all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists
@ 2020-02-28  4:30 Maxim Cournoyer
  2020-02-28  4:32 ` Maxim Cournoyer
  2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
  0 siblings, 2 replies; 13+ messages in thread
From: Maxim Cournoyer @ 2020-02-28  4:30 UTC (permalink / raw)
  To: 39819

Hello,

I spent the evening debugging why my authorized keys for the
guix-service-type wouldn't appear under /etc/guix/acl upon
reconfiguration (and 'guix offload test' would be unhelpfully reporting
"guix offload: error: program
`/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
failed with exit code 1", see issue <https://bugs.gnu.org/34786>).

It turns out that the guix-activation script that is supposed to add the authorized keys does this:

--8<---------------cut here---------------start------------->8---
   (unless (file-exists? "/etc/guix/acl")
     (mkdir-p "/etc/guix")
     (copy-file #+default-acl "/etc/guix/acl")
     (chmod "/etc/guix/acl" #o600)))))
--8<---------------cut here---------------end--------------->8---

i.e., it doesn't do anything if a /etc/guix/acl file already exists.
This means that the only time it ought to do anything is the first time
the system was reconfigured (or perhaps, init?).

I would have expected the keys declared in my operating system
configuration to be used along those with /etc/guix/acl, or added to it.

Maxim

^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists
  2020-02-28  4:30 bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists Maxim Cournoyer
@ 2020-02-28  4:32 ` Maxim Cournoyer
  2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
  1 sibling, 0 replies; 13+ messages in thread
From: Maxim Cournoyer @ 2020-02-28  4:32 UTC (permalink / raw)
  To: 39819

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> I spent the evening debugging why my authorized keys for the
> guix-service-type wouldn't appear under /etc/guix/acl upon
> reconfiguration (and 'guix offload test' would be unhelpfully reporting
> "guix offload: error: program
> `/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
> failed with exit code 1", see issue <https://bugs.gnu.org/34786>).
>
> It turns out that the guix-activation script that is supposed to add the authorized keys does this:
>
>    (unless (file-exists? "/etc/guix/acl")
>      (mkdir-p "/etc/guix")
>      (copy-file #+default-acl "/etc/guix/acl")
>      (chmod "/etc/guix/acl" #o600)))))
>
> i.e., it doesn't do anything if a /etc/guix/acl file already exists.
> This means that the only time it ought to do anything is the first time
> the system was reconfigured (or perhaps, init?).
>
> I would have expected the keys declared in my operating system
> configuration to be used along those with /etc/guix/acl, or added to it.

I forgot to mention, the above code is from (gnu services base), more
specifically from the `substitute-key-authorization' procedure.

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Declarative /etc/guix/acl?
@ 2020-10-11 10:39 ` Ludovic Courtès
  2020-10-11 11:00   ` bug#39819: " Efraim Flashner
                     ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Ludovic Courtès @ 2020-10-11 10:39 UTC (permalink / raw)
  To: guix-devel; +Cc: 39819

Hi!

For some reason, /etc/guix/acl is not declarative on Guix System: we let
users modify it and assume it’s stateful, which can surprise users as in
<https://issues.guix.gnu.org/39819>.

Should we make it declarative, just like most of /etc?  I think so.  For
a build farm like berlin, it would force admins to explicitly list all
the authorized keys in their config—annoying change, but not a bad
thing.

WDYT?

The problem is the transition.  We would need to at least create a
backup of /etc/guix/acl on the next activation, or better yet, warn
users or error out at reconfigure time.

Thoughts?

Ludo’.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#39819: Declarative /etc/guix/acl?
  2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
@ 2020-10-11 11:00   ` Efraim Flashner
  2020-10-11 11:07   ` Jan Nieuwenhuizen
  2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  2 siblings, 0 replies; 13+ messages in thread
From: Efraim Flashner @ 2020-10-11 11:00 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 39819

[-- Attachment #1: Type: text/plain, Size: 1210 bytes --]

On Sun, Oct 11, 2020 at 12:39:17PM +0200, Ludovic Courtès wrote:
> Hi!
> 
> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
> 
> Should we make it declarative, just like most of /etc?  I think so.  For
> a build farm like berlin, it would force admins to explicitly list all
> the authorized keys in their config—annoying change, but not a bad
> thing.
> 
> WDYT?

