all messages for Guix-related lists mirrored at yhetil.org
From: Wojtek Kosior via <help-guix@gnu.org>
To: Mauritz Stenek <mstenek@disroot.org>
Cc: help-guix@gnu.org
Subject: Re: SSH error guix pull
Date: Tue, 5 Dec 2023 20:28:34 +0100
Message-ID: <20231205202834.05ce97e3.koszko@koszko.org>
In-Reply-To: <87zfyor03l.fsf@disroot.org>

> Thanks Wojtek for your kind help (my comments below).
> 
> Status update: I got it running!

Great to hear that :)

> [...]
> 
> and that's it: the setup that works.
> 
> However, the `guix pull` ssh error only goes away after I 
> ssh to a remote computer: `$ ssh root@repo.local`; this command 
> somehow triggers something that makes `git pull` work. Odd.

Hmm.  Since the SSH agent remembers SSH key password, it'd make sense
that one has to first "unlock" a key in an interactive CLI session
before Guix can use it non-interactively.  If this also happens with
passwordless keys, then it's indeed odd.  Nevertheless, I guess a
hypothetical solution would be to allow Guix to — when desired — call
SSH with access to its TTY/PTY :)

Best
Wojtek


-- (sig_start)
website: https://koszko.org/koszko.html
fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A
follow me on Fediverse: https://friendica.me/profile/koszko/profile

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)


On Tue, 05 Dec 2023 11:44:57 -0600 Mauritz Stenek <mstenek@disroot.org> wrote:

> Thanks Wojtek for your kind help (my comments below).
> 
> Status update: I got it running!
> 
> Perhaps I should clarify that I'm running a very light setup -- 
> Desktop services with dwm (I tried to go even leaner, but I 
> couldn't get the xorg server to work w/o a login manager); I'm 
> unsure if this is affecting the ssh setup.
> 
> This is what I did (the superfluous commented lines show my tweaks 
> to the doc's suggestion[1]):
> 
> (1) I created an ssh agent -- as per the shepherd docs[1] with 
> some tweaks. I added the `&` to the recommended bash setup to send 
> the job to the background:
> 
> ```
> if [[ ! -S ${XDG_RUNTIME_DIR-$HOME/.cache}/shepherd/socket ]]; 
> then
>     shepherd &
> fi
> ```
> 
> (2) I commented out `(shepherd service)` import and the 
> `(perform-service-action 'shepherd 'daemonize)` expression in the 
> `init.scm` file:
> 
> ```
> (use-modules ;; (shepherd service)
>              ((ice-9 ftw) #:select (scandir)))
> 
> ;; Send shepherd into the background
> ;; (perform-service-action 'shepherd 'daemonize)
> 
> ;; Load all the files in the directory 'init.d' with a suffix '.scm'.
> (for-each
>   (lambda (file)
>     (load (string-append "init.d/" file)))
>   (scandir (string-append (dirname (current-filename)) "/init.d")
>            (lambda (file)
>              (string-suffix? ".scm" file))))
> ```
> 
> (3): I removed the conditional export of the auth sock variable in 
> the `.bash_profile` file:
> 
> ```
> #if [[ ! -n ${SSH_CONNECTION} ]]; then
>     SSH_AUTH_SOCK=${XDG_RUNTIME_DIR-$HOME/.cache}/ssh-agent/socket
>     export SSH_AUTH_SOCK
> #fi
> ```
> 
> and that's it: the setup that works.
> 
> However, the `guix pull` ssh error only goes away after I 
> ssh to a remote computer: `$ ssh root@repo.local`; this command 
> somehow triggers something that makes `git pull` work. Odd.
> 
> 
> [1]: 
> https://www.gnu.org/software/shepherd/manual/html_node/Managing-User-Services.html
> 
> On 2023-12-01 at 14:07, Wojtek Kosior <koszko@koszko.org> wrote:
> 
> > [[PGP Signed Part:Undecided]]  
> >> Starting service root...
> >> Service root started.
> >> Service root running with value #t.
> >> Service root has been started.
> >> Uncaught exception while loading configuration file 
> >> '/home/mst/.config/shepherd/init.scm': (goops-error #f "No 
> >> applicable method for ~S in call ~S" (#<<generic> 
> >> service-actions   
> >> (1)> (service-actions shepherd)) ())    
> >> ```
> >> 
> >> which I don't know how to fix.  
> >
> > I see…  I've never been using shepherd alone, in separation from 
> > Guix
> > but I see that my Guix-generated user shepherd config has this
> >
> > --8<---------------cut here---------------start------------->8---
> > (action 'root 'daemonize)
> > --8<---------------cut here---------------end--------------->8---
> >
> >
> > while the example you linked to uses
> >
> > --8<---------------cut here---------------end--------------->8---
> > (perform-service-action 'shepherd 'daemonize)
> > --8<---------------cut here---------------start------------->8---
> >
> >
> > Anyway, if there's no strong reason for not using Guix home, I'd 
> > suggest
> > using it.  I mean the `guix home` command and its subcommands. 
> > It
> > handles — among others — shepherd configuration.  The link I 
> > gave
> > earlier was about using SSH through Guix home.  
> 
> Yes, I still need to explore Guix Home -- baby steps.
> 
> >> > Btw, there's perhaps another solution — pull from local git 
> >> > checkout.
> >> > You can pass a filesystem path instead of a url when running 
> >> > `guix
> >> > pull`. This might later cause some issues if you try to `sudo 
> >> > guix
> >> > system reconfigure` but that's another topic…    
> >> 
> >> I was able to install a package like this but it's not ideal.  
> >
> > You can also serve a cloneable git repo over HTTP on 
> > localhost…
> > Here's a sample script for this that I happen to have written 
> > for my own
> > purposes just today ;)
> >
> > --8<---------------cut here---------------start------------->8---
> > #!/usr/bin/env -S guix repl --
> > !#
> >
> > ;; SPDX-License-Identifier: CC0-1.0
> >
> > ;; Copyright (C) 2023 Wojtek Kosior <koszko@koszko.org>
> > ;;
> > ;; Available under the terms of Creative Commons Zero v1.0 Universal.
> >
> > (use-modules ((guix gexp) #:select
> >               (gexp file-append mixed-text-file program-file lower-object))
> >              ((gnu packages version-control) #:select (git))
> >              ((gnu packages web) #:select (lighttpd))
> >              ((guix store) #:select (run-with-store with-store %store-monad))
> >              ((guix monads) #:select (mlet mbegin return))
> >              ((guix derivations) #:select
> >               (built-derivations derivation-output-path derivation-outputs)))
> >
> > (define here
> >   (dirname (current-filename)))
> >
> > (define git-http-backend
> >   (file-append git "/libexec/git-core/git-http-backend"))
> >
> > (define lighttpd-config
> >   (mixed-text-file "lighttpd.conf"
> >                    "\
> > server.document-root = \"/dev/null\"
> > server.modules = ( \"mod_alias\", \"mod_cgi\", \"mod_setenv\")
> > server.port = 8098
> >
> > alias.url = ( \"/guix\" => \"" git-http-backend "\" )
> > cgi.assign = (\"\" => \"\")
> >
> > setenv.add-environment = (
> >     \"GIT_PROJECT_ROOT\" => \"" here "\" + \"/.git\",
> >     \"GIT_HTTP_EXPORT_ALL\" => \"\"
> > )
> > "))
> >
> > (define run-lighttpd-guix-repo-server
> >   (program-file "run-lighttpd-guix-repo-server"
> >                 #~(system* #$(file-append lighttpd "/sbin/lighttpd") "-D"
> >                            "-f" #$lighttpd-config)))
> >
> > (system*
> >  (with-store store
> >    (run-with-store store
> >      (mlet %store-monad ((script-drv (lower-object
> >                                       run-lighttpd-guix-repo-server)))
> >        (mbegin %current-monad
> >          (built-derivations (list script-drv))
> >          (return (derivation-output-path
> >                   (assoc-ref (derivation-outputs script-drv) "out"))))))))
> > --8<---------------cut here---------------end--------------->8---
> >
> >
> > One can write it as, say, "serve-git-repo.scm" in a git project
> > checkout (possibly also listing it in `.git/info/exclude` to 
> > have git
> > ignore it).  Then `chmod +x` it and run — if all goes OK, it 
> > should
> > serve the repo at: http://localhost:8098/guix
> >
> > It's then possible to do e.g.
> >
> > --8<---------------cut here---------------start------------->8---
> > guix pull --url=http://localhost:8098/guix
> > --8<---------------cut here---------------end--------------->8---
> >
> > The benefit is that the aforementioned `guix system reconfigure` 
> > seems
> > to work afterwards (although the local git repo server needs to 
> > be
> > running during this time).
> >
> > Voila!  We no longer need to rely on remote git servers 
> > availability :)
> > It'd make sense to also spawn this HTTP server through 
> > shepherd.
> > And to generalize it to be able to serve multiple repos at once 
> > — for
> > example a custom Guix tree, a channel other than "guix" and some
> > software projects  
> 
> Cool! I will definitely give this a try!
> 
> 
> >
> > Best
> > Wojtek
> >
> >
> > -- (sig_start)
> > website: https://koszko.org/koszko.html
> > fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A
> > follow me on Fediverse: 
> > https://friendica.me/profile/koszko/profile
> >
> > ♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ 
> > c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
> > ✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? 
> > U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
> > -- (sig_end)
> >
> >
> > On Fri, 01 Dec 2023 12:37:58 -0600 Mauritz Stenek 
> > <mstenek@disroot.org> wrote:
> >  
> >> On 2023-12-01 at 07:12, Wojtek Kosior <koszko@koszko.org> 
> >> wrote:
> >>   
> >> > [[PGP Signed Part:Undecided]]
> >> > Hi
> >> >    
> >> >> However, on a full Guix system I keep getting this error:
> >> >> 
> >> >> ```
> >> >> guix pull: error: Git error: error authenticating: no auth 
> >> >> sock 
> >> >> variable
> >> >> ```
> >> >> 
> >> >> and, for the life of me, I just can't get it to work.    
> >> >
> >> > Maybe you're not running ssh user agent daemon under your 
> >> > user? 
> >> > You
> >> > need it for this to work.
> >> >
> >> > You can probably spawn it in a number of ways.  One of them 
> >> > would be
> >> > through Guix home.  See this[1] Guix manual node for info 
> >> > about
> >> > ssh-agent's home service :)
> >> >
> >> > Also, you're not running `guix pull` with sudo, are you?  It 
> >> > wouldn't
> >> > work this way because sudo erases environment variables, 
> >> > including
> >> > "SSH_AUTH_SOCK".
> >> >
> >> > Btw, on my fully Guixified laptop I am using Guix home 
> >> > without
> >> > ssh-agent configured and yet I do have ssh-agent running 
> >> > under 
> >> > my user.
> >> > I'm not sure what started it…    
> >> 
> >> Seems like that is the situation. I actually tried to run the 
> >> ssh-agent user service example in the shepherd manual 
> >> (https://www.gnu.org/software/shepherd/manual/html_node/Managing-User-Services.html) 
> >> -- verbatim -- and I get this error:
> >> 
> >> ```
> >> Starting service root...
> >> Service root started.
> >> Service root running with value #t.
> >> Service root has been started.
> >> Uncaught exception while loading configuration file 
> >> '/home/mst/.config/shepherd/init.scm': (goops-error #f "No 
> >> applicable method for ~S in call ~S" (#<<generic> 
> >> service-actions   
> >> (1)> (service-actions shepherd)) ())    
> >> ```
> >> 
> >> which I don't know how to fix.
> >> 
> >> Other than that example, I'm at a loss with ssh.
> >>   
> >> >    
> >> >> (disclaimer: I'm a total scheme/guile neophyte -- and am 
> >> >> learning 
> >> >> as I go)    
> >> >
> >> > As all of us, haha :D    
> >> 
> >> :D
> >>   
> >> >
> >> > Btw, there's perhaps another solution — pull from local git 
> >> > checkout.
> >> > You can pass a filesystem path instead of a url when running 
> >> > `guix
> >> > pull`. This might later cause some issues if you try to `sudo 
> >> > guix
> >> > system reconfigure` but that's another topic…    
> >> 
> >> I was able to install a package like this but it's not ideal.
> >>   
> >> > Good luck and happy hacking!    
> >> 
> >> Thanks! I can tell you, it is a journey.
> >>   
> >> > Wojtek
> >> >
> >> > [1] 
> >> > https://guix.gnu.org/manual/devel/en/html_node/Secure-Shell.html
> >> >
> >> >
> >> > -- (sig_start)
> >> > website: https://koszko.org/koszko.html
> >> > fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 
> >> > FD1A
> >> > follow me on Fediverse: 
> >> > https://friendica.me/profile/koszko/profile
> >> >
> >> > ♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ 
> >> > c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
> >> > ✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? 
> >> > U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
> >> > -- (sig_end)
> >> >
> >> >
> >> > On Thu, 30 Nov 2023 19:47:43 -0600 Mauritz Stenek 
> >> > <mstenek@disroot.org> wrote:
> >> >    
> >> >> I'm trying out Guix and created a personal (private) channel 
> >> >> with 
> >> >> some custom packages. I access my git repo with ssh.
> >> >> 
> >> >> Using Guix on a foreign distro, pulling from my git repo 
> >> >> works 
> >> >> fine after applying this strategy: 
> >> >> https://issues.guix.gnu.org/31285.
> >> >> 
> >> >> However, on a full Guix system I keep getting this error:
> >> >> 
> >> >> ```
> >> >> guix pull: error: Git error: error authenticating: no auth 
> >> >> sock 
> >> >> variable
> >> >> ```
> >> >> 
> >> >> and, for the life of me, I just can't get it to work.
> >> >> 
> >> >> (disclaimer: I'm a total scheme/guile neophyte -- and am 
> >> >> learning 
> >> >> as I go)
> >> >> 
> >> >> Please help.
> >> >>     
> >> >
> >> > [[End of PGP Signed Part]]    
> >> 
> >>   
> >
> > [[End of PGP Signed Part]]  
> 
> 
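
A pre-flight check for the failure modes discussed in this thread (SSH_AUTH_SOCK unset, agent socket missing, key not yet loaded into the agent), as an added example that is not part of the original messages. The function name agent_preflight and its return codes are assumptions made for illustration.

```bash
# Added example: classify why a non-interactive Git-over-SSH client
# (such as `guix pull` on an SSH channel URL) cannot use ssh-agent.
# agent_preflight is a hypothetical helper, not part of Guix or OpenSSH.
# Return codes: 0 usable, 1 variable unset, 2 socket missing,
#               3 agent unreachable, 4 agent holds no keys.
agent_preflight() {
    # Case seen in the thread: "no auth sock variable". The variable
    # was never exported, or sudo removed it from the environment.
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is unset (not exported, or stripped by sudo)" >&2
        return 1
    fi

    # The variable points somewhere, but no agent created a socket
    # there (for example the shepherd user service is not running).
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "$SSH_AUTH_SOCK is not a socket; is the agent running?" >&2
        return 2
    fi

    # ssh-add -l exits 0 when keys are listed, 1 when the agent holds
    # no identities, 2 when the agent cannot be contacted.
    local rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) echo "agent holds no keys; run ssh-add in a terminal first" >&2
           return 4 ;;
        *) echo "cannot query agent at $SSH_AUTH_SOCK (ssh-add rc=$rc)" >&2
           return 3 ;;
    esac
}
```

Run it as the same user and from the same shell environment that will run `guix pull`, since the result depends on what that process inherits.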
