unofficial mirror of help-guix@gnu.org 
* `guix pull` of an ssh channel fails
From: Bone Baboon @ 2021-05-11 16:32 UTC (permalink / raw)
  To: help-guix

I have a substitute server that needs to build a couple of packages with
patches:

* inetutils version 2.0 from the core-updates branch instead of 1.9.4
  from the master branch
** https://issues.guix.gnu.org/issue/48214#10

* glib with longer test timeout
** https://issues.guix.gnu.org/issue/48024#12

* offlineimap without tests
** https://issues.guix.gnu.org/issue/48213#2

I am trying to set up a channel for this substitute server's patched Guix
repository. `guix pull` is failing.

On a client of the substitute server I have reconfigured with this in
its system configuration:

```
(service guix-service-type
         (guix-configuration
          (authorized-keys
           (list
            (local-file
             "/path/to/signing-key.pub")))))
```
Where signing-key.pub is the substitute server's public signing key.

I have added the ssh public key of the substitute server to the client
with `ssh-copy-id`.  The substitute server's ssh public key is in
~/.ssh/authorized_keys.  I have also done the reverse with the client's
ssh public key and it is on the substitute server's
~/.ssh/authorized_keys.

This is the contents of ~/.config/guix/channels.scm:

```
(list
 (channel
  (name 'guix)
  (url "ssh://<user>@<ip-address>:22/path/to/patched-guix-repo/")
  (branch "master")))
```

When I run `guix pull` I get this error.

```
Updating channel 'guix' from Git repository at 'ssh://<user>@<ip-address>:22/path/to/patched-guix-repo/'...
guix pull: error: Git error: error authenticating: no auth sock variable
```

I can successfully run `git clone
ssh://<user>@<ip-address>:22/path/to/patched-guix-repo`.

I can successfully transfer files from the substitute server to the
client with scp without entering a password.

Can a channel use an ssh url?


* Re: `guix pull` of an ssh channel fails
From: Bone Baboon @ 2021-05-12 20:08 UTC (permalink / raw)
  To: Bone Baboon; +Cc: help-guix

I received help from civodul on #guix.  They suggested I run
`ssh-agent`.

After running `ssh-agent` and using the environment variables it outputs
in the command `SSH_AUTH_SOCK=/tmp/ssh-XXXXXXLfu5ES/agent.18550
SSH_AGENT_PID=18551 guix pull` I am no longer getting this error message
"guix pull: error: Git error: error authenticating: no auth sock
variable".

However I now get this error message "guix pull: error: Git error:
Failed to retrieve list of SSH authentication methods: Failed getting
response".

* Re: `guix pull` of an ssh channel fails
From: Phil @ 2021-05-13 17:36 UTC (permalink / raw)
  To: Bone Baboon; +Cc: help-guix

Hi,

Bone Baboon writes:

> I received help from civodul on #guix.  They suggested I run
> `ssh-agent`.

Yes this is necessary - Guix will only read a key from an agent not a file.

>
> After running `ssh-agent` and using the environment variables it outputs
> in the command `SSH_AUTH_SOCK=/tmp/ssh-XXXXXXLfu5ES/agent.18550
> SSH_AGENT_PID=18551 guix pull` I am no longer getting this error message
> "guix pull: error: Git error: error authenticating: no auth sock
> variable".

As a side note, check out "keychain" as a much nicer way of automating
ssh-agent management.

>
> However I now get this error message "guix pull: error: Git error:
> Failed to retrieve list of SSH authentication methods: Failed getting
> response".

When I have seen this error it means the SSH key in the ssh-agent is not
permissioned to read the contents of the git repo over SSH, containing either the
channel itself or any other repos referenced in the channel that you hold
locally.  I use BitBucket not vanilla Git - the solution in BitBucket is
to add the public key of the SSH key in your agent to your account with
read privileges.  If you happen to be using GitHub you'll need to add
your key here, I think - it's the same idea: https://github.com/settings/ssh/new

One last test you can do is can you git clone your channel from the
console?  My guess is this won't work if Guix is also having problems -
but you can then reduce the problem to one of git not guix.


* Re: `guix pull` of an ssh channel fails
From: Bone Baboon @ 2021-05-14 15:25 UTC (permalink / raw)
  To: Phil; +Cc: help-guix

Phil writes:
>> After running `ssh-agent` and using the environment variables it outputs
>> in the command `SSH_AUTH_SOCK=/tmp/ssh-XXXXXXLfu5ES/agent.18550
>> SSH_AGENT_PID=18551 guix pull` I am no longer getting this error message
>> "guix pull: error: Git error: error authenticating: no auth sock
>> variable".
>>
>> However I now get this error message "guix pull: error: Git error:
>> Failed to retrieve list of SSH authentication methods: Failed getting
>> response".
>
> When I have seen this error it means the SSH key in the ssh-agent is not
> permissioned to read the contents of the git repo over SSH, containing either the
> channel itself or any other repos referenced in the channel that you hold
> locally.

I had previously added the client's SSH public key to the
`~/.ssh/authorized_keys` file of the computer with the Git repository
with `ssh-copy-id`.  However that did not resolve this error message.

I have changed the permission of the git repository I am trying to use
as a channel with this command `chmod --recursive u=rwx,g=rwx,o=rwx
<git-repository>`.  However this did not resolve this error message.

How would I make the SSH key in the ssh-agent permissioned to read the
contents of the git repository over SSH?  It might already be as I can
successfully git clone the repository.

> I use BitBucket not vanilla Git - the solution in BitBucket is
> to add the public key of the SSH key in your agent to your account with
> read privileges.  If you happen to be using GitHub you'll need to add
> your key here, I think - it's the same idea: https://github.com/settings/ssh/new

The channel is a vanilla Git repository.

I searched for a Git forge service with `guix search`.  There were no
results for sourcehut, Gitea, Gogs or GitLab.  Any suggestions for a Git
forge service that is packaged for Guix?

> One last test you can do is can you git clone your channel from the
> console?  My guess is this won't work if Guix is also having problems -
> but you can then reduce the problem to one of git not guix.

It looks like there is no problem with SSH.  I can make an SSH
connection to the computer that has the Git repository without needing
to enter a password.  I can also scp files from the computer with the
Git repository without needing to enter a password.

It also looks like there is no problem with Git.  I can clone the
channel `git clone
ssh://<user>@<ip-address>:22/absolute/path/to/<git-repo>/`.  Where
<user> is the user in the output of `ls -l <git-repo>`.


* Re: `guix pull` of an ssh channel fails
From: Phil @ 2021-05-15  7:07 UTC (permalink / raw)
  To: Bone Baboon; +Cc: help-guix

Hi

Bone Baboon writes:

> It also looks like there is no problem with Git.  I can clone the
> channel `git clone
> ssh://<user>@<ip-address>:22/absolute/path/to/<git-repo>/`.  Where
> <user> is the user in the output of `ls -l <git-repo>`.

Interesting - I only have one other suggestion - given "git clone" is
working on its own from the same console session as guix is failing.

When you "git clone" and when you "guix pull", I would change the
LogLevel on the ssh config to force verbose logging.  Check that the
same method of authentication is being used in both cases (i.e. the
agent and not the id_rsa files).  My theory here is that "git clone" is
using your id_rsa file which is working, and for some reason the
ssh-agent is failing for guix.  This is total speculation on my behalf
of course.

Another cruder way to test this is to move your private key out of your .ssh
directory so ssh doesn't find it by default.  Then manually add it to
your agent.  This should ensure that only the agent will be used by
ssh.  Does the git clone still work?

Apart from this I'm out of ideas I'm afraid.


* Re: `guix pull` of an ssh channel fails
From: divoplade @ 2021-05-15  8:29 UTC (permalink / raw)
  To: Phil, Bone Baboon; +Cc: help-guix

Hello,

On Saturday, 15 May 2021 at 08:07 +0100, Phil wrote:
> > It also looks like there is no problem with Git.  I can clone the
> > channel `git clone
> > ssh://<user>@<ip-address>:22/absolute/path/to/<git-repo>/`.  Where
> > <user> is the user in the output of `ls -l <git-repo>`.

guix uses libgit2, which is not the same implementation as git. libgit2
does not support everything git does. So, it can happen that git works
but libgit2 does not.



* Re: `guix pull` of an ssh channel fails
From: Bone Baboon @ 2021-05-17 13:39 UTC (permalink / raw)
  To: Phil; +Cc: help-guix

Phil writes:
> My theory here is that "git clone" is using your id_rsa file which is
> working, and for some reason the ssh-agent is failing for guix.

> Another cruder way to test this is to move your private key out of
> your .ssh directory so ssh doesn't find it by default.  Then manually
> add it to your agent.

Thank you, I am now able to successfully pull from my channel.

You were correct that the ssh-agent was not aware of the private key.

I ran `SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXkCtuv/agent.3548 ssh-add`.

Then this worked `SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXkCtuv/agent.3548 guix
pull --disable-authentication`.
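
A check for the agent state this thread turned on, as an added example that is not part of the original messages: it classifies what `guix pull` will find in the current shell, using the documented `ssh-add -l` exit statuses. The `SSH_ADD` override and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  SSH_ADD is an assumed override hook so
# the classification can be exercised without a real agent.
: "${SSH_ADD:=ssh-add}"

# Print one of: no-auth-sock, agent-unreachable, agent-empty, key-loaded.
agent_state() {
    # No socket variable: the state behind "no auth sock variable".
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo no-auth-sock
        return 0
    fi
    # ssh-add -l exit status: 0 = identities listed, 1 = agent has no
    # identities, 2 = agent could not be contacted.
    rc=0
    "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo key-loaded ;;
        1) echo agent-empty ;;   # the state found at the end of this thread
        2) echo agent-unreachable ;;
        *) echo unknown ;;
    esac
}

# Map a state to the next step taken in the thread.
advise() {
    case "$1" in
        no-auth-sock)      echo 'start an agent: eval "$(ssh-agent -s)"' ;;
        agent-unreachable) echo 'SSH_AUTH_SOCK is stale; start a new agent' ;;
        agent-empty)       echo 'agent has no key; run ssh-add' ;;
        key-loaded)        echo 'agent holds a key; run guix pull in this shell' ;;
        *)                 echo 'unexpected ssh-add exit status' ;;
    esac
}

state=$(agent_state)
echo "$state: $(advise "$state")"
```

Because a plain `git clone` can still succeed from key files in `~/.ssh` while the agent is empty, run this in the same shell that will run `guix pull`.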

