Struggling with a caching substitute server

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

* Struggling with a caching substitute server
@ 2016-04-04 13:56 Pjotr Prins
  2016-04-04 21:04 ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: Pjotr Prins @ 2016-04-04 13:56 UTC (permalink / raw)
  To: guix-devel

I am running client and server in exactly the same checked out guix
repository. Server:

  ./pre-inst-env guix publish -u guix-publisher
    publishing /gnu/store on 0.0.0.0, port 8080

Client on the same server

  ./pre-inst-env guix package -i hello --dry-run
    The following derivations would be built:
     /gnu/store/ipsmyhrsfnfvyb096fpiscd7rn3d9557-profile.drv
     /gnu/store/l6z8ln2r4x9g2y6yy62ly3f8jx2k1rxy-ca-certificate-bundle.drv
     /gnu/store/v79w8yj766ryqnc6i1k8ry6wi8vfhy3f-info-dir.drv
  The following file would be downloaded:
     /gnu/store/zby49aqfbd9w9br4l52mvb3y6f9vfv22-hello-2.10

After installing the package it is in /gnu/store/zby49aqfbd9w9br4l52mvb3y6f9vfv22-hello-2.10


Now from a different remote machine using my substitute caching server

  ./pre-inst-env guix package -i hello --substitute-urls="http://guix.myserver.org" --dry-run

keeps on wanting to build the thing from scratch.

While from that same machine

   curl http://guix.myserver.org:8080/nix-cache-info
     StoreDir: /gnu/store
     WantMassQuery: 0

appears to work fine.

The response for both queries is:

Query from main server:

GET /nix-cache-info
GET /xgm6wxkja6llvkz8jck95i6cmh3c93yh.narinfo
GET /w6im8ck36hpjyh9zjmz9mr2vkppfhzid.narinfo
GET /9wq9z5jq3g691f836lhi0633g26lfl8n.narinfo

Query from remote

GET /nix-cache-info
GET /x2lhjhbxd5dqmis350gkc352v9z1pr8r.narinfo
GET /jkxa2ga4x0gqvx6x790anpwhnm7d278w.narinfo
GET /ic8sabq35jisj5wmi860d85i09qghq1x.narinfo

which suggests the files it wants to fetch are not the same, though the starting point 
(the checked out guix dir) should be exactly the same. The last commit is the same.

When I use hydra, no packages from source are built and the package
installed in exactly the same path
/gnu/store/zby49aqfbd9w9br4l52mvb3y6f9vfv22-hello-2.10A

This is my reproducible build environment. I would like tho have the
caching substitute server do the right thing. What am I missing?

Pj.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Struggling with a caching substitute server
  2016-04-04 13:56 Struggling with a caching substitute server Pjotr Prins
@ 2016-04-04 21:04 ` Ludovic Courtès
  2016-04-04 21:47   ` Pjotr Prins
  2016-04-05  7:57   ` Pjotr Prins
  0 siblings, 2 replies; 6+ messages in thread
From: Ludovic Courtès @ 2016-04-04 21:04 UTC (permalink / raw)
  To: Pjotr Prins; +Cc: guix-devel

Pjotr Prins <pjotr.public12@thebird.nl> skribis:

> I am running client and server in exactly the same checked out guix
> repository. Server:
>
>   ./pre-inst-env guix publish -u guix-publisher
>     publishing /gnu/store on 0.0.0.0, port 8080
>
> Client on the same server
>
>   ./pre-inst-env guix package -i hello --dry-run

If ‘guix publish’ and ‘guix package’ run on the same machine, then
nothing will happen: ‘guix publish’ serves what’s in /gnu/store, and
‘guix package’ will resort to substitutes only when something’s missing
from /gnu/store, in which case ‘guix publish’ won’t have it either.

> Now from a different remote machine using my substitute caching server
>
>   ./pre-inst-env guix package -i hello --substitute-urls="http://guix.myserver.org" --dry-run
>
> keeps on wanting to build the thing from scratch.

Did you authorize the singing key of that server?

> Query from main server:
>
> GET /nix-cache-info
> GET /xgm6wxkja6llvkz8jck95i6cmh3c93yh.narinfo
> GET /w6im8ck36hpjyh9zjmz9mr2vkppfhzid.narinfo
> GET /9wq9z5jq3g691f836lhi0633g26lfl8n.narinfo
>
> Query from remote
>
> GET /nix-cache-info
> GET /x2lhjhbxd5dqmis350gkc352v9z1pr8r.narinfo
> GET /jkxa2ga4x0gqvx6x790anpwhnm7d278w.narinfo
> GET /ic8sabq35jisj5wmi860d85i09qghq1x.narinfo
>
> which suggests the files it wants to fetch are not the same, though the starting point 
> (the checked out guix dir) should be exactly the same. The last commit is the same.

