GNU bug report logs - #71238
Installer image consistently fails to run system init due to TLS error

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 4 Sep 2024 22:02:59 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 04 18:02:59 2024
Received: from localhost ([127.0.0.1]:35605 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sly5a-00022Y-OV
	for submit <at> debbugs.gnu.org; Wed, 04 Sep 2024 18:02:59 -0400
Received: from lab.riabenko.com ([185.143.146.30]:57348)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <roman@HIDDEN>) id 1sly5Y-00022J-Nt
 for 71238 <at> debbugs.gnu.org; Wed, 04 Sep 2024 18:02:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=riabenko.com; s=selector; h=MIME-Version:Content-Type:Date:To:From:Subject:
 Message-ID:From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:
 Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
 Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
 In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=pp1oeE/FyyjYU4mH9iQ0txNDVpUS1OB7pMLhdZfqRqE=; b=YieG0S/5mQ6UVIJZvRSzbKCldY
 NfRmqC8k0ufOFbiYXZcA+dIOTqe13O9dU+ZQ/ZIvOqH9/wBTNMTR4NDXDzprAv2Qzp//H4pSnqYQr
 3ctDxbxDBEXbUW7wcp2TWOpchyj84Bp6hJb3JHGdC4T/eGIdD8Aee8loi8i7ndxbVGE8slu3rRyg3
 s2tDA6McstKEOHnXbsD8UBHo79IEgLWohDOV76atE6/p8d4A9aEr85iKN0DW/GLGHCMkUWdgZbXo9
 ru/gOaC6OWCay+mAwUCwff0R5LZyMVGElAYKFFxmqaylO/pcv8z0iIA5mukYl2GmjIGMdsEMKPMtq
 v43pm9QQ==;
Received: from [192.168.33.1] (helo=[192.168.88.18])
 by lab.riabenko.com with esmtpsa (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98)
 (envelope-from <roman@HIDDEN>) id 1sly4Q-000000000HC-1HdF
 for 71238 <at> debbugs.gnu.org; Thu, 05 Sep 2024 01:01:47 +0300
Message-ID: <f8a54bfc0ca0b90087943da0ba4c3cb1c6043fd6.camel@HIDDEN>
Subject: Re: Installer image consistently fails to run system init due to
 TLS error
From: Roman Riabenko <roman@HIDDEN>
To: 71238 <at> debbugs.gnu.org
Date: Thu, 05 Sep 2024 01:01:36 +0300
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-PkvC8z4CcTPW7838dJL9"
User-Agent: Evolution 3.38.3-1+deb11u2 
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 71238
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--=-PkvC8z4CcTPW7838dJL9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello

I had a similar issue with a 6to4 tunnel but I guess that the same
cause may be relevant to a VPN or some other type of connection that
affects the MTU.

The pull operation would fail sporadically, usually on the same package
=E2=80=94 most of the time that would be a relatively large package like th=
e
kernel but not necessarily. The failure would often be a TLS failure
but I found it to be a common failure when there is a connectivity
issue because it is the TLS that tries to establish or restore the
connection.

I admit that I had similar issues with connecting to just a few
seemingly random websites over the tunnel, but the download of
substitutes from the bordeaux server seemed to be the most affected.
The tunnel customer support suggested that it is an MTU issue. I tried
a lot of different MTU values. Some of the values I tried fixed all my
connection issues except for the pull operation until I found how to
set up the tunnel in a way that automatically discovers and changes the
MTU dynamically.

I thought it was too specific to my router, so I posted my findings
elsewhere: "How can I set up 6to4 on MikroTik and configure MTU to fix
connection failures and update guix?"
https://superuser.com/q/1808662/1203531

I recently followed a link to this bug report from a help mailing list
thread:
"guix pull/guix upgrade often fails over VPN with TLS error message"
https://lists.gnu.org/archive/html/help-guix/2024-09/msg00014.html
I found the descriptions of the issue familiar, so I am sharing an idea
that it might be related to the MTU of the connection to the substitute
server.