I've been surprised by it at least once. (That it was more than once is
on me...)

> The problem is the transition.  We would need to at least create a
> backup of /etc/guix/acl on the next activation, or better yet, warn
> users or error out at reconfigure time.
> 
> Thoughts?
> 
> Ludo’.
> 

activation script: (when (file-exists? "/etc/guix/acl")
                     (rename-file "/etc/guix/acl"
                                  "/etc/guix/acl-old"))

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Declarative /etc/guix/acl?
  2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
  2020-10-11 11:00   ` bug#39819: " Efraim Flashner
@ 2020-10-11 11:07   ` Jan Nieuwenhuizen
  2020-10-12 12:53     ` bug#39819: " Ludovic Courtès
  2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  2 siblings, 1 reply; 13+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-11 11:07 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 39819

Ludovic Courtès writes:

Hello!

> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
>
> Should we make it declarative, just like most of /etc?  I think so.

Yes, I think so too.  However, if you have your own substitute server,
you now can run guix archive --authorize < ..., e.g. at
bootstrap/install time.  For such cases, IWBN to have a --authorized-key
argument to guix build / guix system.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com


^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#39819: Declarative /etc/guix/acl?
  2020-10-11 11:07   ` Jan Nieuwenhuizen
@ 2020-10-12 12:53     ` Ludovic Courtès
  2020-10-12 20:26       ` Jan Nieuwenhuizen
  0 siblings, 1 reply; 13+ messages in thread
From: Ludovic Courtès @ 2020-10-12 12:53 UTC (permalink / raw)
  To: Jan Nieuwenhuizen; +Cc: guix-devel, 39819

Hi,

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

> Ludovic Courtès writes:
>
> Hello!
>
>> For some reason, /etc/guix/acl is not declarative on Guix System: we let
>> users modify it and assume it’s stateful, which can surprise users as in
>> <https://issues.guix.gnu.org/39819>.
>>
>> Should we make it declarative, just like most of /etc?  I think so.
>
> Yes, I think so too.

OK.

> However, if you have your own substitute server, you now can run guix
> archive --authorize < ..., e.g. at bootstrap/install time.  For such
> cases, IWBN to have a --authorized-key argument to guix build / guix
> system.

There’s already an ‘authorized-keys’ field in ‘guix-configuration’:

  https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration

So you would just list keys there.  Is that what you have in mind?

The option is already there, it’s just non-authoritative.

Ludo’.




^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Declarative /etc/guix/acl?
  2020-10-12 12:53     ` bug#39819: " Ludovic Courtès
@ 2020-10-12 20:26       ` Jan Nieuwenhuizen
  0 siblings, 0 replies; 13+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-12 20:26 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel, 39819

Ludovic Courtès writes:

Hello,

> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> Ludovic Courtès writes:
>
>> However, if you have your own substitute server, you now can run guix
>> archive --authorize < ..., e.g. at bootstrap/install time.  For such
>> cases, IWBN to have a --authorized-key argument to guix build / guix
>> system.
>
> There’s already an ‘authorized-keys’ field in ‘guix-configuration’:
>
>   https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration
>
> So you would just list keys there.  Is that what you have in mind?
>
> The option is already there, it’s just non-authoritative.

I was thinking about the initial installer scenario; when guix-daemon is
already running and you didn't build the guix system yourself.  But
yeah, I guess this is an exceptional or corner case and you can always
build your own installer and add the key there.

Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
  2020-10-11 11:00   ` bug#39819: " Efraim Flashner
  2020-10-11 11:07   ` Jan Nieuwenhuizen
@ 2020-10-21 15:08   ` Ludovic Courtès
  2020-10-21 15:08     ` bug#39819: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section Ludovic Courtès
                       ` (3 more replies)
  2 siblings, 4 replies; 13+ messages in thread
From: Ludovic Courtès @ 2020-10-21 15:08 UTC (permalink / raw)
  To: 39819; +Cc: guix-devel

Fixes <https://bugs.gnu.org/39819>.
Reported by Maxim Cournoyer <maxim.cournoyer@gmail.com>.

