From mboxrd@z Thu Jan 1 00:00:00 1970 From: Maxim Cournoyer Subject: bug#31825: guix offload fails with guix-authenticate error Date: Sun, 17 Jun 2018 22:31:33 -0400 Message-ID: <87bmc87rlm.fsf@gmail.com> References: <87y3firpjs.fsf@gmail.com> <877en1xbpq.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:41372) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fUjxd-0003bh-Ii for bug-guix@gnu.org; Sun, 17 Jun 2018 22:32:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fUjxa-0001nH-DM for bug-guix@gnu.org; Sun, 17 Jun 2018 22:32:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:46328) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fUjxa-0001n9-90 for bug-guix@gnu.org; Sun, 17 Jun 2018 22:32:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fUjxa-0005bv-2f for bug-guix@gnu.org; Sun, 17 Jun 2018 22:32:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <877en1xbpq.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Fri, 15 Jun 2018 00:08:49 +0200") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 31825@debbugs.gnu.org Hi Ludo, ludo@gnu.org (Ludovic Court=C3=A8s) writes: > Hello, > > Maxim Cournoyer skribis: > >> I've read the documentation carefully many times, but I still can't make >> `guix offload' work. It always fails like so: >> >> guix offload test >> guix offload: testing 1 build machines defined in '/etc/guix/machines.sc= m'... >> guix offload: '192.168.1.105' is running guile (GNU Guile) 2.2.3 >> guix offload: Guix is usable on '192.168.1.105' (test returned "/gnu/sto= re/883yjkl46dxw9mzykykmbs0yzwyxm17z-test") >> sending 1 store item to '192.168.1.105'... >> exporting path `/gnu/store/wrv01knf5xa76j73afscj066pbqq1na3-export-test' >> guix offload: error: build failed: program `guix-authenticate' failed wi= th exit code 1 > > Presumably what this means is that the remote machine rejected the store > item we sent it. > > To fix it, you need to authorize the signing key of the first machine on > the second machine, using =E2=80=98guix archive --authorize=E2=80=99. > You also need to do the reverse and =E2=80=98guix offload test=E2=80=99 w= ill also check > that. > > Can you make sure the machines are authorized by each other? (Check > /etc/guix/acl on each.) I've verified this a couple times, following the manual carefully. Here's a sample of what I did: * On the main machine $ sudo guix archive --generate-key guix archive: error: key pair exists under '/etc/guix'; remove it first $ cat /etc/guix/signing-key.pub=20 (public-key=20 (ecc=20 (curve Ed25519) (q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#) ) ) $ scp /etc/guix/signing-key.pub x220:/tmp signing-key.pub 100% 118 46.5KB/s 00:00 * On the offload machine $ ssh x220 $ sudo -E guix archive --authorize < /tmp/signing-key.pub # on x220 machi= ne On my offload machine, the authorized key is added to /usr/local/etc/guix/acl rather than /etc/guix/acl. I'm not sure why that is, since this Guix was guix pulled, so it should be standard. But it shouldn't matter since that running guix-daemon in gdb allowed me to see that it was using a nixConfDir value set to "/usr/local/etc/guix". $ sudo cat /etc/guix/acl --8<---------------cut here---------------start------------->8--- (acl=20 (entry=20 (public-key=20 (rsa=20 (n #00DB1634E3D9DFAC97AE4734DAE968CCB15EE4815C82BDC254883DBB49FE1EF3226= 8E82D4BBE0E35298C481C9DA1551642FAFF05AEC1A60712F1BB4BE7D25D7EFF7A4F89704A5A= 9AC232870CB9F2476C3B538A0E990A8825DEB73081D317001FB8A188600F2FEF5F5F570E857= F3EE4355077A3C3918ED72723A56BA55C466D400658974D7DAD1F6B7B63C192B9C2704D98BB= FF1C3BD5B8EF11A8ADC83ACB8FD8E9F1E792FDAD262415D13F2DEE55F330908CFDA9C3C8C32= B64F7DD088457D34F445E2E2C83C6D680549DC9B6E6573B89496567204ED285E67A279F2F66= 7080BA941D80D015CE87B0FB6A91A99CECC7D91D2D210B00E4B6E611DA51DB008F1DFE3FCAC= 6B27393FA781D45F9A15FC7B8785A3E86BA6592B2916CA22CF1E40FC85F85CACA590461154F= 58F3580B16398908EF32076F411299C28727C94D88B6A618F84DD73AEBED8270BCB6690928C= B1BF250C35E1F6BF3B1B30D05BA246ECE8F69D9065DE26F4B3E0D814D70A9C27CB5B7B050C9= 090590D3A9EF83374F2643E5446FBD39DDB124DBF6DFDAA6D18E2560AD0CBFA11C959C9B731= 6BF19963A191967054E9FD97DC14D71082B30B1C90A46E8996682474C3BCB51BA0882958897= B6DD35E41B5174D0A6BCDE97B89043E95BD1B70DE61DA666893B417196A180005466BC3A742= FDF04E89B04460E3E6BC72E7F1B5FEA5B3092FEE551A3C447C12E104E65#) (e #010001#) ) ) (tag=20 (guix import) ) ) ) --8<---------------cut here---------------end--------------->8--- $ sudo cat /usr/local/etc/guix/acl=20 --8<---------------cut here---------------start------------->8--- (acl=20 (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #EEA139318243D36EB4C728DB96856AB15C47AB64C765FA134CCFB12444B82A7C#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#) ) ) (tag=20 (guix import) ) ) ) --8<---------------cut here---------------end--------------->8--- Notice that the same key can be added multiple times by using the --authorize command, but cleaning up the file doesn't seem to help. $ sudo -E guix archive --generate-key guix archive: error: key pair exists under '/usr/local/etc/guix'; remove it= first $ cat /usr/local/etc/guix/signing-key.pub=20 (public-key=20 (ecc=20 (curve Ed25519) (q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#) ) ) * Back to my main machine $ scp x220:/usr/local/etc/guix/signing-key.pub /tmp signing-key.pub 100% 118 35.3KB/s 00:00 $ sudo -E guix archive --authorize < /tmp/signing-key.pub $ sudo cat /etc/guix/acl --8<---------------cut here---------------start------------->8--- (acl=20 (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #5ED0F681F77731AD676285A6DB5986DA5252DE1AA597DFC56835FF948C150834#) ) ) (tag=20 (guix import) ) ) (entry=20 (public-key=20 (ecc=20 (curve Ed25519) (q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#) ) ) (tag=20 (guix import) ) ) ) --8<---------------cut here---------------end--------------->8--- $ guix offload test --8<---------------cut here---------------start------------->8--- Connection to 192.168.1.105 closed. maxim@apteryx ~$ guix offload test guix offload: testing 1 build machines defined in '/etc/guix/machines.scm'.= .. guix offload: '192.168.1.105' is running guile (GNU Guile) 2.2.3 guix offload: Guix is usable on '192.168.1.105' (test returned "/gnu/store/= 883yjkl46dxw9mzykykmbs0yzwyxm17z-test") sending 1 store item to '192.168.1.105'... exporting path `/gnu/store/smgzvgc9krglk0mjpcscg5450l05w4dg-export-test' guix offload: error: build failed: program `guix-authenticate' failed with exit code 1 --8<---------------cut here---------------end--------------->8--- Any other ideas? Thank you! Maxim