From debbugs-submit-bounces@debbugs.gnu.org Thu Feb 27 23:30:42 2020
From: Maxim Cournoyer
To: bug-guix
Subject: guix-service-type authorized keys are not honored when /etc/guix/acl exists
Date: Thu, 27 Feb 2020 23:30:33 -0500
Message-ID: <87tv3bl4eu.fsf@apteryx.i-did-not-set--mail-host-address--so-tickle-me>

Hello,

I spent the evening debugging why my authorized keys for the
guix-service-type wouldn't appear under /etc/guix/acl upon
reconfiguration (and 'guix offload test' would be unhelpfully reporting
"guix offload: error: program
`/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
failed with exit code 1", see issue ).

It turns out that the guix-activation script that is supposed to add the
authorized keys does this:

--8<---------------cut here---------------start------------->8---
(unless (file-exists? "/etc/guix/acl")
  (mkdir-p "/etc/guix")
  (copy-file #+default-acl "/etc/guix/acl")
  (chmod "/etc/guix/acl" #o600)))))
--8<---------------cut here---------------end--------------->8---

i.e., it doesn't do anything if a /etc/guix/acl file already exists.
This means that the only time it ought to do anything is the first time
the system was reconfigured (or perhaps, init?).

I would have expected the keys declared in my operating system
configuration to be used along with those in /etc/guix/acl, or added to it.
Maxim
From: Maxim Cournoyer
To: 39819@debbugs.gnu.org
Subject: Re: bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists
Date: Thu, 27 Feb 2020 23:32:53 -0500
In-Reply-To: <87tv3bl4eu.fsf@apteryx.i-did-not-set--mail-host-address--so-tickle-me> (Maxim Cournoyer's message of "Thu, 27 Feb 2020 23:30:33 -0500")
Message-ID: <87pndzl4ay.fsf@gmail.com>

Maxim Cournoyer writes:

> Hello,
>
> I spent the evening debugging why my authorized keys for the
> guix-service-type wouldn't appear under /etc/guix/acl upon
> reconfiguration (and 'guix offload test' would be unhelpfully reporting
> "guix offload: error: program
> `/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
> failed with exit code 1", see issue ).
>
> It turns out that the guix-activation script that is supposed to add the
> authorized keys does this:
>
> (unless (file-exists? "/etc/guix/acl")
>   (mkdir-p "/etc/guix")
>   (copy-file #+default-acl "/etc/guix/acl")
>   (chmod "/etc/guix/acl" #o600)))))
>
> i.e., it doesn't do anything if a /etc/guix/acl file already exists.
> This means that the only time it ought to do anything is the first time
> the system was reconfigured (or perhaps, init?).
>
> I would have expected the keys declared in my operating system
> configuration to be used along with those in /etc/guix/acl, or added to it.

I forgot to mention, the above code is from (gnu services base), more
specifically from the `substitute-key-authorization' procedure.
From: Ludovic Courtès
Subject: Declarative /etc/guix/acl?
Date: Sun, 11 Oct 2020 12:39:17 +0200
Message-ID: <87v9fhf3my.fsf@inria.fr>
Cc: 39819@debbugs.gnu.org

Hi!

For some reason, /etc/guix/acl is not declarative on Guix System: we let
users modify it and assume it’s stateful, which can surprise users as in
.

Should we make it declarative, just like most of /etc? I think so. For
a build farm like berlin, it would force admins to explicitly list all
the authorized keys in their config—annoying change, but not a bad
thing.

WDYT?

The problem is the transition. We would need to at least create a
backup of /etc/guix/acl on the next activation, or better yet, warn
users or error out at reconfigure time.

Thoughts?

Ludo’.
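As an added example (not from this thread, from Guix, or from the Guile activation code in (gnu services base)), the following POSIX shell script rehearses the transition discussed above: it tells a declared ACL (a symlink into the store) apart from a hand-maintained one, installs the declared ACL while keeping a backup of the hand-maintained file, and then reports which hand-authorized keys are no longer in effect, which is the check an admin would want before trusting the new configuration. The ACL path and the store prefix are parameters so the functions can be run against a scratch directory; the key extraction assumes the s-expression layout that guix archive writes, with each entry carrying a (q #HEX#) field.

```shell
#!/bin/sh
# Added example, not Guix code: rehearses the /etc/guix/acl transition
# discussed in bug#39819.  ACL_PATH and STORE_PREFIX are parameters so the
# functions can be exercised on a scratch directory; on a real Guix System
# they would be /etc/guix/acl and /gnu/store.

# classify_acl ACL_PATH STORE_PREFIX
# Prints "missing", "declarative" (a symlink into the store, i.e. installed
# by a previous reconfigure) or "manual" (anything else, most likely a file
# edited with 'guix archive --authorize').
classify_acl() {
    acl=$1 store=$2
    if [ -L "$acl" ]; then
        case $(readlink "$acl") in
            "$store"/*) echo declarative ;;
            *)          echo manual ;;
        esac
    elif [ -e "$acl" ]; then
        echo manual
    else
        echo missing
    fi
}

# install_declared_acl NEW_ACL ACL_PATH STORE_PREFIX
# Replaces ACL_PATH with a symlink to NEW_ACL.  A store symlink is simply
# dropped; a hand-edited file is preserved as ACL_PATH.bak so that no
# authorization disappears without a trace.
install_declared_acl() {
    new=$1 acl=$2 store=$3
    case $(classify_acl "$acl" "$store") in
        declarative) rm -f "$acl" ;;
        manual)      mv "$acl" "$acl.bak" ;;
        missing)     mkdir -p "$(dirname "$acl")" ;;
    esac
    ln -s "$new" "$acl"
}

# acl_keys ACL_FILE
# Lists the public key material of every entry, one hex string per line.
# Assumption: the s-expression layout written by 'guix archive', where each
# key carries a (q #HEX#) field; splitting on parentheses makes the layout
# of lines irrelevant.
acl_keys() {
    tr '()' '\n\n' < "$1" | sed -n 's/^q #\([0-9A-Fa-f]*\)#.*/\1/p' | sort -u
}

# dropped_keys OLD_ACL NEW_ACL
# Prints the keys authorized in OLD_ACL that NEW_ACL no longer contains:
# exactly the authorizations that stop working once the declared ACL is
# installed.
dropped_keys() {
    acl_keys "$1" | while read -r key; do
        acl_keys "$2" | grep -qx "$key" || echo "$key"
    done
}
```

On a Guix System one would call install_declared_acl with the store path of the generated ACL, /etc/guix/acl and /gnu/store, then run dropped_keys /etc/guix/acl.bak /etc/guix/acl and add every key it lists to authorized-keys in guix-configuration before the next reconfigure; a key that shows up there is one the daemon trusted yesterday and will refuse today.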
Date: Sun, 11 Oct 2020 14:00:12 +0300
From: Efraim Flashner
To: Ludovic Courtès
Subject: Re: bug#39819: Declarative /etc/guix/acl?
Message-ID: <20201011110012.GD1301@E5400>
In-Reply-To: <87v9fhf3my.fsf@inria.fr>
Cc: guix-devel@gnu.org, 39819@debbugs.gnu.org

On Sun, Oct 11, 2020 at 12:39:17PM +0200, Ludovic Courtès wrote:
> Hi!
>
> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> .
>
> Should we make it declarative, just like most of /etc? I think so. For
> a build farm like berlin, it would force admins to explicitly list all
> the authorized keys in their config—annoying change, but not a bad
> thing.
>
> WDYT?

I've been surprised by it at least once. (That it was more than once is
on me...)

> The problem is the transition. We would need to at least create a
> backup of /etc/guix/acl on the next activation, or better yet, warn
> users or error out at reconfigure time.
>
> Thoughts?
>
> Ludo’.

activation script:

(when (file-exists? "/etc/guix/acl")
  (rename-file "/etc/guix/acl" "/etc/guix/acl-old"))

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: Declarative /etc/guix/acl?
Organization: AvatarAcademy.nl
Date: Sun, 11 Oct 2020 13:07:29 +0200
In-Reply-To: <87v9fhf3my.fsf@inria.fr> (Ludovic Courtès's message of "Sun, 11 Oct 2020 12:39:17 +0200")
Message-ID: <87k0vxaumm.fsf@gnu.org>
Cc: guix-devel@gnu.org, 39819@debbugs.gnu.org

Ludovic Courtès writes:

Hello!

> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> .
>
> Should we make it declarative, just like most of /etc? I think so.

Yes, I think so too.

However, if you have your own substitute server, you now can run guix
archive --authorize < ..., e.g. at bootstrap/install time. For such
cases, IWBN to have a --authorized-key argument to guix build / guix
system.
Greetings,
Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
From: Ludovic Courtès
To: Jan Nieuwenhuizen
Subject: Re: Declarative /etc/guix/acl?
Date: Mon, 12 Oct 2020 14:53:24 +0200
In-Reply-To: <87k0vxaumm.fsf@gnu.org> (Jan Nieuwenhuizen's message of "Sun, 11 Oct 2020 13:07:29 +0200")
Message-ID: <87v9ffppvf.fsf@gnu.org>
Cc: guix-devel@gnu.org, 39819@debbugs.gnu.org

Hi,

Jan Nieuwenhuizen skribis:

> Ludovic Courtès writes:
>
> Hello!
>
>> For some reason, /etc/guix/acl is not declarative on Guix System: we let
>> users modify it and assume it’s stateful, which can surprise users as in
>> .
>>
>> Should we make it declarative, just like most of /etc? I think so.
>
> Yes, I think so too.

OK.

> However, if you have your own substitute server, you now can run guix
> archive --authorize < ..., e.g. at bootstrap/install time. For such
> cases, IWBN to have a --authorized-key argument to guix build / guix
> system.

There’s already an ‘authorized-keys’ field in ‘guix-configuration’:

  https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration

So you would just list keys there. Is that what you have in mind?

The option is already there, it’s just non-authoritative.

Ludo’.
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: Declarative /etc/guix/acl?
Organization: AvatarAcademy.nl
Date: Mon, 12 Oct 2020 22:26:51 +0200
In-Reply-To: <87v9ffppvf.fsf@gnu.org> (Ludovic Courtès's message of "Mon, 12 Oct 2020 14:53:24 +0200")
Message-ID: <871ri31984.fsf@gnu.org>
Cc: guix-devel@gnu.org, 39819@debbugs.gnu.org

Ludovic Courtès writes:

Hello,

> Jan Nieuwenhuizen skribis:
>
>> Ludovic Courtès writes:
>
>> However, if you have your own substitute server, you now can run guix
>> archive --authorize < ..., e.g. at bootstrap/install time. For such
>> cases, IWBN to have a --authorized-key argument to guix build / guix
>> system.
>
> There’s already an ‘authorized-keys’ field in ‘guix-configuration’:
>
>   https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration
>
> So you would just list keys there. Is that what you have in mind?
>
> The option is already there, it’s just non-authoritative.

I was thinking about the initial installer scenario; when guix-daemon is
already running and you didn't build the guix system yourself. But
yeah, I guess this is an exceptional or corner case and you can always
build your own installer and add the key there.

Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com

Date: Wed, 21 Oct 2020 16:19:37 +0200
Message-Id: <87y2jz3bly.fsf@gnu.org>
To: control@debbugs.gnu.org
From: Ludovic Courtès
Subject: control message for bug #39819

severity 39819 important
quit
From: Ludovic Courtès
To: 39819@debbugs.gnu.org
Subject: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
Date: Wed, 21 Oct 2020 17:08:22 +0200
Message-Id: <20201021150823.20508-1-ludo@gnu.org>
In-Reply-To: <87v9fhf3my.fsf@inria.fr>
References: <87v9fhf3my.fsf@inria.fr>
Cc: guix-devel@gnu.org

Fixes .
Reported by Maxim Cournoyer .

* gnu/services/base.scm (substitute-key-authorization): Symlink
DEFAULT-ACL to /etc/guix/acl unconditionally.  Add code to optionally
back up /etc/guix/acl if it was possibly modified by hand.
* doc/guix.texi (Base Services): Clarify the effect of setting
'authorize-keys?' to true.  Mention the backup.  Give an example showing
how to authorize substitutes from another server.
---
 doc/guix.texi         | 36 ++++++++++++++++++++++++++++++++++++
 gnu/services/base.scm | 16 ++++++++++++----
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index c161012da5..50d2d9a730 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -14571,11 +14571,26 @@ Whether to authorize the substitute keys listed in @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}). +When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be +changed by invoking @command{guix archive --authorize}. You must +instead adjust @code{guix-configuration} as you wish and reconfigure the +system. This ensures that your operating system configuration file is +self-contained. + +@quotation Note +When booting or reconfiguring to a system where @code{authorize-keys?} +is true, the existing @file{/etc/guix/acl} file is backed up as +@file{/etc/guix/acl.bak} if it was determined to be a manually modified +file. This is to facilitate migration from earlier versions, which +allowed for in-place modifications to @file{/etc/guix/acl}. +@end quotation + @vindex %default-authorized-guix-keys @item @code{authorized-keys} (default: @code{%default-authorized-guix-keys}) The list of authorized key files for archive imports, as a list of string-valued gexps (@pxref{Invoking guix archive}). By default, it contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}). +See @code{substitute-urls} below for an example on how to change it. @item @code{use-substitutes?} (default: @code{#t}) Whether to use substitutes. 
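Review bot: the @quotation in this hunk says the old ACL is backed up "if it was determined to be a manually modified file" but never says what that determination is; state the rule (a file that is not a symlink into the store is treated as hand-edited and moved to @file{/etc/guix/acl.bak}) so an admin can tell in advance whether a hand-maintained ACL will be preserved. The sentence "@file{/etc/guix/acl} cannot be changed by invoking @command{guix archive --authorize}" should likewise say what happens to such a change, namely that it is not part of the system configuration and is undone at the next reconfigure, and point at @code{authorized-keys} as the place where the key has to go.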
@@ -14583,6 +14598,27 @@ Whether to use substitutes. @item @code{substitute-urls} (default: @code{%default-substitute-urls}) The list of URLs where to look for substitutes by default. +Support you would like to fetch substitutes from @code{guix.example.org} +in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do +two things: (1) add @code{guix.example.org} to @code{substitute-urls}, +and (2) authorize its signing key, having done appropriate checks +(@pxref{Substitute Server Authorization}). The configuration below does +exactly that: + +@lisp +(guix-configuration + (substitute-urls + (append (list "https://guix.example.org") + %default-substitute-urls)) + (authorized-keys + (append (list (local-file "./guix.example.org-key.pub")) + %default-authorized-guix-keys))) +@end lisp + +This example assumes that the file @file{./guix.example.org-key.pub} +contains the public key that @code{guix.example.org} uses to sign +substitutes. + @item @code{max-silent-time} (default: @code{0}) @itemx @code{timeout} (default: @code{0}) The number of seconds of silence and the number of seconds of activity, diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 04bc991356..37b0a13ea7 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1476,10 +1476,18 @@ archive' public keys, with GUIX." #~(begin (use-modules (guix build utils)) - (unless (file-exists? "/etc/guix/acl") - (mkdir-p "/etc/guix") - (copy-file #+default-acl "/etc/guix/acl") - (chmod "/etc/guix/acl" #o600))))) + ;; If the ACL already exists, move it out of the way. Create a backup + ;; if it's a regular file: it's likely that the user manually updated + ;; it with 'guix archive --authorize'. + (if (file-exists? "/etc/guix/acl") + (if (and (symbolic-link? "/etc/guix/acl") + (store-file-name? (readlink "/etc/guix/acl"))) + (delete-file "/etc/guix/acl") + (rename-file "/etc/guix/acl" "/etc/guix/acl.bak")) + (mkdir-p "/etc/guix")) + + ;; Installed the declared ACL. + (symlink #+default-acl "/etc/guix/acl")))) (define %default-authorized-guix-keys ;; List of authorized substitute keys. -- 2.28.0
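Review bot: typo at the start of the paragraph added in the @code{substitute-urls} hunk of doc/guix.texi: "Support you would like to fetch substitutes" should read "Suppose you would like to fetch substitutes". The example would also benefit from one sentence saying where @code{(local-file "./guix.example.org-key.pub")} is looked up (relative to the file holding the configuration, not the current directory) and what "appropriate checks" means in practice, that is comparing the key with one obtained from the server's operator out of band, since authorizing it is what makes that server's substitutes trusted.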
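Review bot: in the gnu/services/base.scm hunk, the outer test (file-exists? "/etc/guix/acl") follows symlinks, so a dangling symlink (a store target that is gone) yields #f, the code takes the (mkdir-p "/etc/guix") branch and the final (symlink #+default-acl "/etc/guix/acl") fails with EEXIST; test with lstat, e.g. (false-if-exception (lstat "/etc/guix/acl")), instead. Next, (rename-file "/etc/guix/acl" "/etc/guix/acl.bak") silently overwrites an earlier acl.bak, so if the file ever becomes a regular file again the first backup is lost; either refuse to clobber an existing backup or derive a unique name. The hunk also drops the old (chmod "/etc/guix/acl" #o600): the symlink now resolves to a world-readable store file, which is acceptable because the ACL holds only public keys, but the commit message should say so. Finally, the comment "Installed the declared ACL." should read "Install the declared ACL."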
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= To: 39819@debbugs.gnu.org Subject: [PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section. Date: Wed, 21 Oct 2020 17:08:23 +0200 Message-Id: <20201021150823.20508-2-ludo@gnu.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201021150823.20508-1-ludo@gnu.org> References: <87v9fhf3my.fsf@inria.fr> <20201021150823.20508-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 39819 Cc: guix-devel@gnu.org, =?UTF-8?q?Ludovic=20Court=C3=A8s?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * doc/guix.texi (Getting Substitutes from Other Servers): New node. (Invoking guix-daemon): Add cross-reference. (Substitute Server Authorization): Clarify that this is unnecessary on Guix System. (Invoking guix publish): Add cross-reference. --- doc/guix.texi | 122 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 115 insertions(+), 7 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 50d2d9a730..a3534b5939 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -222,6 +222,7 @@ Substitutes * Official Substitute Server:: One particular source of substitutes. * Substitute Server Authorization:: How to enable or disable substitutes. +* Getting Substitutes from Other Servers:: Substitute diversity. * Substitute Authentication:: How Guix verifies substitutes. * Proxy Settings:: How to get substitutes via proxy. * Substitution Failure:: What happens when substitution fails. 
@@ -1467,8 +1468,8 @@ When the daemon runs with @option{--no-substitutes}, clients can still explicitly enable substitution @i{via} the @code{set-build-options} remote procedure call (@pxref{The Store}). -@item --substitute-urls=@var{urls} @anchor{daemon-substitute-urls} +@item --substitute-urls=@var{urls} Consider @var{urls} the default whitespace-separated list of substitute source URLs. When this option is omitted, @indicateurl{https://@value{SUBSTITUTE-SERVER}} is used. @@ -1476,6 +1477,9 @@ source URLs. When this option is omitted, This means that substitutes may be downloaded from @var{urls}, as long as they are signed by a trusted signature (@pxref{Substitutes}). +@xref{Getting Substitutes from Other Servers}, for more information on +how to configure the daemon to get substitutes from other servers. + @cindex offloading @item --no-offload Do not use offload builds to other machines (@pxref{Daemon Offload @@ -3554,6 +3558,7 @@ also result from derivation builds, can be available as substitutes. @menu * Official Substitute Server:: One particular source of substitutes. * Substitute Server Authorization:: How to enable or disable substitutes. +* Getting Substitutes from Other Servers:: Substitute diversity. * Substitute Authentication:: How Guix verifies substitutes. * Proxy Settings:: How to get substitutes via proxy. * Substitution Failure:: What happens when substitution fails. 
@@ -3603,6 +3608,11 @@ imports, using the @command{guix archive} command (@pxref{Invoking guix archive}). Doing so implies that you trust @code{@value{SUBSTITUTE-SERVER}} to not be compromised and to serve genuine substitutes. +@quotation Note +If you are using Guix System, you can skip this section: Guix System +authorizes substitutes from @code{@value{SUBSTITUTE-SERVER}} by default. +@end quotation + The public key for @code{@value{SUBSTITUTE-SERVER}} is installed along with Guix, in @code{@var{prefix}/share/guix/@value{SUBSTITUTE-SERVER}.pub}, where @var{prefix} is the installation prefix of Guix. If you installed Guix from source, 
@@ -3653,6 +3663,108 @@ guix-daemon}). It can also be disabled temporarily by passing the @option{--no-substitutes} option to @command{guix package}, @command{guix build}, and other command-line tools. +@node Getting Substitutes from Other Servers +@subsection Getting Substitutes from Other Servers + +@cindex substitute servers, adding more +Guix can look up and fetch substitutes from several servers. This is +useful when you are using packages from additional channels for which +the official server does not have substitutes but another server +provides them. Another situation where this is useful is when you would +prefer to download from your organization's substitute server, resorting +to the official server only as a fallback or dismissing it altogether. + +You can give Guix a list of substitute server URLs and it will check +them in the specified order. You also need to explicitly authorize the +public keys of substitute servers to instruct Guix to accept the +substitutes they sign. + +On Guix System, this is achieved by modifying the configuration of the +@code{guix} service. Since the @code{guix} service is part of the +default lists of services, @code{%base-services} and +@code{%desktop-services}, you can use @code{modify-services} to change +its configuration and add the URLs and substitute keys that you want +(@pxref{Service Reference, @code{modify-services}}). + +As an example, suppose you want to fetch substitutes from +@code{guix.example.org} and to authorize the signing key of that server, +in addition to the default @code{@value{SUBSTITUTE-SERVER}}. The +resulting operating system configuration will look something like: + +@lisp +(operating-system + ;; @dots{} + (services + ;; Assume we're starting from '%desktop-services'. Replace it + ;; with the list of services you're actually using. 
+ (modify-services %desktop-services + (guix-service-type config => + (guix-configuration + (inherit config) + (substitute-urls + (append (list "https://guix.example.org") + %default-substitute-urls)) + (authorized-keys + (append (list (local-file "./key.pub")) + %default-authorized-guix-keys))))))) +@end lisp + +This assumes that the file @file{key.pub} contains the signing key of +@code{guix.example.org}. With this change in place in your operating +system configuration file (say @file{/etc/config.scm}), you can +reconfigure and restart the @code{guix-daemon} service or reboot so the +changes take effect: + +@example +$ sudo guix system reconfigure /etc/config.scm +$ sudo herd restart guix-daemon +@end example + +If you're running Guix on a ``foreign distro'', you would instead take +the following steps to get substitutes from additional servers: + +@enumerate +@item +Edit the service configuration file for @code{guix-daemon}; when using +systemd, this is normally +@file{/etc/systemd/system/guix-daemon.service}. Add the +@option{--substitute-urls} option on the @command{guix-daemon} command +line and list the URLs of interest (@pxref{daemon-substitute-urls, +@code{guix-daemon --substitute-urls}}): + +@example +@dots{} --substitute-urls='https://guix.example.org https://@value{SUBSTITUTE-SERVER}' +@end example + +@item +Restart the daemon. For systemd, it goes like this: + +@example +systemctl daemon-reload +systemctl restart guix-daemon.service +@end example + +@item +Authorize the key of the new server (@pxref{Invoking guix archive}): + +@example +guix archive --authorize < key.pub +@end example + +Again this assumes @file{key.pub} contains the public key that +@code{guix.example.org} uses to sign substitutes. +@end enumerate + +Now you're all set! Substitutes will be preferably taken from +@code{https://guix.example.org}, using @code{@value{SUBSTITUTE-SERVER}} +as a fallback. 
Of course you can list as many substitute servers as you +like, with the caveat that substitute lookup can be slowed down if too +many servers need to be contacted. + +Note that there are also situations where one may want to add the URL of +a substitute server @emph{without} authorizing its key. +@xref{Substitute Authentication}, to understand this fine point. + @node Substitute Authentication @subsection Substitute Authentication @@ -11873,12 +11985,8 @@ spawn an HTTP server on port 8080: guix publish @end example -Once a publishing server has been authorized (@pxref{Invoking guix -archive}), the daemon may download substitutes from it: - -@example -guix-daemon --substitute-urls=http://example.org:8080 -@end example +Once a publishing server has been authorized, the daemon may download +substitutes from it. @xref{Getting Substitutes from Other Servers}. By default, @command{guix publish} compresses archives on the fly as it serves them. This ``on-the-fly'' mode is convenient in that it requires -- 2.28.0 From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 21 12:07:23 2020 Received: (at 39819) by debbugs.gnu.org; 21 Oct 2020 16:07:23 +0000 Received: from localhost ([127.0.0.1]:50337 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kVGe3-0005nJ-EW for submit@debbugs.gnu.org; Wed, 21 Oct 2020 12:07:23 -0400 Received: from cascadia.aikidev.net ([173.255.214.101]:35150) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kVGe2-0005n5-56 for 39819@debbugs.gnu.org; Wed, 21 Oct 2020 12:07:22 -0400 Received: from localhost (unknown [IPv6:2600:3c01:e000:21:21:21:0:100e]) (Authenticated sender: vagrant@cascadia.debian.net) by cascadia.aikidev.net (Postfix) with ESMTPSA id DAC821AA41; Wed, 21 Oct 2020 09:07:15 -0700 (PDT) 
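Review bot: the @quotation added in the @@ -3603 hunk tells Guix System users they "can skip this section", but the sentence right above it is the one that explains what authorizing a server means (trusting it "to not be compromised and to serve genuine substitutes"), and the new Getting Substitutes from Other Servers node sends Guix System users back here through `authorized-keys`. Consider "you can skip the rest of this section", or a pointer to the new node, so the trust statement is still read by people who add servers through `guix-configuration`.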
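Review bot: step 3 of the foreign-distro list in the @@ -3653 hunk (`guix archive --authorize < key.pub`) and the Guix System example above it both say only that `key.pub` "contains the signing key of @code{guix.example.org}", never how the reader should have obtained and verified it; once authorized, the daemon accepts whatever that key signs, so a sentence pointing back to the checks in Substitute Server Authorization, as the patch 1/2 text for `substitute-urls` does with "having done appropriate checks", belongs here too. Also, `systemctl daemon-reload`, `systemctl restart guix-daemon.service` and `guix archive --authorize` are shown without a prompt or `sudo` while the Guix System steps use `sudo`; `--authorize` writes `/etc/guix/acl`, so the examples should make the privilege requirement consistent.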
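Review bot: the @@ -11873 hunk removes the `guix-daemon --substitute-urls=http://example.org:8080` example, which was the only place showing a substitute URL with a port and plain `http://`, while the node it now points to uses `https://guix.example.org` throughout; since `guix publish` spawns "an HTTP server on port 8080" per the context line above, keeping a one-line example with the port here (or in the new node) would save readers from guessing the URL form.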
From: Vagrant Cascadian To: Ludovic Courtès , 39819@debbugs.gnu.org Subject: Re: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default. In-Reply-To: <20201021150823.20508-1-ludo@gnu.org> References: <87v9fhf3my.fsf@inria.fr> <20201021150823.20508-1-ludo@gnu.org> Date: Wed, 21 Oct 2020 09:06:56 -0700 Message-ID: <87mu0f8swv.fsf@ponder> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 39819 Cc: guix-devel@gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

On 2020-10-21, Ludovic Courtès wrote: > diff --git a/doc/guix.texi > index c161012da5..50d2d9a730 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi ...
> @@ -14583,6 +14598,27 @@ Whether to use substitutes. > @item @code{substitute-urls} (default: @code{%default-substitute-urls}) > The list of URLs where to look for substitutes by default. >=20=20 > +Support you would like to fetch substitutes from @code{guix.example.org} (substitute* "Support" "Suppose") ? > +in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do > +two things: (1) add @code{guix.example.org} to @code{substitute-urls}, > +and (2) authorize its signing key, having done appropriate checks > +(@pxref{Substitute Server Authorization}). The configuration below does > +exactly that: > + > +@lisp > +(guix-configuration > + (substitute-urls > + (append (list "https://guix.example.org") > + %default-substitute-urls)) > + (authorized-keys > + (append (list (local-file "./guix.example.org-key.pub")) > + %default-authorized-guix-keys))) > +@end lisp > + > +This example assumes that the file @file{./guix.example.org-key.pub} > +contains the public key that @code{guix.example.org} uses to sign > +substitutes. 
> + > @item @code{max-silent-time} (default: @code{0}) > @itemx @code{timeout} (default: @code{0}) > The number of seconds of silence and the number of seconds of activity,

From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 24 19:09:00 2020 Received: (at 39819-done) by debbugs.gnu.org; 24 Oct 2020 23:09:00 +0000 Received: from localhost ([127.0.0.1]:35436 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kWSei-0001D5-H5 for submit@debbugs.gnu.org; Sat, 24 Oct 2020 19:09:00 -0400 Received: from eggs.gnu.org ([209.51.188.92]:56160) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kWSeh-0001Ct-24 for 39819-done@debbugs.gnu.org; Sat, 24 Oct 2020 19:08:59 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:55214) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kWSeb-0003ue-Si; Sat, 24 Oct 2020 19:08:53 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=53992 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kWSeb-0004m9-Fw; Sat, 24 Oct 2020 19:08:53 -0400
From: Ludovic Courtès To: 39819-done@debbugs.gnu.org Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default. References: <87v9fhf3my.fsf@inria.fr> <20201021150823.20508-1-ludo@gnu.org> Date: Sun, 25 Oct 2020 01:08:52 +0200 In-Reply-To: <20201021150823.20508-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Wed, 21 Oct 2020 17:08:22 +0200") Message-ID: <87tuujgr23.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 39819-done Cc: guix-devel@gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---)

Hello! I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897 with the changes below, accounting for Vagrant’s comment and for the fact that childhurds rely on the non-declarative behavior (which hadn’t occurred to me before), as well as fixing other typos. Let me know if anything is amiss! Thanks, Ludo’.

diff --git a/doc/guix.texi b/doc/guix.texi index 021d430c39..efb4ea1c47 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in @code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}). -When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be +When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be changed by invoking @command{guix archive --authorize}. You must instead adjust @code{guix-configuration} as you wish and reconfigure the system. This ensures that your operating system configuration file is self-contained. @quotation Note -When booting or reconfiguring to a system where @code{authorize-keys?} +When booting or reconfiguring to a system where @code{authorize-key?} is true, the existing @file{/etc/guix/acl} file is backed up as @file{/etc/guix/acl.bak} if it was determined to be a manually modified file. This is to facilitate migration from earlier versions, which @@ -14717,7 +14717,7 @@ Whether to use substitutes. @item @code{substitute-urls} (default: @code{%default-substitute-urls}) The list of URLs where to look for substitutes by default. -Support you would like to fetch substitutes from @code{guix.example.org} +Suppose you would like to fetch substitutes from @code{guix.example.org} in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do two things: (1) add @code{guix.example.org} to @code{substitute-urls}, and (2) authorize its signing key, having done appropriate checks diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index edd0b644f5..eaf0bbde43 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm 
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP." (permit-root-login #t) (allow-empty-passwords? #t) (password-authentication? #t))) - %base-services/hurd)))) + + ;; By default, the secret service introduces a pre-initialized + ;; /etc/guix/acl file in the childhurd. Thus, clear + ;; 'authorize-key?' so that it's not overridden at activation + ;; time. + (modify-services %base-services/hurd + (guix-service-type config => + (guix-configuration + (inherit config) + (authorize-key? #f)))))))) (define-record-type* hurd-vm-configuration make-hurd-vm-configuration --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 24 19:11:17 2020 Received: (at 39819) by debbugs.gnu.org; 24 Oct 2020 23:11:17 +0000 Received: from localhost ([127.0.0.1]:35442 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kWSgu-0001HI-Vg for submit@debbugs.gnu.org; Sat, 24 Oct 2020 19:11:17 -0400 Received: from eggs.gnu.org ([209.51.188.92]:56438) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kWSgt-0001H5-Aw for 39819@debbugs.gnu.org; Sat, 24 Oct 2020 19:11:15 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:55229) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kWSgo-0004Eq-4W; Sat, 24 Oct 2020 19:11:10 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=53994 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kWSgn-0004yh-K9; Sat, 24 Oct 2020 19:11:09 -0400 
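Review bot: the comment in the @@ -875 hunk of gnu/services/virtualization.scm explains why the childhurd clears `authorize-key?`, but the @@ -14690 hunk in doc/guix.texi that documents `authorize-key?` says nothing about this interaction; a sentence there noting that the option must be #f whenever something else provisions /etc/guix/acl (as the secret service does for childhurds, per this comment) would keep the next reader from rediscovering it. Note too that with `authorize-key? #f` the `authorized-keys` of that `guix-configuration` are not installed, so the ACL the secret service hands over is the only set of substitute keys the childhurd trusts; that is worth a line in the comment.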
From: Ludovic Courtès To: 39819@debbugs.gnu.org Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default. References: <87v9fhf3my.fsf@inria.fr> <20201021150823.20508-1-ludo@gnu.org> Date: Sun, 25 Oct 2020 01:11:06 +0200 In-Reply-To: <20201021150823.20508-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Wed, 21 Oct 2020 17:08:22 +0200") Message-ID: <87pn57gqyd.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 39819 Cc: guix-devel@gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---)

BTW, attached is the script I used to retrieve the signing keys of all the build nodes of the build farm so we can have them declared in the config of the head node. You may find it handy if you have a similar setup! Ludo’.
[Attachment: fetch-signing-keys.scm]

(use-modules (guix scripts offload)
             (guix ssh)
             (guix inferior)
             (ssh session)
             (srfi srfi-34)
             (ice-9 match))

;; These helpers are private to (guix scripts offload); reach in with '@@'.
(define open-ssh-session (@@ (guix scripts offload) open-ssh-session))
(define build-machine-name (@@ (guix scripts offload) build-machine-name))
(define build-machine-port (@@ (guix scripts offload) build-machine-port))

(define (fetch-key machine)
  "Fetch /etc/guix/signing-key.pub from build MACHINE over SSH and store it
locally as NAME.pub, or NAME:PORT.pub when MACHINE uses a non-default port."
  (format #t "fetching key from ~s...~%" machine)
  (let* ((session (open-ssh-session machine 5))
         (inferior (remote-inferior session)))
    ;; Read the key on the remote side as raw bytes (ISO-8859-1 maps each
    ;; byte to one character) so the file comes back unmodified.
    (define key
      (inferior-eval '(begin
                        (use-modules (rnrs io ports))
                        (with-fluids ((%default-port-encoding "ISO-8859-1"))
                          (call-with-input-file "/etc/guix/signing-key.pub"
                            get-string-all)))
                     inferior))

    ;; Local file name: "<host>.pub", or "<host>:<port>.pub" for non-22 ports.
    (define file
      (string-append (build-machine-name machine)
                     (match (build-machine-port machine)
                       (22 "")
                       (port (string-append ":" (number->string port))))
                     ".pub"))

    ;; Write the bytes back out with the same one-to-one encoding.
    (with-fluids ((%default-port-encoding "ISO-8859-1"))
      (call-with-output-file file
        (lambda (port)
          (display key port))))

    (close-inferior inferior)
    (disconnect! session)))

;; Iterate over the offload machines declared in /etc/guix/machines.scm;
;; report failures for one machine with 'pk' and continue with the rest.
(let ((machines (load "/etc/guix/machines.scm")))
  (for-each (lambda (machine)
              (guard (c (pk 'fail c))
                (fetch-key machine)))
            machines))

From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 25 01:59:22 2020 Received: (at 39819) by debbugs.gnu.org; 25 Oct 2020 05:59:22 +0000 Received: from localhost ([127.0.0.1]:35634 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kWZ3p-0000jl-Tq for submit@debbugs.gnu.org; Sun, 25 Oct 2020 01:59:22 -0400 Received: from eggs.gnu.org ([209.51.188.92]:44484) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kWZ3m-0000jX-CT for 39819@debbugs.gnu.org; Sun, 25 Oct 2020 01:59:21 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59378) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kWZ3g-0001wp-LL; Sun, 25 Oct 2020 01:59:12 -0400 Received: from [2001:980:1b4f:1:42d2:832d:bb59:862] (port=47906 helo=dundal.janneke.lilypond.org) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kWZ3f-0004f5-Ia; Sun, 25 Oct 2020 01:59:12 -0400
From: Jan Nieuwenhuizen To: 39819@debbugs.gnu.org Subject: Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default. Organization: AvatarAcademy.nl References: <87v9fhf3my.fsf@inria.fr> <20201021150823.20508-1-ludo@gnu.org> <87tuujgr23.fsf@gnu.org> X-Url: http://AvatarAcademy.nl Date: Sun, 25 Oct 2020 06:59:08 +0100 In-Reply-To: <87tuujgr23.fsf@gnu.org> ("Ludovic Courtès"'s message of "Sun, 25 Oct 2020 01:08:52 +0200") Message-ID: <87y2ju9783.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 39819 Cc: ludo@gnu.org, maxim.cournoyer@gmail.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---)

Ludovic Courtès writes: Hello, > I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897 > with the changes below, accounting for Vagrant’s comment and for the > fact that childhurds rely on the non-declarative behavior (which hadn’t > occurred to me before), as well as fixing other typos. > > > + ;; By default, the secret service introduces a pre-initialized > + ;; /etc/guix/acl file in the childhurd. Thus, clear > + ;; 'authorize-key?' so that it's not overridden at activation > + ;; time. > + (modify-services %base-services/hurd > + (guix-service-type config => > + (guix-configuration > + (inherit config) > + (authorize-key? #f)))))))) Ah, good catch!
Janneke -- Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com

bug archived. Date: Sun, 22 Nov 2020 12:24:05 +0000