GNU bug report logs - #46760
guix deploy doesn't seem to be authorizing the machine that is deploying to the remote


Package: guix;

Reported by: pkill9 <pkill9 <at> runbox.com>

Date: Wed, 24 Feb 2021 23:57:02 UTC

Severity: normal

To reply to this bug, email your comments to 46760 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#46760; Package guix. (Wed, 24 Feb 2021 23:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to pkill9 <pkill9 <at> runbox.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 24 Feb 2021 23:57:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: pkill9 <pkill9 <at> runbox.com>
To: bug-guix <at> gnu.org
Subject: guix deploy doesn't seem to be authorizing the machine that is
 deploying to the remote
Date: Wed, 24 Feb 2021 23:56:08 +0000
I'm using the machine-ssh-configuration, I set `(authorize? #t)` which
the manual states should authorize the deploying machine onto the
remote host, but I get an error:
```
guix deploy: error: unauthorized public key: (public-key...
```

So I add to the OS definition:

```
(guix-configuration
 (authorized-keys (append `(,(local-file "/etc/guix/signing-key.pub"))
                          %default-authorized-guix-keys)))
```

Which makes the error go away. I'm under the impression however that
the 'authorize? #t' field should be doing this without me needing to
add it to the OS configuration.




Information forwarded to bug-guix <at> gnu.org:
bug#46760; Package guix. (Thu, 23 Sep 2021 08:19:02 GMT) Full text and rfc822 format available.

Message #8 received at 46760 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Tropin <andrew <at> trop.in>
To: pkill9 <pkill9 <at> runbox.com>, 46760 <at> debbugs.gnu.org
Subject: Re: bug#46760: guix deploy doesn't seem to be authorizing the
 machine that is deploying to the remote
Date: Thu, 23 Sep 2021 11:18:47 +0300
On 2021-02-24 23:56, pkill9 wrote:

> I'm using the machine-ssh-configuration, I set `(authorize? #t)` which
> the manual states should authorize the deploying machine onto the
> remote host, but I get an error:
> ```
> guix deploy: error: unauthorized public key: (public-key...
> ```
>
> So I add to the OS definition:
>
> ```
> (guix-configuration
>  (authorized-keys (append `(,(local-file "/etc/guix/signing-key.pub"))
>                           %default-authorized-guix-keys)))
> ```
>
> Which makes the error go away. I'm under the impression however that
> the 'authorize? #t' field should be doing this without me needing to
> add it to the OS configuration.

`(authorize? #t)` seems to be working: it does `guix archive --authorize <
local-key` on the remote machine before reconfiguring, but after
reconfiguration is finished the value of /etc/guix/acl is reset by
guix-service-type and for some reason the error message you mentioned
appears.  Despite the error message, the new generation is created and
the new configuration is applied.  It seems something like copying an
auxiliary file to the remote store happens after reconfiguration is
finished.  I will try to investigate that when I have some free time.

For now I do the same trick with changing the configuration for
guix-service-type:
https://diode.zone/w/fJNN6ExYA35NC19BRiHw2L?start=37m5s

Information forwarded to bug-guix <at> gnu.org:
bug#46760; Package guix. (Thu, 28 Oct 2021 01:26:01 GMT) Full text and rfc822 format available.

Message #11 received at 46760 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Andrew Tropin <andrew <at> trop.in>
Cc: 46760 <at> debbugs.gnu.org, pkill9 <pkill9 <at> runbox.com>
Subject: Re: bug#46760: guix deploy doesn't seem to be authorizing the
 machine that is deploying to the remote
Date: Wed, 27 Oct 2021 21:25:04 -0400
Hello,

Andrew Tropin <andrew <at> trop.in> writes:

> On 2021-02-24 23:56, pkill9 wrote:
>
>> I'm using the machine-ssh-configuration, I set `(authorize? #t)` which
>> the manual states should authorize the deploying machine onto the
>> remote host, but I get an error:
>> ```
>> guix deploy: error: unauthorized public key: (public-key...
>> ```
>>
>> So I add to the OS definition:
>>
>> ```
>> (guix-configuration
>>  (authorized-keys (append `(,(local-file "/etc/guix/signing-key.pub"))
>>                           %default-authorized-guix-keys)))
>> ```
>>
>> Which makes the error go away. I'm under the impression however that
>> the 'authorize? #t' field should be doing this without me needing to
>> add it to the OS configuration.
>
> `(authorize? #t)` seems to be working: it does `guix archive --authorize <
> local-key` on the remote machine before reconfiguring, but after
> reconfiguration is finished the value of /etc/guix/acl is reset by
> guix-service-type and for some reason the error message you mentioned
> appears.  Despite the error message, the new generation is created and
> the new configuration is applied.  It seems something like copying an
> auxiliary file to the remote store happens after reconfiguration is
> finished.  I will try to investigate that when I have some free time.
>
> For now I do the same trick with changing the configuration for
> guix-service-type:
> https://diode.zone/w/fJNN6ExYA35NC19BRiHw2L?start=37m5s

It probably has to do with commit
3b6e4e5fd05e72b8a32ff1a2d5e21464260e21e6, which made /etc/guix/acl
declarative by default.

Thanks,

Maxim
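
The workaround discussed in this thread, written out as a whole deployment file. This is an added example, not code posted by any participant: the deploying machine's signing key is declared in the target's `guix-configuration`, so it is still in /etc/guix/acl after guix-service-type rewrites that file during reconfiguration. Host names, devices and the SSH settings are placeholder assumptions; /etc/guix/signing-key.pub is read on the deploying machine.

```scheme
;; deploy.scm -- added example; placeholders are marked as such.
(use-modules (gnu) (gnu machine) (gnu machine ssh))
(use-service-modules base networking ssh)

;; Public half of the deploying machine's archive signing key.
(define %deployer-key
  (local-file "/etc/guix/signing-key.pub"))

(define %target-os
  (operating-system
    (host-name "target")                        ; placeholder
    (timezone "Etc/UTC")
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (targets '("/dev/sda"))))      ; placeholder
    (file-systems (cons (file-system
                          (mount-point "/")
                          (device "/dev/sda1")  ; placeholder
                          (type "ext4"))
                        %base-file-systems))
    (services
     (append
      (list (service dhcp-client-service-type)
            ;; Assumption: deployment logs in as root with an SSH key.
            (service openssh-service-type
                     (openssh-configuration
                      (permit-root-login 'prohibit-password))))
      (modify-services %base-services
        ;; Declare the key here: the ACL is generated from this list,
        ;; so an imperative `guix archive --authorize` does not persist.
        (guix-service-type config =>
          (guix-configuration
           (inherit config)
           (authorized-keys
            (cons %deployer-key %default-authorized-guix-keys)))))))))

(list (machine
       (operating-system %target-os)
       (environment managed-host-environment-type)
       (configuration
        (machine-ssh-configuration
         (host-name "target.example.org")       ; placeholder
         (system "x86_64-linux")
         (user "root")
         (authorize? #t)))))
```

Every key in `authorized-keys` is trusted to sign store items the target will import, so the list should hold only the deploying hosts that need it.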




This bug report was last modified 2 years and 181 days ago.
