools.git/
>>>>
>>>>> We should look into QEMU's VirtIO RNG, which could help here:
>>>>> http://wiki.qemu-project.org/Features-Done/VirtIORNG
>>
>> This sounds great. I see you submitted patches. Am I correct in thinking
>> that the next step is to add an lsh-option option that uses rng-tools
>> instead of lsh-make-seed to set the yarrow seed?
>>
> @myglc2 the simplest workaround to this issue is to add -device
> virtio-rng-pci to your qemu flags ...
Thanks, that works but ...
> ... and patch lsh to use /dev/hwrng in the /bin/lsh-make-seed file I
> linked to in a previous reply.
... I don't follow this. Are you referring to the posts above?
I have your "b58cbf9 * services: Add rngd-service." patch. Is the idea
to add entropy so we don't need to bang on the keyboard? Or is an
additional patch required/in the pipeline/a self help item?
Thanks - George
* Re: 'guix system vm' questions
@ 2016-07-07 16:26 David Craven
0 siblings, 0 replies; 14+ messages in thread
From: David Craven @ 2016-07-07 16:26 UTC (permalink / raw)
To: help-guix
> ... I don't follow this. Are you referring to the posts above?
The idea was that replacing /dev/random with /dev/hwrng would do the trick,
https://git.lysator.liu.se/lsh/lsh/blob/master/src/lsh-make-seed.c#L237
but I haven't actually tested it.
I didn't get lsh to work with rngd-service because the rngd-service
would have to load before the lsh-activation-service, which is not the
case. If there isn't enough entropy in /dev/random it starts its
lsh-make-seed script which doesn't query /dev/random anymore. This
means that entropy added too late is like no entropy added at all.
There is dropbear-service waiting for review, which works without
rngd-service. If you want to test the patch from guix-devel you have to
replace the -net user flag in vm.scm with -net
user,hostfwd=tcp::10022-:22. Just adding it after didn't work. I'll
submit a patch soon to fix that, by using environment variables, so
you can just source qemu-flags.sh.
Cheers
David
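An added example (my code, not from the thread and not part of Guix) that puts David's hostfwd advice into a run script. The hostfwd rule goes on the single -net user option, as he says, next to -device virtio-rng-pci and the -k en-us hack from George's script. Slirp user networking puts the guest at 10.0.2.15 behind NAT, which is why 'ssh u1@10.0.2.15' from the host timed out in the first message; with the forward in place, 'ssh -p 10022 u1@127.0.0.1' reaches the guest's sshd. Binding the forward to 127.0.0.1 is my addition (tcp::10022 would listen on every interface of the headless server, exposing an sshd that has not been seeded or hardened yet); the wait_for_port helper uses bash's /dev/tcp and is also mine.

```shell
#!/bin/bash
# Run a writable Guix VM image with a virtio RNG and an SSH port forward.
# (Example script; IMG and SSH_PORT can be overridden in the environment.)
IMG=${IMG:-vm.img}
SSH_PORT=${SSH_PORT:-10022}

# QEMU arguments, one per line. With '-net user' the guest sits behind slirp
# NAT as 10.0.2.15, unreachable from the host, so a hostfwd rule on that same
# option maps a host port to guest port 22. Binding to 127.0.0.1 keeps the
# forward off the server's external interfaces.
qemu_args() {
    printf '%s\n' \
        -enable-kvm \
        -m 256 \
        -k en-us \
        -device virtio-rng-pci \
        -net nic,model=virtio \
        -net "user,hostfwd=tcp:127.0.0.1:${SSH_PORT}-:22"
}

# Poll HOST:PORT until a TCP connection succeeds or TIMEOUT seconds pass.
# Uses bash's /dev/tcp so no netcat is required. Returns 0 when the port
# accepts connections, 1 on timeout.
wait_for_port() {
    host=$1; port=$2; timeout=$3; waited=0
    while :; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
}

# Usage: IMG=tmp/lsh1/vm.img ./run-vm.sh --run
if [ "${1:-}" = --run ]; then
    [ -w "$IMG" ] || chmod u+w "$IMG"   # a copy out of /gnu/store is read-only
    # shellcheck disable=SC2046  (one argument per line, none contain spaces)
    qemu-system-x86_64 $(qemu_args) "$IMG" &
    if wait_for_port 127.0.0.1 "$SSH_PORT" 120; then
        ssh -p "$SSH_PORT" u1@127.0.0.1
    else
        echo "sshd never came up behind port $SSH_PORT" >&2
    fi
    wait
fi
```

Because the guest is reached as 127.0.0.1 on a non-standard port, give ssh a Host entry (HostKeyAlias plus Port) or the host key will be recorded against "[127.0.0.1]:10022" and collide with any other VM forwarded to the same port.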
* Re: 'guix system vm' questions
2016-06-29 15:48 ` Leo Famulari
2016-07-01 20:15 ` myglc2
@ 2016-07-11 19:32 ` Leo Famulari
1 sibling, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-11 19:32 UTC (permalink / raw)
To: Thompson, David; +Cc: myglc2, help-guix
On Wed, Jun 29, 2016 at 11:48:42AM -0400, Leo Famulari wrote:
> How does OpenSSH get entropy without blocking on first boot?
According to 'INSTALL' in the OpenSSH source code, OpenSSH gets random
numbers from the "libcrypto" backup, which for us is OpenSSL, which uses
/dev/urandom.
Thread overview: 14+ messages
2016-06-29 6:57 'guix system vm' questions myglc2
2016-06-29 14:10 ` Thompson, David
2016-06-29 15:48 ` Leo Famulari
2016-07-01 20:15 ` myglc2
2016-07-02 13:06 ` Ludovic Courtès
2016-07-03 13:47 ` myglc2
2016-07-11 19:32 ` Leo Famulari
2016-06-30 21:20 ` myglc2
2016-06-29 18:23 David Craven
2016-06-30 13:10 ` David Craven
2016-07-03 13:53 ` myglc2
2016-07-03 16:09 David Craven
2016-07-06 16:17 ` myglc2
2016-07-07 16:26 David Craven