inconstency with offloading

  • Done
  • quality assurance status badge
Details
3 participants
  • Ludovic Courtès
  • Maxim Cournoyer
  • zimoun
Owner
unassigned
Submitted by
zimoun
Severity
normal
Z
Z
zimoun wrote on 15 Dec 2021 18:02
(address . bug-guix@gnu.org)
87y24lol6r.fsf@gmail.com
Hi,

The manual provides [1] the example:

Toggle snippet (10 lines)
(build-machine
(name "armeight.example.org")
(systems (list "aarch64-linux"))
(host-key "ssh-rsa AAAAB3Nza…")
(user "alice")
(private-key
(string-append (getenv "HOME")
"/.ssh/identity-for-guix")))

but what is not clear is 'getenv' from who. Concretly, adding 'pk' it
reads:

Toggle snippet (6 lines)
$ guix offload test

;;; ("/home/simon")
guix offload: testing 2 build machines defined in '/etc/guix/machines.scm'...

however, when really building with offload:

Toggle snippet (11 lines)
$ guix build -L /tmp/mine r-cipr
The following derivation will be built:
/gnu/store/mzixy5hhx79xx33k03acaasml87c0knc-r-cipr-0.1.0-1.4b01bb8.drv

;;; ("/root")
process 6815 acquired build slot '/var/guix/offload/x.x.x.x:22/0'
process 6815 acquired build slot '/var/guix/offload/x.x.x.x:22/0'
normalized load on machine 'x.x.x.x' is 0.00


"guix offload tes" does the correct thing, not "guix build".


Cheers,
simon


M
M
Maxim Cournoyer wrote on 16 Dec 2021 05:09
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 52517@debbugs.gnu.org)
87ilvp8a2o.fsf@gmail.com
Hello Simon!

zimoun <zimon.toutoune@gmail.com> writes:

Toggle quote (31 lines)
> Hi,
>
> The manual provides [1] the example:
>
> (build-machine
> (name "armeight.example.org")
> (systems (list "aarch64-linux"))
> (host-key "ssh-rsa AAAAB3Nza…")
> (user "alice")
> (private-key
> (string-append (getenv "HOME")
> "/.ssh/identity-for-guix")))
>
>
> but what is not clear is 'getenv' from who. Concretly, adding 'pk' it
> reads:
>
> $ guix offload test
>
> ;;; ("/home/simon")
> guix offload: testing 2 build machines defined in '/etc/guix/machines.scm'...
>
>
> however, when really building with offload:
>
> $ guix build -L /tmp/mine r-cipr
> The following derivation will be built:
> /gnu/store/mzixy5hhx79xx33k03acaasml87c0knc-r-cipr-0.1.0-1.4b01bb8.drv
>
> ;;; ("/root")

Good observation; a similar issue I had reported is

Maxim
L
L
Ludovic Courtès wrote on 3 Jan 2022 17:52
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 52517@debbugs.gnu.org)
87sfu4g3s0.fsf@gnu.org
Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

Toggle quote (29 lines)
> The manual provides [1] the example:
>
> (build-machine
> (name "armeight.example.org")
> (systems (list "aarch64-linux"))
> (host-key "ssh-rsa AAAAB3Nza…")
> (user "alice")
> (private-key
> (string-append (getenv "HOME")
> "/.ssh/identity-for-guix")))
>
>
> but what is not clear is 'getenv' from who. Concretly, adding 'pk' it
> reads:
>
> $ guix offload test
>
> ;;; ("/home/simon")
> guix offload: testing 2 build machines defined in '/etc/guix/machines.scm'...
>
>
> however, when really building with offload:
>
> $ guix build -L /tmp/mine r-cipr
> The following derivation will be built:
> /gnu/store/mzixy5hhx79xx33k03acaasml87c0knc-r-cipr-0.1.0-1.4b01bb8.drv
>
> ;;; ("/root")

This is because guix-daemon spawns ‘guix offload’ as root.

But yeah, I agree that the example contributes to the confusion.

How about changing the manual as shown below?

Ludo’.
Toggle diff (18 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 43549da388..9c1f30e83f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1250,9 +1250,10 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
(systems (list "aarch64-linux"))
(host-key "ssh-rsa AAAAB3Nza@dots{}")
(user "alice")
- (private-key
- (string-append (getenv "HOME")
- "/.ssh/identity-for-guix"))))
+
+ ;; Remember 'guix offload' is spawned by
+ ;; 'guix-daemon' as root.
+ (private-key "/root/.ssh/identity-for-guix")))
@end lisp
@noindent
Z
Z
zimoun wrote on 3 Jan 2022 18:16
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 52517@debbugs.gnu.org)
86czl8viwt.fsf@gmail.com
Hi,

On Mon, 03 Jan 2022 at 17:52, Ludovic Courtès <ludo@gnu.org> wrote:

Toggle quote (2 lines)
> This is because guix-daemon spawns ‘guix offload’ as root.

