Struggling with a caching substitute server

Struggling with a caching substitute server

[Pjotr Prins]

I am running client and server in exactly the same checked out guix
repository. Server:

  ./pre-inst-env guix publish -u guix-publisher
    publishing /gnu/store on 0.0.0.0, port 8080

Client on the same server

  ./pre-inst-env guix package -i hello --dry-run
    The following derivations would be built:
     /gnu/store/ipsmyhrsfnfvyb096fpiscd7rn3d9557-profile.drv
     /gnu/store/l6z8ln2r4x9g2y6yy62ly3f8jx2k1rxy-ca-certificate-bundle.drv
     /gnu/store/v79w8yj766ryqnc6i1k8ry6wi8vfhy3f-info-dir.drv
  The following file would be downloaded:
     /gnu/store/zby49aqfbd9w9br4l52mvb3y6f9vfv22-hello-2.10

After installing the package it is in /gnu/store/zby49aqfbd9w9br4l52mvb3y6f9vfv22-hello-2.10


Now from a different remote machine using my substitute caching server

  ./pre-inst-env guix package -i hello --substitute-urls="http://guix.myserver.org" --dry-run

keeps on wanting to build the thing from scratch.

While from that same machine

   curl http://guix.myserver.org:8080/nix-cache-info
     StoreDir: /gnu/store
     WantMassQuery: 0

appears to work fine.

The response for both queries is:

Query from main server:

GET /nix-cache-info
GET /xgm6wxkja6llvkz8jck95i6cmh3c93yh.narinfo
GET /w6im8ck36hpjyh9zjmz9mr2vkppfhzid.narinfo
GET /9wq9z5jq3g691f836lhi0633g26lfl8n.narinfo

Query from remote

GET /nix-cache-info
GET /x2lhjhbxd5dqmis350gkc352v9z1pr8r.narinfo
GET /jkxa2ga4x0gqvx6x790anpwhnm7d278w.narinfo
GET /ic8sabq35jisj5wmi860d85i09qghq1x.narinfo

which suggests the files it wants to fetch are not the same, though the starting point 
(the checked out guix dir) should be exactly the same. The last commit is the same.

When I use hydra, no packages from source are built and the package
installed in exactly the same path
/gnu/store/zby49aqfbd9w9br4l52mvb3y6f9vfv22-hello-2.10A

This is my reproducible build environment. I would like tho have the
caching substitute server do the right thing. What am I missing?

Pj.

Re: Struggling with a caching substitute server

[Ludovic Courtès]

Pjotr Prins <pjotr.public12@thebird.nl> skribis:

> I am running client and server in exactly the same checked out guix
> repository. Server:
>
>   ./pre-inst-env guix publish -u guix-publisher
>     publishing /gnu/store on 0.0.0.0, port 8080
>
> Client on the same server
>
>   ./pre-inst-env guix package -i hello --dry-run

If ‘guix publish’ and ‘guix package’ run on the same machine, then
nothing will happen: ‘guix publish’ serves what’s in /gnu/store, and
‘guix package’ will resort to substitutes only when something’s missing
from /gnu/store, in which case ‘guix publish’ won’t have it either.

> Now from a different remote machine using my substitute caching server
>
>   ./pre-inst-env guix package -i hello --substitute-urls="http://guix.myserver.org" --dry-run
>
> keeps on wanting to build the thing from scratch.

Did you authorize the singing key of that server?

> Query from main server:
>
> GET /nix-cache-info
> GET /xgm6wxkja6llvkz8jck95i6cmh3c93yh.narinfo
> GET /w6im8ck36hpjyh9zjmz9mr2vkppfhzid.narinfo
> GET /9wq9z5jq3g691f836lhi0633g26lfl8n.narinfo
>
> Query from remote
>
> GET /nix-cache-info
> GET /x2lhjhbxd5dqmis350gkc352v9z1pr8r.narinfo
> GET /jkxa2ga4x0gqvx6x790anpwhnm7d278w.narinfo
> GET /ic8sabq35jisj5wmi860d85i09qghq1x.narinfo
>
> which suggests the files it wants to fetch are not the same, though the starting point 
> (the checked out guix dir) should be exactly the same. The last commit is the same.

The set of narinfos queried is a function of what’s in the local
/gnu/store (clients only ask about things not already on disk) so it’s
normal that the requests differ.

HTH!

Ludo’.

Re: Struggling with a caching substitute server

[Pjotr Prins]

On Mon, Apr 04, 2016 at 11:04:12PM +0200, Ludovic Courtès wrote:
> Did you authorize the singing key of that server?

Maybe I did not. I'll check tomorrow. It would be nice if we got some
feedback from the system. Silent failures is not so great.

Pj.

Re: Struggling with a caching substitute server

[Pjotr Prins]

On Mon, Apr 04, 2016 at 11:04:12PM +0200, Ludovic Courtès wrote:
> Did you authorize the singing key of that server?

That fixed it. I had switched clients forgetting about this one. Would
it be possible to generate a warning for using a (1) URL where guix
publish server is not reached and (2) where the client is not
authorized? Silent failure just has the user guessing.

> HTH!

Absolutely :)

Pj.
-- 

Re: Struggling with a caching substitute server

[Ludovic Courtès]

[-- Attachment #1: Type: text/plain, Size: 809 bytes --]

Pjotr Prins <pjotr.public12@thebird.nl> skribis:

> On Mon, Apr 04, 2016 at 11:04:12PM +0200, Ludovic Courtès wrote:
>> Did you authorize the singing key of that server?
>
> That fixed it. I had switched clients forgetting about this one. Would
> it be possible to generate a warning for using a (1) URL where guix
> publish server is not reached and (2) where the client is not
> authorized? Silent failure just has the user guessing.

My initial thoughts was that this is not a failure, so not something to
warn about.  Indeed, at any time the admin can change the ACL, which in
turn makes substitutes available or not.

Besides, signatures are per substitute, so a warning would have to be
generated for each substitute that is signed by an unauthorized
signature, I think.  Like this:


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 535 bytes --]

diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index 82ce069..fdd72b2 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -412,7 +412,9 @@ or is signed by an unauthorized key."
         (and hash signature
              (signature-case (signature hash acl)
                (valid-signature #t)
-               (else #f))))))
+               (else
+                (warning (_ "bad sig!~%"))
+                #f))))))
 
 (define (write-narinfo narinfo port)
   "Write NARINFO to PORT."

[-- Attachment #3: Type: text/plain, Size: 71 bytes --]


This would obviously be suboptimal.

Any suggestions?

Ludo’.

Re: Struggling with a caching substitute server

[Pjotr Prins]

On Tue, Apr 05, 2016 at 11:29:05AM +0200, Ludovic Courtès wrote:
> This would obviously be suboptimal.
> 
> Any suggestions?

I think is *helpful* when dealing with deployments. At least I know
where to look now ;). Multiple missing ACLs could be displayed as one
(combined) warning, if noise is a problem. But, personally, I would
like to see all warnings for each key at least once. And also for
not working URLs.

Pj.

--