Subject: Status: [PATCH] DRAFT services: childhurd: Support for setting secrets.
Date: Fri, 15 Aug 2025 04:43:45 +0000

retitle 43106 [PATCH] DRAFT services: childhurd: Support for setting secrets.
reassign 43106 guix-patches
submitter 43106 "Jan (janneke) Nieuwenhuizen"
severity 43106 normal
tag 43106 patch
thanks
From: "Jan (janneke) Nieuwenhuizen"
To: guix-patches@gnu.org
Subject: [PATCH] DRAFT services: childhurd: Support for setting secrets.
Date: Sat, 29 Aug 2020 23:57:26 +0200
Message-Id: <20200829215726.3910-1-janneke@gnu.org>

TODO: This seems to work...but it can keep the shepherd from finishing for
quite some time (half a minute)...not sure what to do here, WDYT?

A great way to play with it is by doing something like

--8<---------------cut here---------------start------------->8---
sudo -E ./pre-inst-env guile -c '(use-modules (gnu build childhurd)) (hurd-vm-copy-secrets 10022 "/etc/childhurd")'
--8<---------------cut here---------------end--------------->8---

* gnu/build/childhurd.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* gnu/services/virtualization.scm (hurd-vm-shepherd-service): Use it to set
secrets.
(hurd-vm-port): New function.
(hurd-vm-net-options): Use it.
* doc/guix.texi (The Hurd in a Virtual Machine): Document it.
---
 doc/guix.texi                   | 19 ++++++++
 gnu/build/childhurd.scm         | 77 +++++++++++++++++++++++++++++++++
 gnu/local.mk                    |  1 +
 gnu/services/virtualization.scm | 52 +++++++++++++++++-----
 4 files changed, 138 insertions(+), 11 deletions(-)
 create mode 100644 gnu/build/childhurd.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 0b79a49814..334ee5e05c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25119,6 +25119,7 @@ Return the name of @var{platform}---a string such as @code{"arm"}. @cindex @code{hurd} @cindex the Hurd +@cindex childhurd Service @code{hurd-vm} provides support for running GNU/Hurd in a virtual machine (VM), a so-called ``Childhurd''. The virtual machine is @@ -25200,6 +25201,24 @@ with forwarded ports : @code{(+ 15900 (* 1000 @var{ID}))} @end example +@item @code{secret-root} (default: @code{#f}) +If set, the root directory with out-of-band secrets to be injected into +the childhurd once it runs. Childhurds are volatile which means that on +every startup, secrets such as the SSH host keys and Guix signing key +are recreated. + +Typical use is setting @code{secret-root} to @code{"/etc/childhurd"} +pointing at a tree of non-volatile secrets like so + +@example +/etc/childhurd/etc/guix/signing-key.pub +/etc/childhurd/etc/guix/signing-key.sec +/etc/childhurd/etc/ssh/ssh_host_ed25519_key +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub +@end example + @end table @end deftp diff --git a/gnu/build/childhurd.scm b/gnu/build/childhurd.scm new file mode 100644 index 0000000000..87c5cc0cd0 --- /dev/null +++ b/gnu/build/childhurd.scm 
@@ -0,0 +1,77 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu build childhurd) + #:use-module (ice-9 rdelim) + #:use-module (guix build utils) + + ;; #:use-module (ssh auth) + ;; #:use-module (ssh channel) + ;; #:use-module (ssh session) + ;; #:use-module (ssh sftp) + + #:autoload (ssh auth) (userauth-password!) + #:autoload (ssh channel) (make-channel + channel-open-session channel-request-exec + channel-get-exit-status) + #:autoload (ssh session) (make-session connect! disconnect!) + #:autoload (ssh sftp) (make-sftp-session + call-with-remote-output-file sftp-chmod) + + #:export (hurd-vm-copy-secrets)) + +;;; Commentary: +;;; +;;; Utility procedures for a childhurd. +;;; +;;; Code: + +(define* (hurd-vm-copy-secrets port secret-root #:key (retry 20)) + "Copy all files under SECRET-ROOT using ssh to childhurd at local PORT." + (format (current-error-port) "hurd-vm-copy-secrets\n") + (let ((session (make-session #:host "127.0.0.1" #:port port + #:user "root"))) + (let loop ((result (connect! session)) (retry retry)) + (unless (equal? result 'ok) + (format (current-error-port) "Waiting for childhurd...\n") + (when (zero? retry) + (error "Could not connect childhurd" session result)) + (sleep 1) + (disconnect! 
session) + (loop (connect! session) (1- retry)))) + (let ((result (userauth-password! session ""))) + (unless (equal? result 'success) + (error "Could not set userauth-password" session result))) + (let ((sftp-session (make-sftp-session session))) + (define (copy-file source) + (let ((text (with-input-from-file source read-string)) + (mode (stat:mode (stat source))) + (target (substring source (string-length secret-root)))) + (call-with-remote-output-file sftp-session target + ;;(cute display text <>) + (lambda (port) (display text port))) + (sftp-chmod sftp-session target mode))) + (for-each copy-file (find-files secret-root)) + (let ((channel (make-channel session))) + (channel-open-session channel) + (channel-request-exec channel "herd restart sshd") + (unless (zero? (channel-get-exit-status channel)) + (error "Failed to restart sshd")))) + (disconnect! session))) + +;;; childhurd.scm ends here diff --git a/gnu/local.mk b/gnu/local.mk index d956e52d97..f872f1ba77 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -648,6 +648,7 @@ GNU_SYSTEM_MODULES = \ %D%/build/accounts.scm \ %D%/build/activation.scm \ %D%/build/bootloader.scm \ + %D%/build/childhurd.scm \ %D%/build/cross-toolchain.scm \ %D%/build/image.scm \ %D%/build/file-systems.scm \ diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index b93ed70099..f496c06764 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -39,6 +39,7 @@ #:use-module (gnu system) #:use-module (guix derivations) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix monads) #:use-module (guix packages) #:use-module (guix records) @@ -61,7 +62,10 @@ hurd-vm-configuration-options hurd-vm-configuration-id hurd-vm-configuration-net-options + hurd-vm-configuration-secrets + hurd-vm-disk-image + hurd-vm-port hurd-vm-net-options hurd-vm-service-type 
@@ -849,7 +853,9 @@ functionality of the kernel Linux."))) (default #f)) (net-options hurd-vm-configuration-net-options ;list of string (thunked) - (default (hurd-vm-net-options this-record)))) + (default (hurd-vm-net-options this-record))) + (secret-root hurd-vm-configuration-secret-root ;#f or string + (default #f))) (define (hurd-vm-disk-image config) "Return a disk-image for the Hurd according to CONFIG." @@ -861,15 +867,23 @@ functionality of the kernel Linux."))) (size disk-size) (operating-system os))))) -(define (hurd-vm-net-options config) +(define (hurd-vm-port config base) + "Return the forwarded vm port for this childhurd config." (let ((id (or (hurd-vm-configuration-id config) 0))) - (define (qemu-vm-port base) - (number->string (+ base (* 1000 id)))) - `("--device" "rtl8139,netdev=net0" - "--netdev" ,(string-append - "user,id=net0" - ",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 10022) "-:2222" - ",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 15900) "-:5900")))) + (+ base (* 1000 id)))) +(define %hurd-vm-ssh-port 10022) +(define %hurd-vm-vnc-port 15900) + +(define (hurd-vm-net-options config) + `("--device" "rtl8139,netdev=net0" + "--netdev" + ,(string-append "user,id=net0" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-ssh-port)) + "-:2222" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-vnc-port)) + "-:5900"))) (define (hurd-vm-shepherd-service config) "Return a for a Hurd in a Virtual Machine with CONFIG." 
@@ -900,8 +914,24 @@ functionality of the kernel Linux."))) (string->symbol (number->string id))) provisions) provisions)) - (requirement '(networking)) - (start #~(make-forkexec-constructor #$vm-command)) + (requirement '(loopback networking user-processes)) + (start + (with-imported-modules (source-module-closure '((gnu build childhurd) + (guix build utils))) + (with-extensions (list guile-ssh) + #~(let ((spawn (make-forkexec-constructor #$vm-command))) + (use-modules (gnu build childhurd)) + (lambda _ + (let ((pid (spawn)) + (port #$(hurd-vm-port config %hurd-vm-ssh-port)) + (root #$(hurd-vm-configuration-secret-root config))) + (when (and root (directory-exists? root)) + (catch #t + (lambda _ + (hurd-vm-copy-secrets port root)) + (lambda (key . args) + (format (current-error-port) "childhurd: ~a ~s\n" key args)))) + pid)))))) (stop #~(make-kill-destructor)))))) (define hurd-vm-service-type
-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
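Review bot: the export hunk of gnu/services/virtualization.scm adds `hurd-vm-configuration-secrets`, but the field added further down is `secret-root` with accessor `hurd-vm-configuration-secret-root`; the exported name is never defined, so anyone importing it gets an unbound variable, and the texinfo documents the field as `secret-root`. Export `hurd-vm-configuration-secret-root` instead.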
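Review bot: in the gnu/build/childhurd.scm hunk, `hurd-vm-copy-secrets` never checks the server's host key: it goes straight from `make-session` to `connect!` and `(userauth-password! session "")`, so the SSH host private keys and `signing-key.sec` are pushed over a session whose peer is not authenticated and whose only credential is an empty root password. Given that the guest's host keys are exactly what is being installed, the docstring should at least state that PORT must be the loopback `hostfwd` and nothing else. Two smaller points in the same hunk: `copy-file` creates each remote file through `call-with-remote-output-file` before `sftp-chmod` runs, so a private key briefly exists on the guest with the remote's default mode (write to a 0600 temporary and rename, or chmod before writing the content), and `read-string`/`display` move the file through a textual port, so a file that is not valid in the current encoding is not copied byte for byte; binary I/O (`get-bytevector-all`/`put-bytevector`) is the safer pair.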
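Review bot: in the `hurd-vm-shepherd-service` hunk, `(catch #t ...)` turns every failure of `hurd-vm-copy-secrets`, including the `error` raised once the 20 retries are exhausted, into one log line and still returns `pid`, so a childhurd whose secrets were not injected keeps running with freshly generated SSH host keys and Guix signing key, which is the silent outcome this feature exists to prevent. Either let the exception propagate so the service fails to start, or kill `pid` before returning. The retry loop also runs inside the shepherd's own process (up to twenty `(sleep 1)` calls plus the SSH handshake), which is the half-minute stall the commit message mentions; forking the copy into a child keeps the shepherd responsive.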
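Review bot: the doc/guix.texi hunk should say who may read the host-side tree and which modes it should carry: `/etc/childhurd` holds `signing-key.sec` and the unencrypted SSH host private keys as plain files, and `hurd-vm-copy-secrets` copies each file's `stat:mode` into the guest, so the tree should be root-owned and 0700 with the private keys 0600, otherwise the same loose modes end up inside the childhurd.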
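Review bot: `hurd-vm-port` gains a second `base` argument and is newly exported, but its docstring ("Return the forwarded vm port for this childhurd config.") names neither argument; document both, for instance "Return the host port that forwards to guest port BASE for the childhurd described by CONFIG.", since the doc formula `(+ 15900 (* 1000 ID))` is what callers will expect it to compute.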
From: Ludovic Courtès
To: "Jan (janneke) Nieuwenhuizen"
Cc: 43106@debbugs.gnu.org
Subject: Re: [bug#43106] [PATCH] DRAFT services: childhurd: Support for setting secrets.
Date: Sun, 30 Aug 2020 15:44:03 +0200
Message-ID: <87h7ski6zg.fsf@gnu.org>
In-Reply-To: <20200829215726.3910-1-janneke@gnu.org>

Hi!

"Jan (janneke) Nieuwenhuizen" skribis:

> TODO: This seems to work...but it can keep the shepherd from finishing for
> quite some time (half a minute)...not sure what to do here, WDYT?
>
> A great way to play with it is by doing something like
>
> sudo -E ./pre-inst-env guile -c '(use-modules (gnu build childhurd)) (hurd-vm-copy-secrets 10022 "/etc/childhurd")'
>
> * gnu/build/childhurd.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
> * gnu/services/virtualization.scm (hurd-vm-shepherd-service): Use it to set
> secrets.
> (hurd-vm-port): New function.
> (hurd-vm-net-options): Use it.
> * doc/guix.texi (The Hurd in a Virtual Machine): Document it.

Nice, thanks for working on it!

> +@item @code{secret-root} (default: @code{#f})
> +If set, the root directory with out-of-band secrets to be injected into
> +the childhurd once it runs. Childhurds are volatile which means that on
> +every startup, secrets such as the SSH host keys and Guix signing key
> +are recreated.
> +
> +Typical use is setting @code{secret-root} to @code{"/etc/childhurd"}
> +pointing at a tree of non-volatile secrets like so
> +
> +@example
> +/etc/childhurd/etc/guix/signing-key.pub
> +/etc/childhurd/etc/guix/signing-key.sec
> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key
> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
> +@end example

Would it make sense to have a list of source/target pairs instead of a
directory:

  (("/etc/childhurd/pubkey" . "/etc/guix/signing-key.pub")
   …)

?

[...]

> +(define-module (gnu build childhurd)
> + #:use-module (ice-9 rdelim)
> + #:use-module (guix build utils)
> +
> + ;; #:use-module (ssh auth)
> + ;; #:use-module (ssh channel)
> + ;; #:use-module (ssh session)
> + ;; #:use-module (ssh sftp)
> +
> + #:autoload (ssh auth) (userauth-password!)

You could add the file to MODULES_NOT_COMPILED in gnu/local.mk to avoid
the autoload dance.

> +(define* (hurd-vm-copy-secrets port secret-root #:key (retry 20))
> + "Copy all files under SECRET-ROOT using ssh to childhurd at local PORT."
> + (format (current-error-port) "hurd-vm-copy-secrets\n")
> + (let ((session (make-session #:host "127.0.0.1" #:port port
> + #:user "root")))

I just realized that we have a bootstrapping issue here: we have to
explicitly skip SSH host authentication because we haven't installed the
host keys yet.

The boot sequence of the guest is actually: generate SSH host keys,
start sshd, receive host keys over SFTP.

[...]

> - (start #~(make-forkexec-constructor #$vm-command))
> + (requirement '(loopback networking user-processes))
> + (start
> + (with-imported-modules (source-module-closure '((gnu build childhurd)
> + (guix build utils)))
> + (with-extensions (list guile-ssh)
> + #~(let ((spawn (make-forkexec-constructor #$vm-command)))
> + (use-modules (gnu build childhurd))

We should use the ‘modules’ field of instead of a
non-top-level ‘use-modules’.

> + (lambda _
> + (let ((pid (spawn))
> + (port #$(hurd-vm-port config %hurd-vm-ssh-port))
> + (root #$(hurd-vm-configuration-secret-root config)))
> + (when (and root (directory-exists? root))
> + (catch #t
> + (lambda _
> + (hurd-vm-copy-secrets port root))
> + (lambda (key . args)
> + (format (current-error-port) "childhurd: ~a ~s\n" key args))))

To avoid race conditions, we probably have to wait until PORT becomes
available, no?  Also, the VM boots even if we've failed to inject the
secrets, right?

As discussed on IRC, attached is my attempt at addressing this problem:
the guest would run an activation snippet early on to receive secret
files over raw unauthenticated TCP, blocking until it has received them.
What's missing from this patch is the host side that actually connects
to the guest and sends this file.

I think it has the advantage of failing in case the secrets haven't been
installed and it avoids the SSH host key bootstrapping issue.  (It has
at least the disadvantage of not being fully implemented. :-))  Also,
longer term, it would allow us to not force password-less root
authentication in the VM.

I'm tempted to go the raw TCP way; WDYT?  We can pair-hack on it if you
feel like it!

Thanks,
Ludo'.

modified   gnu/services/virtualization.scm
@@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2017 Ryan Moe -;;; Copyright =C2=A9 2018 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2018, 2020 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen ;;; ;;; This file is part of GNU Guix. 
@@ -804,6 +804,93 @@ given QEMU package." compiled for other architectures using QEMU and the @code{binfmt_misc} functionality of the kernel Linux."))) =20 + +;;; +;;; Secrets for guest VMs. +;;; + +(define (secret-service-activation port) + "Return an activation snippet that fetches sensitive material at PORT, o= ver +TCP." + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils) + (rnrs io ports) + (rnrs bytevectors) + (ice-9 match)) + + (define (wait-for-client port) + ;; Wait for a TCP connection on PORT. Note: We cannot use the + ;; virtio-serial ports, which would be safer, because they are + ;; (presumably) unsupported on GNU/Hurd. + (let ((sock (socket AF_INET SOCK_STREAM 0))) + (bind sock AF_INET INADDR_ANY port) + (listen sock 1) + (format (current-error-port) + "waiting for secrets on port ~a...~%" + port) + (match (accept sock) + ((client . address) + (format (current-error-port) "client connection from ~a~%" + (inet-ntop (sockaddr:fam address) + (sockaddr:addr address))) + (close-port sock) + client)))) + + ;; TODO: Remove when (@ (guix build utils) dump-port) has a 'size' + ;; parameter. + (define (dump in out size) + ;; Copy SIZE bytes from IN to OUT. + (define buf-size 65536) + (define buf (make-bytevector buf-size)) + + (let loop ((left size)) + (if (<=3D left 0) + 0 + (let ((read (get-bytevector-n! in buf 0 (min left buf-size= )))) + (if (eof-object? read) + left + (begin + (put-bytevector out buf 0 read) + (loop (- left read)))))))) + + (define (read-secrets port) + ;; Read secret files from PORT and install them. 
+ (match (false-if-exception (read port)) + (('secrets ('version 0) + ('files ((files sizes modes) ...))) + (for-each (lambda (file size mode) + (format (current-error-port) + "installing file '~a' (~a bytes)...~%" + file size) + (mkdir-p (dirname file)) + (call-with-output-file file + (lambda (output) + (dump port output size) + (chmod file mode)))) + files sizes modes)) + (_ + (format (current-error-port) + "invalid secrets received~%") + (sleep 3) + (reboot)))) + + (let ((port (wait-for-client #$port))) + (read-secrets port) + (close-port port)))) + + (computed-file "secret-service-client" install-secrets)) + +(define secret-service-type + (service-type + (name 'secret-service) + (extensions (list (service-extension activation-service-type + secret-service-activation))) + (description + "This service fetches secret key and other sensitive material over TCP= at +boot time. This service is meant to be used by virtual machines (VMs) that +can only be accessed by their host."))) + ;;; ;;; The Hurd in VM service: a Childhurd. @@ -819,6 +906,8 @@ functionality of the kernel Linux."))) (target "/dev/vda") (timeout 0))) (services (cons* + ;; Receive secret keys on port 5900, TCP. + (service secret-service-type 5900) (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) modified gnu/system/examples/bare-hurd.tmpl 
@@ -41,14 +41,16 @@ (host-name "guixygnu") (timezone "Europe/Amsterdam") (packages (cons openssh-sans-x %base-packages/hurd)) - (services (cons (service openssh-service-type - (openssh-configuration - (openssh openssh-sans-x) - (use-pam? #f) - (port-number 2222) - (permit-root-login #t) - (allow-empty-passwords? #t) - (password-authentication? #t))) - %base-services/hurd)))) + (services (append (list (service openssh-service-type + (openssh-configuration + (openssh openssh-sans-x) + (use-pam? #f) + (port-number 2222) + (permit-root-login #t) + (allow-empty-passwords? #t) + (password-authentication? #t))) + (service (@@ (gnu services virtualization) + secret-service-type))) + %base-services/hurd)))) %hurd-os
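Review bot: in the `secret-service-activation` hunk, `install-secrets` is unbound: the `with-imported-modules` form is evaluated and discarded as the procedure's first body form, and the returned `(computed-file "secret-service-client" install-secrets)` names a variable that is never defined. Since `activation-service-type` extensions are gexps spliced into the activation script, the procedure should bind the gexp (`(define install-secrets (with-imported-modules ...))`) and return it as is, not wrap it in a `computed-file`, whose builder would run the snippet as a derivation that never writes `#$output`. In `read-secrets`, the value of `(dump port output size)` is the number of bytes still missing and is dropped, so a connection that closes early installs a truncated key and carries on; treat a non-zero result as an error. `call-with-output-file` also creates each file under the default umask before `chmod` runs, so set `(umask #o077)` first and a private key never exists world-readable. Finally, `wait-for-client` binds `INADDR_ANY`, `accept` has no timeout, and the first peer to connect is believed: the only thing that makes this acceptable is that the guest port is reachable solely through QEMU's user-mode `hostfwd` from 127.0.0.1, so state that assumption next to the virtio-serial remark and document that boot blocks until the host connects.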
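Review bot: `(service secret-service-type 5900)` in the `%hurd-vm-operating-system` hunk picks guest port 5900, which `hurd-vm-net-options` already forwards from host port 15900 (`hostfwd=tcp:127.0.0.1:15900-:5900`, the `%hurd-vm-vnc-port` of the previous patch) for another purpose; use a dedicated guest port and add the matching `hostfwd` so the host side reaches the listener only through the loopback forward.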
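Review bot: in the gnu/system/examples/bare-hurd.tmpl hunk, `(service (@@ (gnu services virtualization) secret-service-type))` passes no value while `secret-service-type` declares no `default-value`, so instantiating the template fails for lack of a port; the `@@` also reaches into a non-exported binding. Export the type and pass the port explicitly. More importantly, this template is the standalone example system: with the activation snippet in place the image blocks in `wait-for-client` at boot until something connects and sends secrets, so the service belongs only in `%hurd-vm-operating-system`, where the host drives it, not in bare-hurd.tmpl.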
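The exchange the sketch above describes, a header datum followed by the raw bytes of each file, as an added loopback round trip in Guile. This is example code written for this page, not Guix's code and not part of either patch in the thread: only the header shape `(secrets (version 0) (files ((target size mode) ...)))` is taken from the patch. The sender streams file contents after the header with byte-exact sizes; the receiver reads the header with `read`, copies exactly `size` bytes per file under a restrictive umask, refuses relative or `..` targets, and fails on a short transfer or an unexpected header instead of installing a truncated key. The temporary directories, the port-0 listener, the constructed fake key and the helper names (`send-secrets`, `receive-secrets`, `copy-exactly`, `safe-target?`) are demo assumptions; it needs Guile 2.2 or later and no Guix modules.

```scheme
;; Added example, not Guix code: one "secret service" exchange over loopback.
;; Wire format as in the patch: a header datum, then each file's raw bytes.
;; Temp dirs, port choice, helper names and the sample key are demo assumptions.
(use-modules (ice-9 match) (ice-9 threads)
             (ice-9 binary-ports) (rnrs bytevectors) (srfi srfi-1))

(define (mkdir-recursive dir)
  (unless (or (string=? dir "/") (file-exists? dir))
    (mkdir-recursive (dirname dir))
    (mkdir dir)))

(define (file->bytevector file)
  (call-with-input-file file
    (lambda (in)
      (let ((bv (get-bytevector-all in)))
        (if (eof-object? bv) (make-bytevector 0) bv)))
    #:binary #t))

;;; Host side: header first, then the file contents in the announced order.
(define (send-secrets port root targets)
  "Connect to 127.0.0.1:PORT and send each TARGET, read from ROOT/TARGET."
  (let* ((sources  (map (lambda (t) (string-append root t)) targets))
         (contents (map file->bytevector sources))
         (sizes    (map bytevector-length contents))   ; byte counts, not chars
         (modes    (map (lambda (s) (stat:perms (stat s))) sources))
         (sock     (socket AF_INET SOCK_STREAM 0)))
    (connect sock AF_INET INADDR_LOOPBACK port)
    (write `(secrets (version 0) (files ,(map list targets sizes modes))) sock)
    (for-each (lambda (bv) (put-bytevector sock bv)) contents)
    (force-output sock)
    (close-port sock)))

;;; Guest side: install exactly what the header announced, or fail loudly.
(define (copy-exactly in out size)
  "Copy SIZE bytes from IN to OUT; return how many bytes are still missing."
  (let ((buf (make-bytevector 65536)))
    (let loop ((left size))
      (if (zero? left)
          0
          (let ((n (get-bytevector-n! in buf 0 (min left 65536))))
            (if (eof-object? n)
                left
                (begin (put-bytevector out buf 0 n)
                       (loop (- left n)))))))))

(define (safe-target? target)
  ;; Absolute and without ".." components, so it cannot escape DEST-ROOT.
  (and (string-prefix? "/" target)
       (not (any (lambda (c) (string=? c "..")) (string-split target #\/)))))

(define (receive-secrets listener dest-root)
  "Accept one sender on LISTENER and install its files below DEST-ROOT.
Return the installed targets; raise on a bad header or a short transfer."
  (match (accept listener)
    ((client . _)
     (let ((old-umask (umask #o077)))   ; never create a key world-readable
       (dynamic-wind
         (const #t)
         (lambda ()
           (match (read client)
             (('secrets ('version 0) ('files ((targets sizes modes) ...)))
              (for-each
               (lambda (target size mode)
                 (unless (safe-target? target)
                   (error "refusing target path" target))
                 (let ((path (string-append dest-root target)))
                   (mkdir-recursive (dirname path))
                   (call-with-output-file path
                     (lambda (out)
                       (let ((missing (copy-exactly client out size)))
                         (unless (zero? missing)
                           (error "short transfer" target missing))))
                     #:binary #t)
                   (chmod path mode)))
               targets sizes modes)
              targets)
             (other (error "invalid secrets header" other))))
         (lambda ()
           (umask old-umask)
           (close-port client)))))))

;;; Demo: a constructed fake key file sent over a kernel-chosen port.
(define (demo)
  (let* ((src (mkdtemp! (string-copy "/tmp/secrets-src-XXXXXX")))
         (dst (mkdtemp! (string-copy "/tmp/secrets-dst-XXXXXX")))
         (key "/etc/ssh/ssh_host_ed25519_key")
         (listener (socket AF_INET SOCK_STREAM 0)))
    (mkdir-recursive (dirname (string-append src key)))
    (call-with-output-file (string-append src key)
      (lambda (out) (display "-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n" out)))
    (chmod (string-append src key) #o600)
    (bind listener AF_INET INADDR_LOOPBACK 0)   ; port 0: the kernel picks one
    (listen listener 1)
    (let* ((port (sockaddr:port (getsockname listener)))
           (sender (call-with-new-thread
                    (lambda () (send-secrets port src (list key)))))
           (installed (receive-secrets listener dst)))
      (join-thread sender)
      (close-port listener)
      (format #t "installed ~a under ~a~%" installed dst)
      installed)))

(demo)
```

Run it with `guile example.scm`; it prints the installed target and leaves the copy under the destination directory with mode 0600. In the real service the receiver would be the guest's activation snippet and the sender would run from the host's shepherd; the two checks that matter are the non-zero return of `copy-exactly`, which turns a dropped connection into a hard failure rather than a truncated key, and the umask set before the file is created, so the key is never readable by anyone else even for an instant.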
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Cc: 43106@debbugs.gnu.org
Subject: Re: [bug#43106] [PATCH] DRAFT services: childhurd: Support for setting secrets.
Date: Sun, 30 Aug 2020 22:41:24 +0200
Message-ID: <87mu2buarv.fsf@gnu.org>
In-Reply-To: <87h7ski6zg.fsf@gnu.org>

Ludovic Courtès writes:

Hi!

> "Jan (janneke) Nieuwenhuizen" skribis:
>>
>> +@example
>> +/etc/childhurd/etc/guix/signing-key.pub
>> +/etc/childhurd/etc/guix/signing-key.sec
>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key
>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>> +@end example
>
> Would it make sense to have a list of source/target pairs instead of a
> directory:
>
> (("/etc/childhurd/pubkey" . "/etc/guix/signing-key.pub")
> …)
>
> ?

We could do that...I'm not opposed to it and in fact I thought about
something like this but then opted for the file system root idea because
I didn't see the need for adding this extra indirection.  If you think
it's a good idea, sure.  Postponed that for now, though.

>> + ;; #:use-module (ssh auth)
>> + ;; #:use-module (ssh channel)
>> + ;; #:use-module (ssh session)
>> + ;; #:use-module (ssh sftp)
>> +
>> + #:autoload (ssh auth) (userauth-password!)
>
> You could add the file to MODULES_NOT_COMPILED in gnu/local.mk to avoid
> the autoload dance.

Ah, right, thanks, good to know.  Following another path now, so I'm
leaving this for a bit.

>> +(define* (hurd-vm-copy-secrets port secret-root #:key (retry 20))
>> + "Copy all files under SECRET-ROOT using ssh to childhurd at local PORT."
>> + (format (current-error-port) "hurd-vm-copy-secrets\n")
>> + (let ((session (make-session #:host "127.0.0.1" #:port port
>> + #:user "root")))
>
> I just realized that we have a bootstrapping issue here: we have to
> explicitly skip SSH host authentication because we haven't installed the
> host keys yet.

Right! Hmm...

> The boot sequence of the guest is actually: generate SSH host keys,
> start sshd, receive host keys over SFTP.
>
> [...]
>
>> - (start #~(make-forkexec-constructor #$vm-command))
>> + (requirement '(loopback networking user-processes))
>> + (start
>> + (with-imported-modules (source-module-closure '((gnu build childhurd)
>> + (guix build utils)))
>> + (with-extensions (list guile-ssh)
>> + #~(let ((spawn (make-forkexec-constructor #$vm-command)))
>> + (use-modules (gnu build childhurd))
>
> We should use the ‘modules’ field of instead of a
> non-top-level ‘use-modules’.

OK, done.

>> + (lambda _
>> + (let ((pid (spawn))
>> + (port #$(hurd-vm-port config %hurd-vm-ssh-port))
>> + (root #$(hurd-vm-configuration-secret-root config)))
>> + (when (and root (directory-exists? root))
>> + (catch #t
>> + (lambda _
>> + (hurd-vm-copy-secrets port root))
>> + (lambda (key . args)
>> + (format (current-error-port) "childhurd: ~a ~s\n" key args))))
>
> To avoid race conditions, we probably have to wait until PORT becomes
> available, no?  Also, the VM boots even if we've failed to inject the
> secrets, right?

Yes on both...that's a problem.

> As discussed on IRC, attached is my attempt at addressing this problem:
> the guest would run an activation snippet early on to receive secret
> files over raw unauthenticated TCP, blocking until it has received them.
> What's missing from this patch is the host side that actually connects
> to the guest and sends this file.

Okay.

> I think it has the advantage of failing in case the secrets haven't been
> installed and it avoids the SSH host key bootstrapping issue.  (It has
> at least the disadvantage of not being fully implemented. :-))  Also,
> longer term, it would allow us to not force password-less root
> authentication in the VM.
>
> I'm tempted to go the raw TCP way; WDYT?  We can pair-hack on it if you
> feel like it!

That would be great.  I'm attaching a new iteration of our combined work.

Using client.scm:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu build secret-service))
(hurd-vm-secret-service-copy-secrets 5999 "/home/janneke/var/geert/childhurd")
--8<---------------cut here---------------end--------------->8---

and (cutting the body of secret-service-activation to) server.scm:

--8<---------------cut here---------------start------------->8---
(use-modules (ice-9 match) (guix build utils) (rnrs bytevectors) (ice-9 binary-ports))
[...]
(define (wait-for-client port)
(let ((port (wait-for-client 5999)))
  (read-secrets port)
  (close-port port))
--8<---------------cut here---------------end--------------->8---

this actually copies files...However, the secret-service does not build:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix system disk-image gnu/system/examples/bare-hurd.tmpl
guix system: error: reference to invalid output 'out' of derivation '/gnu/store/189x9ph3piyihbs6asnjkinc5qqwfw1h-secret-service-client.drv'
[1]22:40:08 janneke@dundal:~/src/guix/master [env]
--8<---------------cut here---------------end--------------->8---

...it seems we're missing something obvious.

Thanks,
Janneke

Attachment: v2-0001-DRAFT-services-Add-secret-service-type.patch

From 7c2523a6b25ec28539d3476bdc57d29db85bcbae Mon Sep 17 00:00:00 2001
From: "Jan (janneke) Nieuwenhuizen"
Date: Sat, 29 Aug 2020 23:14:59 +0200
Subject: [PATCH v2] DRAFT services: Add secret-service-type.

TODO:

$ ./pre-inst-env guix system disk-image gnu/system/examples/bare-hurd.tmpl
guix system: error: reference to invalid output 'out' of derivation '/gnu/store/189x9ph3piyihbs6asnjkinc5qqwfw1h-secret-service-client.drv'

* split in two?
* switch ownership/co-authorship?

Co-authored-by: Ludovic Courtès

* gnu/build/secret-service.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* gnu/services/virtualization.scm (hurd-vm-shepherd-service): Use it to
copy secrets.
(hurd-vm-port): New function.
(hurd-vm-net-options): Use it.
(secret-service-activation): New procedure.
(secret-service-type): New variable.
(%hurd-vm-operating-system): Add it.
* gnu/system/examples/bare-hurd.tmpl (%hurd-os): Add it.
* doc/guix.texi (The Hurd in a Virtual Machine): Document it.
---
 doc/guix.texi                      |  19 ++++
 gnu/build/secret-service.scm       |  68 +++++++++++++
 gnu/local.mk                       |   1 +
 gnu/services/virtualization.scm    | 151 ++++++++++++++++++++++++++---
 gnu/system/examples/bare-hurd.tmpl |  20 ++--
 5 files changed, 238 insertions(+), 21 deletions(-)
 create mode 100644 gnu/build/secret-service.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 6206a93857..f8e03242b2 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25119,6 +25119,7 @@ Return the name of @var{platform}---a string such as @code{"arm"}. @cindex @code{hurd} @cindex the Hurd +@cindex childhurd Service @code{hurd-vm} provides support for running GNU/Hurd in a virtual machine (VM), a so-called ``Childhurd''. The virtual machine is
@@ -25200,6 +25201,24 @@ with forwarded ports : @code{(+ 15900 (* 1000 @var{ID}))} @end example =20 +@item @code{secret-root} (default: @code{#f}) +If set, the root directory with out-of-band secrets to be injected into +the childhurd once it runs. Childhurds are volatile which means that on +every startup, secrets such as the SSH host keys and Guix signing key +are recreated. + +Typical use is setting @code{secret-root} to @code{"/etc/childhurd"} +pointing at a tree of non-volatile secrets like so + +@example +/etc/childhurd/etc/guix/signing-key.pub +/etc/childhurd/etc/guix/signing-key.sec +/etc/childhurd/etc/ssh/ssh_host_ed25519_key +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub +@end example + @end table @end deftp =20 diff --git a/gnu/build/secret-service.scm b/gnu/build/secret-service.scm new file mode 100644 index 0000000000..fc817f8c5c --- /dev/null +++ b/gnu/build/secret-service.scm 
@@ -0,0 +1,68 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu build secret-service) + #:use-module (srfi srfi-26) + #:use-module (ice-9 rdelim) + #:use-module (guix build utils) + + #:export (hurd-vm-secret-service-copy-secrets)) + +;;; Commentary: +;;; +;;; Utility procedures for copying secrets into a VM. +;;; +;;; Code: + +(define* (hurd-vm-secret-service-copy-secrets port secret-root #:key (retr= y 20)) + "Copy all files under SECRET-ROOT using TCP to secret-service listening = at +local PORT." + + (define (file->file+size+mode file-name) + (let ((stat (stat file-name)) + (target (substring file-name (string-length secret-root)))) + (list target (stat:size stat) (stat:mode stat)))) + + (format (current-error-port) "hurd-vm-secret-service-copy-secrets\n") + + (let ((sock (socket AF_INET SOCK_STREAM 0)) + (addr (make-socket-address AF_INET INADDR_LOOPBACK port))) + ;; connect to wait for port + (let loop ((retry retry)) + (if (zero? retry) + (error "connecting to childhurd failed") + (catch 'system-error + (lambda _ + (connect sock addr)) + (lambda (key . 
args) + (format (current-error-port) "connect failed: ~a ~s\n" key a= rgs) + (sleep 1) + (loop (1- retry)))))) + (format (current-error-port) "connected!\n") + ;; copy tree + (let* ((files (find-files secret-root)) + (files-sizes-modes (map file->file+size+mode files)) + (secrets `(secrets + (version 0) + (files ,files-sizes-modes)))) + (write secrets sock) + (for-each (compose (cute display <> sock) + (cute with-input-from-file <> read-string)) + files)))) + +;;; secret-service.scm ends here diff --git a/gnu/local.mk b/gnu/local.mk index 8854698178..1d8022fd11 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -659,6 +659,7 @@ GNU_SYSTEM_MODULES =3D \ %D%/build/linux-initrd.scm \ %D%/build/linux-modules.scm \ %D%/build/marionette.scm \ + %D%/build/secret-service.scm \ %D%/build/vm.scm \ \ %D%/tests.scm \ diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.= scm index b93ed70099..aa9b06f74b 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =C2=A9 2017 Ryan Moe -;;; Copyright =C2=A9 2018 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2018, 2020 Ludovic Court=C3=A8s ;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen ;;; ;;; This file is part of GNU Guix. @@ -39,6 +39,7 @@ #:use-module (gnu system) #:use-module (guix derivations) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix monads) #:use-module (guix packages) #:use-module (guix records) @@ -48,6 +49,7 @@ #:use-module (srfi srfi-9) #:use-module (srfi srfi-26) #:use-module (rnrs bytevectors) + #:use-module (ice-9 binary-ports) #:use-module (ice-9 match) =20 #:export (%hurd-vm-operating-system @@ -61,7 +63,10 @@ hurd-vm-configuration-options hurd-vm-configuration-id hurd-vm-configuration-net-options + hurd-vm-configuration-secrets + hurd-vm-disk-image + hurd-vm-port hurd-vm-net-options hurd-vm-service-type =20 
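Review bot: In the virtualization.scm export hunk, `hurd-vm-configuration-secrets` is exported although the field this patch adds is `secret-root`, whose accessor is `hurd-vm-configuration-secret-root`, so the exported name is never defined anywhere; export the accessor that exists. In the `hurd-vm-secret-service-copy-secrets` hunk, `(cute with-input-from-file <> read-string)` followed by `(cute display <> sock)` pushes every file through Guile's textual port layer (decoding and re-encoding in the current locale) while the manifest advertises `stat:size` in bytes, so only files that are valid text in that locale are guaranteed to arrive with the advertised length. Copying the bytes unchanged with `dump-port` from `(guix build utils)`, which this module already imports for `find-files`, also avoids reading each key into memory first.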
@@ -804,6 +809,94 @@ given QEMU package." compiled for other architectures using QEMU and the @code{binfmt_misc} functionality of the kernel Linux."))) =20 + +;;; +;;; Secrets for guest VMs. +;;; + +(define (secret-service-activation port) + "Return an activation snippet that fetches sensitive material at PORT, o= ver +TCP." + (define install-secrets + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils) + (rnrs io ports) + (rnrs bytevectors) + (ice-9 match)) + + (define (wait-for-client port) + ;; Wait for a TCP connection on PORT. Note: We cannot use the + ;; virtio-serial ports, which would be safer, because they are + ;; (presumably) unsupported on GNU/Hurd. + (let ((sock (socket AF_INET SOCK_STREAM 0))) + (bind sock AF_INET INADDR_ANY port) + (listen sock 1) + (format (current-error-port) + "waiting for secrets on port ~a...~%" + port) + (match (accept sock) + ((client . address) + (format (current-error-port) "client connection from ~a~%" + (inet-ntop (sockaddr:fam address) + (sockaddr:addr address))) + (close-port sock) + client)))) + + ;; TODO: Remove when (@ (guix build utils) dump-port) has a 'siz= e' + ;; parameter. + (define (dump in out size) + ;; Copy SIZE bytes from IN to OUT. + (define buf-size 65536) + (define buf (make-bytevector buf-size)) + + (let loop ((left size)) + (if (<=3D left 0) + 0 + (let ((read (get-bytevector-n! in buf 0 (min left buf-si= ze)))) + (if (eof-object? read) + left + (begin + (put-bytevector out buf 0 read) + (loop (- left read)))))))) + + (define (read-secrets port) + ;; Read secret files from PORT and install them. 
+ (match (false-if-exception (read port)) + (('secrets ('version 0) + ('files ((files sizes modes) ...))) + (for-each (lambda (file size mode) + (format (current-error-port) + "installing file '~a' (~a bytes)...~%" + file size) + (mkdir-p (dirname file)) + (call-with-output-file file + (lambda (output) + (dump port output size) + (chmod file mode)))) + files sizes modes)) + (_ + (format (current-error-port) + "invalid secrets received~%") + (sleep 3) + (reboot)))) + + (let ((port (wait-for-client #$port))) + (read-secrets port) + (close-port port))))) + + (computed-file "secret-service-client" install-secrets)) + +(define secret-service-type + (service-type + (name 'secret-service) + (extensions (list (service-extension activation-service-type + secret-service-activation))) + (description + "This service fetches secret key and other sensitive material over TCP= at +boot time. This service is meant to be used by virtual machines (VMs) that +can only be accessed by their host."))) + ;;; ;;; The Hurd in VM service: a Childhurd. @@ -819,6 +912,8 @@ functionality of the kernel Linux."))) (target "/dev/vda") (timeout 0))) (services (cons* + ;; Receive secret keys on port 5999, TCP. + (service secret-service-type 5999) (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) @@ -849,7 +944,9 @@ functionality of the kernel Linux."))) (default #f)) (net-options hurd-vm-configuration-net-options ;list of string (thunked) - (default (hurd-vm-net-options this-record)))) + (default (hurd-vm-net-options this-record))) + (secret-root hurd-vm-configuration-secret-root ;#f or string + (default #f))) =20 (define (hurd-vm-disk-image config) "Return a disk-image for the Hurd according to CONFIG." 
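Review bot: In the `secret-service-activation` hunk, `read-secrets` drops the value `dump` returns: on a short read `dump` hands back the number of bytes still missing, yet the loop proceeds to `chmod` the truncated file and moves on to the next entry, so a half-written private key is installed as if it were complete and every later file comes out empty. A non-zero result deserves the same log-and-`reboot` treatment as the `_` branch. Two more points in the same loop: `call-with-output-file` creates the file under the default umask and `chmod` runs only after the secret has been written, so a private key is world-readable for the duration of the copy (call `(umask #o077)` before the loop, or open with `O_CREAT` and `#o600` and apply the sender's mode afterwards); and the target path is taken from the sender unchecked, so `(string-prefix? "/" file)` plus a rejection of `..` components before `mkdir-p` would keep a misbehaving client from writing outside the intended tree. That matters because `secret-service-type` is also offered for use outside `%hurd-vm-operating-system`, as the bare-hurd.tmpl hunk shows.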
@@ -861,15 +958,27 @@ functionality of the kernel Linux."))) (size disk-size) (operating-system os))))) =20 -(define (hurd-vm-net-options config) +(define (hurd-vm-port config base) + "Return the forwarded vm port for this childhurd config." (let ((id (or (hurd-vm-configuration-id config) 0))) - (define (qemu-vm-port base) - (number->string (+ base (* 1000 id)))) - `("--device" "rtl8139,netdev=3Dnet0" - "--netdev" ,(string-append - "user,id=3Dnet0" - ",hostfwd=3Dtcp:127.0.0.1:" (qemu-vm-port 10022) "-:222= 2" - ",hostfwd=3Dtcp:127.0.0.1:" (qemu-vm-port 15900) "-:590= 0")))) + (+ base (* 1000 id)))) +(define %hurd-vm-secrets-port 15999) +(define %hurd-vm-ssh-port 10022) +(define %hurd-vm-vnc-port 15900) + +(define (hurd-vm-net-options config) + `("--device" "rtl8139,netdev=3Dnet0" + "--netdev" + ,(string-append "user,id=3Dnet0" + ",hostfwd=3Dtcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-secrets-= port)) + "-:5999" + ",hostfwd=3Dtcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-ssh-port= )) + "-:2222" + ",hostfwd=3Dtcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-vnc-port= )) + "-:5900"))) =20 (define (hurd-vm-shepherd-service config) "Return a for a Hurd in a Virtual Machine with CONFIG= ." 
@@ -900,8 +1009,26 @@ functionality of the kernel Linux."))) (string->symbol (number->string id))) provisions) provisions)) - (requirement '(networking)) - (start #~(make-forkexec-constructor #$vm-command)) + (requirement '(loopback networking user-processes)) + (start + (with-imported-modules (source-module-closure '((gnu build secret-s= ervice) + (guix build utils))) + (with-extensions (list guile-ssh) + #~(let ((spawn (make-forkexec-constructor #$vm-command))) + (lambda _ + (let ((pid (spawn)) + (port #$(hurd-vm-port config %hurd-vm-secrets-port)) + (root #$(hurd-vm-configuration-secret-root config))) + (when (and root (directory-exists? root)) + (catch #t + (lambda _ + (hurd-vm-secret-service-copy-secrets port root)) + (lambda (key . args) + (format (current-error-port) "childhurd: ~a ~s\n" = key args)))) + pid)))))) + (modules `((gnu build secret-service) + (guix build utils) + ,@%default-modules)) (stop #~(make-kill-destructor)))))) =20 (define hurd-vm-service-type diff --git a/gnu/system/examples/bare-hurd.tmpl b/gnu/system/examples/bare-= hurd.tmpl index 414a9379c8..2d00a7c8bb 100644 --- a/gnu/system/examples/bare-hurd.tmpl +++ b/gnu/system/examples/bare-hurd.tmpl 
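Review bot: In the `hurd-vm-shepherd-service` hunk, `start` calls `hurd-vm-secret-service-copy-secrets` synchronously right after `spawn`, and that call sleeps in its retry loop for up to 20 seconds before copying the tree, all inside shepherd's constructor; that is the stall the cover letter describes, and while it lasts shepherd starts nothing else. Fork a child (or use a thread) for the copy so `start` can return `pid` immediately, or at least bound the wait. The `catch #t` handler only logs, so a failed copy still leaves the service reported as running while the guest sits in `wait-for-client` without its keys; either kill `pid` and return `#f`, or report the failure in some other visible way. Also, `(with-extensions (list guile-ssh) ...)` pulls Guile-SSH into the shepherd closure although nothing in `(gnu build secret-service)` uses it.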
@@ -41,14 +41,16 @@ (host-name "guixygnu") (timezone "Europe/Amsterdam") (packages (cons openssh-sans-x %base-packages/hurd)) - (services (cons (service openssh-service-type - (openssh-configuration - (openssh openssh-sans-x) - (use-pam? #f) - (port-number 2222) - (permit-root-login #t) - (allow-empty-passwords? #t) - (password-authentication? #t))) - %base-services/hurd)))) + (services (append (list (service openssh-service-type + (openssh-configuration + (openssh openssh-sans-x) + (use-pam? #f) + (port-number 2222) + (permit-root-login #t) + (allow-empty-passwords? #t) + (password-authentication? #t))) + (service (@@ (gnu services virtualization) + secret-service-type) 5999)) + %base-services/hurd)))) =20 %hurd-os --=20 Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable --=20 Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 31 02:39:40 2020 Received: (at 43106) by debbugs.gnu.org; 31 Aug 2020 06:39:40 +0000 Received: from localhost ([127.0.0.1]:51363 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCdTY-0000Ol-2n for submit@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:40 -0400 Received: from eggs.gnu.org ([209.51.188.92]:35758) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCdTT-0000OJ-8x for 43106@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:30 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:51264) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kCdTN-00011M-56; Mon, 31 Aug 2020 02:39:21 -0400 Received: from [2001:980:1b4f:1:42d2:832d:bb59:862] (port=35160 helo=dundal.fritz.box) by fencepost.gnu.org with esmtpa (Exim 4.82) (envelope-from ) id 1kCdTL-0002CR-HN; Mon, 31 Aug 2020 
02:39:20 -0400 
From: "Jan (janneke) Nieuwenhuizen" To: Ludovic Courtès , 43106@debbugs.gnu.org Subject: Re: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd Date: Mon, 31 Aug 2020 08:39:11 +0200 Message-Id: <20200831063913.664-1-janneke@gnu.org> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 43106 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

Jan Nieuwenhuizen writes:

Hello,

As discussed on IRC, version 3 follows.

> Ludovic Courtès writes:
>> "Jan (janneke) Nieuwenhuizen" skribis:
>>>
>>> +@example
>>> +/etc/childhurd/etc/guix/signing-key.pub
>>> +/etc/childhurd/etc/guix/signing-key.sec
>>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key
>>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
>>> +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
>>> +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>>> +@end example
>>
>> Would it make sense to have a list of source/target pairs instead of a
>> directory:
>>
>> (("/etc/childhurd/pubkey" . "/etc/guix/signing-key.pub")
>> …)
>>
>> ?
>
> We could do that...I'm not opposed to it and in fact I thought about
> something like this but then opted for the file system root idea because
> I didn't see the need for adding this extra indirection. If you think
> it's a good idea, sure.

Postponed that for now, though. [this still open]

Also, I think 5900 is a bad idea, qemu opens a server there. We could use
ports 2222 (forwarded to 12222), as SSH only starts later -- but hmm. As
this is all running as root anyway, I opted for 1004 (MI5).

Greetings,
Janneke

Jan (janneke) Nieuwenhuizen (2):
  services: Add secret-service-type.
services: childhurd: Support installing secrets from the host. doc/guix.texi | 21 +++++ gnu/build/secret-service.scm | 138 +++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/virtualization.scm | 92 ++++++++++++++++--- gnu/system/examples/bare-hurd.tmpl | 20 +++-- 5 files changed, 251 insertions(+), 21 deletions(-) create mode 100644 gnu/build/secret-service.scm -- Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 31 02:39:42 2020 Received: (at 43106) by debbugs.gnu.org; 31 Aug 2020 06:39:42 +0000 Received: from localhost ([127.0.0.1]:51365 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCdTg-0000P5-3W for submit@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:42 -0400 Received: from eggs.gnu.org ([209.51.188.92]:35764) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCdTT-0000OL-Lf for 43106@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:31 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:51265) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kCdTO-00011R-20; Mon, 31 Aug 2020 02:39:22 -0400 Received: from [2001:980:1b4f:1:42d2:832d:bb59:862] (port=35160 helo=dundal.fritz.box) by fencepost.gnu.org with esmtpa (Exim 4.82) (envelope-from ) id 1kCdTN-0002CR-Fi; Mon, 31 Aug 2020 02:39:21 -0400 
From: "Jan (janneke) Nieuwenhuizen" To: =?UTF-8?q?Ludovic=20Court=C3=A8s?= , 43106@debbugs.gnu.org Subject: [PATCH v3 1/2] services: Add secret-service-type. Date: Mon, 31 Aug 2020 08:39:12 +0200 Message-Id: <20200831063913.664-2-janneke@gnu.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200831063913.664-1-janneke@gnu.org> References: <20200831063913.664-1-janneke@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 43106 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) This adds a "secret-service" that can be added to a Childhurd VM to receive out-of-band secrets (keys) sent from the host. Co-authored-by: Ludovic Courtès * gnu/services/virtualization.scm (secret-service-activation): New procedure. (secret-service-type): New variable. * gnu/build/secret-service.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. --- gnu/build/secret-service.scm | 138 ++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/virtualization.scm | 29 ++++++- 3 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 gnu/build/secret-service.scm diff --git a/gnu/build/secret-service.scm b/gnu/build/secret-service.scm new file mode 100644 index 0000000000..aa88f8c209 --- /dev/null +++ b/gnu/build/secret-service.scm 
@@ -0,0 +1,138 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2020 Ludovic Courtès +;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu build secret-service) + #:use-module (guix build utils) + + #:use-module (srfi srfi-26) + #:use-module (rnrs bytevectors) + #:use-module (ice-9 binary-ports) + #:use-module (ice-9 match) + #:use-module (ice-9 rdelim) + + #:export (secret-service-receive-secrets + secret-service-send-secrets)) + +;;; Commentary: +;;; +;;; Utility procedures for copying secrets into a VM. +;;; +;;; Code: + +(define* (secret-service-send-secrets port secret-root #:key (retry 60)) + "Copy all files under SECRET-ROOT using TCP to secret-service listening at +local PORT." + + (define (file->file+size+mode file-name) + (let ((stat (stat file-name)) + (target (substring file-name (string-length secret-root)))) + (list target (stat:size stat) (stat:mode stat)))) + + (format (current-error-port) "secret-service-send-secrets\n") + + (let ((sock (socket AF_INET SOCK_STREAM 0)) + (addr (make-socket-address AF_INET INADDR_LOOPBACK port))) + ;; connect to wait for port + (let loop ((retry retry)) + (if (zero? retry) + (error "connecting to childhurd failed") + (catch 'system-error + (lambda _ + (connect sock addr)) + (lambda (key . 
args) + (format (current-error-port) "connect failed: ~a ~s\n" key args) + (sleep 1) + (loop (1- retry)))))) + (format (current-error-port) "connected!\n") + ;; copy tree + (let* ((files (if secret-root (find-files secret-root) '())) + (files-sizes-modes (map file->file+size+mode files)) + (secrets `(secrets + (version 0) + (files ,files-sizes-modes)))) + (write secrets sock) + (for-each (compose (cute display <> sock) + (cute with-input-from-file <> read-string)) + files)))) + +(define (secret-service-receive-secrets port) + "Listen to local PORT and wait for a secret service client to send secrets. +Write them to the file system." + + (define (wait-for-client port) + ;; Wait for a TCP connection on PORT. Note: We cannot use the + ;; virtio-serial ports, which would be safer, because they are + ;; (presumably) unsupported on GNU/Hurd. + (let ((sock (socket AF_INET SOCK_STREAM 0))) + (bind sock AF_INET INADDR_ANY port) + (listen sock 1) + (format (current-error-port) + "waiting for secrets on port ~a...~%" + port) + (match (accept sock) + ((client . address) + (format (current-error-port) "client connection from ~a~%" + (inet-ntop (sockaddr:fam address) + (sockaddr:addr address))) + (close-port sock) + client)))) + + ;; TODO: Remove when (@ (guix build utils) dump-port) has a 'size' + ;; parameter. + (define (dump in out size) + ;; Copy SIZE bytes from IN to OUT. + (define buf-size 65536) + (define buf (make-bytevector buf-size)) + + (let loop ((left size)) + (if (<= left 0) + 0 + (let ((read (get-bytevector-n! in buf 0 (min left buf-size)))) + (if (eof-object? read) + left + (begin + (put-bytevector out buf 0 read) + (loop (- left read)))))))) + + (define (read-secrets port) + ;; Read secret files from PORT and install them. 
+ (match (false-if-exception (read port)) + (('secrets ('version 0) + ('files ((files sizes modes) ...))) + (for-each (lambda (file size mode) + (format (current-error-port) + "installing file '~a' (~a bytes)...~%" + file size) + (mkdir-p (dirname file)) + (call-with-output-file file + (lambda (output) + (dump port output size) + (chmod file mode)))) + files sizes modes)) + (_ + (format (current-error-port) + "invalid secrets received~%") + #f))) + + (let* ((port (wait-for-client port)) + (result (read-secrets port))) + (close-port port) + result)) + +;;; secret-service.scm ends here diff --git a/gnu/local.mk b/gnu/local.mk index 8854698178..1d8022fd11 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -659,6 +659,7 @@ GNU_SYSTEM_MODULES = \ %D%/build/linux-initrd.scm \ %D%/build/linux-modules.scm \ %D%/build/marionette.scm \ + %D%/build/secret-service.scm \ %D%/build/vm.scm \ \ %D%/tests.scm \ diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index b93ed70099..6d6734dcd1 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Ryan Moe -;;; Copyright © 2018 Ludovic Courtès +;;; Copyright © 2018, 2020 Ludovic Courtès ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; ;;; This file is part of GNU Guix. 
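Review bot: In the `secret-service-receive-secrets` hunk, the success path of `read-secrets` returns the value of `for-each`, which is unspecified in Guile; the activation snippet later in this patch tests that value with `unless` to decide whether to `reboot`, which only works because the unspecified value happens not to be `#f`. Return `#t` explicitly at the end of the `('secrets ...)` branch. In the same procedure `dump` reports a short read by returning the number of bytes still missing, but that result is discarded, so a truncated key is chmod'ed and kept while every following file ends up empty; check it and return `#f`. The target path is also still used exactly as the client sent it, so a `(string-prefix? "/" file)` test and a rejection of `..` components before `mkdir-p` are worth one line. On the sending side, `(if secret-root (find-files secret-root) '())` copes with `#f`, but `file->file+size+mode` still assumes `secret-root` has no trailing slash: with `"/etc/childhurd/"` the targets lose their leading `/` and the guest writes them relative to its working directory. Strip a trailing `/`, or compute the target from the relative file name.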
@@ -804,6 +804,33 @@ given QEMU package." compiled for other architectures using QEMU and the @code{binfmt_misc} functionality of the kernel Linux."))) + +;;; +;;; Secrets for guest VMs. +;;; + +(define (secret-service-activation port) + "Return an activation snippet that fetches sensitive material at local PORT, +over TCP. Reboot upon failure." + (with-imported-modules '((gnu build secret-service) + (guix build utils)) + #~(begin + (use-modules (gnu build secret-service)) + (let ((sent (secret-service-receive-secrets #$port))) + (unless sent + (sleep 3) + (reboot)))))) + +(define secret-service-type + (service-type + (name 'secret-service) + (extensions (list (service-extension activation-service-type + secret-service-activation))) + (description + "This service fetches secret key and other sensitive material over TCP at +boot time. This service is meant to be used by virtual machines (VMs) that +can only be accessed by their host."))) + ;;; ;;; The Hurd in VM service: a Childhurd. -- Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 31 02:39:47 2020 Received: (at 43106) by debbugs.gnu.org; 31 Aug 2020 06:39:47 +0000 Received: from localhost ([127.0.0.1]:51367 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCdTi-0000PC-ES for submit@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:47 -0400 Received: from eggs.gnu.org ([209.51.188.92]:35778) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCdTW-0000OP-Rm for 43106@debbugs.gnu.org; Mon, 31 Aug 2020 02:39:37 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:51266) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kCdTR-00011c-Je; Mon, 31 Aug 2020 02:39:25 -0400 Received: from [2001:980:1b4f:1:42d2:832d:bb59:862] (port=35160 helo=dundal.fritz.box) by fencepost.gnu.org with esmtpa (Exim 4.82) (envelope-from ) id 
1kCdTO-0002CR-HZ; Mon, 31 Aug 2020 02:39:25 -0400 From: "Jan (janneke) Nieuwenhuizen" To: =?UTF-8?q?Ludovic=20Court=C3=A8s?= , 43106@debbugs.gnu.org Subject: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host. Date: Mon, 31 Aug 2020 08:39:13 +0200 Message-Id: <20200831063913.664-3-janneke@gnu.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200831063913.664-1-janneke@gnu.org> References: <20200831063913.664-1-janneke@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 43106 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * gnu/system/examples/bare-hurd.tmpl (%hurd-os)[services]: Add secret-service. * gnu/services/virtualization.scm (%hurd-vm-operating-system): Likewise. (hurd-vm-shepherd-service): Use it to install secrets. * doc/guix.texi (The Hurd in a Virtual Machine): Document it. --- doc/guix.texi | 21 ++++++++++ gnu/services/virtualization.scm | 63 ++++++++++++++++++++++++------ gnu/system/examples/bare-hurd.tmpl | 20 +++++----- 3 files changed, 84 insertions(+), 20 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 6206a93857..8a6ab698e6 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -25119,6 +25119,7 @@ Return the name of @var{platform}---a string such as @code{"arm"}. @cindex @code{hurd} @cindex the Hurd +@cindex childhurd Service @code{hurd-vm} provides support for running GNU/Hurd in a virtual machine (VM), a so-called ``Childhurd''. The virtual machine is 
@@ -25191,15 +25192,35 @@ By default, it produces @lisp '("--device" "rtl8139,netdev=net0" "--netdev" "user,id=net0\ + ,hostfwd=tcp:127.0.0.1:-:1004\ ,hostfwd=tcp:127.0.0.1:-:2222\ ,hostfwd=tcp:127.0.0.1:-:5900") @end lisp with forwarded ports @example +: @code{(+ 11004 (* 1000 @var{ID}))} : @code{(+ 10022 (* 1000 @var{ID}))} : @code{(+ 15900 (* 1000 @var{ID}))} @end example +@item @code{secret-root} (default: @code{#f}) +If set, the root directory with out-of-band secrets to be installed into +the childhurd once it runs. Childhurds are volatile which means that on +every startup, secrets such as the SSH host keys and Guix signing key +are recreated. + +Typical use is setting @code{secret-root} to @code{"/etc/childhurd"} +pointing at a tree of non-volatile secrets like so + +@example +/etc/childhurd/etc/guix/signing-key.pub +/etc/childhurd/etc/guix/signing-key.sec +/etc/childhurd/etc/ssh/ssh_host_ed25519_key +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key +/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub +/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub +@end example + @end table @end deftp diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm index 6d6734dcd1..1fa74f815e 100644 --- a/gnu/services/virtualization.scm +++ b/gnu/services/virtualization.scm @@ -39,6 +39,7 @@ #:use-module (gnu system) #:use-module (guix derivations) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix monads) #:use-module (guix packages) #:use-module (guix records) @@ -61,7 +62,10 @@ hurd-vm-configuration-options hurd-vm-configuration-id hurd-vm-configuration-net-options + hurd-vm-configuration-secrets + hurd-vm-disk-image + hurd-vm-port hurd-vm-net-options hurd-vm-service-type @@ -846,6 +850,8 @@ can only be accessed by their host."))) (target "/dev/vda") (timeout 0))) (services (cons* + ;; Receive secret keys on port 1004, TCP. + (service secret-service-type 1004) (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) 
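Review bot: In the export hunk, `hurd-vm-configuration-secrets` is exported but the field added in the next hunk is `secret-root`, whose accessor is `hurd-vm-configuration-secret-root`, so the exported name is never defined; export the accessor instead. The same list should gain `secret-service-type` from patch 1/2: bare-hurd.tmpl currently has to reach it with `(@@ (gnu services virtualization) secret-service-type)`, which bypasses the module's public interface. In the doc hunk, `secret-root` is said to inject the secrets "once it runs", but that holds only when the guest operating system includes `secret-service-type` listening on the port the host forwards (1004 by default); `%hurd-vm-operating-system` does, a user-supplied `os` may not, and then the host side retries for a minute and fails. Say so next to the option, and state that the files are installed as root at the same absolute path inside the guest, with the mode they have on the host, since that is what decides whether a tree under `/etc/childhurd` is laid out correctly.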
@@ -876,7 +882,9 @@ can only be accessed by their host."))) (default #f)) (net-options hurd-vm-configuration-net-options ;list of string (thunked) - (default (hurd-vm-net-options this-record)))) + (default (hurd-vm-net-options this-record))) + (secret-root hurd-vm-configuration-secret-root ;#f or string + (default #f))) (define (hurd-vm-disk-image config) "Return a disk-image for the Hurd according to CONFIG." @@ -888,15 +896,27 @@ can only be accessed by their host."))) (size disk-size) (operating-system os))))) -(define (hurd-vm-net-options config) +(define (hurd-vm-port config base) + "Return the forwarded vm port for this childhurd config." (let ((id (or (hurd-vm-configuration-id config) 0))) - (define (qemu-vm-port base) - (number->string (+ base (* 1000 id)))) - `("--device" "rtl8139,netdev=net0" - "--netdev" ,(string-append - "user,id=net0" - ",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 10022) "-:2222" - ",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 15900) "-:5900")))) + (+ base (* 1000 id)))) +(define %hurd-vm-secrets-port 11004) +(define %hurd-vm-ssh-port 10022) +(define %hurd-vm-vnc-port 15900) + +(define (hurd-vm-net-options config) + `("--device" "rtl8139,netdev=net0" + "--netdev" + ,(string-append "user,id=net0" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-secrets-port)) + "-:1004" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-ssh-port)) + "-:2222" + ",hostfwd=tcp:127.0.0.1:" + (number->string (hurd-vm-port config %hurd-vm-vnc-port)) + "-:5900"))) (define (hurd-vm-shepherd-service config) "Return a for a Hurd in a Virtual Machine with CONFIG." 
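Review bot: In the `hurd-vm-net-options` hunk, the secrets port is forwarded as `hostfwd=tcp:127.0.0.1:<11004 + 1000*ID>-:1004`. Loopback keeps it off the network, but every local user on the host can connect to it, and the guest accepts the first connection it gets, unauthenticated, and writes whatever files that client names, as root. QEMU opens the forward as soon as it starts, the guest listener appears some seconds later, and the shepherd's sender is retrying once a second, so an unprivileged local process that connects first can plant its own SSH host keys or Guix signing key in the childhurd, the very keys the host is meant to trust. There is no Unix-socket option for user-mode `hostfwd`, so at minimum the `secret-root` documentation should state that the port is reachable by all local users; a cheap hardening is a per-boot token handed to the guest over a channel only root on the host controls, which the client has to present before the manifest.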
@@ -927,8 +947,29 @@ can only be accessed by their host."))) (string->symbol (number->string id))) provisions) provisions)) - (requirement '(networking)) - (start #~(make-forkexec-constructor #$vm-command)) + (requirement '(loopback networking user-processes)) + (start + (with-imported-modules + (source-module-closure '((gnu build secret-service) + (guix build utils))) + #~(let ((spawn (make-forkexec-constructor #$vm-command))) + (lambda _ + (let ((pid (spawn)) + (port #$(hurd-vm-port config %hurd-vm-secrets-port)) + (root #$(hurd-vm-configuration-secret-root config))) + (and root (directory-exists? root) + (catch #t + (lambda _ + (secret-service-send-secrets port root)) + (lambda (keys . args) + (format (current-error-port) + "failed to send secrets: ~a ~s\n" key args) + (kill pid) + #f)) + pid)))))) + (modules `((gnu build secret-service) + (guix build utils) + ,@%default-modules)) (stop #~(make-kill-destructor)))))) (define hurd-vm-service-type diff --git a/gnu/system/examples/bare-hurd.tmpl b/gnu/system/examples/bare-hurd.tmpl index 414a9379c8..2d00a7c8bb 100644 --- a/gnu/system/examples/bare-hurd.tmpl +++ b/gnu/system/examples/bare-hurd.tmpl 
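Review bot: In the `hurd-vm-shepherd-service` hunk, the body of `start` is `(and root (directory-exists? root) (catch ...) pid)`, so with the default `secret-root` of `#f` the constructor returns `#f`: shepherd marks the service as failed while the QEMU process spawned one line earlier keeps running unmanaged, out of reach of `stop`. Only the copy should be conditional, e.g. `(if (and root (directory-exists? root)) (and (catch #t ...) pid) pid)`, so that `pid` is the result whenever there is nothing to send. Two more problems in the handler: it is declared `(lambda (keys . args)` but the `format` call references `key`, so any send failure raises an unbound-variable error from inside the handler, and `(kill pid)` is missing its signal argument. Independently of the control flow, `secret-service-send-secrets` runs inline with up to 60 one-second retries, so a guest that never opens port 1004 stalls shepherd for a minute; doing the copy in a forked child that `start` does not wait for would avoid that.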
@@ -41,14 +41,16 @@ (host-name "guixygnu") (timezone "Europe/Amsterdam") (packages (cons openssh-sans-x %base-packages/hurd)) - (services (cons (service openssh-service-type - (openssh-configuration - (openssh openssh-sans-x) - (use-pam? #f) - (port-number 2222) - (permit-root-login #t) - (allow-empty-passwords? #t) - (password-authentication? #t))) - %base-services/hurd)))) + (services (append (list (service openssh-service-type + (openssh-configuration + (openssh openssh-sans-x) + (use-pam? #f) + (port-number 2222) + (permit-root-login #t) + (allow-empty-passwords? #t) + (password-authentication? #t))) + (service (@@ (gnu services virtualization) + secret-service-type) 5999)) + %base-services/hurd)))) %hurd-os -- Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 31 11:23:28 2020 Received: (at 43106) by debbugs.gnu.org; 31 Aug 2020 15:23:28 +0000 Received: from localhost ([127.0.0.1]:53386 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCleZ-0003e0-Ts for submit@debbugs.gnu.org; Mon, 31 Aug 2020 11:23:28 -0400 Received: from eggs.gnu.org ([209.51.188.92]:39496) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kCleX-0003dm-Oo for 43106@debbugs.gnu.org; Mon, 31 Aug 2020 11:23:27 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:57740) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kCleR-0007sw-Kb; Mon, 31 Aug 2020 11:23:19 -0400 Received: from [2001:980:1b4f:1:42d2:832d:bb59:862] (port=37410 helo=dundal.janneke.lilypond.org) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kCleR-00075G-26; Mon, 31 Aug 2020 11:23:19 -0400 
From: Jan Nieuwenhuizen To: Ludovic Courtès Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host. Organization: AvatarAcademy.nl References: <20200831063913.664-1-janneke@gnu.org> <20200831063913.664-3-janneke@gnu.org> X-Url: http://AvatarAcademy.nl Date: Mon, 31 Aug 2020 17:23:11 +0200 In-Reply-To: <20200831063913.664-3-janneke@gnu.org> (Jan Nieuwenhuizen's message of "Mon, 31 Aug 2020 08:39:13 +0200") Message-ID: <87ft82et5s.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 43106 Cc: 43106@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---)

Jan (janneke) Nieuwenhuizen writes:

> * gnu/system/examples/bare-hurd.tmpl (%hurd-os)[services]: Add secret-service.
> * gnu/services/virtualization.scm (%hurd-vm-operating-system): Likewise.
> (hurd-vm-shepherd-service): Use it to install secrets.
> * doc/guix.texi (The Hurd in a Virtual Machine): Document it.

[..]

> diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
> index 6d6734dcd1..1fa74f815e 100644
> --- a/gnu/services/virtualization.scm
> +++ b/gnu/services/virtualization.scm

[..]

> + (kill pid)

Oops; (kill pid SIGTERM) or something

> diff --git a/gnu/system/examples/bare-hurd.tmpl b/gnu/system/examples/bare-hurd.tmpl
> index 414a9379c8..2d00a7c8bb 100644
> --- a/gnu/system/examples/bare-hurd.tmpl
> +++ b/gnu/system/examples/bare-hurd.tmpl
> @@ -41,14 +41,16 @@

[..]

> + (service (@@ (gnu services virtualization)
> + secret-service-type) 5999))

Oops, should be 1004.

Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com

From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 01 06:01:48 2020 Received: (at 43106) by debbugs.gnu.org; 1 Sep 2020 10:01:48 +0000 Received: from localhost ([127.0.0.1]:55093 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kD36o-0004II-0Y for submit@debbugs.gnu.org; Tue, 01 Sep 2020 06:01:48 -0400 Received: from eggs.gnu.org ([209.51.188.92]:35984) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kD36i-0004Hv-NL for 43106@debbugs.gnu.org; Tue, 01 Sep 2020 06:01:44 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:47946) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kD36c-0004qe-LS; Tue, 01 Sep 2020 06:01:34 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=59160 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kD36b-0002yt-Uo; Tue, 01 Sep 2020 06:01:34 -0400
From: Ludovic Courtès
To: "Jan (janneke) Nieuwenhuizen"
Subject: Re: [PATCH v3 1/2] services: Add secret-service-type.
Date: Tue, 01 Sep 2020 10:26:34 +0200
Message-ID: <873641c37p.fsf@gnu.org>
In-Reply-To: <20200831063913.664-2-janneke@gnu.org>

Hi!

"Jan (janneke) Nieuwenhuizen" skribis:

> This adds a "secret-service" that can be added to a Childhurd VM to receive
> out-of-band secrets (keys) sent from the host.
>
> Co-authored-by: Ludovic Courtès
>
> * gnu/services/virtualization.scm (secret-service-activation): New procedure.
> (secret-service-type): New variable.
> * gnu/build/secret-service.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.

Very nice!  Minor suggestions:

> + (format (current-error-port) "secret-service-send-secrets\n")

Perhaps write “sending secrets to ~a:~a...~%” or similar.
> + (let ((sock (socket AF_INET SOCK_STREAM 0))
> + (addr (make-socket-address AF_INET INADDR_LOOPBACK port)))
> + ;; connect to wait for port
> + (let loop ((retry retry))
> + (if (zero? retry)
> + (error "connecting to childhurd failed")

s/childhurd/secret server/

> + (catch 'system-error
> + (lambda _
> + (connect sock addr))
> + (lambda (key . args)
> + (format (current-error-port) "connect failed: ~a ~s\n" key args)

Perhaps remove print “retrying connection” (or similar), and re-throw
the exception when RETRY is zero, so that it goes through as is (and
thus you can remove the call to ‘error’ above.)

> + ;; copy tree
> + (let* ((files (if secret-root (find-files secret-root) '()))
> + (files-sizes-modes (map file->file+size+mode files))
> + (secrets `(secrets
> + (version 0)
> + (files ,files-sizes-modes))))
> + (write secrets sock)
> + (for-each (compose (cute display <> sock)
> + (cute with-input-from-file <> read-string))

Instead of loading it all in memory, we can use ‘dump-port’ from (guix
build utils) here.

That’s it!

Ludo’.
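Review bot: in the visible part of this hunk the socket is never closed: after the for-each that streams the files, add (close-port sock) so the descriptor is released and the peer sees end-of-stream instead of waiting on the last file. Also worth a docstring sentence on the same procedure: the transfer is cleartext TCP to INADDR_LOOPBACK:port and nothing in these lines authenticates the peer, so the design trusts whatever is listening on that forwarded port; state that assumption (host and childhurd under one administrator) where secret-service-send-secrets is documented.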
From: Ludovic Courtès
To: "Jan (janneke) Nieuwenhuizen"
Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host.
Date: Tue, 01 Sep 2020 10:37:40 +0200
Message-ID: <87tuwhao4r.fsf@gnu.org>
In-Reply-To: <20200831063913.664-3-janneke@gnu.org>

"Jan (janneke) Nieuwenhuizen" skribis:

> * gnu/system/examples/bare-hurd.tmpl (%hurd-os)[services]: Add secret-service.
> * gnu/services/virtualization.scm (%hurd-vm-operating-system): Likewise.
> (hurd-vm-shepherd-service): Use it to install secrets.
> * doc/guix.texi (The Hurd in a Virtual Machine): Document it.

Yay, minor issues, but overall LGTM!

> (services (cons*
> + ;; Receive secret keys on port 1004, TCP.
> + (service secret-service-type 1004)

[...]
> + (start
> + (with-imported-modules
> + (source-module-closure '((gnu build secret-service)
> + (guix build utils)))
> + #~(let ((spawn (make-forkexec-constructor #$vm-command)))
> + (lambda _
> + (let ((pid (spawn))
> + (port #$(hurd-vm-port config %hurd-vm-secrets-port))
> + (root #$(hurd-vm-configuration-secret-root config)))
> + (and root (directory-exists? root)
> + (catch #t
> + (lambda _
> + (secret-service-send-secrets port root))

Perhaps ‘hurd-vm-service-type’ should unconditionally extend (via
‘service-extension’) ‘secret-service-type’, just to ensure that Hurd VMs
always include the secret service.

In any case, we should assume that the VM is always running the secret
service server, and thus call ‘secret-service-send-secrets’
unconditionally (‘secret-service-send-secrets’ does (find-files root),
which returns the empty list when ROOT doesn’t exist, I think.)

> + (lambda (keys . args)

Should be “key” (singular).

> + (format (current-error-port)
> + "failed to send secrets: ~a ~s\n" key args)
> + (kill pid)

(kill (- pid)) to kill the whole process group (just in case).

I’d remove the ‘format’ call and just re-throw the exception: shepherd
should report it correctly.

[...]

> + (service (@@ (gnu services virtualization)
> + secret-service-type) 5999))

This is useful for testing but I wouldn’t commit it (in particular
because the example would no longer work for people who’re just spawning
the VM and not trying to feed it secrets over TCP).

That’s it, thanks a lot!

Ludo’.
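Review bot: the guest-side port is hard-coded as 1004 in %hurd-vm-operating-system while the host side in this hunk derives its target from (hurd-vm-port config %hurd-vm-secrets-port); nothing in the two hunks ties the values together, so a user who supplies a custom os whose secret-service listens elsewhere gets the connect loop retrying until RETRY runs out and then the VM being killed from the handler. Suggest deriving the guest port from the same constant the host uses, or at least a docstring line on hurd-vm-configuration saying that a custom os must keep the secret-service port equal to %hurd-vm-secrets-port.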
From: Ludovic Courtès
To: "Jan (janneke) Nieuwenhuizen"
Subject: Re: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd
Date: Tue, 01 Sep 2020 10:50:03 +0200
Message-ID: <87eenlank4.fsf@gnu.org>
In-Reply-To: <20200831063913.664-1-janneke@gnu.org>

"Jan (janneke) Nieuwenhuizen" skribis:

> Also, I think 5900 is a bad idea, qemu opens a server there.

Oops, my bad!

> We could use ports 2222 (forwarded to 12222), as SSH only starts later
> -- but hmm.  As this is all running as root anyway, I opted for 1004
> (MI5).

Did you mean MI6?  But then, why 1004?  Just because we can’t use 007?

Curious!

Ludo’.
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd
Date: Tue, 01 Sep 2020 13:16:33 +0200
Message-ID: <87h7sh927i.fsf@gnu.org>
In-Reply-To: <87eenlank4.fsf@gnu.org>

Ludovic Courtès writes:

> "Jan (janneke) Nieuwenhuizen" skribis:
>
>> Also, I think 5900 is a bad idea, qemu opens a server there.
>
> Oops, my bad!
>
>> We could use ports 2222 (forwarded to 12222), as SSH only starts later
>> -- but hmm.  As this is all running as root anyway, I opted for 1004
>> (MI5).
>
> Did you mean MI6?

Hmm, (checks the interwebs) yeah, Mi6.  Then the joke is really
too far-fetched, because

> But then, why 1004?

I was thinking MI5 ~> MIV => (roman numerals) 1004.  But that doesn't
really work with "6" :-(

> Just because we can’t use 007?

Yeah, that too.  Also, how to pick an arbitrary number?
Anyway, it's 1004 now, feel free to suggest something else :-)

Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: [PATCH v3 1/2] services: Add secret-service-type.
Date: Tue, 01 Sep 2020 15:38:51 +0200
Message-ID: <87zh69d3bo.fsf@gnu.org>

Ludovic Courtès writes:

Hello,

> "Jan (janneke) Nieuwenhuizen" skribis:
>
>> This adds a "secret-service" that can be added to a Childhurd VM to receive
>> out-of-band secrets (keys) sent from the host.
>>
>> Co-authored-by: Ludovic Courtès
>>
>> * gnu/services/virtualization.scm (secret-service-activation): New procedure.
>> (secret-service-type): New variable.
>> * gnu/build/secret-service.scm: New file.
>> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
>
> Very nice!  Minor suggestions:

Great!

>> + (format (current-error-port) "secret-service-send-secrets\n")
>
> Perhaps write “sending secrets to ~a:~a...~%” or similar.

Ok.

>> + (let ((sock (socket AF_INET SOCK_STREAM 0))
>> + (addr (make-socket-address AF_INET INADDR_LOOPBACK port)))
>> + ;; connect to wait for port
>> + (let loop ((retry retry))
>> + (if (zero? retry)
>> + (error "connecting to childhurd failed")
>
> s/childhurd/secret server/

Ah, sure.

>> + (catch 'system-error
>> + (lambda _
>> + (connect sock addr))
>> + (lambda (key . args)
>> + (format (current-error-port) "connect failed: ~a ~s\n" key args)
>
> Perhaps remove print “retrying connection” (or similar), and re-throw
> the exception when RETRY is zero, so that it goes through as is (and
> thus you can remove the call to ‘error’ above.)

Ah yes, changed it to

    (catch 'system-error
      (cut connect sock addr)
      (lambda (key . args)
        (when (zero? retry) (apply throw key args))
        (format (current-error-port) "retrying connection~%")
        (sleep 1)
        (loop (1- retry)))))

>> + ;; copy tree
>> + (let* ((files (if secret-root (find-files secret-root) '()))
>> + (files-sizes-modes (map file->file+size+mode files))
>> + (secrets `(secrets
>> + (version 0)
>> + (files ,files-sizes-modes))))
>> + (write secrets sock)
>> + (for-each (compose (cute display <> sock)
>> + (cute with-input-from-file <> read-string))
>
> Instead of loading it all in memory, we can use ‘dump-port’ from (guix
> build utils) here.

Nice, changed to

    (for-each (compose (cute dump-port <> sock)
                       (cute open-input-file <>))
              files))))

> That’s it!
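The exchange the two messages above settle on (one s-expression manifest, then the file bytes streamed in order with dump-port, after a connect loop that retries on 'system-error), as an added example that is not part of the thread and not Guix's own gnu/build/secret-service.scm. It is written in Python rather than Guile so both ends fit in one runnable file over a socketpair; the receiving side is never shown in the thread, so its behaviour here is an assumption: file names are taken to be sent relative to the secret root and installed at that path under the VM's root, each file cut at the size the manifest announced. The sample key material and file names are constructed.

```python
import io, os, pathlib, re, socket, stat, tempfile, threading

# Constructed example, not Guix's own code.  Wire format as the quoted hunk shows it:
# one datum (secrets (version 0) (files ((name size mode) ...))), then the raw bytes
# of every file back to back, in manifest order.  Assumed, since the thread never shows
# the receiver: names are relative to the secret root (so "/etc/ssh/ssh_host_key" lands
# at that path inside the VM) and the VM cuts the stream at each announced SIZE.
KEY_BYTES = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"  # constructed sample
PUB_BYTES = b"ssh-ed25519 AAAA constructed\n"                       # constructed sample
_HEADER = re.compile(r'\s*\(\s*secrets\s+\(\s*version\s+0\s*\)\s+\(\s*files\s+\((.*)\)\s*\)\s*\)\s*', re.S)
_ENTRY = re.compile(r'\s*\(\s*"((?:[^"\\]|\\.)*)"\s+(\d+)\s+(\d+)\s*\)')

def read_manifest(stream):
    """Consume exactly one '(...)' datum as Scheme's `read` does on the socket: stop at
    the matching ')' so the file bytes that follow stay in the stream.  Returns [(name, size, mode)]."""
    buf, depth, in_string, escaped = bytearray(), 0, False, False
    for b in iter(lambda: stream.read(1), b""):
        buf += b
        c = b[0]
        if in_string:  # inside "...": a backslash escapes the next byte, '"' ends the string
            escaped, in_string = (False, True) if escaped else (c == 0x5C, c != 0x22)
        elif c == 0x22:
            in_string = True
        elif depth == 0 and c != 0x28 and not chr(c).isspace():
            raise ValueError("manifest must start with '('")
        elif c == 0x28:
            depth += 1
        elif c == 0x29:
            depth -= 1
            if depth == 0:
                break
    else:
        raise EOFError("stream ended inside the manifest")
    head = _HEADER.fullmatch(buf.decode("utf-8"))
    if not head or _ENTRY.sub("", head.group(1)).strip():
        raise ValueError("unsupported manifest: %r" % bytes(buf))
    return [(re.sub(r"\\(.)", r"\1", n), int(s), int(m)) for n, s, m in _ENTRY.findall(head.group(1))]

def send_secrets(sock, secret_root):
    """Host side: write the manifest, then stream each file from disk (no whole-file read)."""
    entries = []
    for dirpath, _, names in os.walk(secret_root):
        for name in sorted(names):
            full, st = os.path.join(dirpath, name), os.stat(os.path.join(dirpath, name))
            entries.append(("/" + os.path.relpath(full, secret_root), st.st_size, stat.S_IMODE(st.st_mode)))
    files = " ".join('("%s" %d %d)' % (n.replace("\\", "\\\\").replace('"', '\\"'), s, m) for n, s, m in entries)
    sock.sendall(("(secrets (version 0) (files (%s)))" % files).encode("utf-8"))
    for name, _, _ in entries:
        with open(os.path.join(secret_root, name[1:]), "rb") as f:
            sock.sendfile(f)  # streams the file in chunks, as dump-port does in the revised patch
    return len(entries)

def receive_secrets(stream, dest_root):
    """VM side: refuse any name that resolves outside DEST_ROOT, create each file 0600
    and only then apply the announced mode (S_IMODE drops the type bits stat:mode carries)."""
    dest_root, installed = os.path.realpath(dest_root), []
    for name, size, mode in read_manifest(stream):
        target = os.path.realpath(os.path.join(dest_root, name.lstrip("/")))
        if target == dest_root or os.path.commonpath([dest_root, target]) != dest_root:
            raise ValueError("refusing to write outside the root: %r" % name)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with os.fdopen(os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as out:
            remaining = size
            while remaining:
                chunk = stream.read(min(65536, remaining))
                if not chunk:
                    raise EOFError("stream ended inside %r" % name)
                out.write(chunk)
                remaining -= len(chunk)
        os.chmod(target, stat.S_IMODE(mode))
        installed.append((name, size, stat.S_IMODE(mode)))
    return installed

def demo():
    """Round-trip two constructed files over a socketpair; return what landed in the VM root."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(src, "etc", "ssh"))
    for name, data, mode in (("etc/ssh/ssh_host_ed25519_key", KEY_BYTES, 0o600),
                             ("etc/ssh/ssh_host_ed25519_key.pub", PUB_BYTES, 0o644)):
        pathlib.Path(src, name).write_bytes(data)
        os.chmod(os.path.join(src, name), mode)
    host, vm = socket.socketpair()
    threading.Thread(target=lambda: (send_secrets(host, src), host.close())).start()
    with vm.makefile("rb") as stream:
        installed = receive_secrets(stream, dst)
    return {name: (pathlib.Path(dst + name).read_bytes(), size,
                   oct(stat.S_IMODE(os.stat(dst + name).st_mode))) for name, size, _ in installed}

def traversal_rejected():
    """Edge case: a manifest naming a file outside the root is refused before that entry is written."""
    evil = io.BytesIO(b'(secrets (version 0) (files (("/../evil" 3 420))))xyz')
    try:
        receive_secrets(evil, tempfile.mkdtemp())
    except ValueError:
        return True
    return False
```

The byte-at-a-time reader is the point worth noticing: because the manifest is framed only by its closing parenthesis, the receiver must stop reading exactly there, as Scheme's `read` does, or it swallows the start of the first key. The receiver also creates every file 0600 first and widens it afterwards, and resolves each name before writing so a manifest entry cannot escape the install root.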
Thanks for your suggestions,
Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host.
Date: Tue, 01 Sep 2020 15:40:38 +0200
Message-ID: <87sgc1d38p.fsf@gnu.org>

Ludovic Courtès writes:

> "Jan (janneke) Nieuwenhuizen" skribis:
>
>> * gnu/system/examples/bare-hurd.tmpl (%hurd-os)[services]: Add secret-service.
>> * gnu/services/virtualization.scm (%hurd-vm-operating-system): Likewise.
>> (hurd-vm-shepherd-service): Use it to install secrets.
>> * doc/guix.texi (The Hurd in a Virtual Machine): Document it.
>
> Yay, minor issues, but overall LGTM!

\o/

>> (services (cons*
>> + ;; Receive secret keys on port 1004, TCP.
>> + (service secret-service-type 1004)
>
> [...]
>
>> + (start
>> + (with-imported-modules
>> + (source-module-closure '((gnu build secret-service)
>> + (guix build utils)))
>> + #~(let ((spawn (make-forkexec-constructor #$vm-command)))
>> + (lambda _
>> + (let ((pid (spawn))
>> + (port #$(hurd-vm-port config %hurd-vm-secrets-port))
>> + (root #$(hurd-vm-configuration-secret-root config)))
>> + (and root (directory-exists? root)
>> + (catch #t
>> + (lambda _
>> + (secret-service-send-secrets port root))

> In any case, we should assume that the VM is always running the secret
> service server, and thus call ‘secret-service-send-secrets’
> unconditionally (‘secret-service-send-secrets’ does (find-files root),
> which returns the empty list when ROOT doesn’t exist,

Yeah I was struggling a bit with this; the hurd-vm-service and the
childhurd must agree on the usage of secret-service.  That's why I came
up with this root-dir #f switch...but it's certainly simpler if we say
that it must always be there.  Let's see if we can get away with that!

So, I removed the root-dir checks and we always call
'secret-service-send-secrets', and changed the default from #f to

  (secret-root hurd-vm-configuration-secret-root ;string
               (default "/etc/childhurd")))

where "/etc/childhurd" does not need to exist.

> Perhaps ‘hurd-vm-service-type’ should unconditionally extend (via
> ‘service-extension’) ‘secret-service-type’, just to ensure that Hurd VMs
> always include the secret service.

Eh, hurd-vm-service lives in the host, the secret-services lives in the
client; am I missing something? ;-)

We could add a check for secret-service, possibly here

(define (hurd-vm-disk-image config)
  "Return a disk-image for the Hurd according to CONFIG."
  (let ((os (hurd-vm-configuration-os config))
        (disk-size (hurd-vm-configuration-disk-size config)))
    (system-image
     (image
      (inherit hurd-disk-image)
      (size disk-size)
      (operating-system os)))))

and/or insert if it's missing...seems a bit over the top to me?

> I think.)

Yes, it does, but then the default cannot be #f, it must be a string.
I'm picking "/etc/childhurd" as a default that need not exist.

>> + (lambda (keys . args)
>
> Should be “key” (singular).
Oops :-)

>> + (format (current-error-port)
>> + "failed to send secrets: ~a ~s\n" key args)
>> + (kill pid)
>
> (kill (- pid)) to kill the whole process group (just in case).
>
> I’d remove the ‘format’ call and just re-throw the exception: shepherd
> should report it correctly.

Done!  Changed to unconditionally run

      (catch #t
        (lambda _
          (secret-service-send-secrets port root))
        (lambda (key . args)
          (kill (- pid) SIGTERM)
          (apply throw key args)))
      pid)))))

>> + (service (@@ (gnu services virtualization)
>> + secret-service-type) 5999))
>
> This is useful for testing but I wouldn’t commit it (in particular
> because the example would no longer work for people who’re just spawning
> the VM and not trying to feed it secrets over TCP).

Right, removed.

> That’s it, thanks a lot!

You too!

Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host.
Date: Tue, 01 Sep 2020 16:16:52 +0200
Message-ID: <87imcxd1kb.fsf@gnu.org>
In-Reply-To: <87sgc1d38p.fsf@gnu.org>

Jan Nieuwenhuizen writes:

> Ludovic Courtès writes:
>
>> "Jan (janneke) Nieuwenhuizen" skribis:

> Eh, hurd-vm-service lives in the host, the secret-services lives in the
> client; am I missing something? ;-)
>
> We could add a check for secret-service, possibly here

[..]

After aligning on IRC we decided this can be done later; pushed to
master as 01cefb7a570d846476ff5cb05d3b1e3511db5d81, closing.
Janneke

-- 
Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
From: Ludovic Courtès
To: Jan Nieuwenhuizen
Subject: Re: [bug#43106] [PATCH v3 0/2] Secret services for the Childhurd
Date: Tue, 01 Sep 2020 22:45:20 +0200
Message-ID: <87d0358bvj.fsf@gnu.org>
In-Reply-To: <87h7sh927i.fsf@gnu.org>

Jan Nieuwenhuizen skribis:

> Ludovic Courtès writes:
>
>> "Jan (janneke) Nieuwenhuizen" skribis:
>>
>>> Also, I think 5900 is a bad idea, qemu opens a server there.
>>
>> Oops, my bad!
>>
>>> We could use ports 2222 (forwarded to 12222), as SSH only starts later
>>> -- but hmm.  As this is all running as root anyway, I opted for 1004
>>> (MI5).
>>
>> Did you mean MI6?
>
> Hmm, (checks the interwebs) yeah, Mi6.  Then the joke is really
> too far-fetched, because
>
>> But then, why 1004?
>
> I was thinking MI5 ~> MIV => (roman numerals) 1004.  But that doesn't
> really work with "6" :-(

Oooh, brilliant!

>> Just because we can’t use 007?
>
> Yeah, that too.  Also, how to pick an arbitrary number?
> Anyway, it's 1004 now, feel free to suggest something else :-)

1004 is perfect, we have a good story to back it up!  (And it’s not in
/etc/services, which makes it even better.)

Ludo’.
From: Ludovic Courtès
To: Jan Nieuwenhuizen
Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host.
Date: Tue, 01 Sep 2020 22:54:21 +0200
Message-ID: <877dtd8bgi.fsf@gnu.org>
In-Reply-To: <87sgc1d38p.fsf@gnu.org>

Hi!

Jan Nieuwenhuizen skribis:

> Ludovic Courtès writes:

[...]

>> Perhaps ‘hurd-vm-service-type’ should unconditionally extend (via
>> ‘service-extension’) ‘secret-service-type’, just to ensure that Hurd VMs
>> always include the secret service.
>
> Eh, hurd-vm-service lives in the host, the secret-services lives in the
> client; am I missing something? ;-)

Ah no, it’s me.  :-)

> We could add a check for secret-service, possibly here
>
> (define (hurd-vm-disk-image config)
>   "Return a disk-image for the Hurd according to CONFIG."
>   (let ((os (hurd-vm-configuration-os config))
>         (disk-size (hurd-vm-configuration-disk-size config)))
>     (system-image
>      (image
>       (inherit hurd-disk-image)
>       (size disk-size)
>       (operating-system os)))))
>
> and/or insert if it's missing...seems a bit over the top to me?

Yes, exactly.  We could pass ‘os’ through
‘secret-service-operating-system’, where:

  (define (secret-service-operating-system os)
    (operating-system
      (inherit os)
      (services (cons (service secret-service-type)
                      (operating-system-user-services os)))))

(A similar pattern is found in ‘virtualized-operating-system’ and
‘containerized-operating-system’.)

Thanks for these patches!

Ludo’.
From: Jan Nieuwenhuizen
To: Ludovic Courtès
Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host.
Organization: AvatarAcademy.nl
References: <20200831063913.664-1-janneke@gnu.org> <20200831063913.664-3-janneke@gnu.org> <87tuwhao4r.fsf@gnu.org> <87sgc1d38p.fsf@gnu.org> <877dtd8bgi.fsf@gnu.org>
Date: Wed, 02 Sep 2020 07:28:04 +0200
In-Reply-To: <877dtd8bgi.fsf@gnu.org> ("Ludovic Courtès"'s message of "Tue, 01 Sep 2020 22:54:21 +0200")
Message-ID: <87o8mo693v.fsf@gnu.org>
Cc: 43106@debbugs.gnu.org

Ludovic Courtès writes:

Hello!

> Jan Nieuwenhuizen skribis:
>
>> Ludovic Courtès writes:
>
> [...]
>
>> We could add a check for secret-service, possibly here
>>
>>   (define (hurd-vm-disk-image config)
>>     "Return a disk-image for the Hurd according to CONFIG."
>>     (let ((os (hurd-vm-configuration-os config))
>>           (disk-size (hurd-vm-configuration-disk-size config)))
>>       (system-image
>>        (image
>>         (inherit hurd-disk-image)
>>         (size disk-size)
>>         (operating-system os)))))
>>
>> and/or insert if it's missing...seems a bit over the top to me?
>
> Yes, exactly.  We could pass ‘os’ through
> ‘secret-service-operating-system’, where:
>
>   (define (secret-service-operating-system os)
>     (operating-system
>       (inherit os)
>       (services (cons (service secret-service-type)
>                       (operating-system-user-services os)))))
>
> (A similar pattern is found in ‘virtualized-operating-system’ and
> ‘containerized-operating-system’.)

Right, that's nice.  I've added this (attached commit) to master.

> Thanks for these patches!

Happy; thanks for helping!

Janneke

Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline; filename=0001-services-hurd-vm-Have-Childhurd-always-include-the-s.patch

From f07f479fc7417574c7bcb7ab3b70becda72eae25 Mon Sep 17 00:00:00 2001
From: "Jan (janneke) Nieuwenhuizen"
Date: Wed, 2 Sep 2020 07:13:15 +0200
Subject: [PATCH] services: hurd-vm: Have Childhurd always include the secret-service.

* gnu/services/virtualization.scm (secret-service-operating-system): New
procedure.
(hurd-vm-disk-image): Use it to ensure a Childhurd always includes the
secret-service.
(%hurd-vm-operating-system): Remove secret-service.

Co-authored-by: Ludovic Courtès
---
 gnu/services/virtualization.scm | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 75fe203e15..20e104f48c 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -835,6 +835,14 @@ over TCP. Reboot upon failure." boot time. This service is meant to be used by virtual machines (VMs) that can only be accessed by their host."))) =20 +(define (secret-service-operating-system os) + "Return an operating system based on OS that includes the secret-service, +that will be listening to receive secret keys on port 1004, TCP." + (operating-system + (inherit os) + (services (cons (service secret-service-type 1004) + (operating-system-user-services os))))) + ;;; ;;; The Hurd in VM service: a Childhurd. @@ -850,8 +858,6 @@ can only be accessed by their host."))) (target "/dev/vda") (timeout 0))) (services (cons* - ;; Receive secret keys on port 1004, TCP. - (service secret-service-type 1004) (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) @@ -887,8 +893,9 @@ can only be accessed by their host."))) (default "/etc/childhurd"))) =20 (define (hurd-vm-disk-image config) - "Return a disk-image for the Hurd according to CONFIG." - (let ((os (hurd-vm-configuration-os config)) + "Return a disk-image for the Hurd according to CONFIG. The secret-servi= ce +is added to the OS specified in CONFIG." + (let ((os (secret-service-operating-system (hurd-vm-configuration-os con= fig))) (disk-size (hurd-vm-configuration-disk-size config))) (system-image (image --=20 Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable --=20 Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar=C2=AE http://AvatarAcademy.com --=-=-=-- From unknown Thu Aug 14 21:43:45 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org 
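Review bot: in the first hunk (`@@ -835,6 +835,14 @@`), `secret-service-operating-system` conses `(service secret-service-type 1004)` onto `operating-system-user-services` unconditionally, so an `os` that already declares the secret service (the field is user-supplied, as the `hurd-vm-configuration-os` call in the last hunk shows) ends up with two instances. Consider checking for an existing instance first (a `find` on `service-kind` over the user services would do) or stating in the docstring that callers must not add it themselves. The docstring would also read better as "which listens for secret keys on TCP port 1004", and since the context lines just above already say this service is for VMs "that can only be accessed by their host", it is worth repeating there that the listener is unauthenticated and relies on that network isolation.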
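Review bot: in the second hunk (`@@ -850,8 +858,6 @@`), removing `(service secret-service-type 1004)` means `%hurd-vm-operating-system` on its own no longer has any way to receive secrets; it now only works as the `os` of a `hurd-vm-configuration`, because `hurd-vm-disk-image` re-adds the service. A one-line comment in place of the removed `;; Receive secret keys on port 1004, TCP.` pointing at `secret-service-operating-system` would keep that visible to readers of the OS definition, and the port literal 1004 now lives only inside the new procedure, so the host-side forwarding to it should reference the same value rather than a second copy of the literal.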
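Review bot: in the third hunk (`@@ -887,8 +893,9 @@`), the wrapping happens only inside `hurd-vm-disk-image`, so the OS that actually lands in the image differs from what `hurd-vm-configuration-os` returns; any other code that reads the `os` field will not see the secret service. If that is intended, the docstring is the right place to say so explicitly; otherwise consider applying `secret-service-operating-system` once where the configuration is built. The docstring's second sentence would also read more naturally as "The secret service is added to the OS specified in CONFIG before the image is built."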
From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 30 Sep 2020 11:24:05 +0000

bug archived.