Roman

--=-PkvC8z4CcTPW7838dJL9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEbyuIUwJNVUrtp3hK60bLvjKDmmkFAmbY2MAACgkQ60bLvjKD
mmmsEBAAnJ5hoqbTNcoX/cle5W7SjXG1hp4/c0LitAnTC/k7W6piOrH0cJtqeKHp
v03HQiy1FSMBa+p4SO73RM82lP2pKEziTqXHkF4wkdw0SmKsZVDDnwazczaCM0yj
nMP/yOe3PjJ5k2AkjVhEXeaR3maiLsNslYbXYBnzdP6da0D0L5mQXRSkGGpJif/S
RJaefh8kclRWxEyT9M2bvzZZq4ihruYAxqF4NVbWkfgCuSeyhnAEzbHqW3RXXggw
wotwIJ6tNtBtgKQkOTZAPS5R2uLcdk6A3bvXSfa1I5QrG6freCZqpNpitn+bjwWO
rxWfoLH2uMEyy51dEx4Dmg15npDcZpdtZ+4sh0StbkhjyPOtDrf4yMYBA/DFv1GS
xlTG1KCkWlrrBw9qpnGNzQZx/syUhy9kFDL4wFdW/U9TdlWbk7vo3xpK1DMaG5y/
ewnCwOsvpSuUkX0npSqAfUKkLC2ONdQ0RFjI4TDdVHoGukoQ5xplALhy0WHiyp43
wHFnwwzzEsAFhMXBGa29ich5PuTv4KxEn9eMOgYQcQFWf8zEky47a33KVM0IOtkk
LniK2zFZgSvlbWiJ7GD4jOymJniY2GMHWKjdgoJSMDGy6neX7nlNcKVewXpyYKFy
MjIIj6nZOPxzDgatMsiX0aqyeFhBjQDCHkP3heO55cUCTuEC0dQ=
=6W2U
-----END PGP SIGNATURE-----

--=-PkvC8z4CcTPW7838dJL9--

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 13 Aug 2024 11:39:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Aug 13 07:39:09 2024
Received: from localhost ([127.0.0.1]:44543 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sdpro-000440-VJ
	for submit <at> debbugs.gnu.org; Tue, 13 Aug 2024 07:39:09 -0400
Received: from mout.web.de ([217.72.192.78]:45379)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jonathan.brielmaier@HIDDEN>) id 1sdprn-00043N-9C
 for 71238 <at> debbugs.gnu.org; Tue, 13 Aug 2024 07:39:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=web.de;
 s=s29768273; t=1723549100; x=1724153900;
 i=jonathan.brielmaier@HIDDEN;
 bh=ShCN0R6lfhsu3+SXvDlHJW/HH7fTKqPMBodYjcRUtqM=;
 h=X-UI-Sender-Class:Message-ID:Date:MIME-Version:To:From:Cc:
 Subject:Content-Type:Content-Transfer-Encoding:cc:
 content-transfer-encoding:content-type:date:from:message-id:
 mime-version:reply-to:subject:to;
 b=EGPlCtCa/8Pn7q/baI5yNDLcJhtNRdYeyZ+TLJdWd/oGw+voHR1k50TNaqzBnFwq
 /+uMPDDv1VyV4zB2OxQShUUybBys5h4oKF45g4KQApLXz9EEgg5cIw+UHeCl97Tee
 TTlxuHAR6fcAJFyjZefm5iBnvfZW1xvgjIZOkEqX6sq/A90nJTSF6J8dro2k7aUkD
 D9L6P+lSDm6WQmdetZJCbMHYkIPlBSMCykAQArgcaOSZldHM7lal14EdqrU6R+U8J
 eX069UhLNbVSDiFCy7SgSObGu0Zi3KsgXhrdjdlbXgSWrLHUCqMT+cWWyRjF6HcEI
 DvH32EKdhvOU//jydg==
X-UI-Sender-Class: 814a7b36-bfc1-4dae-8640-3722d8ec6cd6
Received: from [192.168.178.158] ([31.25.46.97]) by smtp.web.de (mrweb106
 [213.165.67.124]) with ESMTPSA (Nemesis) id 1N7gbY-1s8bqo2rkA-016UFA; Tue, 13
 Aug 2024 13:38:20 +0200
Message-ID: <96e0f564-2816-b9bc-9f48-544be8e665fc@HIDDEN>
Date: Tue, 13 Aug 2024 13:38:16 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.0
To: 71238 <at> debbugs.gnu.org
Content-Language: de-DE, en-US
From: Jonathan Brielmaier <jonathan.brielmaier@HIDDEN>
Subject: Installer image consistently fails to run system init due to TLS error
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:KNT5qA3B5P4Frortn1F8GGwlrwO1cxfWUKSWe7ESyZ6lyfQNswE
 DAX8L7sGKWs24agf++UxwJD1C5UuPZFxD8IsSx5JDZ7WWe0gxo9RZDb0/VEbtWC68motFI/
 5D+kueuJ1q1UpSrcqerVXCcUXRuxgbcxPe0oFsRGZjz+Mrg6nsUGWKsZ7GK2tRBWrCI4GyH
 Y5f4mE+8npNkT9dP8HNyA==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:BifOGpDhu5w=;ACRDLkzj5JeCh4KEzLJpEuPYmeB
 OhY9I4uqanExCgDY0gcfTVcnuddjxipbGSyh4lVBTvOBnm8yIZigIneT5cygRA5L23viJmTYd
 LQXhEInT5tRnzy9WHKdNSw/5Rfbw5vhRUfTGJUdTtMFb6O/pH9bFTEYFOh+OJj3rRX/oLupEC
 OphQkSq7Ih9k9FfhtXAxmzaMxrsrSyY9ddvBhFOqrAwI3fGnCYraf6ovE7+4aEiFthcsEvyzr
 OCS6SNCY6SBZVj6AnruxPtINnU/GHmQ4p8D4UbMtjIbElwPbowO6xRBA5n7S9K4gGcKwwzDgx
 M64gFKm36e56i5tHTOX2MJ5gWYyJCqKAte5ib8jFAFpFKOJlE2WxgF8ywmq56y7yMCjMJY+/7
 0WCIgcueR/4qXor1WXgNhS9uJaWM8VF+Ho81GZcJUzSQWf/0VCsXDvPwKPxoaQoXxVkAIfykt
 cfI62JsOB4P9lddgBWz2KZQGAE6BQltlxDfFaoLOgP7AQIazp1FS+qQjLFsJ5QhJTgMc+8P8D
 Hq0ZcZu7V+0AGzgLqifxktQkcyaI/BXmF+enZ8nRN41FzNGwV3ZrRUCaHtHh1v90PWrmdZl6l
 zhzsAkmTagKoemOgp2I+2vPtOLAwaXOS3N1x2SWzg10pDwBkZgoP1mho2XwgfbhEgjM3BZ3I6
 YTjclPgSxtZDa/lOxMZPysZOZb/8PdJ7fCWY48K3IAc1TkZAfGasoNE+7/WFgsX+M0qLkTCS/
 /FYsbMf45t+MP1XHZudUurauSKY0nxbC5xRqkEpP3yIO1gWYt56zzYptRdlGXf7WkQW4TLu5m
 +Z7uqRm+9RrDx9sB4RlUH6RQ==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 71238
Cc: Christopher Baines <mail@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[CC'ing Chris as bordeaux expert]