* gnu/services/base.scm (substitute-key-authorization): Symlink
DEFAULT-ACL to /etc/guix/acl unconditionally.  Add code to optionally
back up /etc/guix/acl if it was possibly modified by hand.
* doc/guix.texi (Base Services): Clarify the effect of setting
'authorize-keys?' to true.  Mention the backup.  Give an example showing
how to authorize substitutes from another server.
---
 doc/guix.texi         | 36 ++++++++++++++++++++++++++++++++++++
 gnu/services/base.scm | 16 ++++++++++++----
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c161012da5..50d2d9a730 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14571,11 +14571,26 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
+When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+changed by invoking @command{guix archive --authorize}.  You must
+instead adjust @code{guix-configuration} as you wish and reconfigure the
+system.  This ensures that your operating system configuration file is
+self-contained.
+
+@quotation Note
+When booting or reconfiguring to a system where @code{authorize-keys?}
+is true, the existing @file{/etc/guix/acl} file is backed up as
+@file{/etc/guix/acl.bak} if it was determined to be a manually modified
+file.  This is to facilitate migration from earlier versions, which
+allowed for in-place modifications to @file{/etc/guix/acl}.
+@end quotation
+
 @vindex %default-authorized-guix-keys
 @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
 The list of authorized key files for archive imports, as a list of
 string-valued gexps (@pxref{Invoking guix archive}).  By default, it
 contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}).
+See @code{substitute-urls} below for an example on how to change it.
 
 @item @code{use-substitutes?} (default: @code{#t})
 Whether to use substitutes.
@@ -14583,6 +14598,27 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
+Support you would like to fetch substitutes from @code{guix.example.org}
+in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
+two things: (1) add @code{guix.example.org} to @code{substitute-urls},
+and (2) authorize its signing key, having done appropriate checks
+(@pxref{Substitute Server Authorization}).  The configuration below does
+exactly that:
+
+@lisp
+(guix-configuration
+  (substitute-urls
+   (append (list "https://guix.example.org")
+           %default-substitute-urls))
+  (authorized-keys
+   (append (list (local-file "./guix.example.org-key.pub"))
+           %default-authorized-guix-keys)))
+@end lisp
+
+This example assumes that the file @file{./guix.example.org-key.pub}
+contains the public key that @code{guix.example.org} uses to sign
+substitutes.
+
 @item @code{max-silent-time} (default: @code{0})
 @itemx @code{timeout} (default: @code{0})
 The number of seconds of silence and the number of seconds of activity,
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 04bc991356..37b0a13ea7 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1476,10 +1476,18 @@ archive' public keys, with GUIX."
     #~(begin
         (use-modules (guix build utils))
 
-        (unless (file-exists? "/etc/guix/acl")
-          (mkdir-p "/etc/guix")
-          (copy-file #+default-acl "/etc/guix/acl")
-          (chmod "/etc/guix/acl" #o600)))))
+        ;; If the ACL already exists, move it out of the way.  Create a backup
+        ;; if it's a regular file: it's likely that the user manually updated
+        ;; it with 'guix archive --authorize'.
+        (if (file-exists? "/etc/guix/acl")
+            (if (and (symbolic-link? "/etc/guix/acl")
+                     (store-file-name? (readlink "/etc/guix/acl")))
+                (delete-file "/etc/guix/acl")
+                (rename-file "/etc/guix/acl" "/etc/guix/acl.bak"))
+            (mkdir-p "/etc/guix"))
+
+        ;; Installed the declared ACL.
+        (symlink #+default-acl "/etc/guix/acl"))))
 
 (define %default-authorized-guix-keys
   ;; List of authorized substitute keys.
-- 
2.28.0