Yes. The issue is I cannot offload to a machine where I have an SSH
account and where Guix is installed if the sysadmin does not configure
correctly this /root/.ssh/.


Toggle quote (16 lines)
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 43549da388..9c1f30e83f 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -1250,9 +1250,10 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
> (systems (list "aarch64-linux"))
> (host-key "ssh-rsa AAAAB3Nza@dots{}")
> (user "alice")
> - (private-key
> - (string-append (getenv "HOME")
> - "/.ssh/identity-for-guix"))))
> +
> + ;; Remember 'guix offload' is spawned by
> + ;; 'guix-daemon' as root.
> + (private-key "/root/.ssh/identity-for-guix")))

This patch LGTM. At least, it could save time for people configuring
offload. :-)

I am fine to close the issue but, as I said, the fix seems to be able to
offload without root access but just an SSH access.


Cheers,
simon
L
L
Ludovic Courtès wrote on 3 Jan 2022 19:30
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 52517-done@debbugs.gnu.org)
87k0fgfz8y.fsf@gnu.org
Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

Toggle quote (8 lines)
> On Mon, 03 Jan 2022 at 17:52, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> This is because guix-daemon spawns ‘guix offload’ as root.
>
> Yes. The issue is I cannot offload to a machine where I have an SSH
> account and where Guix is installed if the sysadmin does not configure
> correctly this /root/.ssh/.

True. That’s admittedly not as flexible as it could be.

Interestingly, GUIX_DAEMON_SOCKET=ssh://… almost achieves that.

Perhaps we could implement “user-level offloading”, probably in addition
to system-wide offloading? Food for thought…

Toggle quote (19 lines)
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index 43549da388..9c1f30e83f 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -1250,9 +1250,10 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
>> (systems (list "aarch64-linux"))
>> (host-key "ssh-rsa AAAAB3Nza@dots{}")
>> (user "alice")
>> - (private-key
>> - (string-append (getenv "HOME")
>> - "/.ssh/identity-for-guix"))))
>> +
>> + ;; Remember 'guix offload' is spawned by
>> + ;; 'guix-daemon' as root.
>> + (private-key "/root/.ssh/identity-for-guix")))
>
> This patch LGTM. At least, it could save time for people configuring
> offload. :-)

Alright, committing.

Toggle quote (3 lines)
> I am fine to close the issue but, as I said, the fix seems to be able to
> offload without root access but just an SSH access.

Yes, we can discuss that separately.

A simple design would be to have clients install a “build handler”; when
the handler is called, it selects a machine, open a remote store
connection, copies missing inputs, starts the build, retrieves
outputs—all that from the client. Of course admins still have to
authorize keys both ways, but at least that gives more flexibility. (We
could also have a model where keys are authorized just one-way.)

Thanks,
Ludo’.
Closed
Z
Z
zimoun wrote on 3 Jan 2022 20:19
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 52517-done@debbugs.gnu.org)
86o84stynv.fsf@gmail.com
Hi Ludo,

On Mon, 03 Jan 2022 at 19:30, Ludovic Courtès <ludo@gnu.org> wrote:

Toggle quote (2 lines)
> Interestingly, GUIX_DAEMON_SOCKET=ssh://… almost achieves that.

Thanks for the hint.

Toggle quote (2 lines)
> Alright, committing.

Cool! Thanks.


Toggle quote (5 lines)
>> I am fine to close the issue but, as I said, the fix seems to be able to
>> offload without root access but just an SSH access.
>
> Yes, we can discuss that separately.

Yes…

Toggle quote (7 lines)
> A simple design would be to have clients install a “build handler”; when
> the handler is called, it selects a machine, open a remote store
> connection, copies missing inputs, starts the build, retrieves
> outputs—all that from the client. Of course admins still have to
> authorize keys both ways, but at least that gives more flexibility. (We
> could also have a model where keys are authorized just one-way.)

…and it is not easy. And somehow it is similar as the issue of «Public
guix offload server» discussed [1] recently (Oct. 2021).


Cheers,
simon
Closed
?