Date: Wed, 16 Aug 2023 17:39:50 +0300
From: Efraim Flashner
To: Nicolas Graves
Cc: guix-devel@gnu.org, maxim.cournoyer@gmail.com, Felix Lechner, Ryan Sundberg, Andrew Tropin
Subject: Re: btrfs recommended layout for snapshots?

On Wed, Aug 16, 2023 at 10:10:25AM +0200, Nicolas Graves wrote:
> On 2023-08-14 16:41, Nicolas Graves wrote:
>
> >> - either not snapshotting the rootfs / at all, with the hypothesis that
> >> we get it back entirely from config files. Is that possible ?
> >> Is there information in / (I think of /etc in particular) that is
> >> saved, not temporary and not managed by guix system that would
> >> justify that we want to snapshot / at all?
> >> This would allow to simply care about only a few "user data"
> >> directories, and be sure to not miss anything when there's a need to
> >> restore the state.
> >>
> >> I can't find easily a case of successful use of the second
> >> configuration, but would be glad to find one, as well as some discussion
> >> about what would be a recommended way to secure the state beyond
> >> dotfiles.
> >
> > I've found some equivalent information on the NixOS side here :
> > https://nixos.wiki/wiki/Impermanence
> >
> > Some (rare) directories indeed seem that would better be saved because
> > their information is useful for the system, in the case of NixOS, it
> > seems to be "/etc/nixos", "/etc/NetworkManager" (for system
> > connections), "/var/log", "/var/lib".
>
> Thank you all for your answers!
>
> I actually managed to replicate the impermanence functionality by
> creating btrfs subvolumes for "/etc/guix" "/etc/NetworkManager"
> "/var/log" "/var/lib" "/var/guix" and 4 light patches (I'm currently
> trying to remove one I think might be not necessary, will send them
> here. They basically amount to create directories when they might not be
> present or allowing the root "none" to pass to the mount call).

With impermanence I'd save /etc/ssh so you don't have to regenerate keys
each time. Or perhaps look into SSH Certificate Authority if you want to
go crazy with it.

> This allows me to start with a tmpfs rootfs, and the only annoying thing
> I experience now is that the root password is not set (the account
> password is set though, since we can include that in the definition of
> an os). Boot time is a bit higher since /etc/machine-id and some other
> files have to be recreated, but that's not really noticeable.
>
> I don't know if I'll stick to this "impermanent" mode, but at least this
> gives me the right information about what directories are worth
> considering for snapshots (doesn't mean they are worth snapshotting),
> and what a "precise" btrfs layout on Guix would have to consider.
>
> I guess it's possible to do the same with my home as well (thus only
> saving actual data and not consecutive linking metadata), but that might
> require some more time and fine-grained applications considerations.
>
> @Efraim : I don't have a /etc/guix/machines.scm to save (I don't have an
> offloading daemon set for now), IIUC this means I could be doing as good
> without "/etc/guix". What are the signing keys used for?

The signing keys are used when offloading derivations to other machines.
There's an example usage, with saving them for later, in the
hurd-vm-service-type and the secret-root (by default in /etc/childhurd).

> One weakness from this impermanence feature is that it's actually
> application-dependent. For guix-system it's not very damaging (except if
> we want very low-level optimizations, like setting nodatacow on
> subvolumes with databases etc), but for guix-home, it makes things much
> more difficult. @Andrew Tropin : maybe that's something we could in RDE in
> a state-btrfs in (gnu home-services state) if we find a way to migrate
> directories to subvolumes safely and reproducibly.
>
> --
> Best regards,
> Nicolas Graves

--
Efraim Flashner   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372  662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
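
A check for the layout discussed in this message, as an added example that is not part of the original post or of Guix: given a mount table in /proc/mounts format, it reports which of the state directories named in the thread still sit on a tmpfs root and would be lost at reboot. The device name, subvolume names and sample mount table are constructed.

```python
import posixpath

# State directories named in this thread as candidates for persistence.
STATE_DIRS = ["/etc/guix", "/etc/NetworkManager", "/etc/ssh",
              "/var/log", "/var/lib", "/var/guix"]
VOLATILE_FS = {"tmpfs", "ramfs"}

# Constructed sample in /proc/mounts format; device and subvolume names are made up.
SAMPLE_MOUNTS = """\
none / tmpfs rw,relatime 0 0
/dev/sda2 /etc/guix btrfs rw,subvol=/@etc-guix 0 0
/dev/sda2 /etc/NetworkManager btrfs rw,subvol=/@etc-nm 0 0
/dev/sda2 /var/log btrfs rw,subvol=/@var-log 0 0
/dev/sda2 /var/lib btrfs rw,subvol=/@var-lib 0 0
/dev/sda2 /var/guix btrfs rw,subvol=/@var-guix 0 0
tmpfs /var/lib/scratch tmpfs rw 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, fstype)] in mount order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes spaces in paths as \040
        mount_point = fields[1].replace("\\040", " ")
        mounts.append((posixpath.normpath(mount_point), fields[2]))
    return mounts

def backing_mount(path, mounts):
    """Mount holding `path`: the longest mount point that is a path prefix."""
    path = posixpath.normpath(path)
    best = None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            # >= so a later mount on the same point shadows an earlier one
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, fstype)
    return best

def volatile_dirs(dirs, mounts):
    """Directories backed by tmpfs/ramfs, whose contents vanish at reboot."""
    backing = ((d, backing_mount(d, mounts)) for d in dirs)
    return [d for d, m in backing if m is None or m[1] in VOLATILE_FS]

if __name__ == "__main__":
    print("not persisted:", volatile_dirs(STATE_DIRS, parse_mounts(SAMPLE_MOUNTS)))
```

With the sample table only /etc/ssh is reported, which is the directory holding the SSH host keys that the reply suggests saving.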