^ permalink raw reply related	[flat|nested] 13+ messages in thread

* bug#39819: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section.
  2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
@ 2020-10-21 15:08     ` Ludovic Courtès
  2020-10-21 16:06     ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Vagrant Cascadian
                       ` (2 subsequent siblings)
  3 siblings, 0 replies; 13+ messages in thread
From: Ludovic Courtès @ 2020-10-21 15:08 UTC (permalink / raw)
  To: 39819; +Cc: guix-devel

* doc/guix.texi (Getting Substitutes from Other Servers): New node.
(Invoking guix-daemon): Add cross-reference.
(Substitute Server Authorization): Clarify that this is unnecessary on
Guix System.
(Invoking guix publish): Add cross-reference.
---
 doc/guix.texi | 122 +++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 115 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 50d2d9a730..a3534b5939 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -222,6 +222,7 @@ Substitutes
 
 * Official Substitute Server::  One particular source of substitutes.
 * Substitute Server Authorization::  How to enable or disable substitutes.
+* Getting Substitutes from Other Servers::  Substitute diversity.
 * Substitute Authentication::   How Guix verifies substitutes.
 * Proxy Settings::              How to get substitutes via proxy.
 * Substitution Failure::        What happens when substitution fails.
@@ -1467,8 +1468,8 @@ When the daemon runs with @option{--no-substitutes}, clients can still
 explicitly enable substitution @i{via} the @code{set-build-options}
 remote procedure call (@pxref{The Store}).
 
-@item --substitute-urls=@var{urls}
 @anchor{daemon-substitute-urls}
+@item --substitute-urls=@var{urls}
 Consider @var{urls} the default whitespace-separated list of substitute
 source URLs.  When this option is omitted,
 @indicateurl{https://@value{SUBSTITUTE-SERVER}} is used.
@@ -1476,6 +1477,9 @@ source URLs.  When this option is omitted,
 This means that substitutes may be downloaded from @var{urls}, as long
 as they are signed by a trusted signature (@pxref{Substitutes}).
 
+@xref{Getting Substitutes from Other Servers}, for more information on
+how to configure the daemon to get substitutes from other servers.
+
 @cindex offloading
 @item --no-offload
 Do not use offload builds to other machines (@pxref{Daemon Offload
@@ -3554,6 +3558,7 @@ also result from derivation builds, can be available as substitutes.
 @menu
 * Official Substitute Server::  One particular source of substitutes.
 * Substitute Server Authorization::  How to enable or disable substitutes.
+* Getting Substitutes from Other Servers::  Substitute diversity.
 * Substitute Authentication::   How Guix verifies substitutes.
 * Proxy Settings::              How to get substitutes via proxy.
 * Substitution Failure::        What happens when substitution fails.
@@ -3603,6 +3608,11 @@ imports, using the @command{guix archive} command (@pxref{Invoking guix
 archive}).  Doing so implies that you trust @code{@value{SUBSTITUTE-SERVER}} to not
 be compromised and to serve genuine substitutes.
 
+@quotation Note
+If you are using Guix System, you can skip this section: Guix System
+authorizes substitutes from @code{@value{SUBSTITUTE-SERVER}} by default.
+@end quotation
+
 The public key for @code{@value{SUBSTITUTE-SERVER}} is installed along with Guix, in
 @code{@var{prefix}/share/guix/@value{SUBSTITUTE-SERVER}.pub}, where @var{prefix} is
 the installation prefix of Guix.  If you installed Guix from source,
@@ -3653,6 +3663,108 @@ guix-daemon}).  It can also be disabled temporarily by passing the
 @option{--no-substitutes} option to @command{guix package},
 @command{guix build}, and other command-line tools.
 
