GNU bug report logs - #39819
guix-service-type authorized keys are not honored when /etc/guix/acl exists


Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Fri, 28 Feb 2020 04:31:02 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Fri, 28 Feb 2020 04:31:02 GMT)

Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 28 Feb 2020 04:31:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: bug-guix <bug-guix <at> gnu.org>
Subject: guix-service-type authorized keys are not honored when /etc/guix/acl
 exists
Date: Thu, 27 Feb 2020 23:30:33 -0500
Hello,

I spent the evening debugging why my authorized keys for the
guix-service-type wouldn't appear under /etc/guix/acl upon
reconfiguration (and 'guix offload test' would be unhelpfully reporting
"guix offload: error: program
`/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
failed with exit code 1", see issue <https://bugs.gnu.org/34786>).

It turns out that the guix-activation script that is supposed to add the authorized keys does this:

--8<---------------cut here---------------start------------->8---
   (unless (file-exists? "/etc/guix/acl")
     (mkdir-p "/etc/guix")
     (copy-file #+default-acl "/etc/guix/acl")
     (chmod "/etc/guix/acl" #o600)))))
--8<---------------cut here---------------end--------------->8---

i.e., it doesn't do anything if a /etc/guix/acl file already exists.
This means that the only time it ought to do anything is the first time
the system was reconfigured (or perhaps, init?).

I would have expected the keys declared in my operating system
configuration to be used along those with /etc/guix/acl, or added to it.

Maxim




Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Fri, 28 Feb 2020 04:34:01 GMT)

Message #8 received at 39819 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 39819 <at> debbugs.gnu.org
Subject: Re: bug#39819: guix-service-type authorized keys are not honored when
 /etc/guix/acl exists
Date: Thu, 27 Feb 2020 23:32:53 -0500
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hello,
>
> I spent the evening debugging why my authorized keys for the
> guix-service-type wouldn't appear under /etc/guix/acl upon
> reconfiguration (and 'guix offload test' would be unhelpfully reporting
> "guix offload: error: program
> `/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
> failed with exit code 1", see issue <https://bugs.gnu.org/34786>).
>
> It turns out that the guix-activation script that is supposed to add the authorized keys does this:
>
>    (unless (file-exists? "/etc/guix/acl")
>      (mkdir-p "/etc/guix")
>      (copy-file #+default-acl "/etc/guix/acl")
>      (chmod "/etc/guix/acl" #o600)))))
>
> i.e., it doesn't do anything if a /etc/guix/acl file already exists.
> This means that the only time it ought to do anything is the first time
> the system was reconfigured (or perhaps, init?).
>
> I would have expected the keys declared in my operating system
> configuration to be used along those with /etc/guix/acl, or added to it.

I forgot to mention, the above code is from (gnu services base), more
specifically from the `substitute-key-authorization' procedure.




Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Sun, 11 Oct 2020 10:40:01 GMT)

Message #11 received at 39819 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: <guix-devel <at> gnu.org>
Cc: 39819 <at> debbugs.gnu.org
Subject: Declarative /etc/guix/acl?
Date: Sun, 11 Oct 2020 12:39:17 +0200
Hi!

For some reason, /etc/guix/acl is not declarative on Guix System: we let
users modify it and assume it’s stateful, which can surprise users as in
<https://issues.guix.gnu.org/39819>.

Should we make it declarative, just like most of /etc?  I think so.  For
a build farm like berlin, it would force admins to explicitly list all
the authorized keys in their config—annoying change, but not a bad
thing.

WDYT?

The problem is the transition.  We would need to at least create a
backup of /etc/guix/acl on the next activation, or better yet, warn
users or error out at reconfigure time.

Thoughts?

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Sun, 11 Oct 2020 11:01:01 GMT)

Message #14 received at 39819 <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-devel <at> gnu.org, 39819 <at> debbugs.gnu.org
Subject: Re: bug#39819: Declarative /etc/guix/acl?
Date: Sun, 11 Oct 2020 14:00:12 +0300
On Sun, Oct 11, 2020 at 12:39:17PM +0200, Ludovic Courtès wrote:
> Hi!
> 
> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
> 
> Should we make it declarative, just like most of /etc?  I think so.  For
> a build farm like berlin, it would force admins to explicitly list all
> the authorized keys in their config—annoying change, but not a bad
> thing.
> 
> WDYT?

I've been surprised by it at least once. (That it was more than once is
on me...)

> The problem is the transition.  We would need to at least create a
> backup of /etc/guix/acl on the next activation, or better yet, warn
> users or error out at reconfigure time.
> 
> Thoughts?
> 
> Ludo’.
> 

activation script: (when (file-exists? "/etc/guix/acl")
                     (rename-file "/etc/guix/acl"
                                  "/etc/guix/acl-old"))

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Sun, 11 Oct 2020 11:08:01 GMT)

Message #17 received at 39819 <at> debbugs.gnu.org:

From: Jan Nieuwenhuizen <janneke <at> gnu.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-devel <at> gnu.org, 39819 <at> debbugs.gnu.org
Subject: Re: Declarative /etc/guix/acl?
Date: Sun, 11 Oct 2020 13:07:29 +0200
Ludovic Courtès writes:

Hello!

> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
>
> Should we make it declarative, just like most of /etc?  I think so.

Yes, I think so too.  However, if you have your own substitute server,
you now can run guix archive --authorize < ..., e.g. at
bootstrap/install time.  For such cases, IWBN to have a --authorized-key
argument to guix build / guix system.

Greetings,
Janneke

-- 
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Mon, 12 Oct 2020 12:54:02 GMT)

Message #20 received at 39819 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Jan Nieuwenhuizen <janneke <at> gnu.org>
Cc: guix-devel <at> gnu.org, 39819 <at> debbugs.gnu.org
Subject: Re: Declarative /etc/guix/acl?
Date: Mon, 12 Oct 2020 14:53:24 +0200
Hi,

Jan Nieuwenhuizen <janneke <at> gnu.org> skribis:

> Ludovic Courtès writes:
>
> Hello!
>
>> For some reason, /etc/guix/acl is not declarative on Guix System: we let
>> users modify it and assume it’s stateful, which can surprise users as in
>> <https://issues.guix.gnu.org/39819>.
>>
>> Should we make it declarative, just like most of /etc?  I think so.
>
> Yes, I think so too.

OK.

> However, if you have your own substitute server, you now can run guix
> archive --authorize < ..., e.g. at bootstrap/install time.  For such
> cases, IWBN to have a --authorized-key argument to guix build / guix
> system.

There’s already an ‘authorized-keys’ field in ‘guix-configuration’:

  https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration

So you would just list keys there.  Is that what you have in mind?

The option is already there, it’s just non-authoritative.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Mon, 12 Oct 2020 20:28:02 GMT)

Message #23 received at 39819 <at> debbugs.gnu.org:

From: Jan Nieuwenhuizen <janneke <at> gnu.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-devel <at> gnu.org, 39819 <at> debbugs.gnu.org
Subject: Re: Declarative /etc/guix/acl?
Date: Mon, 12 Oct 2020 22:26:51 +0200
Ludovic Courtès writes:

Hello,

> Jan Nieuwenhuizen <janneke <at> gnu.org> skribis:
>
>> Ludovic Courtès writes:
>
>> However, if you have your own substitute server, you now can run guix
>> archive --authorize < ..., e.g. at bootstrap/install time.  For such
>> cases, IWBN to have a --authorized-key argument to guix build / guix
>> system.
>
> There’s already an ‘authorized-keys’ field in ‘guix-configuration’:
>
>   https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration
>
> So you would just list keys there.  Is that what you have in mind?
>
> The option is already there, it’s just non-authoritative.

I was thinking about the initial installer scenario; when guix-daemon is
already running and you didn't build the guix system yourself.  But
yeah, I guess this is an exceptional or corner case and you can always
build your own installer and add the key there.

Janneke

-- 
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 21 Oct 2020 14:20:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Wed, 21 Oct 2020 15:09:01 GMT)

Message #28 received at 39819 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: 39819 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org, Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by
 default.
Date: Wed, 21 Oct 2020 17:08:22 +0200
Fixes <https://bugs.gnu.org/39819>.
Reported by Maxim Cournoyer <maxim.cournoyer <at> gmail.com>.

* gnu/services/base.scm (substitute-key-authorization): Symlink
DEFAULT-ACL to /etc/guix/acl unconditionally.  Add code to optionally
back up /etc/guix/acl if it was possibly modified by hand.
* doc/guix.texi (Base Services): Clarify the effect of setting
'authorize-keys?' to true.  Mention the backup.  Give an example showing
how to authorize substitutes from another server.
---
 doc/guix.texi         | 36 ++++++++++++++++++++++++++++++++++++
 gnu/services/base.scm | 16 ++++++++++++----
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c161012da5..50d2d9a730 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14571,11 +14571,26 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
+When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+changed by invoking @command{guix archive --authorize}.  You must
+instead adjust @code{guix-configuration} as you wish and reconfigure the
+system.  This ensures that your operating system configuration file is
+self-contained.
+
+@quotation Note
+When booting or reconfiguring to a system where @code{authorize-keys?}
+is true, the existing @file{/etc/guix/acl} file is backed up as
+@file{/etc/guix/acl.bak} if it was determined to be a manually modified
+file.  This is to facilitate migration from earlier versions, which
+allowed for in-place modifications to @file{/etc/guix/acl}.
+@end quotation
+
 @vindex %default-authorized-guix-keys
 @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
 The list of authorized key files for archive imports, as a list of
 string-valued gexps (@pxref{Invoking guix archive}).  By default, it
 contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}).
+See @code{substitute-urls} below for an example on how to change it.
 
 @item @code{use-substitutes?} (default: @code{#t})
 Whether to use substitutes.
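Review bot: The two added paragraphs spell the field `authorize-keys?`, but the field is `authorize-key?`, as the follow-up diff later in this thread shows when it renames both occurrences. A reader who copies the name from here into `guix-configuration` gets an unknown-field error, so the spelling should match the record. The first paragraph also says `/etc/guix/acl` "cannot be changed" by `guix archive --authorize` without saying what the user will see when they try; one sentence on the observable result would save a debugging session like the one in the original report.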
@@ -14583,6 +14598,27 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
+Support you would like to fetch substitutes from @code{guix.example.org}
+in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
+two things: (1) add @code{guix.example.org} to @code{substitute-urls},
+and (2) authorize its signing key, having done appropriate checks
+(@pxref{Substitute Server Authorization}).  The configuration below does
+exactly that:
+
+@lisp
+(guix-configuration
+  (substitute-urls
+   (append (list "https://guix.example.org")
+           %default-substitute-urls))
+  (authorized-keys
+   (append (list (local-file "./guix.example.org-key.pub"))
+           %default-authorized-guix-keys)))
+@end lisp
+
+This example assumes that the file @file{./guix.example.org-key.pub}
+contains the public key that @code{guix.example.org} uses to sign
+substitutes.
+
 @item @code{max-silent-time} (default: @code{0})
 @itemx @code{timeout} (default: @code{0})
 The number of seconds of silence and the number of seconds of activity,
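Review bot: The first added line reads "Support you would like to fetch substitutes"; that should be "Suppose". In step (2), "having done appropriate checks" is the only guidance given before a third-party signing key is authorized for the whole system, and the `@pxref` target is about the official server; state what check is meant, or point to a node that does.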
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 04bc991356..37b0a13ea7 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1476,10 +1476,18 @@ archive' public keys, with GUIX."
     #~(begin
         (use-modules (guix build utils))
 
-        (unless (file-exists? "/etc/guix/acl")
-          (mkdir-p "/etc/guix")
-          (copy-file #+default-acl "/etc/guix/acl")
-          (chmod "/etc/guix/acl" #o600)))))
+        ;; If the ACL already exists, move it out of the way.  Create a backup
+        ;; if it's a regular file: it's likely that the user manually updated
+        ;; it with 'guix archive --authorize'.
+        (if (file-exists? "/etc/guix/acl")
+            (if (and (symbolic-link? "/etc/guix/acl")
+                     (store-file-name? (readlink "/etc/guix/acl")))
+                (delete-file "/etc/guix/acl")
+                (rename-file "/etc/guix/acl" "/etc/guix/acl.bak"))
+            (mkdir-p "/etc/guix"))
+
+        ;; Installed the declared ACL.
+        (symlink #+default-acl "/etc/guix/acl"))))
 
 (define %default-authorized-guix-keys
   ;; List of authorized substitute keys.
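Review bot: `(file-exists? "/etc/guix/acl")` follows symbolic links, so when `/etc/guix/acl` is a dangling symlink the outer `if` takes the `(mkdir-p "/etc/guix")` branch and the final `(symlink #+default-acl "/etc/guix/acl")` then fails because the name is still taken. An `lstat`-based existence test would cover that case. Two smaller points in the same hunk: `(rename-file "/etc/guix/acl" "/etc/guix/acl.bak")` replaces an earlier `acl.bak` without notice, which loses the first backup if a regular file is put back by hand later, and the comment "Installed the declared ACL" should read "Install".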
-- 
2.28.0
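
A migration check for the behaviour this patch introduces, as an added example that is not part of the thread or of Guix: `acl_state` mirrors the activation snippet's decision (plus the dangling-symlink case), and `acl_dropped_keys` lists keys found in a backup such as `/etc/guix/acl.bak` but absent from the declared ACL. The `(q #HEX#)` key layout, the function names and the sample keys are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Guix code).  Assumption: ACL entries store each public
# key as (q #HEX#), the layout 'guix archive --authorize' writes.

# acl_state PATH [STORE]: classify PATH along the lines of the activation code.
acl_state() {
    path=$1 store=${2:-/gnu/store}
    if [ -L "$path" ]; then
        if [ ! -e "$path" ]; then
            echo dangling       # file-exists? says no, but the name is taken
            return
        fi
        case $(readlink "$path") in
            "$store"/*) echo declarative ;;  # deleted, then re-created
            *)          echo stateful ;;     # renamed to acl.bak
        esac
    elif [ -e "$path" ]; then
        echo stateful                        # regular file: renamed to acl.bak
    else
        echo missing                         # only the symlink is created
    fi
}

# acl_keys FILE: print the sorted, unique, upper-cased hex of every (q #...#).
acl_keys() {
    tr -d ' \n\t' < "$1" | grep -o '(q#[0-9A-Fa-f]*#)' \
        | tr -d '(q#)' | tr 'a-f' 'A-F' | sort -u
}

# acl_dropped_keys OLD NEW: keys that OLD authorizes and NEW does not.
acl_dropped_keys() {
    old=$(mktemp) new=$(mktemp)
    acl_keys "$1" > "$old"
    acl_keys "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# write_acl FILE HEX...: write a constructed ACL in the assumed layout.
write_acl() {
    out=$1; shift
    {
        echo "(acl"
        for q in "$@"; do
            printf ' (entry\n  (public-key\n   (ecc\n    (curve Ed25519)\n    (q #%s#)\n    )\n   )\n  (tag\n   (guix import)\n   )\n  )\n' "$q"
        done
        echo " )"
    } > "$out"
}

# Demonstration on constructed data in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/store" "$dir/etc"
    key_a=$(printf '%064d' 1)   # constructed keys, not real ones
    key_b=$(printf '%064d' 2)
    write_acl "$dir/store/sample-acl" "$key_a"          # declared ACL
    write_acl "$dir/etc/acl.bak" "$key_a" "$key_b"      # hand-edited backup
    ln -s "$dir/store/sample-acl" "$dir/etc/acl"
    echo "state: $(acl_state "$dir/etc/acl" "$dir/store")"
    echo "keys only in the backup:"
    acl_dropped_keys "$dir/etc/acl.bak" "$dir/etc/acl"
    rm -rf "$dir"
}

demo
```

On a reconfigured system the equivalent call is `acl_dropped_keys /etc/guix/acl.bak /etc/guix/acl`; any key it prints has to be added to `authorized-keys` if it should stay trusted.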





Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Wed, 21 Oct 2020 15:09:02 GMT)

Message #31 received at 39819 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: 39819 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org, Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section.
Date: Wed, 21 Oct 2020 17:08:23 +0200
* doc/guix.texi (Getting Substitutes from Other Servers): New node.
(Invoking guix-daemon): Add cross-reference.
(Substitute Server Authorization): Clarify that this is unnecessary on
Guix System.
(Invoking guix publish): Add cross-reference.
---
 doc/guix.texi | 122 +++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 115 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 50d2d9a730..a3534b5939 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -222,6 +222,7 @@ Substitutes
 
 * Official Substitute Server::  One particular source of substitutes.
 * Substitute Server Authorization::  How to enable or disable substitutes.
+* Getting Substitutes from Other Servers::  Substitute diversity.
 * Substitute Authentication::   How Guix verifies substitutes.
 * Proxy Settings::              How to get substitutes via proxy.
 * Substitution Failure::        What happens when substitution fails.
@@ -1467,8 +1468,8 @@ When the daemon runs with @option{--no-substitutes}, clients can still
 explicitly enable substitution @i{via} the @code{set-build-options}
 remote procedure call (@pxref{The Store}).
 
-@item --substitute-urls=@var{urls}
 @anchor{daemon-substitute-urls}
+@item --substitute-urls=@var{urls}
 Consider @var{urls} the default whitespace-separated list of substitute
 source URLs.  When this option is omitted,
 @indicateurl{https://@value{SUBSTITUTE-SERVER}} is used.
@@ -1476,6 +1477,9 @@ source URLs.  When this option is omitted,
 This means that substitutes may be downloaded from @var{urls}, as long
 as they are signed by a trusted signature (@pxref{Substitutes}).
 
+@xref{Getting Substitutes from Other Servers}, for more information on
+how to configure the daemon to get substitutes from other servers.
+
 @cindex offloading
 @item --no-offload
 Do not use offload builds to other machines (@pxref{Daemon Offload
@@ -3554,6 +3558,7 @@ also result from derivation builds, can be available as substitutes.
 @menu
 * Official Substitute Server::  One particular source of substitutes.
 * Substitute Server Authorization::  How to enable or disable substitutes.
+* Getting Substitutes from Other Servers::  Substitute diversity.
 * Substitute Authentication::   How Guix verifies substitutes.
 * Proxy Settings::              How to get substitutes via proxy.
 * Substitution Failure::        What happens when substitution fails.
@@ -3603,6 +3608,11 @@ imports, using the @command{guix archive} command (@pxref{Invoking guix
 archive}).  Doing so implies that you trust @code{@value{SUBSTITUTE-SERVER}} to not
 be compromised and to serve genuine substitutes.
 
+@quotation Note
+If you are using Guix System, you can skip this section: Guix System
+authorizes substitutes from @code{@value{SUBSTITUTE-SERVER}} by default.
+@end quotation
+
 The public key for @code{@value{SUBSTITUTE-SERVER}} is installed along with Guix, in
 @code{@var{prefix}/share/guix/@value{SUBSTITUTE-SERVER}.pub}, where @var{prefix} is
 the installation prefix of Guix.  If you installed Guix from source,
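Review bot: The added `@quotation Note` tells Guix System users to skip the section but gives them nowhere to go when they need to authorize a key other than the default one, and the text that follows still walks through `guix archive`. Add a cross-reference such as `@pxref{Getting Substitutes from Other Servers}` inside the note, and say there that keys are declared in `guix-configuration` on Guix System.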
@@ -3653,6 +3663,108 @@ guix-daemon}).  It can also be disabled temporarily by passing the
 @option{--no-substitutes} option to @command{guix package},
 @command{guix build}, and other command-line tools.
 
+@node Getting Substitutes from Other Servers
+@subsection Getting Substitutes from Other Servers
+
+@cindex substitute servers, adding more
+Guix can look up and fetch substitutes from several servers.  This is
+useful when you are using packages from additional channels for which
+the official server does not have substitutes but another server
+provides them.  Another situation where this is useful is when you would
+prefer to download from your organization's substitute server, resorting
+to the official server only as a fallback or dismissing it altogether.
+
+You can give Guix a list of substitute server URLs and it will check
+them in the specified order.  You also need to explicitly authorize the
+public keys of substitute servers to instruct Guix to accept the
+substitutes they sign.
+
+On Guix System, this is achieved by modifying the configuration of the
+@code{guix} service.  Since the @code{guix} service is part of the
+default lists of services, @code{%base-services} and
+@code{%desktop-services}, you can use @code{modify-services} to change
+its configuration and add the URLs and substitute keys that you want
+(@pxref{Service Reference, @code{modify-services}}).
+
+As an example, suppose you want to fetch substitutes from
+@code{guix.example.org} and to authorize the signing key of that server,
+in addition to the default @code{@value{SUBSTITUTE-SERVER}}.  The
+resulting operating system configuration will look something like:
+
+@lisp
+(operating-system
+  ;; @dots{}
+  (services
+    ;; Assume we're starting from '%desktop-services'.  Replace it
+    ;; with the list of services you're actually using.
+    (modify-services %desktop-services
+      (guix-service-type config =>
+                        (guix-configuration
+                          (inherit config)
+                          (substitute-urls
+                            (append (list "https://guix.example.org")
+                                    %default-substitute-urls))
+                          (authorized-keys
+                            (append (list (local-file "./key.pub"))
+                                    %default-authorized-guix-keys)))))))
+@end lisp
+
+This assumes that the file @file{key.pub} contains the signing key of
+@code{guix.example.org}.  With this change in place in your operating
+system configuration file (say @file{/etc/config.scm}), you can
+reconfigure and restart the @code{guix-daemon} service or reboot so the
+changes take effect:
+
+@example
+$ sudo guix system reconfigure /etc/config.scm
+$ sudo herd restart guix-daemon
+@end example
+
+If you're running Guix on a ``foreign distro'', you would instead take
+the following steps to get substitutes from additional servers:
+
+@enumerate
+@item
+Edit the service configuration file for @code{guix-daemon}; when using
+systemd, this is normally
+@file{/etc/systemd/system/guix-daemon.service}.  Add the
+@option{--substitute-urls} option on the @command{guix-daemon} command
+line and list the URLs of interest (@pxref{daemon-substitute-urls,
+@code{guix-daemon --substitute-urls}}):
+
+@example
+@dots{} --substitute-urls='https://guix.example.org https://@value{SUBSTITUTE-SERVER}'
+@end example
+
+@item
+Restart the daemon.  For systemd, it goes like this:
+
+@example
+systemctl daemon-reload
+systemctl restart guix-daemon.service
+@end example
+
+@item
+Authorize the key of the new server (@pxref{Invoking guix archive}):
+
+@example
+guix archive --authorize < key.pub
+@end example
+
+Again this assumes @file{key.pub} contains the public key that
+@code{guix.example.org} uses to sign substitutes.
+@end enumerate
+
+Now you're all set!  Substitutes will be preferably taken from
+@code{https://guix.example.org}, using @code{@value{SUBSTITUTE-SERVER}}
+as a fallback.  Of course you can list as many substitute servers as you
+like, with the caveat that substitute lookup can be slowed down if too
+many servers need to be contacted.
+
+Note that there are also situations where one may want to add the URL of
+a substitute server @emph{without} authorizing its key.
+@xref{Substitute Authentication}, to understand this fine point.
+
 @node Substitute Authentication
 @subsection Substitute Authentication
 
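Review bot: The Guix System example authorizes `(local-file "./key.pub")` with no word on how the reader establishes that `key.pub` really is the signing key of `guix.example.org`, and the foreign-distro step "Authorize the key of the new server" has the same gap. The option documentation in patch 1/2 at least says "having done appropriate checks"; this new node is where a reader will land, so it should say what to check or reference the node that does. In the `@enumerate`, the `systemctl` and `guix archive --authorize < key.pub` commands are shown without `sudo` or a root prompt while the Guix System example above uses `$ sudo`; make the two consistent.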
@@ -11873,12 +11985,8 @@ spawn an HTTP server on port 8080:
 guix publish
 @end example
 
-Once a publishing server has been authorized (@pxref{Invoking guix
-archive}), the daemon may download substitutes from it:
-
-@example
-guix-daemon --substitute-urls=http://example.org:8080
-@end example
+Once a publishing server has been authorized, the daemon may download
+substitutes from it.  @xref{Getting Substitutes from Other Servers}.
 
 By default, @command{guix publish} compresses archives on the fly as it
 serves them.  This ``on-the-fly'' mode is convenient in that it requires
-- 
2.28.0





Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Wed, 21 Oct 2020 16:08:02 GMT)

Message #34 received at 39819 <at> debbugs.gnu.org:

From: Vagrant Cascadian <vagrant <at> debian.org>
To: Ludovic Courtès <ludo <at> gnu.org>, 39819 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org
Subject: Re: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative
 by default.
Date: Wed, 21 Oct 2020 09:06:56 -0700
On 2020-10-21, Ludovic Courtès wrote:
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c161012da5..50d2d9a730 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
...
> @@ -14583,6 +14598,27 @@ Whether to use substitutes.
>  @item @code{substitute-urls} (default: @code{%default-substitute-urls})
>  The list of URLs where to look for substitutes by default.
>  
> +Support you would like to fetch substitutes from @code{guix.example.org}

(substitute* "Support" "Suppose")

?

> +in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
> +two things: (1) add @code{guix.example.org} to @code{substitute-urls},
> +and (2) authorize its signing key, having done appropriate checks
> +(@pxref{Substitute Server Authorization}).  The configuration below does
> +exactly that:
> +
> +@lisp
> +(guix-configuration
> +  (substitute-urls
> +   (append (list "https://guix.example.org")
> +           %default-substitute-urls))
> +  (authorized-keys
> +   (append (list (local-file "./guix.example.org-key.pub"))
> +           %default-authorized-guix-keys)))
> +@end lisp
> +
> +This example assumes that the file @file{./guix.example.org-key.pub}
> +contains the public key that @code{guix.example.org} uses to sign
> +substitutes.
> +
>  @item @code{max-silent-time} (default: @code{0})
>  @itemx @code{timeout} (default: @code{0})
>  The number of seconds of silence and the number of seconds of activity,

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Sat, 24 Oct 2020 23:09:02 GMT)

Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
bug acknowledged by developer. (Sat, 24 Oct 2020 23:09:02 GMT)

Message #39 received at 39819-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: 39819-done <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org
Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl
 really declarative by default.
Date: Sun, 25 Oct 2020 01:08:52 +0200
Hello!

I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.

Let me know if anything is amiss!

Thanks,
Ludo’.

[Message part 2 (text/x-patch, inline)]
diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
 (@pxref{Substitutes}).
 
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
 changed by invoking @command{guix archive --authorize}.  You must
 instead adjust @code{guix-configuration} as you wish and reconfigure the
 system.  This ensures that your operating system configuration file is
 self-contained.
 
 @quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
 is true, the existing @file{/etc/guix/acl} file is backed up as
 @file{/etc/guix/acl.bak} if it was determined to be a manually modified
 file.  This is to facilitate migration from earlier versions, which
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
 @item @code{substitute-urls} (default: @code{%default-substitute-urls})
 The list of URLs where to look for substitutes by default.
 
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
 in addition to @code{@value{SUBSTITUTE-SERVER}}.  You will need to do
 two things: (1) add @code{guix.example.org} to @code{substitute-urls},
 and (2) authorize its signing key, having done appropriate checks
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
                          (permit-root-login #t)
                          (allow-empty-passwords? #t)
                          (password-authentication? #t)))
-               %base-services/hurd))))
+
+               ;; By default, the secret service introduces a pre-initialized
+               ;; /etc/guix/acl file in the childhurd.  Thus, clear
+               ;; 'authorize-key?' so that it's not overridden at activation
+               ;; time.
+               (modify-services %base-services/hurd
+                 (guix-service-type config =>
+                                    (guix-configuration
+                                     (inherit config)
+                                     (authorize-key? #f))))))))
 
 (define-record-type* <hurd-vm-configuration>
   hurd-vm-configuration make-hurd-vm-configuration
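Review bot: With `(authorize-key? #f)` set in the `modify-services` form, the childhurd keeps a stateful `/etc/guix/acl` while the documentation hunks in this same diff only describe the declarative case, so nothing tells a user that `authorized-keys` has no effect inside the default childhurd. The code comment explains the reason well; the same sentence belongs in the manual entry for the childhurd service, next to the description of the secret service that installs the pre-initialized ACL.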

Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Sat, 24 Oct 2020 23:12:01 GMT)

Message #42 received at 39819 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: 39819 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org
Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl
 really declarative by default.
Date: Sun, 25 Oct 2020 01:11:06 +0200
BTW, attached is the script I used to retrieve the signing keys of all
the build nodes of the build farm so we can have them declared in the
config of the head node.  You may find it handy if you have a similar
setup!

Ludo’.

[fetch-signing-keys.scm (text/plain, inline)]
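;; Fetch /etc/guix/signing-key.pub from every build machine listed in
;; /etc/guix/machines.scm and save each key as HOST[:PORT].pub in the
;; current directory.
(use-modules (guix scripts offload)
             (guix ssh)
             (guix inferior)
             (ssh session)
             (srfi srfi-34)
             (ice-9 match))

;; These bindings are private to (guix scripts offload); '@@' reaches into
;; the module to reuse them.
(define open-ssh-session
  (@@ (guix scripts offload) open-ssh-session))

(define build-machine-name (@@ (guix scripts offload) build-machine-name))
(define build-machine-port (@@ (guix scripts offload) build-machine-port))

(define (fetch-key machine)
  (format #t "fetching key from ~s...~%" machine)
  (let* ((session  (open-ssh-session machine 5))
         (inferior (remote-inferior session)))
    ;; Read the remote key file as a string, byte for byte.
    (define key
      (inferior-eval '(begin
                        (use-modules (rnrs io ports))

                        (with-fluids ((%default-port-encoding "ISO-8859-1"))
                          (call-with-input-file "/etc/guix/signing-key.pub"
                            get-string-all)))
                     inferior))

    ;; Output file name: HOST.pub, or HOST:PORT.pub for a non-default port.
    (define file
      (string-append (build-machine-name machine)
                     (match (build-machine-port machine)
                       (22 "")
                       (port
                        (string-append ":"
                                       (number->string
                                        port))))
                     ".pub"))

    (with-fluids ((%default-port-encoding "ISO-8859-1"))
      (call-with-output-file file
        (lambda (port)
          (display key port))))

    (close-inferior inferior)
    (disconnect! session)))

(let ((machines (load "/etc/guix/machines.scm")))
  (for-each (lambda (machine)
              ;; Print the failure and carry on with the next machine.  The
              ;; 'guard' clause needs a test; a bare (pk 'fail c) clause
              ;; would use 'pk' itself as the test and never call it.
              (guard (c (#t (pk 'fail c)))
                (fetch-key machine)))
            machines))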

Information forwarded to bug-guix <at> gnu.org:
bug#39819; Package guix. (Sun, 25 Oct 2020 06:00:01 GMT)

Message #45 received at 39819 <at> debbugs.gnu.org:

From: Jan Nieuwenhuizen <janneke <at> gnu.org>
To: 39819 <at> debbugs.gnu.org
Cc: ludo <at> gnu.org, maxim.cournoyer <at> gmail.com
Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl
 really declarative by default.
Date: Sun, 25 Oct 2020 06:59:08 +0100
Ludovic Courtès writes:

Hello,

> I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
> with the changes below, accounting for Vagrant’s comment and for the
> fact that childhurds rely on the non-declarative behavior (which hadn’t
> occurred to me before), as well as fixing other typos.
>
>
> +               ;; By default, the secret service introduces a pre-initialized
> +               ;; /etc/guix/acl file in the childhurd.  Thus, clear
> +               ;; 'authorize-key?' so that it's not overridden at activation
> +               ;; time.
> +               (modify-services %base-services/hurd
> +                 (guix-service-type config =>
> +                                    (guix-configuration
> +                                     (inherit config)
> +                                     (authorize-key? #f))))))))

Ah, good catch!

Janneke

-- 
Jan Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 22 Nov 2020 12:24:05 GMT)

This bug report was last modified 3 years and 152 days ago.
