digital-ocean-environment-type fails

Status: Open
Participants: Franz Geffke, Florian Hoertlehner
Owner: unassigned
Submitted by: Florian Hoertlehner
Severity: normal
Florian Hoertlehner wrote on 2 Oct 2021 21:49
(address . bug-guix@gnu.org)
CADXXfWk7DFjDNcxZ6f4Qsk3HiFpNz6m-0fm4pwYsjo58Kn6z1A@mail.gmail.com
guix deploy leads to the following error:
("Unprocessable Entity")

The token that I use seems to be correct (there comes a different error
message when I define an invalid token).

This is the config file:


```
(use-modules
 (gnu services admin))

(use-service-modules networking ssh web)
(use-package-modules bootloaders ssh)

(define %system
  (operating-system
    (host-name "atlanticocean")
    (timezone "Etc/UTC")
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (target "/dev/vda")
                 (terminal-outputs '(console))))
    (file-systems (cons (file-system
                          (mount-point "/")
                          ;; Must be vda2 or you won't be able to reboot after `guix deploy`.
                          ;; This is because our base image makes an EFI partition at vda1.
                          (device "/dev/vda2")
                          (type "ext4"))
                        %base-file-systems))
    (services
     (append (list (service dhcp-client-service-type)
                   (service openssh-service-type
                            (openssh-configuration
                             (openssh openssh-sans-x)
                             (password-authentication? #false)
                             (permit-root-login #t)
                             (authorized-keys
                              ;; Authorise our SSH key.
                              `(("root" ,(local-file "id_rsa.pub"))))))
                   ;; Security updates, yes please!
                   (service unattended-upgrade-service-type)
                   ;; Note that Nginx isn't automatically restarted during
                   ;; `guix deploy`, so run `herd restart nginx`.
                   )
             (modify-services %base-services
               ;; The server must trust the Guix packages you build. If you add the signing-key
               ;; manually it will be overridden on next `guix deploy` giving
               ;; "error: unauthorized public key". This automatically adds the signing-key.
               (guix-service-type config =>
                                  (guix-configuration
                                   (inherit config)
                                   (authorized-keys
                                    (append (list (local-file "/etc/guix/signing-key.pub"))
                                            %default-authorized-guix-keys)))))))))


(define c-do
  (digital-ocean-configuration
   (region "nyc1")
   (size "s-1vcpu-1gb")
   (enable-ipv6? #f)
   (ssh-key "/home/f/repo/myLinux/data/ssh/f")
   (tags (list "ubuntu-s-1vcpu-1gb-nyc1-01"))))


(list (machine
       (operating-system %system)
       (environment digital-ocean-environment-type)
       (configuration c-do)))
```
Franz Geffke wrote on 18 Oct 2021 13:08
(address . 50977@debbugs.gnu.org)
20211018120843.6b5ef6e0@pantherx.org
I just ran into the same issue on a droplet in a different region.

The only detail that stands out is that 'private_networking' as seen
here [1] has been deprecated on the DO API [2]. I doubt that is the
reason this is failing though.

> This parameter has been deprecated. Use vpc_uuid instead to specify a
> VPC network for the Droplet. If no vpc_uuid is provided, the Droplet
> will be placed in your account's default VPC for the region.

[1]
[2]

Here's the related config:

```
(list (machine
       (operating-system %system)
       (environment digital-ocean-environment-type)
       (configuration (digital-ocean-configuration
                       (region "fra1")
                       (size "s-1vcpu-1gp")
                       (ssh-key "/home/franz/.ssh/do_staging")
                       (tags (list "pantherx" "staging"))
                       (enable-ipv6? #f)))))
```
Franz Geffke wrote on 18 Oct 2021 21:40
(address . 50977@debbugs.gnu.org)
20211018204047.0473e078@pantherx.org
I've done some more digging. There are various issues with the script
that actually converts the Debian 9 Droplet to Guix.

1. The SSL certificates of gnu.org fail on Debian 9 (since end of Sep).
This appears to be related to a change in LetsEncrypt root certificates
2. The guix binary used is rather old

I don't have time to submit a merge request now. I have adapted the
included script to work on Debian 9 (uncomment 1x line), 11 and Ubuntu
21.04. This should be good until the bug has been resolved.

```
#!/bin/bash

# Guix 1.3.0 on DigitalOcean
# Convert Debian 11 or Ubuntu 21.04

###### MODIFY

TIMEZONE="Europe/Berlin"
LOCALE="en_US.utf8"
USERNAME="guix"
USER_COMMENT="guix's account"
USER_PASSWORD="Gq2M6JqNS2W6mgkY"

###### MODIFY END

CONFIG=/etc/bootstrap-config.scm
CRYPT='$6$abc'

apt-get update -y
apt-get install curl xz-utils -y
# Uncomment this for Debian 9
# sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates -f
wget
cd /tmp
tar --warning=no-timestamp -xf ~/guix-binary-1.3.0.x86_64-linux.tar.xz
mv var/guix /var/ && mv gnu /
mkdir -p ~root/.config/guix
ln -sf /var/guix/profiles/per-user/root/current-guix ~root/.config/guix/current
export GUIX_PROFILE="`echo ~root`/.config/guix/current" ; source $GUIX_PROFILE/etc/profile
groupadd --system guixbuild
for i in `seq -w 1 10`;
do
useradd -g guixbuild -G guixbuild \
-d /var/empty -s `which nologin` \
-c "Guix build user $i" --system \
guixbuilder$i;
done;

cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service /etc/systemd/system/
systemctl start guix-daemon && systemctl enable guix-daemon
mkdir -p /usr/local/bin
cd /usr/local/bin
ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
mkdir -p /usr/local/share/info
cd /usr/local/share/info
for i in /var/guix/profiles/per-user/root/current-guix/share/info/*; do
ln -s $i; done
guix archive --authorize < ~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub
# guix pull
guix package -i glibc-utf8-locales
export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"
guix package -i openssl

PUBLIC_IPV4=$(curl -s
NETMASK=$(curl -s
GATEWAY=$(curl -s

function write_server_config() {
cat >> $CONFIG <<EOL
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh certs tls)

(operating-system
(host-name "${HOSTNAME}")
(timezone "${TIMEZONE}")
(locale "${LOCALE}")

(initrd-modules (append (list "virtio_scsi")
%base-initrd-modules))

(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/vda")))
(file-systems (append
(list (file-system
(device "/dev/vda1")
(mount-point "/")
(type "ext4")))
%base-file-systems))

(users (cons (user-account
(name "${USERNAME}")
(comment "${USER_COMMENT}")
(group "users")
(password (crypt "${USER_PASSWORD}" "${CRYPT}"))

(supplementary-groups '("wheel"))
(home-directory "/home/${USERNAME}"))
%base-user-accounts))

;; Globally-installed packages.
(packages (cons* screen openssh nss-certs gnutls %base-packages))

(services (cons* (static-networking-service "eth0" "${PUBLIC_IPV4}"
#:netmask "${NETMASK}"
#:gateway "${GATEWAY}"
#:name-servers '("84.200.69.80" "84.200.70.40"))
(service openssh-service-type
(openssh-configuration
(permit-root-login 'without-password)))
%base-services)))
EOL
}

write_server_config

# guix pull
guix system build /etc/bootstrap-config.scm
# these appear to be the necessary on Ubuntu 21.04
mv /etc/ssl /etc/bk_ssl
mv /etc/pam.d /etc/bk_pam.d
mv /etc/skel /etc/bk_skel

guix system reconfigure /etc/bootstrap-config.scm
mv /etc /old-etc
mkdir /etc
cp -r /old-etc/{passwd,group,shadow,gshadow,mtab,guix,bootstrap-config.scm} /etc/
guix system reconfigure /etc/bootstrap-config.scm

reboot
```
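
The script above ships a fixed USER_PASSWORD and a constant salt (CRYPT='$6$abc'), both interpolated into /etc/bootstrap-config.scm. The following is an added example, not part of Franz Geffke's message or of Guix: it generates both values per run and checks that they are safe to interpolate. The function names, the 24-character length and the file handling are assumptions.

```bash
# Added example: generate the values the bootstrap script hard-codes as
# USER_PASSWORD and CRYPT, and keep the rendered config owner-readable only.

# Print $1 random characters drawn from the tr(1) set $2. Reading bounded
# chunks with head keeps every process in the pipeline exiting normally.
gen_token() {
    _out=""
    while [ "${#_out}" -lt "$1" ]; do
        _out=$_out$(head -c 256 /dev/urandom | LC_ALL=C tr -dc "$2")
    done
    printf "%.${1}s" "$_out"
}

# SHA-512 crypt(3) salt: "$6$" followed by 16 characters from [A-Za-z0-9./].
make_crypt_salt() {
    printf '$6$%s' "$(gen_token 16 'A-Za-z0-9./')"
}

# Succeed only if $1 can be pasted into a Scheme "..." literal unescaped,
# which is how the heredoc in the script interpolates its variables.
scheme_safe() {
    case $1 in
        *'"'*|*'\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the (password ...) field to a new file $1 with mode 0600.
# $2 is the password, $3 the salt; refuses values that break the quoting.
write_password_field() {
    scheme_safe "$2" && scheme_safe "$3" || return 1
    ( umask 077
      rm -f "$1"
      cat > "$1" <<EOL
(password (crypt "$2" "$3"))
EOL
    )
}

# Replacement for the two literals in the script: fresh values on every run.
USER_PASSWORD=$(gen_token 24 'A-Za-z0-9')
CRYPT=$(make_crypt_salt)
```

The generated salt keeps the "$6$" prefix the script already passes to crypt, so the (password (crypt ...)) line needs no change. The cleartext password still ends up in the config file, which is why the file is created with mode 0600.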