+@node Getting Substitutes from Other Servers
+@subsection Getting Substitutes from Other Servers
+
+@cindex substitute servers, adding more
+Guix can look up and fetch substitutes from several servers.  This is
+useful when you are using packages from additional channels for which
+the official server does not have substitutes but another server
+provides them.  Another situation where this is useful is when you would
+prefer to download from your organization's substitute server, resorting
+to the official server only as a fallback or dismissing it altogether.
+
+You can give Guix a list of substitute server URLs and it will check
+them in the specified order.  You also need to explicitly authorize the
+public keys of substitute servers to instruct Guix to accept the
+substitutes they sign.
+
+On Guix System, this is achieved by modifying the configuration of the
+@code{guix} service.  Since the @code{guix} service is part of the
+default lists of services, @code{%base-services} and
+@code{%desktop-services}, you can use @code{modify-services} to change
+its configuration and add the URLs and substitute keys that you want
+(@pxref{Service Reference, @code{modify-services}}).
+
+As an example, suppose you want to fetch substitutes from
+@code{guix.example.org} and to authorize the signing key of that server,
+in addition to the default @code{@value{SUBSTITUTE-SERVER}}.  The
+resulting operating system configuration will look something like:
+
+@lisp
+(operating-system
+  ;; @dots{}
+  (services
+    ;; Assume we're starting from '%desktop-services'.  Replace it
+    ;; with the list of services you're actually using.
+    (modify-services %desktop-services
+      (guix-service-type config =>
+                        (guix-configuration
+                          (inherit config)
+                          (substitute-urls
+                            (append (list "https://guix.example.org")
+                                    %default-substitute-urls))
+                          (authorized-keys
+                            (append (list (local-file "./key.pub"))
+                                    %default-authorized-guix-keys)))))))
+@end lisp
+
+This assumes that the file @file{key.pub} contains the signing key of
+@code{guix.example.org}.  With this change in place in your operating
+system configuration file (say @file{/etc/config.scm}), you can
+reconfigure and restart the @code{guix-daemon} service or reboot so the
+changes take effect:
+
+@example
+$ sudo guix system reconfigure /etc/config.scm
+$ sudo herd restart guix-daemon
+@end example
+
+If you're running Guix on a ``foreign distro'', you would instead take
+the following steps to get substitutes from additional servers:
+
+@enumerate
+@item
+Edit the service configuration file for @code{guix-daemon}; when using
+systemd, this is normally
+@file{/etc/systemd/system/guix-daemon.service}.  Add the
+@option{--substitute-urls} option on the @command{guix-daemon} command
+line and list the URLs of interest (@pxref{daemon-substitute-urls,
+@code{guix-daemon --substitute-urls}}):
+
+@example
+@dots{} --substitute-urls='https://guix.example.org https://@value{SUBSTITUTE-SERVER}'
+@end example
+
+@item
+Restart the daemon.  For systemd, it goes like this:
+
+@example
+systemctl daemon-reload
+systemctl restart guix-daemon.service
+@end example
+
+@item
+Authorize the key of the new server (@pxref{Invoking guix archive}):
+
+@example
+guix archive --authorize < key.pub
+@end example
+
+Again this assumes @file{key.pub} contains the public key that
+@code{guix.example.org} uses to sign substitutes.
+@end enumerate
+
+Now you're all set!  Substitutes will be preferably taken from
+@code{https://guix.example.org}, using @code{@value{SUBSTITUTE-SERVER}}
+as a fallback.  Of course you can list as many substitute servers as you
+like, with the caveat that substitute lookup can be slowed down if too
+many servers need to be contacted.
+
+Note that there are also situations where one may want to add the URL of
+a substitute server @emph{without} authorizing its key.
+@xref{Substitute Authentication}, to understand this fine point.
+
 @node Substitute Authentication
 @subsection Substitute Authentication
 
@@ -11873,12 +11985,8 @@ spawn an HTTP server on port 8080:
 guix publish
 @end example
 
-Once a publishing server has been authorized (@pxref{Invoking guix
-archive}), the daemon may download substitutes from it:
-
-@example
-guix-daemon --substitute-urls=http://example.org:8080
-@end example
+Once a publishing server has been authorized, the daemon may download
+substitutes from it.  @xref{Getting Substitutes from Other Servers}.
 
