GNU bug report logs - #52533
guix deploy breaks SSH access with a PAM error


Package: guix; Severity: important; Reported by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>; dated Thu, 16 Dec 2021 04:46:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 52533 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Cc: Mathieu Othacehe <othacehe@HIDDEN>, 52533 <at> debbugs.gnu.org
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
Date: Mon, 17 Jan 2022 17:13:17 +0100

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> Ludovic Courtès <ludo@HIDDEN> writes:
>
> [...]
>
>> sshd could also be started via socket activation; ‘sshd’ subprocesses
>> corresponding to existing logins would be unaffected.
>>
>>> Also, it seems to me inetd can already do "socket activation", if this
>>> was somehow useful.
>>
>> Yes, inetd can do that.  It would be nicer though to have it all
>> integrated in the Shepherd.
>
> I'm not sure.  The beauty of Shepherd, in my eyes, when compared to
> other init systems, is that it is lean and clean.  Leveraging what's
> already out there (and part of GNU) seems an obvious path to me, as it:
>
> 1. Means less code to write, document and maintain.
> 2. Creates more cohesion between various components of the GNU project.

Heheh, Guix was started to address #2 actually.  Today, I think #2 is
okay but should not be an obstacle.

As for #1, sure, but Shepherd will need to grow a proper event loop
anyway, so socket activation won’t make much of a difference.

Also, taking a step back, systemd undoubtedly changed user expectations
for the better in terms of integration, monitoring, and logging.  Having
the same level of integration in the Shepherd would be a step in that
direction.

>> (Basically, it’s a choice we could make right away: do we move all
>> network daemons, plus things like guix-daemon, dbus-daemon, etc. etc. to
>> inetd services, or do we instead extend the Shepherd to support socket
>> activation?  I’m rather in favor of the latter, but if in Guix System we
>> build an abstraction that can equally well target inetd or a future
>> Shepherd version, that’s even better.)
>
> We could start with just targeting inetd, and build the abstraction
> later, if the need arises, perhaps?  We may never need it.

Yes, so what I had in mind is, in Guix System, something like
<socket-activated-service>, which would kinda look like
<shepherd-service> but be lowered (for now) to an inetd service.

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.

Message received at 52533 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: Mathieu Othacehe <othacehe@HIDDEN>, 52533 <at> debbugs.gnu.org
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
Date: Mon, 17 Jan 2022 10:19:17 -0500

Hi Ludovic,

Ludovic Courtès <ludo@HIDDEN> writes:

[...]

> sshd could also be started via socket activation; ‘sshd’ subprocesses
> corresponding to existing logins would be unaffected.
>
>> Also, it seems to me inetd can already do "socket activation", if this
>> was somehow useful.
>
> Yes, inetd can do that.  It would be nicer though to have it all
> integrated in the Shepherd.

I'm not sure.  The beauty of Shepherd, in my eyes, when compared to
other init systems, is that it is lean and clean.  Leveraging what's
already out there (and part of GNU) seems an obvious path to me, as it:

1. Means less code to write, document and maintain.
2. Creates more cohesion between various components of the GNU project.

> (Basically, it’s a choice we could make right away: do we move all
> network daemons, plus things like guix-daemon, dbus-daemon, etc. etc. to
> inetd services, or do we instead extend the Shepherd to support socket
> activation?  I’m rather in favor of the latter, but if in Guix System we
> build an abstraction that can equally well target inetd or a future
> Shepherd version, that’s even better.)

We could start with just targeting inetd, and build the abstraction
later, if the need arises, perhaps?  We may never need it.

Thanks,

Maxim





Message received at 52533 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Cc: Mathieu Othacehe <othacehe@HIDDEN>, 52533 <at> debbugs.gnu.org
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
Date: Mon, 17 Jan 2022 14:25:24 +0100

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

>>> I was just kicked out of my own server due to this PAM/SSH issue. It
>>> happens quite frequently here. Time for a fix :).
>
> Not a meaningful contribution to the discussion, but my workaround is to
> disable PAM; as it is not enabled in OpenSSH by default, perhaps we
> should also leave it off unless requested?  What are the advantages of
> having it on?

Consistency: authentication had rather work consistently across all
system services that depend on it.

[...]

>> The crux of the problem rather is the global /etc/pam.d: it’s valid for
>> pre-glibc upgrade programs, or for post-glibc upgrade programs, but not
>> both.
>>
>> FHS distros have a similar problem though; how do they handle it?  Do
>> they force services to be restarted when glibc is upgraded, or something
>> along these lines?
>
> I just asked this question in Debian's OFTC channel:
>
> "how does debian handle glibc updates?  are services restarted when it
> happens?  Or does it postpone updating glibc until the next reboot?"
>
> And got for answer: "there is no magic postponing of updates"; the
> external needrestart [0] program was also mentioned.
>
> Researching some more, it seems this may be handled on Debian by the use
> of postinst scripts (which is an arbitrary shell script run after a
> package is installed); so the libc package of Debian for example
> restarts the postgres service to avoid problems:
>
> [0]  https://github.com/liske/needrestart
> [1]  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710275

Yeah.  My recollection is that apt is interactive by default, and it
would typically pop up a dialog telling you that services X and Y need
to be restarted, and asking whether you want to restart them now.

The difference compared to what we have (a message at then telling that
you “may need” to run ‘herd restart X’), the benefit IIRC is that it
tells you which services need to be restarted.

[...]

>> We could maybe sidestep the issue altogether with socket-activated
>> services: they’d be started on-demand, so the second scenario above
>> would be unlikely.  But getting there is quite a bit of work…
>
> I fail to see how this would be a solution for openssh, which would
> typically already be running unless you've never logged in once since the
> machine was up (or am I missing something?).

sshd could also be started via socket activation; ‘sshd’ subprocesses
corresponding to existing logins would be unaffected.

> Also, it seems to me inetd can already do "socket activation", if this
> was somehow useful.

Yes, inetd can do that.  It would be nicer though to have it all
integrated in the Shepherd.

(Basically, it’s a choice we could make right away: do we move all
network daemons, plus things like guix-daemon, dbus-daemon, etc. etc. to
inetd services, or do we instead extend the Shepherd to support socket
activation?  I’m rather in favor of the latter, but if in Guix System we
build an abstraction that can equally well target inetd or a future
Shepherd version, that’s even better.)

Ludo’.





Message received at 52533 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: Mathieu Othacehe <othacehe@HIDDEN>, 52533 <at> debbugs.gnu.org
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
Date: Thu, 13 Jan 2022 11:45:08 -0500

Hello,

Ludovic Courtès <ludo@HIDDEN> writes:

> Hi,
>
> Mathieu Othacehe <othacehe@HIDDEN> skribis:
>
>>> This sounds a lot like this:
>>>
>>>   https://issues.guix.gnu.org/32182#1
>>
>> I was just kicked out of my own server due to this PAM/SSH issue. It
>> happens quite frequently here. Time for a fix :).

Not a meaningful contribution to the discussion, but my workaround is to
disable PAM; as it is not enabled in OpenSSH by default, perhaps we
should also leave it off unless requested?  What are the advantages of
having it on?

> Note that ‘guix deploy’ now opens a single SSH session, starting from
> 7f20e59a13a6acc3331e04185b8f1ed2538dcd0a, which might help mitigate the
> problem.
>
>> Regarding the two potential solutions that you proposed in 2018, are
>> they still actual? If yes, I could maybe try to implement the second
>> suggestion: introducing service chain-loading.
>
> Service chain-loading was implemented in the Shepherd a few years ago.
> However, it doesn’t really help; consider these two scenarios:
>
>   • You do ‘guix system reconfigure && herd restart term-tty1’.  In that
>     case, all is good: ‘term-tty1’, will run the new ‘mingetty’ process
>     (post-glibc upgrade, thanks to service chain-loading) and ‘login’
>     will happily load the .so files listed in /etc/pam.d/login (also
>     post-glibc upgrade).
>
>   • You run ‘guix system reconfigure’ but do not restart ‘term-tty1’,
>     ‘sshd’, and all the other services that depend on PAM: these
>     pre-glibc upgrade programs will try dlopening the post-glibc upgrade
>     PAM plugins, which will break.
>
> The crux of the problem rather is the global /etc/pam.d: it’s valid for
> pre-glibc upgrade programs, or for post-glibc upgrade programs, but not
> both.
>
> FHS distros have a similar problem though; how do they handle it?  Do
> they force services to be restarted when glibc is upgraded, or something
> along these lines?

I just asked this question in Debian's OFTC channel:

"how does debian handle glibc updates?  are services restarted when it
happens?  Or does it postpone updating glibc until the next reboot?"

And got for answer: "there is no magic postponing of updates"; the
external needrestart [0] program was also mentioned.

Researching some more, it seems this may be handled on Debian by the use
of postinst scripts (which is an arbitrary shell script run after a
package is installed); so the libc package of Debian for example
restarts the postgres service to avoid problems:

[0]  https://github.com/liske/needrestart
[1]  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710275

> In our case, suppose libpam honors $PAM_DIRECTORY; we could tweak each
> PAM-using Shepherd service (login, sshd, etc.) so that it sets
> PAM_DIRECTORY… but how would we get the PAM_DIRECTORY value for the OS
> being configured?  Tricky!

Good question, but that seems a good path to pursue; old services would
be using their own old pam modules, allowing them to continue running
unimpacted, while new ones would get the updated pam modules.

> We could maybe sidestep the issue altogether with socket-activated
> services: they’d be started on-demand, so the second scenario above
> would be unlikely.  But getting there is quite a bit of work…

I fail to see how this would be a solution for openssh, which would
typically already be running unless you've never logged in once since the
machine was up (or am I missing something?).  Also, it seems to me inetd
can already do "socket activation", if this was somehow useful.

Thanks,

Maxim





Message received at 52533 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Mathieu Othacehe <othacehe@HIDDEN>
Cc: 52533 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
Date: Thu, 13 Jan 2022 16:04:15 +0100

Hi,

Mathieu Othacehe <othacehe@HIDDEN> skribis:

>> This sounds a lot like this:
>>
>>   https://issues.guix.gnu.org/32182#1
>
> I was just kicked out of my own server due to this PAM/SSH issue. It
> happens quite frequently here. Time for a fix :).

Note that ‘guix deploy’ now opens a single SSH session, starting from
7f20e59a13a6acc3331e04185b8f1ed2538dcd0a, which might help mitigate the
problem.

> Regarding the two potential solutions that you proposed in 2018, are
> they still actual? If yes, I could maybe try to implement the second
> suggestion: introducing service chain-loading.

Service chain-loading was implemented in the Shepherd a few years ago.
However, it doesn’t really help; consider these two scenarios:

  • You do ‘guix system reconfigure && herd restart term-tty1’.  In that
    case, all is good: ‘term-tty1’, will run the new ‘mingetty’ process
    (post-glibc upgrade, thanks to service chain-loading) and ‘login’
    will happily load the .so files listed in /etc/pam.d/login (also
    post-glibc upgrade).

  • You run ‘guix system reconfigure’ but do not restart ‘term-tty1’,
    ‘sshd’, and all the other services that depend on PAM: these
    pre-glibc upgrade programs will try dlopening the post-glibc upgrade
    PAM plugins, which will break.

The crux of the problem rather is the global /etc/pam.d: it=E2=80=99s valid=
 for
pre-glibc upgrade programs, or for post-glibc upgrade programs, but not
both.

FHS distros have a similar problem though; how do they handle it?  Do
they force services to be restarted when glibc is upgraded, or something
along these lines?

In our case, suppose libpam honors $PAM_DIRECTORY; we could tweak each
PAM-using Shepherd service (login, sshd, etc.) so that it sets
PAM_DIRECTORY… but how would we get the PAM_DIRECTORY value for the OS
being configured?  Tricky!

We could maybe sidestep the issue altogether with socket-activated
services: they’d be started on-demand, so the second scenario above
would be unlikely.  But getting there is quite a bit of work…

Ludo’.
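
Added example, not part of the message above and not Guix code: a check for the second scenario, listing processes that still run on a glibc other than the newly deployed one and whether each has libpam mapped. The function name, the PROC_ROOT parameter and the way the new glibc directory is supplied are assumptions; store paths are placeholders.

```shell
#!/bin/sh
# Added example: find processes started before a glibc upgrade.
#
# stale_libc_procs PROC_ROOT NEW_GLIBC_DIR
#   PROC_ROOT      normally /proc (a parameter so the check can be tested)
#   NEW_GLIBC_DIR  store directory of the new system's glibc (assumption: the
#                  caller looks it up, e.g. /gnu/store/<hash>-glibc-<version>)
# Output: one "PID COMM LIBC_PATH pam=yes|no" line per stale process.
stale_libc_procs() {
    proc_root=$1
    new_glibc=${2%/}/       # trailing slash: "glibc-2.33" must not match "glibc-2.33-foo"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # unreadable, or the glob matched nothing
        pid_dir=${maps%/maps}
        pid=${pid_dir##*/}
        comm=$(cat "$pid_dir/comm" 2>/dev/null) || comm='?'
        # Field 6 of a maps line is the backing file; a trailing "(deleted)"
        # lands in field 7 and does not disturb the match.
        awk -v pid="$pid" -v comm="$comm" -v new="$new_glibc" '
            $6 ~ /\/libc(-[0-9.]+)?\.so(\.[0-9]+)?$/ { libc = $6 }
            $6 ~ /\/libpam\.so/                      { pam = 1 }
            END {
                # Kernel threads have empty maps and no libc: skip them.
                if (libc != "" && index(libc, new) != 1)
                    printf "%s %s %s pam=%s\n", pid, comm, libc, (pam ? "yes" : "no")
            }' "$maps"
    done
}

# On a real machine (root is needed to read other users' maps):
#   stale_libc_procs /proc /gnu/store/<hash>-glibc-<version>
# A line with pam=yes (sshd, login) is a process in the second scenario; restart
# it while a working session is still open.  A pam=no line can still matter when
# the process later starts a PAM client, as mingetty does with login.
```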




Information forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.

Message received at 52533 <at> debbugs.gnu.org:


From: Mathieu Othacehe <othacehe@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
References: <87czlx88ez.fsf@HIDDEN> <87ilvor3sn.fsf@HIDDEN>
 <87r19bom0r.fsf@HIDDEN>
Date: Thu, 13 Jan 2022 13:38:40 +0100
In-Reply-To: <87r19bom0r.fsf@HIDDEN> (Mathieu Othacehe's message of "Thu, 13
 Jan 2022 13:31:00 +0100")
Message-ID: <87ilunolnz.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 52533
Cc: 52533 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer@HIDDEN>


> Regarding the two potential solutions that you proposed in 2018, are
> they still actual? If yes, I could maybe try to implement the second
> suggestion: introducing service chain-loading.

Oh sorry, I stopped reading the thread at
https://issues.guix.gnu.org/32182#1. Looks like the service
chain-loading might not be enough, I'll keep digging.

Thanks,

Mathieu




Information forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.

Message received at 52533 <at> debbugs.gnu.org:


From: Mathieu Othacehe <othacehe@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
References: <87czlx88ez.fsf@HIDDEN> <87ilvor3sn.fsf@HIDDEN>
Date: Thu, 13 Jan 2022 13:31:00 +0100
In-Reply-To: <87ilvor3sn.fsf@HIDDEN> ("Ludovic Courtès"'s message of "Thu, 16 Dec 2021 16:02:32 +0100")
Message-ID: <87r19bom0r.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 52533
Cc: 52533 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer@HIDDEN>


Hey,

> This sounds a lot like this:
>
>   https://issues.guix.gnu.org/32182#1

I was just kicked out of my own server due to this PAM/SSH issue. It
happens quite frequently here. Time for a fix :).

Regarding the two potential solutions that you proposed in 2018, are
they still actual? If yes, I could maybe try to implement the second
suggestion: introducing service chain-loading.

Thanks,

Mathieu




Information forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.

Message received at 52533 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#52533: guix deploy breaks SSH access with a PAM error
References: <87czlx88ez.fsf@HIDDEN>
Date: Thu, 16 Dec 2021 16:02:32 +0100
In-Reply-To: <87czlx88ez.fsf@HIDDEN> (Maxim Cournoyer's message of "Wed, 15
 Dec 2021 23:45:24 -0500")
Message-ID: <87ilvor3sn.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 52533
Cc: 52533 <at> debbugs.gnu.org

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> writes:

> Following the big merge of the core-updates-frozen branch into master,
> I've noticed now on two counts the following: running 'guix deploy'
> leaves the remote machine unreachable by SSH.  The connection passes
> authentication but then gets closed immediately.  /var/log/messages
> reveals the following error:
>
> sshd[29578]:  error: PAM: pam_open_session(): Module is unknown
>
>
> The machines updated were running Guix System revisions predating the
> core-updates-frozen merge.

This sounds a lot like this:

  https://issues.guix.gnu.org/32182#1

WDYT?

Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.
Severity set to 'important' from 'normal' Request was from Mathieu Othacehe <mathieu@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 52533 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 52533 <at> debbugs.gnu.org
Subject: [PATCH] bug#52533: guix deploy breaks SSH access with a PAM error
References: <87czlx88ez.fsf@HIDDEN>
Date: Thu, 16 Dec 2021 00:27:50 -0500
In-Reply-To: <87czlx88ez.fsf@HIDDEN> (Maxim Cournoyer's message of "Wed, 15
 Dec 2021 23:45:24 -0500")
Message-ID: <878rwl86g9.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 52533

Hello,

I've found a workaround: disabling PAM for the remote machine
ssh-daemon.  This is not done as part of 'guix deploy', so needs to be
fiddled with manually; I did it this way:

1. take note of the command line and sshd_config file:

--8<---------------cut here---------------start------------->8---
ps -eFww | grep sshd
--8<---------------cut here---------------end--------------->8---

2. Copy the sshd_config file from /gnu/store to somewhere writable and
edit it so that UsePAM is "no" instead of "yes".

3. Stop the Shepherd service with 'sudo herd stop ssh-daemon'

4. Start the ssh daemon manually (with sudo) by using the command found
in 1. but with the edited config from 2.

Then you should be able to 'guix deploy' successfully.

Reading 'man sshd_config', it says the default for UsePAM is no.
Considering this, and the issue it caused reported here, perhaps we
should disable it by default in Guix?

What do others think?

Thank you,

Maxim
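
Added example, not part of the message above: steps 1 and 2 of the workaround as shell helpers, with steps 3 and 4 left as commented commands. The function names and the output path are hypothetical. Existing UsePAM lines are dropped and `UsePAM no` is written first, because sshd keeps the first value it reads for a keyword and rejects UsePAM inside a Match block.

```shell
#!/bin/sh
# Added example: helpers for the UsePAM workaround.

# Step 1: extract the configuration file from an sshd command line (the CMD
# column of `ps -eFww | grep sshd`).  Accepts "-f FILE" and "-fFILE".
# Returns non-zero when the command line has no -f option.
sshd_config_from_cmdline() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-f" && i < NF) { print $(i + 1); found = 1; exit }
            if ($i ~ /^-f./)          { print substr($i, 3); found = 1; exit }
        }
    } END { exit (found ? 0 : 1) }'
}

# Step 2: copy a config from stdin to stdout with PAM disabled.  Keywords are
# case-insensitive and may be followed by "=" instead of whitespace, so both
# forms are removed; commented-out lines are left alone.
disable_pam() {
    printf 'UsePAM no\n'
    awk '{
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        if (line ~ /^usepam([ \t=]|$)/) next
        print
    }'
}

# Report the value sshd would use for a config on stdin: the first UsePAM
# line, else the default, which sshd_config(5) documents as "no".
effective_usepam() {
    awk '{
        line = $0
        sub(/^[ \t]+/, "", line)
        if (tolower(line) ~ /^usepam([ \t=]|$)/) {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)   # drop keyword and separator
            sub(/[ \t]+$/, "", line)
            print tolower(line); found = 1; exit
        }
    } END { if (!found) print "no" }'
}

# Steps 3 and 4 stay manual.  On the target, with PID the sshd listener and
# SSHD the absolute path of the sshd binary seen in step 1:
#   conf=$(sshd_config_from_cmdline "$(ps -o args= -p PID)")
#   disable_pam < "$conf" > /root/sshd_config.nopam    # hypothetical path
#   effective_usepam < /root/sshd_config.nopam         # prints "no"
#   SSHD -t -f /root/sshd_config.nopam                 # syntax check first
#   sudo herd stop ssh-daemon
#   then start SSHD by hand with the options from step 1 and the new -f file
```

With UsePAM set to "no", sshd skips the PAM account and session stacks for every login, so this is a setting to revert once the services have been restarted on the new system.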




Information forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: bug-guix <bug-guix@HIDDEN>
Subject: guix deploy breaks SSH access with a PAM error
Date: Wed, 15 Dec 2021 23:45:24 -0500
Message-ID: <87czlx88ez.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain

Hello Guix!

Following the big merge of the core-updates-frozen branch into master,
I've noticed now on two counts the following: running 'guix deploy'
leaves the remote machine unreachable by SSH.  The connection passes
authentication but then gets closed immediately.  /var/log/messages
reveals the following error:

--8<---------------cut here---------------start------------->8---
sshd[29578]:  error: PAM: pam_open_session(): Module is unknown
--8<---------------cut here---------------end--------------->8---

The machines updated were running Guix System revisions predating the
core-updates-frozen merge.

The 'guix deploy' command doesn't succeed due to SSH starting to fail at
99% completion or similar; the bootloader configuration is not updated
so rebooting boots into the same old system generation (and SSH works
again):

--8<---------------cut here---------------start------------->8---
guix deploy: deploying to x200...
guix deploy: sending 0 store items (0 MiB) to 'x200.local'...
guix deploy: sending 0 store items (0 MiB) to 'x200.local'...
substitute: updating substitutes from 'http://127.0.0.1:8181'... 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
The following derivations will be built:
   /gnu/store/049wr939gjpgl3471wrk8b1waqgswrdi-remote-exp.scm.drv
   /gnu/store/y1mgddpa2qkrmc01knpdam917b60yxlq-switch-to-system.scm.drv
   /gnu/store/vgadszcfklbhr7d8yl8jprzipjy6b0vj-system.drv
   /gnu/store/ypyaf6ib1w5nc4kr0xgjm4par407cnzk-provenance.drv

building /gnu/store/ypyaf6ib1w5nc4kr0xgjm4par407cnzk-provenance.drv...
building /gnu/store/vgadszcfklbhr7d8yl8jprzipjy6b0vj-system.drv...
building /gnu/store/y1mgddpa2qkrmc01knpdam917b60yxlq-switch-to-system.scm.drv...
building /gnu/store/049wr939gjpgl3471wrk8b1waqgswrdi-remote-exp.scm.drv...
guix deploy: sending 5 store items (0 MiB) to 'x200.local'...
guix deploy: error: failed to deploy x200: failed to start 'guix repl' on 'x200.local'

$ guix deploy ~/stow/guix/machines/x200.scm --no-offload
The following 1 machine will be deployed:
  x200

guix deploy: deploying to x200...
guix deploy: error: failed to deploy x200: remote command
'/run/setuid-programs/sudo -n -- guix repl -t machine' failed with
status 254

$ ssh x200
Last login: Wed Dec 15 23:28:02 2021 from 192.168.10.15
Connection to x200.local closed.
--8<---------------cut here---------------end--------------->8---

This is obviously embarrassing in scenarios where the SSH connection is
the main way to reach the remote machine.

Ideas?

Thank you,

Maxim




Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#52533; Package guix. Full text available.
Last modified: Mon, 17 Jan 2022 16:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.