bug#31825: guix offload fails with guix-authenticate error

[ludo@gnu.org (Ludovic Courtès)]

Hello!

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> I just did:
>
> sudo cp /usr/local/etc/guix/signing* /etc/guix/
>
> And it is now working. Ouf!

Woohoo!

> Summarizing this adventure:
>
> 0) Make sure your .bashrc doesn't exit early when it is executed in
> non-interactive mode (as is the case in Ubuntu).
>
> 1) Make sure the guix-authenticate program is available on the host as
> well as the offload machines, by installing guix (guix package -i guix)
> in the corresponding user profiles and sourcing
> $HOME/guix.profile/etc/profile in the ~/.bashrc.
>
> 2) Make sure all your guix-daemons are configured to use /etc/guix as
> their sysconfdir, as Guix offload currently seems hardcoded to only look
> things under /etc/guix.

Hmm nothing’s hard-coded; it’s the daemon on the remote host that knows
where to look for keys etc.

I suspect there was a mixture of Guix with --sysconfdir=/etc and with
--sysconfdir=/usr/local/etc, perhaps due to an earlier installation
built from source or something, and that this is what led to the mess.

I’m afraid there’s not much Guix itself can do, but if you investigate
and manage to determine how we ended up with this confusion, perhaps
we’ll have ideas on how to avoid it.

> 3) Don't trust any errors output by guix offload ;)

Yeah we can definitely do better.  :-)

> It'd be nice if this was as simple as setting up a Jenkins node... You
> tell Guix which machine you want to use and give it SSH access, and it
> does the required setup without having the user messing around with keys
> and what not.

The security implications of authorizing each other’s keys are serious,
and have to be made by root on both machines.  So I’m not sure we could
easily automate it.  It’s quite common for SSH daemons to disallow root
logins by default, for instance, which prevents automation in this case.

> But I'm seeing far ahead. For now, we could start by adding some points
> to the `guix offload` info manual. Then we can try to modify the code to
> better capture the error messages. 

Yes, I’d say improving ‘guix offload status’ should be the priority.  To
be honest, I’m not sure anything important is missing in the manual,
looking at the items above.

Thanks,
Ludo’.