Date: Fri, 18 Aug 2023 15:53:19 +0300
From: Efraim Flashner
To: Hartmut Goebel
Cc: help-guix
Subject: Re: Putting a file into system image ~user/ but not on reconfigure

On Thu, Aug 17, 2023 at 09:30:24PM +0200, Hartmut Goebel wrote:
> Hello Efraim,
>
> On 13.08.23 at 16:58, Efraim Flashner wrote:
> > I feel compelled to ask if the key must be in
> > ~vagrant/.ssh/authorized_keys or if /etc/ssh/authorized_keys.d/vagrant
> > is acceptable.
>
> I'm afraid it needs to be in ~vagrant/.ssh/authorized_keys: when first
> booting the machine, Vagrant logs into it and replaces the key. Thus the
> user vagrant must be allowed to change the respective file.
>
> Why are you asking? What would be easier (in respect of not re-installing
> the key), if putting the key into /etc/ssh/authorized_keys.d/vagrant would
> work?

There's already tooling available to place a key in
/etc/ssh/authorized_keys.d/vagrant, and when you include an os-config in
the image you can leave that line out. That way it'll be there in the
initial image when it is created (and when /etc is populated on first
boot) but it would disappear on reconfigure.

I suppose another option would be a one-off service that checks if
~vagrant/.ssh/authorized_keys exists, and if it doesn't then create one
with the desired key and chown and chmod ~/.ssh to vagrant.

> > Also, could you use /etc/services or another file in /etc/static as a
> > marker that the system has been booted at least once before?
>
> Such a marker would be okay. Anyhow, to make this work, some respective new
> service would need to detect this quite early, before /etc/service gets
> linked. Otherwise the service could not distinguish between "first" and "at
> least once". Or did I miss something?
>
> Is there some means of ordering service execution/start?

I'd have to dive into the internals of system bring-up a bit, but if I
understand correctly, before first boot there's a series of derivations
that get combined together during boot to create the actual running
system. Then after first boot they "actually live in their final
locations", and get swapped out on reconfigure.

So before first boot there's a bunch of files in /etc that aren't
actually present yet, but after first boot they've been linked into
place. I mostly got this from building system images, so it's definitely
possible that I've understood it incorrectly.

Also, as I think about it more, other than depending on some filesystem
service, I'm not sure what you could depend on that would definitely slot
in correctly to run on first boot. I suppose
/etc/ssh/ssh_host_ed25519_key won't be there on first boot, but you'd
still basically be racing the openssh-service.

-- 
Efraim Flashner   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
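The "one-off service" Efraim sketches above (create ~vagrant/.ssh/authorized_keys only if it is missing, then chown/chmod it to vagrant) can be written without any first-boot marker at all. The following is an added example, not code from this thread or from Guix itself. It extends activation-service-type, whose snippets run as root on every boot and on every `guix system reconfigure`; the existence check is what keeps the key Vagrant installs on first login from being overwritten later. Assumptions: the public key Vagrant expects is in a file named vagrant.pub next to the system configuration, and the "vagrant" account is declared in the operating-system's `users` field so that account activation has already created it (and its home directory) when this snippet runs.

```scheme
;; Added example, not code from the thread or from Guix itself.
;; Seeds ~vagrant/.ssh/authorized_keys only when the file does not exist
;; yet.  Activation gexps run on every boot and on every
;; `guix system reconfigure', so the existence check is what preserves the
;; key that Vagrant rewrites on first login.
(use-modules (gnu)
             (gnu services)
             (guix gexp))

;; Assumed: the public key Vagrant expects is stored as vagrant.pub next
;; to this configuration file.
(define %vagrant-public-key
  (local-file "vagrant.pub"))

(define vagrant-authorized-key-service
  (simple-service 'vagrant-authorized-key
                  activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        ;; Assumed: the "vagrant" account is declared in the
                        ;; operating-system `users' field, so account
                        ;; activation has already created it and its home.
                        (let* ((pw   (getpwnam "vagrant"))
                               (uid  (passwd:uid pw))
                               (gid  (passwd:gid pw))
                               (ssh  (string-append (passwd:dir pw) "/.ssh"))
                               (file (string-append ssh "/authorized_keys")))
                          ;; Do nothing once the file exists: Vagrant (or the
                          ;; user) owns its contents from then on.
                          (unless (file-exists? file)
                            (mkdir-p ssh)
                            ;; The store copy is read-only (0444); copy it,
                            ;; then fix mode and ownership so sshd's
                            ;; StrictModes accepts the directory and the
                            ;; vagrant user is able to replace the key.
                            (copy-file #$%vagrant-public-key file)
                            (chmod ssh #o700)
                            (chmod file #o600)
                            (chown ssh uid gid)
                            (chown file uid gid)))))))

;; Usage (assumed to be spliced into an existing operating-system form):
;; (services (cons vagrant-authorized-key-service %base-services))
```

The "tooling already available" for the /etc path is the `authorized-keys` field of `openssh-configuration`, which writes keys to /etc/ssh/authorized_keys.d/<user>; since Hartmut needs Vagrant to be able to rewrite the file as the vagrant user, the example above writes into the home directory instead and leaves that field unused. Because the snippet is ordinary activation code rather than a Shepherd service, it does not have to win a race against openssh-service or detect the first boot from /etc/static.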