digital-ocean-environment-type fails

  • Open
Details
2 participants
  • Franz Geffke
  • Florian Hoertlehner
Owner
unassigned
Submitted by
Florian Hoertlehner
Severity
normal
Florian Hoertlehner wrote on 2 Oct 2021 21:49
(address . bug-guix@gnu.org)
CADXXfWk7DFjDNcxZ6f4Qsk3HiFpNz6m-0fm4pwYsjo58Kn6z1A@mail.gmail.com
guix deploy leads to the following error:
("Unprocessable Entity")

The token that I use seems to be correct (I get a different error
message when I supply an invalid token).

This is the config file:


(use-modules
(gnu services admin))

(use-service-modules networking ssh web)
(use-package-modules bootloaders ssh)

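;; Operating-system declaration that `guix deploy` installs on the droplet.
;; Comment lines that mail wrapping had pushed outside their `;;` prefix are
;; re-joined here so the form reads as valid Scheme again.
(define %system
  (operating-system
    (host-name "atlanticocean")
    (timezone "Etc/UTC")
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (target "/dev/vda")
                 (terminal-outputs '(console))))
    (file-systems (cons (file-system
                          (mount-point "/")
                          ;; Must be vda2 or you won't be able to reboot
                          ;; after `guix deploy`.
                          ;; This is because our base image makes an EFI
                          ;; partition at vda1.
                          (device "/dev/vda2")
                          (type "ext4"))
                        %base-file-systems))
    (services
     (append (list (service dhcp-client-service-type)
                   (service openssh-service-type
                            (openssh-configuration
                             (openssh openssh-sans-x)
                             ;; Root may log in over SSH, but password
                             ;; authentication is switched off, so the only
                             ;; accepted credential is the key authorised
                             ;; below.  Presumably root login is kept on
                             ;; because `guix deploy` connects as root -- confirm.
                             (password-authentication? #false)
                             (permit-root-login #t)
                             (authorized-keys
                              ;; Authorise our SSH key.  Whoever holds the
                              ;; matching private key has root on the droplet.
                              `(("root" ,(local-file "id_rsa.pub"))))))
                   ;; Security updates, yes please!
                   (service unattended-upgrade-service-type)
                   ;; Note that Nginx isn't automatically restarted during
                   ;; `guix deploy`, so run `herd restart nginx`.
                   ;; (No nginx service is declared in this list.)
                   )
             (modify-services %base-services
               ;; The server must trust the Guix packages you build. If you
               ;; add the signing-key manually it will be overridden on next
               ;; `guix deploy` giving "error: unauthorized public key".
               ;; This automatically adds the signing-key.
               ;;
               ;; The key is read from the deploying machine's
               ;; /etc/guix/signing-key.pub and appended to the default
               ;; authorized keys; store items signed with the matching
               ;; private key are then accepted by the droplet's daemon.
               (guix-service-type config =>
                                  (guix-configuration
                                   (inherit config)
                                   (authorized-keys
                                    (append (list (local-file
                                                   "/etc/guix/signing-key.pub"))
                                            %default-authorized-guix-keys)))))))))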


;; DigitalOcean settings for the droplet that `guix deploy` creates.
;; Every value is sent as given in the report; the API answered
;; "Unprocessable Entity" for this request.
(define c-do
  (digital-ocean-configuration
   (region "nyc1")
   (size "s-1vcpu-1gb")
   (enable-ipv6? #f)
   ;; Presumably the path to the SSH private key used to reach the droplet --
   ;; confirm.  Only the path appears here, not the key material.
   (ssh-key "/home/f/repo/myLinux/data/ssh/f")
   (tags (list "ubuntu-s-1vcpu-1gb-nyc1-01"))))


;; Value of the deployment file: a one-element list of machines, pairing the
;; %system declaration with the c-do DigitalOcean configuration.
(list
 (machine
  (operating-system %system)
  (environment digital-ocean-environment-type)
  (configuration c-do)))
Attachment: file
Franz Geffke wrote on 18 Oct 2021 13:08
(address . 50977@debbugs.gnu.org)
20211018120843.6b5ef6e0@pantherx.org
I just ran into the same issue on a droplet in a different region.

The only detail that stands out is that 'private_networking', as seen
here [1], has been deprecated in the DO API [2]. I doubt that is the
reason this is failing, though.

> This parameter has been deprecated. Use vpc_uuid instead to specify a
> VPC network for the Droplet. If no vpc_uuid is provided, the Droplet
> will be placed in your account's default VPC for the region.

[1]
[2]

Here's the related config:

;; One-machine deployment list from the second report (droplet in fra1).
(list
 (machine
  (operating-system %system)
  (environment digital-ocean-environment-type)
  (configuration
   (digital-ocean-configuration
    (region "fra1")
    ;; NOTE(review): "s-1vcpu-1gp" looks like a typo for "s-1vcpu-1gb", the
    ;; slug used in the first report; a size slug the API does not know
    ;; could by itself be rejected -- confirm against the file actually used.
    (size "s-1vcpu-1gp")
    ;; Presumably the path to the SSH private key used to reach the droplet --
    ;; confirm.  Only the path appears here, not the key material.
    (ssh-key "/home/franz/.ssh/do_staging")
    (tags (list "pantherx" "staging"))
    (enable-ipv6? #f)))))
Franz Geffke wrote on 18 Oct 2021 21:40
(address . 50977@debbugs.gnu.org)
20211018204047.0473e078@pantherx.org
I've done some more digging. There are various issues with the script
that actually converts the Debian 9 Droplet to Guix.

1. The SSL certificates of gnu.org fail on Debian 9 (since the end of Sep).
This appears to be related to a change in the Let's Encrypt root certificates.
2. The guix binary used is rather old.

I don't have time to submit a merge request now. I have adapted the
included script to work on Debian 9 (uncomment one line), Debian 11 and
Ubuntu 21.04. This should be good until the bug has been resolved.

```
#!/bin/bash

# Guix 1.3.0 on DigitalOcean
# Convert Debian 11 or Ubuntu 21.04
#
# NOTE(review): this listing was re-wrapped in transit. Several commands are
# merged onto one line or split in the middle, and the download and metadata
# URLs are missing, so it does not run as shown; restore it from the original
# attachment before use.
# NOTE(review): no `set -e` or exit-status checks are visible, so a failed
# step does not stop the later commands that replace /etc.

###### MODIFY

TIMEZONE="Europe/Berlin"
LOCALE="en_US.utf8"
USERNAME="guix"
USER_COMMENT="guix's account"
# Sample password published together with the script: replace it before use.
# write_server_config interpolates it in clear text into $CONFIG, and that
# file is later copied into the new /etc.
USER_PASSWORD="Gq2M6JqNS2W6mgkY"

###### MODIFY END

CONFIG=/etc/bootstrap-config.scm
# Salt argument for (crypt ...) in the generated config. "$6$" selects
# SHA-512 crypt; the salt "abc" is a constant, so every host built with this
# script shares it.
CRYPT='$6$abc'

apt-get update -y
apt-get install curl xz-utils -y
# Uncomment this for Debian 9
# (the sed prefixes the DST_Root_CA_X3 entry in ca-certificates.conf with "!",
# which deselects that certificate when the CA bundle is regenerated)
# sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
# NOTE(review): the next three lines are the remains of several commands
# (certificate refresh, tarball download, cd, unpack, move). No signature or
# checksum verification of the tarball is visible in what survives; the
# upstream binary-install instructions verify the accompanying .sig file --
# confirm against the original script.
&& update-ca-certificates -f wget
/tmp tar --warning=no-timestamp -xf
~/guix-binary-1.3.0.x86_64-linux.tar.xz mv var/guix /var/ && mv gnu /
mkdir -p ~root/.config/guix
ln -sf /var/guix/profiles/per-user/root/current-guix
~root/.config/guix/current export GUIX_PROFILE="`echo
~root`/.config/guix/current" ; source $GUIX_PROFILE/etc/profile
# Unprivileged build users guixbuilder01..guixbuilder10: no home directory
# (/var/empty) and a nologin shell.
groupadd --system guixbuild
for i in `seq -w 1 10`;
do
useradd -g guixbuild -G guixbuild \
-d /var/empty -s `which nologin` \
-c "Guix build user $i" --system \
guixbuilder$i;
done;

cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service
/etc/systemd/system/ systemctl start guix-daemon && systemctl enable
guix-daemon mkdir -p /usr/local/bin
cd /usr/local/bin
ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
mkdir -p /usr/local/share/info
cd /usr/local/share/info
for i in /var/guix/profiles/per-user/root/current-guix/share/info/*; do
ln -s $i; done
# Trust decision: authorizes the ci.guix.gnu.org key shipped in the tarball,
# so archives signed with it are accepted on this host.
guix archive --authorize <
~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub # guix pull
guix package -i glibc-utf8-locales
export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"
guix package -i openssl

# NOTE(review): the three lookups below are truncated (URL and closing
# parenthesis lost). Their results become the static network settings in the
# generated config, so empty values would yield an unusable network setup.
PUBLIC_IPV4=$(curl -s
NETMASK=$(curl -s
GATEWAY=$(curl -s

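# Append the bootstrap operating-system declaration to $CONFIG.
#
# Reads the globals CONFIG, HOSTNAME, TIMEZONE, LOCALE, USERNAME,
# USER_COMMENT, USER_PASSWORD, CRYPT, PUBLIC_IPV4, NETMASK and GATEWAY and
# expands them inside the here-document. Values are pasted between Scheme
# double quotes without escaping, so a value containing `"` or `\` breaks the
# generated file.
#
# Changes from the original: $CONFIG is quoted (a path with spaces no longer
# causes an ambiguous redirect) and the file is made owner-only before the
# clear-text password is written into it.
function write_server_config() {
# The here-document embeds USER_PASSWORD in clear text, so restrict the file
# to its owner before any secret lands in it.
# NOTE(review): `guix system reconfigure` may record a copy of the
# configuration file in the world-readable store -- confirm; a pre-hashed
# password in the config would avoid exposing the clear text.
touch "$CONFIG"
chmod 600 "$CONFIG"
# sshd below is set to (permit-root-login 'without-password): root may log in
# over SSH, but not with a password.
cat >> "$CONFIG" <<EOL
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh certs tls)

(operating-system
(host-name "${HOSTNAME}")
(timezone "${TIMEZONE}")
(locale "${LOCALE}")

(initrd-modules (append (list "virtio_scsi")
%base-initrd-modules))

(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/vda")))
(file-systems (append
(list (file-system
(device "/dev/vda1")
(mount-point "/")
(type "ext4")))
%base-file-systems))

(users (cons (user-account
(name "${USERNAME}")
(comment "${USER_COMMENT}")
(group "users")
(password (crypt "${USER_PASSWORD}" "${CRYPT}"))

(supplementary-groups '("wheel"))
(home-directory "/home/${USERNAME}"))
%base-user-accounts))

;; Globally-installed packages.
(packages (cons* screen openssh nss-certs gnutls %base-packages))

(services (cons* (static-networking-service "eth0" "${PUBLIC_IPV4}"
#:netmask "${NETMASK}"
#:gateway "${GATEWAY}"
#:name-servers '("84.200.69.80" "84.200.70.40"))
(service openssh-service-type
(openssh-configuration
(permit-root-login 'without-password)))
%base-services)))
EOL
}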

# Generate /etc/bootstrap-config.scm, build it, then replace the running
# distribution's /etc with the Guix System one and reboot.
# NOTE(review): none of these steps checks an exit status. If the build or
# the first reconfigure fails, /etc is still moved aside and the machine
# reboots; add a check before the `mv /etc` step when restoring the script.
write_server_config

# guix pull
guix system build /etc/bootstrap-config.scm
# these appear to be necessary on Ubuntu 21.04
mv /etc/ssl /etc/bk_ssl
mv /etc/pam.d /etc/bk_pam.d
mv /etc/skel /etc/bk_skel

guix system reconfigure /etc/bootstrap-config.scm
mv /etc /old-etc
mkdir /etc
# NOTE(review): the next three lines are one `cp -r ... /etc/` command and a
# second `guix system reconfigure`, merged by re-wrapping. The copy carries
# the old account databases (including shadow and gshadow) and
# bootstrap-config.scm, which holds the clear-text password, into the new
# /etc; /old-etc keeps the complete previous tree.
cp -r
/old-etc/{passwd,group,shadow,gshadow,mtab,guix,bootstrap-config.scm}
/etc/ guix system reconfigure /etc/bootstrap-config.scm

reboot
```