guix deploy doesn't seem to be authorizing the machine that is deploying to the remote

  • Open
  • quality assurance status badge
Details
3 participants
  • Andrew Tropin
  • Maxim Cournoyer
  • pkill9
Owner
unassigned
Submitted by
pkill9
Severity
normal

Debbugs page

pkill9 wrote 4 years ago
(address . bug-guix@gnu.org)
20210224235608.31825f91@runbox.com
I'm using the machine-ssh-configuration, I set `(authorize? #t)` which
the manual states should authorize the deploying machine onto the
remote host, but I get an error:
```
guix deploy: error: unauthorized public key: (public-key...
```

So I add to the OS definition:

```
(guix-configuration
(authorized-keys (append `(,(local-file
"/etc/guix/signing-key.pub")) %default-authorized-guix-keys))))

```

Which makes the error go away. I'm under the impression however that
the 'authorize? #t' field should be doing this without me needing to
add it to the OS configuration.
Andrew Tropin wrote 3 years ago
(name . pkill9)(address . pkill9@runbox.com)(address . 46760@debbugs.gnu.org)
871r5fg0wo.fsf@trop.in
On 2021-02-24 23:56, pkill9 wrote:

Toggle quote (20 lines)
> I'm using the machine-ssh-configuration, I set `(authorize? #t)` which
> the manual states should authorize the deploying machine onto the
> remote host, but I get an error:
> ```
> guix deploy: error: unauthorized public key: (public-key...
> ```
>
> So I add to the OS definition:
>
> ```
> (guix-configuration
> (authorized-keys (append `(,(local-file
> "/etc/guix/signing-key.pub")) %default-authorized-guix-keys))))
>
> ```
>
> Which makes the error go away. I'm under the impression however that
> the 'authorize? #t' field should be doing this without me needing to
> add it to the OS configuration.

`(authorize? #t)` seems working, it does `guix archive --authorize <
local-key` on remote machine before reconfiguring, but after
reconfiguration is finished the value of /etc/guix/acl is reset by
guix-service-type and for some reason the error message you mentioned
appears. Despite the error message the new generation is created and
new configuration is applied. It seems something like copying auxiliary
file to remote store happens after reconfiguration is finished. Will
try to investigate that, when will have some free time.

For now I do the same trick with changing the configuration for
guix-service-type:
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKEGaxlA4dEDH6S/6IgjSCVjB3rAFAmFMOGcACgkQIgjSCVjB
3rAEtg//ZRwOAzdRG9P6afCLFFK3aku4NVcAChHpaAX0PKhU/htMxm1CbTdrHCP6
jR6CbfIotRPnXSbgLvdtpWjmoLMr1qsfL/hPH53ZIFBdzJqJD7IMNEWAtpg+et19
xOyBZjGwBoVubQPXs1fsPAGJ91QHWzlkvvZ5GlYg6UMPajEJUaYZS5b6PEbrF+YU
JLq5e7gcHuaM8xZPIhjU7QaLCnEwwMP/3ZVPOj59lufb8ZDACSBh11crUuKOwnmE
HKociMmbQPHhhSBXhwE/aAZdpiqp1eH6xllrcCJDHRjZHodB2+A3tZGS74v6LjUA
5/lQh/ibkrdyI2KvDtJMDDSTxp+hcHQEXn+7i80vuBkMRWbwo4huozWsoUCyoCiI
MQLw5x8ddnS1IQZ9t2ceW/f39RrT6VuP3CcqnneqTaR24uRJHTPCngxKt9wEKbn3
Uo0EFyWPLbx7lq74pFab8wZcVSrCQPdwtnaN4PCp/L03J4YqYIWLYoOtqAeYscH2
WNJZm8hZxRtrzZHnuEiyFl+M3Qy8FvPNlICQDSLWRyeP+00oB3oYrNMwlVjsbE4d
o5bsXqEVKRrQW0cr1RKInf40plhEinWsXe8awFX2GC8XYIOEUvCn/7TJZcc3/hrv
OCWY7qn5ti+juVwKzNebCQy1zNamUP8YWPd18fZwOqO7iyW+xUg=
=K485
-----END PGP SIGNATURE-----

Maxim Cournoyer wrote 3 years ago
(name . Andrew Tropin)(address . andrew@trop.in)(address . 46760@debbugs.gnu.org)(name . pkill9)(address . pkill9@runbox.com)
877ddyaqkv.fsf@gmail.com
Hello,

Andrew Tropin <andrew@trop.in> writes:

Toggle quote (35 lines)
> On 2021-02-24 23:56, pkill9 wrote:
>
>> I'm using the machine-ssh-configuration, I set `(authorize? #t)` which
>> the manual states should authorize the deploying machine onto the
>> remote host, but I get an error:
>> ```
>> guix deploy: error: unauthorized public key: (public-key...
>> ```
>>
>> So I add to the OS definition:
>>
>> ```
>> (guix-configuration
>> (authorized-keys (append `(,(local-file
>> "/etc/guix/signing-key.pub")) %default-authorized-guix-keys))))
>>
>> ```
>>
>> Which makes the error go away. I'm under the impression however that
>> the 'authorize? #t' field should be doing this without me needing to
>> add it to the OS configuration.
>
> `(authorize? #t)` seems working, it does `guix archive --authorize <
> local-key` on remote machine before reconfiguring, but after
> reconfiguration is finished the value of /etc/guix/acl is reset by
> guix-service-type and for some reason the error message you mentioned
> appears. Despite the error message the new generation is created and
> new configuration is applied. It seems something like copying auxiliary
> file to remote store happens after reconfiguration is finished. Will
> try to investigate that, when will have some free time.
>
> For now I do the same trick with changing the configuration for
> guix-service-type:
> https://diode.zone/w/fJNN6ExYA35NC19BRiHw2L?start=37m5s

It probably has to do with commit
3b6e4e5fd05e72b8a32ff1a2d5e21464260e21e6, which made /etc/guix/acl
declarative by default.

Thanks,

Maxim
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 46760@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 46760
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch
You may also tag this issue. See list of standard tags. For example, to set the confirmed and easy tags
mumi command -t +confirmed -t +easy
Or, remove the moreinfo tag and set the help tag
mumi command -t -moreinfo -t +help