The set of narinfos queried is a function of what’s in the local
/gnu/store (clients only ask about things not already on disk) so it’s
normal that the requests differ.

HTH!

Ludo’.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Struggling with a caching substitute server
  2016-04-04 21:04 ` Ludovic Courtès
@ 2016-04-04 21:47   ` Pjotr Prins
  2016-04-05  7:57   ` Pjotr Prins
  1 sibling, 0 replies; 6+ messages in thread
From: Pjotr Prins @ 2016-04-04 21:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Mon, Apr 04, 2016 at 11:04:12PM +0200, Ludovic Courtès wrote:
> Did you authorize the singing key of that server?

Maybe I did not. I'll check tomorrow. It would be nice if we got some
feedback from the system. Silent failures is not so great.

Pj.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Struggling with a caching substitute server
  2016-04-04 21:04 ` Ludovic Courtès
  2016-04-04 21:47   ` Pjotr Prins
@ 2016-04-05  7:57   ` Pjotr Prins
  2016-04-05  9:29     ` Ludovic Courtès
  1 sibling, 1 reply; 6+ messages in thread
From: Pjotr Prins @ 2016-04-05  7:57 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Mon, Apr 04, 2016 at 11:04:12PM +0200, Ludovic Courtès wrote:
> Did you authorize the singing key of that server?

That fixed it. I had switched clients forgetting about this one. Would
it be possible to generate a warning for using a (1) URL where guix
publish server is not reached and (2) where the client is not
authorized? Silent failure just has the user guessing.

> HTH!

Absolutely :)

Pj.
-- 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Struggling with a caching substitute server
  2016-04-05  7:57   ` Pjotr Prins
@ 2016-04-05  9:29     ` Ludovic Courtès
  2016-04-05 10:37       ` Pjotr Prins
  0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2016-04-05  9:29 UTC (permalink / raw)
  To: Pjotr Prins; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 809 bytes --]

Pjotr Prins <pjotr.public12@thebird.nl> skribis:

> On Mon, Apr 04, 2016 at 11:04:12PM +0200, Ludovic Courtès wrote:
>> Did you authorize the singing key of that server?
>
> That fixed it. I had switched clients forgetting about this one. Would
> it be possible to generate a warning for using a (1) URL where guix
> publish server is not reached and (2) where the client is not
> authorized? Silent failure just has the user guessing.

My initial thoughts was that this is not a failure, so not something to
warn about.  Indeed, at any time the admin can change the ACL, which in
turn makes substitutes available or not.

Besides, signatures are per substitute, so a warning would have to be
generated for each substitute that is signed by an unauthorized
signature, I think.  Like this:


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 535 bytes --]

diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index 82ce069..fdd72b2 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -412,7 +412,9 @@ or is signed by an unauthorized key."
         (and hash signature
              (signature-case (signature hash acl)
                (valid-signature #t)
-               (else #f))))))
+               (else
+                (warning (_ "bad sig!~%"))
+                #f))))))
 
 (define (write-narinfo narinfo port)
   "Write NARINFO to PORT."

[-- Attachment #3: Type: text/plain, Size: 71 bytes --]


This would obviously be suboptimal.

Any suggestions?

Ludo’.

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: Struggling with a caching substitute server
  2016-04-05  9:29     ` Ludovic Courtès
@ 2016-04-05 10:37       ` Pjotr Prins
  0 siblings, 0 replies; 6+ messages in thread
From: Pjotr Prins @ 2016-04-05 10:37 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Tue, Apr 05, 2016 at 11:29:05AM +0200, Ludovic Courtès wrote:
> This would obviously be suboptimal.
> 
> Any suggestions?

I think is *helpful* when dealing with deployments. At least I know
where to look now ;). Multiple missing ACLs could be displayed as one
(combined) warning, if noise is a problem. But, personally, I would
like to see all warnings for each key at least once. And also for
not working URLs.

Pj.

-- 

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2016-04-05 10:38 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-04 13:56 Struggling with a caching substitute server Pjotr Prins
2016-04-04 21:04 ` Ludovic Courtès
2016-04-04 21:47   ` Pjotr Prins
2016-04-05  7:57   ` Pjotr Prins
2016-04-05  9:29     ` Ludovic Courtès
2016-04-05 10:37       ` Pjotr Prins

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.