GNU bug report logs - #68733
[PATCH] machine: ssh: Add 'graft?' field.

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix-patches; Reported by: Herman Rimm <herman@HIDDEN>; Keywords: moreinfo patch; dated Fri, 26 Jan 2024 11:07:01 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.
Added tag(s) moreinfo. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 68733 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Herman Rimm <herman@HIDDEN>
Subject: Re: [bug#68733] [PATCH] machine: ssh: Add 'graft?' field.
In-Reply-To: <1eb737122611aa921fb8ec0257de0cb5aad5022e.1706266770.git.herman@HIDDEN>
 (Herman Rimm's message of "Fri, 26 Jan 2024 11:59:30 +0100")
References: <1eb737122611aa921fb8ec0257de0cb5aad5022e.1706266770.git.herman@HIDDEN>
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
Date: Mon, 29 Jan 2024 14:17:09 +0100
Message-ID: <87ede0qnxm.fsf@HIDDEN>
Cc: Josselin Poiret <dev@HIDDEN>,
 Simon Tournier <zimon.toutoune@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>, 68733 <at> debbugs.gnu.org,
 Ricardo Wurmus <rekado@HIDDEN>, Christopher Baines <guix@HIDDEN>

Hi,

Herman Rimm <herman@HIDDEN> skribis:

> * gnu/machine/ssh.scm (<machine-ssh-configuration>)[graft?]: New field.
> * gnu/scripts/deploy.scm (deploy-machine*): Reparameterize %graft?.
> * doc/guix.texi (Invoking guix deploy): Document it.
>
> Change-Id: Ide83bb465c9f30165f4ddc64e48c1b89484e3e69
> ---
> Hi,
>
> This patch allows disabling grafts per machine by way of a new graft?
> field for machine-ssh-configuration. I don't know what happens when a
> digital-ocean-configuration is used. But that won't matter if %graft?
> can be parameterized in (deploy-managed-host machine) in /gnu/machine/
> ssh.scm. However if %graft? is parameterized alongside %current-system,
> it does not affect grafting. Where should %graft? be parameterized?

[...]

> +@item @code{graft?} (default: @code{#t})
> +If false, system derivations will be built without applying any grafts onto
> +packages. Grafting should be disabled for deployment to machines with a
> +differing architecture.

When deploying to a different architecture, is it enough to set
(build-locally? #f) ?

Now, this field only exists for ‘machine-ssh-configuration’ and not for
Digital Ocean, but perhaps we could add it there?

Overall, I think we should cater to this use case (deploying to a
different architecture) without requiring users to disable grafts,
because that’d be exposing them to security vulnerabilities.

Thanks,
Ludo’.
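A machine declaration contrasting the two knobs discussed above, as an added example that is not part of the patch or of the Guix manual: the first form uses the graft? field this patch proposes (it is only valid once the patch is applied), the second keeps grafts on and relies on build-locally? set to #f so the target builds or substitutes its own aarch64 derivations, which is the direction Ludovic's reply points to. Whether build-locally? #f alone covers cross-architecture deployment is left open in the thread, so that form is an assumption; the host name, identity path, disk layout and the placeholder operating system are likewise made up for illustration.

```scheme
;; Added example (not from the patch or the Guix manual).  Values marked
;; "placeholder" are assumptions; the 'graft?' field exists only once
;; this patch is applied.
(use-modules (gnu) (gnu machine) (gnu machine ssh))

;; Minimal placeholder system for an aarch64 target.
(define %arm-os
  (operating-system
    (host-name "arm-box")
    (timezone "Etc/UTC")
    (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets '("/boot/efi"))))
    (file-systems (cons (file-system
                          (device "/dev/sda2")   ; placeholder
                          (mount-point "/")
                          (type "ext4"))
                        %base-file-systems))))

;; Form 1, what this patch enables: turn grafts off for this machine.
;; The deployed system then lacks the security fixes Guix ships as
;; grafts, which is the cost the reply above objects to.
(define %arm-without-grafts
  (machine
   (operating-system %arm-os)
   (environment managed-host-environment-type)
   (configuration
    (machine-ssh-configuration
     (host-name "arm-box.example.org")        ; placeholder
     (system "aarch64-linux")
     (user "root")
     (identity "/root/.ssh/id_ed25519")       ; placeholder
     (build-locally? #f)
     (graft? #f)))))

;; Form 2, the direction the reply points to: keep grafts on and let
;; the target build (or fetch substitutes for) its own architecture.
;; Whether this alone suffices is the open question in the thread.
(define %arm-with-grafts
  (machine
   (operating-system %arm-os)
   (environment managed-host-environment-type)
   (configuration
    (machine-ssh-configuration
     (host-name "arm-box.example.org")        ; placeholder
     (system "aarch64-linux")
     (user "root")
     (identity "/root/.ssh/id_ed25519")       ; placeholder
     (build-locally? #f)))))

;; 'guix deploy FILE' deploys every machine in the list FILE returns;
;; keep only the form you actually want.
(list %arm-with-grafts)
```

Run it with `guix deploy FILE`. The point of keeping the two forms side by side is that only the second preserves grafted security fixes on the target; if the first is ever needed, it should be a documented exception rather than the default for cross-architecture hosts.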




Information forwarded to guix-patches@HIDDEN:
bug#68733; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Herman Rimm <herman@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] machine: ssh: Add 'graft?' field.
Date: Fri, 26 Jan 2024 11:59:30 +0100
Message-ID: <1eb737122611aa921fb8ec0257de0cb5aad5022e.1706266770.git.herman@HIDDEN>
X-Debbugs-Cc: Christopher Baines <guix@HIDDEN>, Josselin Poiret <dev@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Mathieu Othacehe <othacehe@HIDDEN>, Ricardo Wurmus <rekado@HIDDEN>, Simon Tournier <zimon.toutoune@HIDDEN>, Tobias Geerinckx-Rice <me@HIDDEN>
Cc: Herman Rimm <herman@HIDDEN>

* gnu/machine/ssh.scm (<machine-ssh-configuration>)[graft?]: New field.
* gnu/scripts/deploy.scm (deploy-machine*): Reparameterize %graft?.
* doc/guix.texi (Invoking guix deploy): Document it.

Change-Id: Ide83bb465c9f30165f4ddc64e48c1b89484e3e69
---
Hi,

This patch allows disabling grafts per machine by way of a new graft?
field for machine-ssh-configuration. I don't know what happens when a
digital-ocean-configuration is used. But that won't matter if %graft?
can be parameterized in (deploy-managed-host machine) in /gnu/machine/
ssh.scm. However if %graft? is parameterized alongside %current-system,
it does not affect grafting. Where should %graft? be parameterized?

Cheers,
Herman
 doc/guix.texi           |  5 ++++
 gnu/machine/ssh.scm     | 10 ++++---
 guix/scripts/deploy.scm | 58 ++++++++++++++++++++++-------------------
 3 files changed, 42 insertions(+), 31 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index db0c751ded..2e316ae709 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -124,6 +124,7 @@
 Copyright @copyright{} 2023 Saku Laesvuori@*
 Copyright @copyright{} 2023 Graham James Addis@*
 Copyright @copyright{} 2023 Tomas Volf@*
+Copyright @copyright{} 2024 Herman Rimm@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -42359,6 +42360,10 @@ Invoking guix deploy
 @item @code{authorize?} (default: @code{#t})
 If true, the coordinator's signing key will be added to the remote's ACL
 keyring.
+@item @code{graft?} (default: @code{#t})
+If false, system derivations will be built without applying any grafts onto
+packages. Grafting should be disabled for deployment to machines with a
+differing architecture.
 @item @code{port} (default: @code{22})
 @item @code{user} (default: @code{"root"})
 @item @code{identity} (default: @code{#f})
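Review bot: the new @code{graft?} entry instructs users that grafting "should be disabled" for cross-architecture deployment without stating the cost: grafts are how Guix applies security fixes to already-built packages, so a system deployed with @code{graft?} set to @code{#f} ships without those fixes. The text should say so plainly and present the setting as a last resort, and it should say why a differing architecture needs it at all; the reply in this thread asks whether @code{build-locally?} set to @code{#f} already covers that case, which is worth settling before documenting a workaround.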
diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
index b5984dc732..881576ff74 100644
--- a/gnu/machine/ssh.scm
+++ b/gnu/machine/ssh.scm
@@ -63,6 +63,7 @@ (define-module (gnu machine ssh)
             machine-ssh-configuration-build-locally?
             machine-ssh-configuration-authorize?
             machine-ssh-configuration-allow-downgrades?
+            machine-ssh-configuration-graft?
             machine-ssh-configuration-port
             machine-ssh-configuration-user
             machine-ssh-configuration-host-key
@@ -95,6 +96,8 @@ (define-record-type* <machine-ssh-configuration> machine-ssh-configuration
                   (default #t))
   (allow-downgrades? machine-ssh-configuration-allow-downgrades? ; boolean
                      (default #f))
+  (graft?         machine-ssh-configuration-graft?         ; boolean
+                  (default #t))
   (safety-checks?    machine-ssh-configuration-safety-checks? ;boolean
                      (default #t))
   (port           machine-ssh-configuration-port           ; integer
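Review bot: the field is added to <machine-ssh-configuration> only, but nothing in this patch restricts its use to SSH-managed hosts; the accessor is later called from guix/scripts/deploy.scm on every machine's configuration regardless of environment type. Either add an equivalent field to the other configuration records or have the caller test the record's predicate (machine-ssh-configuration?, assuming the usual define-record-type* naming) before calling machine-ssh-configuration-graft?.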
@@ -489,12 +492,10 @@ (define (deploy-managed-host machine)
   "Internal implementation of 'deploy-machine' for MACHINE instances with an
 environment type of 'managed-host."
   (define config (machine-configuration machine))
-  (define host   (machine-ssh-configuration-host-name config))
   (define system (machine-ssh-configuration-system config))
 
   (maybe-raise-unsupported-configuration-error machine)
-  (when (machine-ssh-configuration-authorize?
-         (machine-configuration machine))
+  (when (machine-ssh-configuration-authorize? config)
     (unless (file-exists? %public-key-file)
       (raise (formatted-message (G_ "no signing key '~a'. \
 Have you run 'guix archive --generate-key'?")
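Review bot: dropping the top-level `host` definition and simplifying the `authorize?` test to `(machine-ssh-configuration-authorize? config)` is a cleanup unrelated to the `graft?` field and is not mentioned in the commit message; split it into its own commit so the functional change stays reviewable. Note that this hunk changes nothing about grafting, so the `(deploy-managed-host machine)` location the cover letter asks about remains untouched by the patch.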
@@ -512,7 +513,8 @@ (define (deploy-managed-host machine)
     ;; %BASE-INITRD-MODULES, gets to see the right value.
     (parameterize ((%current-system system)
                    (%current-target-system #f))
-      (let* ((os (machine-operating-system machine))
+      (let* ((host (machine-ssh-configuration-host-name config))
+             (os (machine-operating-system machine))
              (eval (cut machine-remote-eval machine <>))
              (menu-entries (map boot-parameters->menu-entry boot-parameters))
              (bootloader-configuration (operating-system-bootloader os))
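Review bot: `host` is re-introduced here inside the `let*` under `parameterize`, after the previous hunk removed it from the function's top-level definitions. That is only safe if every use of `host` in `deploy-managed-host` lies within this `let*`; the diff does not show the rest of the body, so please confirm (or state in the commit message) that no reference to `host` remains between the removed `define` and this `parameterize`, otherwise it becomes an unbound variable at run time.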
diff --git a/guix/scripts/deploy.scm b/guix/scripts/deploy.scm
index 4b1a603049..8ffc45e8c3 100644
--- a/guix/scripts/deploy.scm
+++ b/guix/scripts/deploy.scm
@@ -20,6 +20,7 @@
 
 (define-module (guix scripts deploy)
   #:use-module (gnu machine)
+  #:use-module (gnu machine ssh)
   #:use-module (guix discovery)
   #:use-module (guix scripts)
   #:use-module (guix scripts build)
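Review bot: importing (gnu machine ssh) into the generic deploy driver ties guix/scripts/deploy.scm to one environment type, which is the wrong layer for a per-machine grafting policy; keeping it in the machine's own deployment code would avoid the dependency. Separately, the ChangeLog entry names this file as gnu/scripts/deploy.scm, which does not match the path in the diff; correct it in the commit message.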
@@ -138,35 +139,38 @@ (define (deploy-machine* store machine)
   (info (G_ "deploying to ~a...~%")
         (machine-display-name machine))
 
-  (guard* (c
-           ;; On Guile 3.0, exceptions such as 'unbound-variable' are compound
-           ;; and include a '&message'.  However, that message only contains
-           ;; the format string.  Thus, special-case it here to avoid
-           ;; displaying a bare format string.
-           (((exception-predicate &exception-with-kind-and-args) c)
-            (raise c))
+  (define config (machine-configuration machine))
+  (define graft? (machine-ssh-configuration-graft? config))
+  (parameterize ((%graft? (and (%graft?) graft?)))
+    (guard* (c
+             ;; On Guile 3.0, exceptions such as 'unbound-variable' are compound
+             ;; and include a '&message'.  However, that message only contains
+             ;; the format string.  Thus, special-case it here to avoid
+             ;; displaying a bare format string.
+             (((exception-predicate &exception-with-kind-and-args) c)
+              (raise c))
 
-           ((message-condition? c)
-            (leave (G_ "failed to deploy ~a: ~a~%")
-                   (machine-display-name machine)
-                   (condition-message c)))
-           ((formatted-message? c)
-            (leave (G_ "failed to deploy ~a: ~a~%")
-                   (machine-display-name machine)
-                   (apply format #f
-                          (gettext (formatted-message-string c)
-                                   %gettext-domain)
-                          (formatted-message-arguments c))))
-           ((deploy-error? c)
-            (when (deploy-error-should-roll-back c)
-              (info (G_ "rolling back ~a...~%")
-                    (machine-display-name machine))
-              (run-with-store store (roll-back-machine machine)))
-            (apply throw (deploy-error-captured-args c))))
-      (run-with-store store (deploy-machine machine))
+             ((message-condition? c)
+              (leave (G_ "failed to deploy ~a: ~a~%")
+                     (machine-display-name machine)
+                     (condition-message c)))
+             ((formatted-message? c)
+              (leave (G_ "failed to deploy ~a: ~a~%")
+                     (machine-display-name machine)
+                     (apply format #f
+                            (gettext (formatted-message-string c)
+                                     %gettext-domain)
+                            (formatted-message-arguments c))))
+             ((deploy-error? c)
+              (when (deploy-error-should-roll-back c)
+                (info (G_ "rolling back ~a...~%")
+                      (machine-display-name machine))
+                (run-with-store store (roll-back-machine machine)))
+              (apply throw (deploy-error-captured-args c))))
+        (run-with-store store (deploy-machine machine))
 
-    (info (G_ "successfully deployed ~a~%")
-          (machine-display-name machine))))
+      (info (G_ "successfully deployed ~a~%")
+            (machine-display-name machine)))))
 
 (define (invoke-command store machine command)
   "Invoke COMMAND, a list of strings, on MACHINE.  Display its output (if any)
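Review bot: `(machine-ssh-configuration-graft? config)` is evaluated for every machine before any check that `config` is actually a `<machine-ssh-configuration>`; for a machine with another environment type the record accessor raises a wrong-type error, and because the two `define`s sit before `guard*`, that error is not even routed through the "failed to deploy" handler. Guard it, for instance `(define graft? (or (not (machine-ssh-configuration? config)) (machine-ssh-configuration-graft? config)))` assuming the record's predicate, or move the `parameterize` into `deploy-managed-host`. Two smaller points: `(and (%graft?) graft?)` correctly lets a `--no-grafts` on the command line win, but the `parameterize` also wraps `roll-back-machine`, so a rollback after a failed deploy runs with grafts disabled as well, which should be deliberate and documented; and placing the `define` forms after the `(info ...)` call mixes definitions with expressions in the body, so for readability keep them at the top.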

base-commit: cdf1d7dded027019f0ebbd5d6f0147b13dfdd28d
-- 
2.41.0





Acknowledgement sent to Herman Rimm <herman@HIDDEN>:
New bug report received and forwarded. Copy sent to guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN. Full text available.
Report forwarded to guix@HIDDEN, dev@HIDDEN, ludo@HIDDEN, othacehe@HIDDEN, rekado@HIDDEN, zimon.toutoune@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:
bug#68733; Package guix-patches. Full text available.
Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.