Package: guix
Reported by: Florian Hoertlehner <hoertlehner <at> gmail.com>
Date: Sat, 2 Oct 2021 19:51:02 UTC
Severity: normal
To reply to this bug, email your comments to 50977 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org:
From: Florian Hoertlehner <hoertlehner <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: digital-ocean-environment-type fails
Date: Sat, 2 Oct 2021 21:49:49 +0200
guix deploy leads to the following error:

https://api.digitalocean.com/v2/droplets: HTTP post failed: 422 ("Unprocessable Entity")

The token that I use seems to be correct (there comes a different error message when I define an invalid token).

This is the config file:

```
(use-modules (gnu services admin))
(use-service-modules networking ssh web)
(use-package-modules bootloaders ssh)

(define %system
  (operating-system
    (host-name "atlanticocean")
    (timezone "Etc/UTC")
    (bootloader (bootloader-configuration
                 (bootloader grub-bootloader)
                 (target "/dev/vda")
                 (terminal-outputs '(console))))
    (file-systems (cons (file-system
                          (mount-point "/")
                          ;; Must be vda2 or you won't be able to reboot after `guix deploy`.
                          ;; This is because our base image makes an EFI partition at vda1.
                          (device "/dev/vda2")
                          (type "ext4"))
                        %base-file-systems))
    (services
     (append
      (list (service dhcp-client-service-type)
            (service openssh-service-type
                     (openssh-configuration
                      (openssh openssh-sans-x)
                      (password-authentication? #false)
                      (permit-root-login #t)
                      (authorized-keys
                       ;; Authorise our SSH key.
                       `(("root" ,(local-file "id_rsa.pub"))))))
            ;; Security updates, yes please!
            (service unattended-upgrade-service-type)
            ;; Note that Nginx isn't automatically restarted during
            ;; `guix deploy`, so run `herd restart nginx`.
            )
      (modify-services %base-services
        ;; The server must trust the Guix packages you build. If you add the signing-key
        ;; manually it will be overridden on next `guix deploy` giving
        ;; "error: unauthorized public key". This automatically adds the signing-key.
        (guix-service-type config =>
                           (guix-configuration
                            (inherit config)
                            (authorized-keys
                             (append (list (local-file "/etc/guix/signing-key.pub"))
                                     %default-authorized-guix-keys)))))))))

(define c-do
  (digital-ocean-configuration
    (region "nyc1")
    (size "s-1vcpu-1gb")
    (enable-ipv6? #f)
    (ssh-key "/home/f/repo/myLinux/data/ssh/f")
    (tags (list "ubuntu-s-1vcpu-1gb-nyc1-01"))))

(list (machine
       (operating-system %system)
       (environment digital-ocean-environment-type)
       (configuration c-do)))
```
Message #8 received at 50977 <at> debbugs.gnu.org:
From: Franz Geffke <franz <at> pantherx.org>
To: 50977 <at> debbugs.gnu.org
Subject: digital-ocean-environment-type fails
Date: Mon, 18 Oct 2021 12:08:43 +0100
I just ran into the same issue on a droplet in a different region.

The only detail that stands out is that 'private_networking' as seen here [1] has been deprecated on the DO API [2]. I doubt that is the reason this is failing though.

> This parameter has been deprecated. Use vpc_uuid instead to specify a
> VPC network for the Droplet. If no vpc_uuid is provided, the Droplet
> will be placed in your account's default VPC for the region.

[1] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/machine/digital-ocean.scm#n339
[2] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/machine/digital-ocean.scm#n339

Here's the related config:

```
(list (machine
       (operating-system %system)
       (environment digital-ocean-environment-type)
       (configuration (digital-ocean-configuration
                       (region "fra1")
                       (size "s-1vcpu-1gp")
                       (ssh-key "/home/franz/.ssh/do_staging")
                       (tags (list "pantherx" "staging"))
                       (enable-ipv6? #f)))))
```
Message #11 received at 50977 <at> debbugs.gnu.org:
From: Franz Geffke <franz <at> pantherx.org>
To: 50977 <at> debbugs.gnu.org
Subject: digital-ocean-environment-type fails
Date: Mon, 18 Oct 2021 20:40:47 +0100
I've done some more digging. There are various issues with the script that actually converts the Debian 9 Droplet to Guix.

1. The SSL certificates of gnu.org fail on Debian 9 (since end of Sep). This appears to be related to a change in LetsEncrypt root certificates.
2. The guix binary used is rather old.

I don't have time to submit a merge request now. I have adapted the included script to work on Debian 9 (uncomment 1x line), 11 and Ubuntu 21.04. This should be good until the bug has been resolved.

```
#!/bin/bash

# Guix 1.3.0 on DigitalOcean
# Convert Debian 11 or Ubuntu 21.04

###### MODIFY
TIMEZONE="Europe/Berlin"
LOCALE="en_US.utf8"
USERNAME="guix"
USER_COMMENT="guix's account"
USER_PASSWORD="Gq2M6JqNS2W6mgkY"
###### MODIFY END

CONFIG=/etc/bootstrap-config.scm
CRYPT='$6$abc'

apt-get update -y
apt-get install curl xz-utils -y

# Uncomment this for Debian 9
# sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates -f

wget https://ftp.gnu.org/gnu/guix/guix-binary-1.3.0.x86_64-linux.tar.xz
cd /tmp
tar --warning=no-timestamp -xf ~/guix-binary-1.3.0.x86_64-linux.tar.xz
mv var/guix /var/ && mv gnu /
mkdir -p ~root/.config/guix
ln -sf /var/guix/profiles/per-user/root/current-guix ~root/.config/guix/current
export GUIX_PROFILE="`echo ~root`/.config/guix/current" ; source $GUIX_PROFILE/etc/profile
groupadd --system guixbuild
for i in `seq -w 1 10`; do
  useradd -g guixbuild -G guixbuild \
          -d /var/empty -s `which nologin` \
          -c "Guix build user $i" --system \
          guixbuilder$i;
done;
cp ~root/.config/guix/current/lib/systemd/system/guix-daemon.service /etc/systemd/system/
systemctl start guix-daemon && systemctl enable guix-daemon
mkdir -p /usr/local/bin
cd /usr/local/bin
ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix
mkdir -p /usr/local/share/info
cd /usr/local/share/info
for i in /var/guix/profiles/per-user/root/current-guix/share/info/*; do
  ln -s $i;
done
guix archive --authorize < ~root/.config/guix/current/share/guix/ci.guix.gnu.org.pub
# guix pull
guix package -i glibc-utf8-locales
export GUIX_LOCPATH="$HOME/.guix-profile/lib/locale"
guix package -i openssl

HOSTNAME=$(curl -s http://169.254.169.254/metadata/v1/hostname)
PUBLIC_IPV4=$(curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address)
NETMASK=$(curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/netmask)
GATEWAY=$(curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/gateway)

function write_server_config() {
cat >> $CONFIG <<EOL
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh certs tls)

(operating-system
  (host-name "${HOSTNAME}")
  (timezone "${TIMEZONE}")
  (locale "${LOCALE}")
  (initrd-modules (append (list "virtio_scsi") %base-initrd-modules))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/vda")))
  (file-systems (append
                 (list (file-system
                         (device "/dev/vda1")
                         (mount-point "/")
                         (type "ext4")))
                 %base-file-systems))
  (users (cons (user-account
                (name "${USERNAME}")
                (comment "${USER_COMMENT}")
                (group "users")
                (password (crypt "${USER_PASSWORD}" "${CRYPT}"))
                (supplementary-groups '("wheel"))
                (home-directory "/home/${USERNAME}"))
               %base-user-accounts))
  ;; Globally-installed packages.
  (packages (cons* screen openssh nss-certs gnutls %base-packages))
  (services (cons*
             (static-networking-service "eth0" "${PUBLIC_IPV4}"
                                        #:netmask "${NETMASK}"
                                        #:gateway "${GATEWAY}"
                                        #:name-servers '("84.200.69.80" "84.200.70.40"))
             (service openssh-service-type
                      (openssh-configuration
                       (permit-root-login 'without-password)))
             %base-services)))
EOL
}

write_server_config

# guix pull
guix system build /etc/bootstrap-config.scm

# these appear to be necessary on Ubuntu 21.04
mv /etc/ssl /etc/bk_ssl
mv /etc/pam.d /etc/bk_pam.d
mv /etc/skel /etc/bk_skel

guix system reconfigure /etc/bootstrap-config.scm
mv /etc /old-etc
mkdir /etc
cp -r /old-etc/{passwd,group,shadow,gshadow,mtab,guix,bootstrap-config.scm} /etc/
guix system reconfigure /etc/bootstrap-config.scm
reboot
```
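
An added example, not part of the message above or of Guix: the script writes whatever the metadata service at 169.254.169.254 returns straight into /etc/bootstrap-config.scm and then reboots into that static network configuration, so an empty or malformed reply is worth catching first. The function names (`valid_ipv4`, `valid_hostname`, `check_metadata`) and the sample values are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): validate metadata values before
# they are templated into /etc/bootstrap-config.scm.

# True only for a dotted quad with four decimal octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True only for letters, digits, dots and hyphens, at most 253 characters,
# with no empty label and no label starting or ending in a hyphen. Quotes,
# backslashes and newlines, which would break the Scheme string, are rejected.
valid_hostname() {
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    case "$1" in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# Arguments: hostname, address, netmask, gateway. Reports every bad value.
check_metadata() {
    status=0
    valid_hostname "$1" || { echo "bad hostname: '$1'" >&2; status=1; }
    valid_ipv4 "$2"     || { echo "bad address: '$2'" >&2; status=1; }
    valid_ipv4 "$3"     || { echo "bad netmask: '$3'" >&2; status=1; }
    valid_ipv4 "$4"     || { echo "bad gateway: '$4'" >&2; status=1; }
    return "$status"
}

# Constructed sample values (documentation address range), not real metadata.
check_metadata "atlanticocean" "203.0.113.10" "255.255.240.0" "203.0.113.1" \
    && echo "metadata ok"
```

In the conversion script this would be called on the four `curl` results, exiting before `write_server_config` when it fails.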