 By default, @command{guix publish} compresses archives on the fly as it
 serves them.  This ``on-the-fly'' mode is convenient in that it requires
-- 
2.28.0





^ permalink raw reply related	[flat|nested] 13+ messages in thread

* Re: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  2020-10-21 15:08     ` bug#39819: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section Ludovic Courtès
@ 2020-10-21 16:06     ` Vagrant Cascadian
  2020-10-24 23:08     ` bug#39819: " Ludovic Courtès
  2020-10-24 23:11     ` Ludovic Courtès
  3 siblings, 0 replies; 13+ messages in thread
From: Vagrant Cascadian @ 2020-10-21 16:06 UTC (permalink / raw)
  To: Ludovic Courtès, 39819; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1458 bytes --]

On 2020-10-21, Ludovic Courtès wrote:
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c161012da5..50d2d9a730 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
...
> @@ -14583,6 +14598,27 @@ Whether to use substitutes.
>  @item @code{substitute-urls} (default: @code{%default-substitute-urls})
>  The list of URLs where to look for substitutes by default.
>  
> +Support you would like to fetch substitutes from @code{guix.example.org}

(substitute* "Support" "Suppose")

?

> +in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
> +two things: (1) add @code{guix.example.org} to @code{substitute-urls},
> +and (2) authorize its signing key, having done appropriate checks
> +(@pxref{Substitute Server Authorization}).  The configuration below does
> +exactly that:
> +
> +@lisp
> +(guix-configuration
> +  (substitute-urls
> +   (append (list "https://guix.example.org")
> +           %default-substitute-urls))
> +  (authorized-keys
> +   (append (list (local-file "./guix.example.org-key.pub"))
> +           %default-authorized-guix-keys)))
> +@end lisp
> +
> +This example assumes that the file @file{./guix.example.org-key.pub}
> +contains the public key that @code{guix.example.org} uses to sign
> +substitutes.
> +
>  @item @code{max-silent-time} (default: @code{0})
>  @itemx @code{timeout} (default: @code{0})
>  The number of seconds of silence and the number of seconds of activity,

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
  2020-10-21 15:08     ` bug#39819: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section Ludovic Courtès
  2020-10-21 16:06     ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Vagrant Cascadian
@ 2020-10-24 23:08     ` Ludovic Courtès
  2020-10-25  5:59       ` Jan Nieuwenhuizen
  2020-10-24 23:11     ` Ludovic Courtès
  3 siblings, 1 reply; 13+ messages in thread
From: Ludovic Courtès @ 2020-10-24 23:08 UTC (permalink / raw)
  To: 39819-done; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

Hello!

I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.

Let me know if anything is amiss!

Thanks,
Ludo’.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 2690 bytes --]

diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
 changed by invoking @command{guix archive --authorize}.  You must
 instead adjust @code{guix-configuration} as you wish and reconfigure the
 system.  This ensures that your operating system configuration file is
 self-contained.
 
 @quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
 is true, the existing @file{/etc/guix/acl} file is backed up as
 @file{/etc/guix/acl.bak} if it was determined to be a manually modified
 file.  This is to facilitate migration from earlier versions, which
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
 in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
 two things: (1) add @code{guix.example.org} to @code{substitute-urls},
 and (2) authorize its signing key, having done appropriate checks
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
                          (permit-root-login #t)
                          (allow-empty-passwords? #t)
                          (password-authentication? #t)))
-               %base-services/hurd))))
+
+               ;; By default, the secret service introduces a pre-initialized
+               ;; /etc/guix/acl file in the childhurd.  Thus, clear
+               ;; 'authorize-key?' so that it's not overridden at activation
+               ;; time.
+               (modify-services %base-services/hurd
+                 (guix-service-type config =>
+                                    (guix-configuration
+                                     (inherit config)
+                                     (authorize-key? #f))))))))
 
 (define-record-type* <hurd-vm-configuration>
   hurd-vm-configuration make-hurd-vm-configuration

^ permalink raw reply related	[flat|nested] 13+ messages in thread

* Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
                       ` (2 preceding siblings ...)
  2020-10-24 23:08     ` bug#39819: " Ludovic Courtès
@ 2020-10-24 23:11     ` Ludovic Courtès
  3 siblings, 0 replies; 13+ messages in thread
From: Ludovic Courtès @ 2020-10-24 23:11 UTC (permalink / raw)
  To: 39819; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 236 bytes --]

BTW, attached it the script I used to retrieve the signing keys of all
the build nodes of the build farm so we can have them declared in the
config of the head node.  You may find it handy if you have a similar
setup!

