From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 31825@debbugs.gnu.org
Subject: bug#31825: guix offload fails with guix-authenticate error
Date: Sun, 17 Jun 2018 22:31:33 -0400 [thread overview]
Message-ID: <87bmc87rlm.fsf@gmail.com> (raw)
In-Reply-To: <877en1xbpq.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Fri, 15 Jun 2018 00:08:49 +0200")
Hi Ludo,
ludo@gnu.org (Ludovic Courtès) writes:
> Hello,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> I've read the documentation carefully many times, but I still can't make
>> `guix offload' work. It always fails like so:
>>
>> guix offload test
>> guix offload: testing 1 build machines defined in '/etc/guix/machines.scm'...
>> guix offload: '192.168.1.105' is running guile (GNU Guile) 2.2.3
>> guix offload: Guix is usable on '192.168.1.105' (test returned "/gnu/store/883yjkl46dxw9mzykykmbs0yzwyxm17z-test")
>> sending 1 store item to '192.168.1.105'...
>> exporting path `/gnu/store/wrv01knf5xa76j73afscj066pbqq1na3-export-test'
>> guix offload: error: build failed: program `guix-authenticate' failed with exit code 1
>
> Presumably what this means is that the remote machine rejected the store
> item we sent it.
>
> To fix it, you need to authorize the signing key of the first machine on
> the second machine, using ‘guix archive --authorize’.
> You also need to do the reverse and ‘guix offload test’ will also check
> that.
>
> Can you make sure the machines are authorized by each other? (Check
> /etc/guix/acl on each.)
I've verified this a couple times, following the manual
carefully. Here's a sample of what I did:
* On the main machine
$ sudo guix archive --generate-key
guix archive: error: key pair exists under '/etc/guix'; remove it first
$ cat /etc/guix/signing-key.pub
(public-key
(ecc
(curve Ed25519)
(q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#)
)
)
$ scp /etc/guix/signing-key.pub x220:/tmp
signing-key.pub 100% 118 46.5KB/s 00:00
* On the offload machine
$ ssh x220
$ sudo -E guix archive --authorize < /tmp/signing-key.pub # on x220 machine
On my offload machine, the authorized key is added to
/usr/local/etc/guix/acl rather than /etc/guix/acl. I'm not sure why that
is, since this Guix was guix pulled, so it should be standard. But it
shouldn't matter since that running guix-daemon in gdb allowed me to see
that it was using a nixConfDir value set to "/usr/local/etc/guix".
$ sudo cat /etc/guix/acl
--8<---------------cut here---------------start------------->8---
(acl
(entry
(public-key
(rsa
(n #00DB1634E3D9DFAC97AE4734DAE968CCB15EE4815C82BDC254883DBB49FE1EF32268E82D4BBE0E35298C481C9DA1551642FAFF05AEC1A60712F1BB4BE7D25D7EFF7A4F89704A5A9AC232870CB9F2476C3B538A0E990A8825DEB73081D317001FB8A188600F2FEF5F5F570E857F3EE4355077A3C3918ED72723A56BA55C466D400658974D7DAD1F6B7B63C192B9C2704D98BBFF1C3BD5B8EF11A8ADC83ACB8FD8E9F1E792FDAD262415D13F2DEE55F330908CFDA9C3C8C32B64F7DD088457D34F445E2E2C83C6D680549DC9B6E6573B89496567204ED285E67A279F2F667080BA941D80D015CE87B0FB6A91A99CECC7D91D2D210B00E4B6E611DA51DB008F1DFE3FCAC6B27393FA781D45F9A15FC7B8785A3E86BA6592B2916CA22CF1E40FC85F85CACA590461154F58F3580B16398908EF32076F411299C28727C94D88B6A618F84DD73AEBED8270BCB6690928CB1BF250C35E1F6BF3B1B30D05BA246ECE8F69D9065DE26F4B3E0D814D70A9C27CB5B7B050C9090590D3A9EF83374F2643E5446FBD39DDB124DBF6DFDAA6D18E2560AD0CBFA11C959C9B7316BF19963A191967054E9FD97DC14D71082B30B1C90A46E8996682474C3BCB51BA0882958897B6DD35E41B5174D0A6BCDE97B89043E95BD1B70DE61DA666893B417196A180005466BC3A742FDF04E89B04460E3E6BC72E7F1B5FEA5B3092FEE551A3C447C12E104E65#)
(e #010001#)
)
)
(tag
(guix import)
)
)
)
--8<---------------cut here---------------end--------------->8---
$ sudo cat /usr/local/etc/guix/acl
--8<---------------cut here---------------start------------->8---
(acl
(entry
(public-key
(ecc
(curve Ed25519)
(q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#)
)
)
(tag
(guix import)
)
)
)
--8<---------------cut here---------------end--------------->8---
Notice that the same key can be added multiple times by using the
--authorize command, but cleaning up the file doesn't seem to help.
$ sudo -E guix archive --generate-key
guix archive: error: key pair exists under '/usr/local/etc/guix'; remove it first
$ cat /usr/local/etc/guix/signing-key.pub
(public-key
(ecc
(curve Ed25519)
(q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#)
)
)
* Back to my main machine
$ scp x220:/usr/local/etc/guix/signing-key.pub /tmp
signing-key.pub 100% 118 35.3KB/s 00:00
$ sudo -E guix archive --authorize < /tmp/signing-key.pub
$ sudo cat /etc/guix/acl
--8<---------------cut here---------------start------------->8---
(acl
(entry
(public-key
(ecc
(curve Ed25519)
(q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#)
)
)
(tag
(guix import)
)
)
(entry
(public-key
(ecc
(curve Ed25519)
(q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#)
)
)
(tag
(guix import)
)
)
)
--8<---------------cut here---------------end--------------->8---
$ guix offload test
--8<---------------cut here---------------start------------->8---
Connection to 192.168.1.105 closed.
maxim@apteryx ~$ guix offload test
guix offload: testing 1 build machines defined in '/etc/guix/machines.scm'...
guix offload: '192.168.1.105' is running guile (GNU Guile) 2.2.3
guix offload: Guix is usable on '192.168.1.105' (test returned "/gnu/store/883yjkl46dxw9mzykykmbs0yzwyxm17z-test")
sending 1 store item to '192.168.1.105'...
exporting path `/gnu/store/smgzvgc9krglk0mjpcscg5450l05w4dg-export-test'
guix offload: error: build failed: program `guix-authenticate' failed
with exit code 1
--8<---------------cut here---------------end--------------->8---
Any other ideas?
Thank you!
Maxim
next prev parent reply other threads:[~2018-06-18 2:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-14 3:54 bug#31825: guix offload fails with guix-authenticate error Maxim Cournoyer
2018-06-14 22:08 ` Ludovic Courtès
2018-06-18 2:31 ` Maxim Cournoyer [this message]
2018-06-18 8:32 ` Ludovic Courtès
2018-06-19 2:35 ` Maxim Cournoyer
2018-06-19 9:28 ` Ludovic Courtès
[not found] ` <871sd354mb.fsf@gmail.com>
2018-06-19 14:49 ` Ludovic Courtès
2018-06-20 3:01 ` Maxim Cournoyer
2018-06-20 3:54 ` swedebugia
2018-06-22 2:13 ` Maxim Cournoyer
2018-06-20 14:06 ` Ludovic Courtès
2020-02-22 5:18 ` Maxim Cournoyer
2021-08-08 4:09 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bmc87rlm.fsf@gmail.com \
--to=maxim.cournoyer@gmail.com \
--cc=31825@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.