From: Ludovic Courtès
To: "Jan (janneke) Nieuwenhuizen"
Subject: Re: [PATCH v3 2/2] services: childhurd: Support installing secrets from the host.
In-Reply-To: <20200831063913.664-3-janneke@gnu.org> (Jan Nieuwenhuizen's message of "Mon, 31 Aug 2020 08:39:13 +0200")
Date: Tue, 01 Sep 2020 10:37:40 +0200
Message-ID: <87tuwhao4r.fsf@gnu.org>
References: <20200831063913.664-1-janneke@gnu.org> <20200831063913.664-3-janneke@gnu.org>
Cc: 43106@debbugs.gnu.org

"Jan (janneke) Nieuwenhuizen" skribis:

> * gnu/system/examples/bare-hurd.tmpl (%hurd-os)[services]: Add secret-service.
> * gnu/services/virtualization.scm (%hurd-vm-operating-system): Likewise.
> (hurd-vm-shepherd-service): Use it to install secrets.
> * doc/guix.texi (The Hurd in a Virtual Machine): Document it.

Yay, minor issues, but overall LGTM!

>    (services (cons*
> +            ;; Receive secret keys on port 1004, TCP.
> +            (service secret-service-type 1004)

[...]

> +     (start
> +      (with-imported-modules
> +          (source-module-closure '((gnu build secret-service)
> +                                   (guix build utils)))
> +        #~(let ((spawn (make-forkexec-constructor #$vm-command)))
> +            (lambda _
> +              (let ((pid (spawn))
> +                    (port #$(hurd-vm-port config %hurd-vm-secrets-port))
> +                    (root #$(hurd-vm-configuration-secret-root config)))
> +                (and root (directory-exists? root)
> +                     (catch #t
> +                       (lambda _
> +                         (secret-service-send-secrets port root))

Perhaps ‘hurd-vm-service-type’ should unconditionally extend (via ‘service-extension’) ‘secret-service-type’, just to ensure that Hurd VMs always include the secret service.

In any case, we should assume that the VM is always running the secret service server, and thus call ‘secret-service-send-secrets’ unconditionally (‘secret-service-send-secrets’ does (find-files root), which returns the empty list when ROOT doesn’t exist, I think.)

> +                       (lambda (keys . args)

Should be “key” (singular).

> +                         (format (current-error-port)
> +                                 "failed to send secrets: ~a ~s\n" key args)
> +                         (kill pid)

(kill (- pid)) to kill the whole process group (just in case).

I’d remove the ‘format’ call and just re-throw the exception: shepherd should report it correctly.

[...]

> +            (service (@@ (gnu services virtualization)
> +                         secret-service-type) 5999))

This is useful for testing but I wouldn’t commit it (in particular because the example would no longer work for people who’re just spawning the VM and not trying to feed it secrets over TCP).

That’s it, thanks a lot!

Ludo’.
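Review bot: in the `start` constructor of the hurd-vm-shepherd-service hunk, the value of the `(and root (directory-exists? root) ...)` form is the last visible expression of the `let` body, and it evaluates to #f whenever no secret root is configured, even though `(spawn)` has already started the VM; since shepherd records the constructor's return value as the service's running state, a #f result would mark the service as failed to start while leaving the spawned QEMU process untracked. The part of the hunk after `(kill pid)` is not quoted here, so please make sure the constructor ends by returning `pid` regardless of whether secrets were sent, for instance by placing `pid` as the final expression of the `let` body after the `and` form.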