Ludo’.


[-- Attachment #2: the code --]
[-- Type: text/plain, Size: 1651 bytes --]

(use-modules (guix scripts offload)
             (guix ssh)
             (guix inferior)
             (ssh session)
             (srfi srfi-34)
             (ice-9 match))

(define open-ssh-session
  (@@ (guix scripts offload) open-ssh-session))

(define build-machine-name (@@ (guix scripts offload) build-machine-name))
(define build-machine-port (@@ (guix scripts offload) build-machine-port))

(define (fetch-key machine)
  (format #t "fetching key from ~s...~%" machine)
  (let* ((session  (open-ssh-session machine 5))
         (inferior (remote-inferior session)))
    (define key
      (inferior-eval '(begin
                        (use-modules (rnrs io ports))

                        (with-fluids ((%default-port-encoding "ISO-8859-1"))
                          (call-with-input-file "/etc/guix/signing-key.pub"
                            get-string-all)))
                     inferior))

    (define file
      (string-append (build-machine-name machine)
                     (match (build-machine-port machine)
                       (22 "")
                       (port
                        (string-append ":"
                                       (number->string
                                        port))))
                     ".pub"))

    (with-fluids ((%default-port-encoding "ISO-8859-1"))
      (call-with-output-file file
        (lambda (port)
          (display key port))))

    (close-inferior inferior)
    (disconnect! session)))

(let ((machines (load "/etc/guix/machines.scm")))
  (for-each (lambda (machine)
              (guard (c (pk 'fail c))
                (fetch-key machine)))
            machines))

^ permalink raw reply	[flat|nested] 13+ messages in thread

* bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
  2020-10-24 23:08     ` bug#39819: " Ludovic Courtès
@ 2020-10-25  5:59       ` Jan Nieuwenhuizen
  0 siblings, 0 replies; 13+ messages in thread
From: Jan Nieuwenhuizen @ 2020-10-25  5:59 UTC (permalink / raw)
  To: 39819; +Cc: maxim.cournoyer

Ludovic Courtès writes:

Hello,

> I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
> with the changes below, accounting for Vagrant’s comment and for the
> fact that childhurds rely on the non-declarative behavior (which hadn’t
> occurred to me before), as well as fixing other typos.
>
>
> +               ;; By default, the secret service introduces a pre-initialized
> +               ;; /etc/guix/acl file in the childhurd.  Thus, clear
> +               ;; 'authorize-key?' so that it's not overridden at activation
> +               ;; time.
> +               (modify-services %base-services/hurd
> +                 (guix-service-type config =>
> +                                    (guix-configuration
> +                                     (inherit config)
> +                                     (authorize-key? #f))))))))

Ah, good catch!

Janneke

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, other threads:[~2020-10-25  6:00 UTC | newest]

Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-02-28  4:30 bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists Maxim Cournoyer
2020-02-28  4:32 ` Maxim Cournoyer
2020-10-11 10:39 ` Declarative /etc/guix/acl? Ludovic Courtès
2020-10-11 11:00   ` bug#39819: " Efraim Flashner
2020-10-11 11:07   ` Jan Nieuwenhuizen
2020-10-12 12:53     ` bug#39819: " Ludovic Courtès
2020-10-12 20:26       ` Jan Nieuwenhuizen
2020-10-21 15:08   ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Ludovic Courtès
2020-10-21 15:08     ` bug#39819: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section Ludovic Courtès
2020-10-21 16:06     ` [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default Vagrant Cascadian
2020-10-24 23:08     ` bug#39819: " Ludovic Courtès
2020-10-25  5:59       ` Jan Nieuwenhuizen
2020-10-24 23:11     ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.