guix-service-type authorized keys are not honored when /etc/guix/acl exists

Status: Done
Participants (5): Efraim Flashner, Jan Nieuwenhuizen, Ludovic Courtès, Maxim Cournoyer, Vagrant Cascadian
Owner: unassigned
Submitted by: Maxim Cournoyer
Severity: important
Maxim Cournoyer wrote on 28 Feb 2020 05:30
(name . bug-guix)(address . bug-guix@gnu.org)
87tv3bl4eu.fsf@apteryx.i-did-not-set--mail-host-address--so-tickle-me
Hello,

I spent the evening debugging why my authorized keys for the
guix-service-type wouldn't appear under /etc/guix/acl upon
reconfiguration (and 'guix offload test' would be unhelpfully reporting
"guix offload: error: program
`/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
failed with exit code 1", see issue https://bugs.gnu.org/34786).

It turns out that the guix-activation script that is supposed to add the authorized keys does this:

(unless (file-exists? "/etc/guix/acl")
  (mkdir-p "/etc/guix")
  (copy-file #+default-acl "/etc/guix/acl")
  (chmod "/etc/guix/acl" #o600)))))

i.e., it doesn't do anything if a /etc/guix/acl file already exists.
This means that the only time it ought to do anything is the first time
the system was reconfigured (or perhaps, init?).

I would have expected the keys declared in my operating system
configuration to be used along with those in /etc/guix/acl, or added to it.

Maxim
Maxim Cournoyer wrote on 28 Feb 2020 05:32
(address . 39819@debbugs.gnu.org)
87pndzl4ay.fsf@gmail.com
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> I spent the evening debugging why my authorized keys for the
> guix-service-type wouldn't appear under /etc/guix/acl upon
> reconfiguration (and 'guix offload test' would be unhelpfully reporting
> "guix offload: error: program
> `/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
> failed with exit code 1", see issue <https://bugs.gnu.org/34786>).
>
> It turns out that the guix-activation script that is supposed to add the authorized keys does this:
>
> (unless (file-exists? "/etc/guix/acl")
> (mkdir-p "/etc/guix")
> (copy-file #+default-acl "/etc/guix/acl")
> (chmod "/etc/guix/acl" #o600)))))
>
> i.e., it doesn't do anything if a /etc/guix/acl file already exists.
> This means that the only time it ought to do anything is the first time
> the system was reconfigured (or perhaps, init?).
>
> I would have expected the keys declared in my operating system
> configuration to be used along those with /etc/guix/acl, or added to it.

I forgot to mention, the above code is from (gnu services base), more
specifically from the `substitute-key-authorization' procedure.
Ludovic Courtès wrote on 11 Oct 2020 12:39
Declarative /etc/guix/acl?
(address . guix-devel@gnu.org)(address . 39819@debbugs.gnu.org)
87v9fhf3my.fsf@inria.fr
Hi!

For some reason, /etc/guix/acl is not declarative on Guix System: we let
users modify it and assume it’s stateful, which can surprise users as in
<https://issues.guix.gnu.org/39819>.

Should we make it declarative, just like most of /etc? I think so. For
a build farm like berlin, it would force admins to explicitly list all
the authorized keys in their config—annoying change, but not a bad
thing.

WDYT?

The problem is the transition. We would need to at least create a
backup of /etc/guix/acl on the next activation, or better yet, warn
users or error out at reconfigure time.

Thoughts?

Ludo’.
Efraim Flashner wrote on 11 Oct 2020 13:00
(name . Ludovic Courtès)(address . ludo@gnu.org)
20201011110012.GD1301@E5400
On Sun, Oct 11, 2020 at 12:39:17PM +0200, Ludovic Courtès wrote:
> Hi!
>
> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
>
> Should we make it declarative, just like most of /etc? I think so. For
> a build farm like berlin, it would force admins to explicitly list all
> the authorized keys in their config—annoying change, but not a bad
> thing.
>
> WDYT?

I've been surprised by it at least once. (That it was more than once is
on me...)

> The problem is the transition. We would need to at least create a
> backup of /etc/guix/acl on the next activation, or better yet, warn
> users or error out at reconfigure time.
>
> Thoughts?
>
> Ludo’.
>

activation script: (when (file-exists? "/etc/guix/acl")
                     (rename-file "/etc/guix/acl"
                                  "/etc/guix/acl-old"))

--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Jan Nieuwenhuizen wrote on 11 Oct 2020 13:07
Re: Declarative /etc/guix/acl?
(name . Ludovic Courtès)(address . ludo@gnu.org)
87k0vxaumm.fsf@gnu.org
Ludovic Courtès writes:

Hello!

> For some reason, /etc/guix/acl is not declarative on Guix System: we let
> users modify it and assume it’s stateful, which can surprise users as in
> <https://issues.guix.gnu.org/39819>.
>
> Should we make it declarative, just like most of /etc? I think so.

Yes, I think so too. However, if you have your own substitute server,
you now can run guix archive --authorize < ..., e.g. at
bootstrap/install time. For such cases, IWBN to have a --authorized-key
argument to guix build / guix system.

Greetings,
Janneke

--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com
Ludovic Courtès wrote on 12 Oct 2020 14:53
(name . Jan Nieuwenhuizen)(address . janneke@gnu.org)
87v9ffppvf.fsf@gnu.org
Hi,

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

> Ludovic Courtès writes:
>
> Hello!
>
>> For some reason, /etc/guix/acl is not declarative on Guix System: we let
>> users modify it and assume it’s stateful, which can surprise users as in
>> <https://issues.guix.gnu.org/39819>.
>>
>> Should we make it declarative, just like most of /etc? I think so.
>
> Yes, I think so too.

OK.

> However, if you have your own substitute server, you now can run guix
> archive --authorize < ..., e.g. at bootstrap/install time. For such
> cases, IWBN to have a --authorized-key argument to guix build / guix
> system.

There’s already an ‘authorized-keys’ field in ‘guix-configuration’:

https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration

So you would just list keys there. Is that what you have in mind?

The option is already there, it’s just non-authoritative.

Ludo’.
Jan Nieuwenhuizen wrote on 12 Oct 2020 22:26
(name . Ludovic Courtès)(address . ludo@gnu.org)
871ri31984.fsf@gnu.org
Ludovic Courtès writes:

Hello,

> Jan Nieuwenhuizen <janneke@gnu.org> skribis:
>
>> Ludovic Courtès writes:
>
>> However, if you have your own substitute server, you now can run guix
>> archive --authorize < ..., e.g. at bootstrap/install time. For such
>> cases, IWBN to have a --authorized-key argument to guix build / guix
>> system.
>
> There’s already an ‘authorized-keys’ field in ‘guix-configuration’:
>
> https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#index-guix_002dconfiguration
>
> So you would just list keys there. Is that what you have in mind?
>
> The option is already there, it’s just non-authoritative.

I was thinking about the initial installer scenario; when guix-daemon is
already running and you didn't build the guix system yourself. But
yeah, I guess this is an exceptional or corner case and you can always
build your own installer and add the key there.

Janneke

--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com
Ludovic Courtès wrote on 21 Oct 2020 16:19
control message for bug #39819
(address . control@debbugs.gnu.org)
87y2jz3bly.fsf@gnu.org
severity 39819 important
quit
Ludovic Courtès wrote on 21 Oct 2020 17:08
[PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
(address . 39819@debbugs.gnu.org)
20201021150823.20508-1-ludo@gnu.org
Reported by Maxim Cournoyer <maxim.cournoyer@gmail.com>.

* gnu/services/base.scm (substitute-key-authorization): Symlink
DEFAULT-ACL to /etc/guix/acl unconditionally. Add code to optionally
back up /etc/guix/acl if it was possibly modified by hand.
* doc/guix.texi (Base Services): Clarify the effect of setting
'authorize-keys?' to true. Mention the backup. Give an example showing
how to authorize substitutes from another server.
---
doc/guix.texi | 36 ++++++++++++++++++++++++++++++++++++
gnu/services/base.scm | 16 ++++++++++++----
2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c161012da5..50d2d9a730 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14571,11 +14571,26 @@ Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
(@pxref{Substitutes}).
+When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+changed by invoking @command{guix archive --authorize}. You must
+instead adjust @code{guix-configuration} as you wish and reconfigure the
+system. This ensures that your operating system configuration file is
+self-contained.
+
+@quotation Note
+When booting or reconfiguring to a system where @code{authorize-keys?}
+is true, the existing @file{/etc/guix/acl} file is backed up as
+@file{/etc/guix/acl.bak} if it was determined to be a manually modified
+file. This is to facilitate migration from earlier versions, which
+allowed for in-place modifications to @file{/etc/guix/acl}.
+@end quotation
+
@vindex %default-authorized-guix-keys
@item @code{authorized-keys} (default: @code{%default-authorized-guix-keys})
The list of authorized key files for archive imports, as a list of
string-valued gexps (@pxref{Invoking guix archive}). By default, it
contains that of @code{@value{SUBSTITUTE-SERVER}} (@pxref{Substitutes}).
+See @code{substitute-urls} below for an example on how to change it.
@item @code{use-substitutes?} (default: @code{#t})
Whether to use substitutes.
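Review bot: both added paragraphs name the field @code{authorize-keys?}, while the follow-up diff later in this thread changes both occurrences to @code{authorize-key?}; the name should be corrected here so the text matches the record field. The note also says the old file is backed up "if it was determined to be a manually modified file" without saying how that is decided. The base.scm hunk treats anything that is not a symlink into the store as modified, and stating that rule here would let an administrator predict whether /etc/guix/acl.bak will appear.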
@@ -14583,6 +14598,27 @@ Whether to use substitutes.
@item @code{substitute-urls} (default: @code{%default-substitute-urls})
The list of URLs where to look for substitutes by default.
+Support you would like to fetch substitutes from @code{guix.example.org}
+in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do
+two things: (1) add @code{guix.example.org} to @code{substitute-urls},
+and (2) authorize its signing key, having done appropriate checks
+(@pxref{Substitute Server Authorization}). The configuration below does
+exactly that:
+
+@lisp
+(guix-configuration
+ (substitute-urls
+ (append (list "https://guix.example.org")
+ %default-substitute-urls))
+ (authorized-keys
+ (append (list (local-file "./guix.example.org-key.pub"))
+ %default-authorized-guix-keys)))
+@end lisp
+
+This example assumes that the file @file{./guix.example.org-key.pub}
+contains the public key that @code{guix.example.org} uses to sign
+substitutes.
+
@item @code{max-silent-time} (default: @code{0})
@itemx @code{timeout} (default: @code{0})
The number of seconds of silence and the number of seconds of activity,
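Review bot: the first added line reads "Support you would like to fetch substitutes"; it should be "Suppose you would like to fetch substitutes". The example relies on the reader already having vetted guix.example.org-key.pub, and the only pointer to how is the parenthetical "having done appropriate checks"; a short statement of what those checks are for (the key decides whose binaries the daemon will accept) would make the paragraph self-contained.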
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 04bc991356..37b0a13ea7 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1476,10 +1476,18 @@ archive' public keys, with GUIX."
#~(begin
(use-modules (guix build utils))
- (unless (file-exists? "/etc/guix/acl")
- (mkdir-p "/etc/guix")
- (copy-file #+default-acl "/etc/guix/acl")
- (chmod "/etc/guix/acl" #o600)))))
+ ;; If the ACL already exists, move it out of the way. Create a backup
+ ;; if it's a regular file: it's likely that the user manually updated
+ ;; it with 'guix archive --authorize'.
+ (if (file-exists? "/etc/guix/acl")
+ (if (and (symbolic-link? "/etc/guix/acl")
+ (store-file-name? (readlink "/etc/guix/acl")))
+ (delete-file "/etc/guix/acl")
+ (rename-file "/etc/guix/acl" "/etc/guix/acl.bak"))
+ (mkdir-p "/etc/guix"))
+
+ ;; Installed the declared ACL.
+ (symlink #+default-acl "/etc/guix/acl"))))
(define %default-authorized-guix-keys
;; List of authorized substitute keys.
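Review bot: the outer test (file-exists? "/etc/guix/acl") follows symlinks, so a dangling /etc/guix/acl symlink takes the else branch, nothing removes it, and the final (symlink #+default-acl "/etc/guix/acl") then fails because the name is still taken. Checking symbolic-link? on the path before file-exists?, and deleting the link in that case, would cover it. Smaller points in the same hunk: rename-file replaces any existing /etc/guix/acl.bak without notice, the comment promises a backup "if it's a regular file" while the code backs up anything that is not a symlink into the store, and "Installed the declared ACL" should read "Install the declared ACL".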
--
2.28.0
Ludovic Courtès wrote on 21 Oct 2020 17:08
[PATCH 2/2] doc: Add "Getting Substitutes from Other Servers" section.
(address . 39819@debbugs.gnu.org)
20201021150823.20508-2-ludo@gnu.org
* doc/guix.texi (Getting Substitutes from Other Servers): New node.
(Invoking guix-daemon): Add cross-reference.
(Substitute Server Authorization): Clarify that this is unnecessary on
Guix System.
(Invoking guix publish): Add cross-reference.
---
doc/guix.texi | 122 +++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 115 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 50d2d9a730..a3534b5939 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -222,6 +222,7 @@ Substitutes
* Official Substitute Server:: One particular source of substitutes.
* Substitute Server Authorization:: How to enable or disable substitutes.
+* Getting Substitutes from Other Servers:: Substitute diversity.
* Substitute Authentication:: How Guix verifies substitutes.
* Proxy Settings:: How to get substitutes via proxy.
* Substitution Failure:: What happens when substitution fails.
@@ -1467,8 +1468,8 @@ When the daemon runs with @option{--no-substitutes}, clients can still
explicitly enable substitution @i{via} the @code{set-build-options}
remote procedure call (@pxref{The Store}).
-@item --substitute-urls=@var{urls}
@anchor{daemon-substitute-urls}
+@item --substitute-urls=@var{urls}
Consider @var{urls} the default whitespace-separated list of substitute
source URLs. When this option is omitted,
@indicateurl{https://@value{SUBSTITUTE-SERVER}} is used.
@@ -1476,6 +1477,9 @@ source URLs. When this option is omitted,
This means that substitutes may be downloaded from @var{urls}, as long
as they are signed by a trusted signature (@pxref{Substitutes}).
+@xref{Getting Substitutes from Other Servers}, for more information on
+how to configure the daemon to get substitutes from other servers.
+
@cindex offloading
@item --no-offload
Do not use offload builds to other machines (@pxref{Daemon Offload
@@ -3554,6 +3558,7 @@ also result from derivation builds, can be available as substitutes.
@menu
* Official Substitute Server:: One particular source of substitutes.
* Substitute Server Authorization:: How to enable or disable substitutes.
+* Getting Substitutes from Other Servers:: Substitute diversity.
* Substitute Authentication:: How Guix verifies substitutes.
* Proxy Settings:: How to get substitutes via proxy.
* Substitution Failure:: What happens when substitution fails.
@@ -3603,6 +3608,11 @@ imports, using the @command{guix archive} command (@pxref{Invoking guix
archive}). Doing so implies that you trust @code{@value{SUBSTITUTE-SERVER}} to not
be compromised and to serve genuine substitutes.
+@quotation Note
+If you are using Guix System, you can skip this section: Guix System
+authorizes substitutes from @code{@value{SUBSTITUTE-SERVER}} by default.
+@end quotation
+
The public key for @code{@value{SUBSTITUTE-SERVER}} is installed along with Guix, in
@code{@var{prefix}/share/guix/@value{SUBSTITUTE-SERVER}.pub}, where @var{prefix} is
the installation prefix of Guix. If you installed Guix from source,
@@ -3653,6 +3663,108 @@ guix-daemon}). It can also be disabled temporarily by passing the
@option{--no-substitutes} option to @command{guix package},
@command{guix build}, and other command-line tools.
+@node Getting Substitutes from Other Servers
+@subsection Getting Substitutes from Other Servers
+
+@cindex substitute servers, adding more
+Guix can look up and fetch substitutes from several servers. This is
+useful when you are using packages from additional channels for which
+the official server does not have substitutes but another server
+provides them. Another situation where this is useful is when you would
+prefer to download from your organization's substitute server, resorting
+to the official server only as a fallback or dismissing it altogether.
+
+You can give Guix a list of substitute server URLs and it will check
+them in the specified order. You also need to explicitly authorize the
+public keys of substitute servers to instruct Guix to accept the
+substitutes they sign.
+
+On Guix System, this is achieved by modifying the configuration of the
+@code{guix} service. Since the @code{guix} service is part of the
+default lists of services, @code{%base-services} and
+@code{%desktop-services}, you can use @code{modify-services} to change
+its configuration and add the URLs and substitute keys that you want
+(@pxref{Service Reference, @code{modify-services}}).
+
+As an example, suppose you want to fetch substitutes from
+@code{guix.example.org} and to authorize the signing key of that server,
+in addition to the default @code{@value{SUBSTITUTE-SERVER}}. The
+resulting operating system configuration will look something like:
+
+@lisp
+(operating-system
+ ;; @dots{}
+ (services
+ ;; Assume we're starting from '%desktop-services'. Replace it
+ ;; with the list of services you're actually using.
+ (modify-services %desktop-services
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (substitute-urls
+ (append (list "https://guix.example.org")
+ %default-substitute-urls))
+ (authorized-keys
+ (append (list (local-file "./key.pub"))
+ %default-authorized-guix-keys)))))))
+@end lisp
+
+This assumes that the file @file{key.pub} contains the signing key of
+@code{guix.example.org}. With this change in place in your operating
+system configuration file (say @file{/etc/config.scm}), you can
+reconfigure and restart the @code{guix-daemon} service or reboot so the
+changes take effect:
+
+@example
+$ sudo guix system reconfigure /etc/config.scm
+$ sudo herd restart guix-daemon
+@end example
+
+If you're running Guix on a ``foreign distro'', you would instead take
+the following steps to get substitutes from additional servers:
+
+@enumerate
+@item
+Edit the service configuration file for @code{guix-daemon}; when using
+systemd, this is normally
+@file{/etc/systemd/system/guix-daemon.service}. Add the
+@option{--substitute-urls} option on the @command{guix-daemon} command
+line and list the URLs of interest (@pxref{daemon-substitute-urls,
+@code{guix-daemon --substitute-urls}}):
+
+@example
+@dots{} --substitute-urls='https://guix.example.org https://@value{SUBSTITUTE-SERVER}'
+@end example
+
+@item
+Restart the daemon. For systemd, it goes like this:
+
+@example
+systemctl daemon-reload
+systemctl restart guix-daemon.service
+@end example
+
+@item
+Authorize the key of the new server (@pxref{Invoking guix archive}):
+
+@example
+guix archive --authorize < key.pub
+@end example
+
+Again this assumes @file{key.pub} contains the public key that
+@code{guix.example.org} uses to sign substitutes.
+@end enumerate
+
+Now you're all set! Substitutes will be preferably taken from
+@code{https://guix.example.org}, using @code{@value{SUBSTITUTE-SERVER}}
+as a fallback. Of course you can list as many substitute servers as you
+like, with the caveat that substitute lookup can be slowed down if too
+many servers need to be contacted.
+
+Note that there are also situations where one may want to add the URL of
+a substitute server @emph{without} authorizing its key.
+@xref{Substitute Authentication}, to understand this fine point.
+
@node Substitute Authentication
@subsection Substitute Authentication
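Review bot: the new node tells the reader to list key.pub in authorized-keys (Guix System example) and to run "guix archive --authorize < key.pub" (foreign distro, third item) without saying the key's origin has to be checked first, whereas the text added in patch 1/2 had "having done appropriate checks (@pxref{Substitute Server Authorization})". Since authorizing a key means accepting whatever that server signs, an equivalent sentence or cross-reference belongs before the first example. In the enumerate, the systemctl and guix archive commands are also shown without sudo or a root prompt, unlike the "$ sudo guix system reconfigure" example above them; the privilege requirement should be shown consistently.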
@@ -11873,12 +11985,8 @@ spawn an HTTP server on port 8080:
guix publish
@end example
-Once a publishing server has been authorized (@pxref{Invoking guix
-archive}), the daemon may download substitutes from it:
-
-@example
-guix-daemon --substitute-urls=http://example.org:8080
-@end example
+Once a publishing server has been authorized, the daemon may download
+substitutes from it. @xref{Getting Substitutes from Other Servers}.
By default, @command{guix publish} compresses archives on the fly as it
serves them. This ``on-the-fly'' mode is convenient in that it requires
--
2.28.0
Vagrant Cascadian wrote on 21 Oct 2020 18:06
Re: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
(address . guix-devel@gnu.org)
87mu0f8swv.fsf@ponder
On 2020-10-21, Ludovic Courtès wrote:
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c161012da5..50d2d9a730 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
...
> @@ -14583,6 +14598,27 @@ Whether to use substitutes.
> @item @code{substitute-urls} (default: @code{%default-substitute-urls})
> The list of URLs where to look for substitutes by default.
>
> +Support you would like to fetch substitutes from @code{guix.example.org}

(substitute* "Support" "Suppose")

?

> +in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do
> +two things: (1) add @code{guix.example.org} to @code{substitute-urls},
> +and (2) authorize its signing key, having done appropriate checks
> +(@pxref{Substitute Server Authorization}). The configuration below does
> +exactly that:
> +
> +@lisp
> +(guix-configuration
> + (substitute-urls
> + (append (list "https://guix.example.org")
> + %default-substitute-urls))
> + (authorized-keys
> + (append (list (local-file "./guix.example.org-key.pub"))
> + %default-authorized-guix-keys)))
> +@end lisp
> +
> +This example assumes that the file @file{./guix.example.org-key.pub}
> +contains the public key that @code{guix.example.org} uses to sign
> +substitutes.
> +
> @item @code{max-silent-time} (default: @code{0})
> @itemx @code{timeout} (default: @code{0})
> The number of seconds of silence and the number of seconds of activity,
Ludovic Courtès wrote on 25 Oct 2020 01:08
Re: bug#39819: [PATCH 1/2] services: guix: Make /etc/guix/acl really declarative by default.
(address . 39819-done@debbugs.gnu.org)(address . guix-devel@gnu.org)
87tuujgr23.fsf@gnu.org
Hello!

I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.

Let me know if anything is amiss!

Thanks,
Ludo’.
diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
(@pxref{Substitutes}).
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
changed by invoking @command{guix archive --authorize}. You must
instead adjust @code{guix-configuration} as you wish and reconfigure the
system. This ensures that your operating system configuration file is
self-contained.
@quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
is true, the existing @file{/etc/guix/acl} file is backed up as
@file{/etc/guix/acl.bak} if it was determined to be a manually modified
file. This is to facilitate migration from earlier versions, which
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
@item @code{substitute-urls} (default: @code{%default-substitute-urls})
The list of URLs where to look for substitutes by default.
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do
two things: (1) add @code{guix.example.org} to @code{substitute-urls},
and (2) authorize its signing key, having done appropriate checks
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
(permit-root-login #t)
(allow-empty-passwords? #t)
(password-authentication? #t)))
- %base-services/hurd))))
+
+ ;; By default, the secret service introduces a pre-initialized
+ ;; /etc/guix/acl file in the childhurd. Thus, clear
+ ;; 'authorize-key?' so that it's not overridden at activation
+ ;; time.
+ (modify-services %base-services/hurd
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (authorize-key? #f))))))))
(define-record-type* <hurd-vm-configuration>
hurd-vm-configuration make-hurd-vm-configuration
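Review bot: with (authorize-key? #f) set here, any authorized-keys a user declares for the childhurd's guix service are not applied at activation, and that is only explained in this source comment. A sentence in the hurd-vm documentation saying that the childhurd's /etc/guix/acl is provided by the secret service and is not managed declaratively would keep this exception visible to users who expect the behaviour documented for guix-configuration.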
Closed
Ludovic Courtès wrote on 25 Oct 2020 01:11
(address . 39819@debbugs.gnu.org)(address . guix-devel@gnu.org)
87pn57gqyd.fsf@gnu.org
BTW, attached is the script I used to retrieve the signing keys of all
the build nodes of the build farm so we can have them declared in the
config of the head node. You may find it handy if you have a similar
setup!

Ludo’.
(use-modules (guix scripts offload)
             (guix ssh)
             (guix inferior)
             (ssh session)
             (srfi srfi-34)
             (ice-9 match))

(define open-ssh-session
  (@@ (guix scripts offload) open-ssh-session))

(define build-machine-name
  (@@ (guix scripts offload) build-machine-name))

(define build-machine-port
  (@@ (guix scripts offload) build-machine-port))

(define (fetch-key machine)
  (format #t "fetching key from ~s...~%" machine)
  (let* ((session  (open-ssh-session machine 5))
         (inferior (remote-inferior session)))
    (define key
      (inferior-eval
       '(begin
          (use-modules (rnrs io ports))
          (with-fluids ((%default-port-encoding "ISO-8859-1"))
            (call-with-input-file "/etc/guix/signing-key.pub"
              get-string-all)))
       inferior))

    (define file
      (string-append (build-machine-name machine)
                     (match (build-machine-port machine)
                       (22 "")
                       (port
                        (string-append ":" (number->string port))))
                     ".pub"))

    (with-fluids ((%default-port-encoding "ISO-8859-1"))
      (call-with-output-file file
        (lambda (port)
          (display key port))))

    (close-inferior inferior)
    (disconnect! session)))

(let ((machines (load "/etc/guix/machines.scm")))
  (for-each (lambda (machine)
              (guard (c (pk 'fail c))
                (fetch-key machine)))
            machines))
Jan Nieuwenhuizen wrote on 25 Oct 2020 06:59
(address . 39819@debbugs.gnu.org)
87y2ju9783.fsf@gnu.org
Ludovic Courtès writes:

Hello,

> I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
> with the changes below, accounting for Vagrant’s comment and for the
> fact that childhurds rely on the non-declarative behavior (which hadn’t
> occurred to me before), as well as fixing other typos.
>
>
> + ;; By default, the secret service introduces a pre-initialized
> + ;; /etc/guix/acl file in the childhurd. Thus, clear
> + ;; 'authorize-key?' so that it's not overridden at activation
> + ;; time.
> + (modify-services %base-services/hurd
> + (guix-service-type config =>
> + (guix-configuration
> + (inherit config)
> + (authorize-key? #f))))))))

Ah, good catch!

Janneke

--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com| Avatar® http://AvatarAcademy.com
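
A check an administrator can run after moving to the declarative ACL discussed in this thread, given as an added example that is not part of the thread or of Guix: it reports whether /etc/guix/acl is a symlink into the store or still a hand-managed file, and lists keys found in /etc/guix/acl.bak that the declared ACL no longer authorizes. The function names, the assumption that each key appears as a `(q #HEX#)` field, and the sample key values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit /etc/guix/acl after the switch
# to a declarative ACL. Function names are hypothetical.
export LC_ALL=C   # stable ordering for sort and comm

# classify_acl PATH [STORE]: how is the ACL at PATH managed?
classify_acl() {
    acl=$1; store=${2:-/gnu/store}
    if [ -L "$acl" ]; then
        case $(readlink "$acl") in
            "$store"/*)
                # Symlink into the store, as the patched activation code
                # installs it; make sure the target still exists.
                if [ -e "$acl" ]; then echo declarative; else echo dangling; fi ;;
            *)  echo foreign-symlink ;;
        esac
    elif [ -f "$acl" ]; then
        echo stateful   # regular file, e.g. written by 'guix archive --authorize'
    else
        echo missing
    fi
}

# acl_keys FILE: unique key points in FILE, one upper-case hex string per line.
# Assumption: each public key is stored as a (q #HEX#) field.
acl_keys() {
    [ -r "$1" ] || return 0
    tr -d ' \t\n' < "$1" | grep -o '(q#[0-9A-Fa-f]*#)' |
        sed 's/^(q#//; s/#)$//' | tr 'a-f' 'A-F' | sort -u
}

# dropped_keys OLD NEW: keys authorized in OLD that NEW no longer authorizes.
dropped_keys() {
    old=$(mktemp); new=$(mktemp)
    acl_keys "$1" > "$old"; acl_keys "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# report DIR [STORE]: print the ACL state and the keys that still need to be
# declared in 'authorized-keys' if they are to stay trusted.
report() {
    echo "acl: $(classify_acl "$1/acl" "$2")"
    if [ -f "$1/acl.bak" ]; then
        dropped_keys "$1/acl.bak" "$1/acl" | sed 's/^/no longer authorized: /'
    fi
}

# Constructed sample: a hand-edited ACL that activation backed up as acl.bak,
# and the declared ACL symlinked from a stand-in store. Key values are made up.
demo=$(mktemp -d)
mkdir "$demo/store" "$demo/etc"
cat > "$demo/etc/acl.bak" <<'EOF'
(acl
 (entry (public-key (ecc (curve Ed25519) (q #1111AAAA#))) (tag (guix import)))
 (entry (public-key (ecc (curve Ed25519) (q #2222bbbb#))) (tag (guix import))))
EOF
cat > "$demo/store/sample-acl" <<'EOF'
(acl
 (entry (public-key (ecc (curve Ed25519) (q #1111AAAA#))) (tag (guix import))))
EOF
ln -s "$demo/store/sample-acl" "$demo/etc/acl"
report "$demo/etc" "$demo/store"
rm -rf "$demo"
```

On a real system, `report /etc/guix` run as root gives the same summary for the live files.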