[bug#43155] [PATCH] hydra//build-machines: Update childhurd-net-options for secret-service.

[Jan Nieuwenhuizen <janneke@gnu.org>]

[-- Attachment #1: Type: text/plain, Size: 3048 bytes --]

Ludovic Courtès writes:

Hi!

> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> With bug https://bugs.gnu.org/43106 just closed we now have a nice way
>> to inject secrets into the Childhurds.
>>
>> Using the attached patch, which needs a fresh pull and reconfigure on
>> berlin (at least the nodes 101,102 that run Childhurds), we can create a
>> tree of childhurd secrets like so
>>
>> /etc/childhurd/etc/guix/signing-key.pub
>> /etc/childhurd/etc/guix/signing-key.sec
>> /etc/childhurd/etc/ssh/ssh_host_ed25519_key
>> /etc/childhurd/etc/ssh/ssh_host_ecdsa_key
>> /etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
>> /etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>>
>> ...and then we should be able to start offloading builds for the Hurd.
>
> Yup!  Probably we’ll create /etc/childhurd/HOST for each VM, so we also
> need to adjust <hurd-vm-configuration> accordingly, right?

Yes, we can add something like

      (secret-root (format #f "/etc/childhurd/~a" id))

to the

    (service hurd-vm-service-type
        (hurd-vm-configuration
          ...

(i'm a bit curious, though, why we would want to differentiate between
childhurds, they can be all identical?)

> (I realize that the current code will silently keep going if we forget
> to put the secret files in place; IOW, the service config doesn’t show
> the files we intended to push as secrets.  Oh well, we’ll see that
> later.)

Yes, I guess that's a feature -- "you" can start it once, then do
something like

    mkdir -p /etc/childhurd/etc
    scp -r childhurd:/etc/guix /etc/childhurd/etc
    scp -r childhurd:/etc/ssh /etc/childhurd/etc

>> (I guess we then also need to add a cuirass jobs for the Hurd?)
>
> Yes, or maybe just change ‘systems’ in the Cuirass specs for
> ‘guix-master’, but then it’ll try to build everything for GNU/Hurd,
> which doesn’t sound like a great idea for now.

I agree, not much sense in that yet.

> Perhaps we can simply add a separate jobset pulling from ‘master’ but
> building only for i586-gnu and only the “core” package set?

Hmm, why can't I find the definition of "core"?.  Anyway, It would be a
great first step to build (everything needef for) "hello", after that we
want to have/try "guile-3.0" and possibly "guix".

>>>From 6d1c388ed82c260af27b556c0677e780ee410b05 Mon Sep 17 00:00:00 2001
>> From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
>> Date: Tue, 1 Sep 2020 16:31:42 +0200
>> Subject: [PATCH] hydra//build-machines: Update childhurd-net-options for
>>  secret-service.
>> Content-Transfer-Encoding: 8bit
>> Content-Type: text/plain; charset=UTF-8
>>
>> * hydra/modules/sysadmin/build-machines.scm (berlin-new-build-machine-os)
>> [childhurd-net-options]: Include secret-service local QEMU forwarding.
>> Use variables from (gnu services virtualization).
>
> LGTM, thanks!

Great, pushed to guix-maintenance as 04c0fc1ea110b82d6180bbc1b2f895e55e746cd8

Janneke

...after first pushing this -- Ooopss typo fix


[-- Attachment #2: 0001-hydra-build-machines-Oops-typo-in-childhurd-net-opti.patch --]
[-- Type: text/x-patch, Size: 1371 bytes --]

From 35dd1de08f1b812a22184e925b089ffc471c52de Mon Sep 17 00:00:00 2001
From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Date: Wed, 2 Sep 2020 07:52:13 +0200
Subject: [PATCH 1/2] hydra/build-machines: Oops, typo in
 childhurd-net-options.
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

* hydra/modules/sysadmin/build-machines.scm (berlin-new-build-machine-os)
[childhurd-net-options]: Remove stray dot from parameter list.
---
 hydra/modules/sysadmin/build-machines.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hydra/modules/sysadmin/build-machines.scm b/hydra/modules/sysadmin/build-machines.scm
index b4afcbe..0a3e113 100644
--- a/hydra/modules/sysadmin/build-machines.scm
+++ b/hydra/modules/sysadmin/build-machines.scm
@@ -118,7 +118,7 @@ EMULATED-ARCHITECTURES, unless it's empty."
                        (mcron-configuration (jobs (list gc-job))))
               (operating-system-user-services %hurd-vm-operating-system)))))
 
-  (define (childhurd-net-options . config)
+  (define (childhurd-net-options config)
     "Expose SSH and VNC ports on 0.0.0.0; for first Childhurd VM those
 are 10022 and 15900."
     (let ((id 0))
-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com


[-- Attachment #3: Type: text/plain, Size: 152 bytes --]


-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com