I'm affected by this issue as well. On both my desktop machines with
Guix System installed for quite a while (so not in the installer).

It also happens at different ISPs:
* Telefonica O2 DSL, Germany
* NetCom BW (ASN 47297)

On one machine I removed the bordeaux server from the substitutes
servers as this is super annoying. On the other I'm in the proccess of
removing it...

~Jonathan

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 10 Jun 2024 06:00:36 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jun 10 02:00:36 2024
Received: from localhost ([127.0.0.1]:35886 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sGY55-0001se-Mj
	for submit <at> debbugs.gnu.org; Mon, 10 Jun 2024 02:00:36 -0400
Received: from mail-qv1-f45.google.com ([209.85.219.45]:51333)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <adanskana@HIDDEN>) id 1sGY4z-0001sA-1t
 for 71238 <at> debbugs.gnu.org; Mon, 10 Jun 2024 02:00:34 -0400
Received: by mail-qv1-f45.google.com with SMTP id
 6a1803df08f44-6b064c4857dso10065816d6.2
 for <71238 <at> debbugs.gnu.org>; Sun, 09 Jun 2024 23:00:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1717999146; x=1718603946; darn=debbugs.gnu.org;
 h=content-transfer-encoding:in-reply-to:references:subject:to:from
 :user-agent:mime-version:date:message-id:from:to:cc:subject:date
 :message-id:reply-to;
 bh=dIwzYNCiE9pGWXm3v5dr/gs3lCOlfVWn/Z2Ym7wZ+T8=;
 b=B1ywpVGWmwe4Nz0EzEef+IKrguJDJbarotAagSI2PDHYuumQkJRQJf5YbtuXGmUScY
 jihbTJEq7Ghez5pO3GhJyiOS+cgcv9ZTZc5GYqk6OHcmlFEcu1zvmLycJpxV31qA4l41
 vT6r15aYYckYikpH97IyGJf3hLXLaiQiN4gYndE5RdLIyS5JPJgyxkHAd1RxrQK10JKV
 qeRFgPaU1YUmHIOyTZtEarVLjr4v630rqjOOD/zKOaHkXx+XZhWrsyJEOWIuS+b0Kx25
 pvNW74NrCoU2y7YMdK+FIMHjIN/Zzw4aFr9A/XfBaqS/aSqjPg8c8pMgHIjVCGnEfgK5
 lpFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1717999146; x=1718603946;
 h=content-transfer-encoding:in-reply-to:references:subject:to:from
 :user-agent:mime-version:date:message-id:x-gm-message-state:from:to
 :cc:subject:date:message-id:reply-to;
 bh=dIwzYNCiE9pGWXm3v5dr/gs3lCOlfVWn/Z2Ym7wZ+T8=;
 b=nXhSrZmITnT9CXZGPZGfzJ3mKnBGNUhmFO+1jAXaH0UdQjZxy3QwKx2eRlgBC3nRvt
 7V7fKJDrNgfzvF9tqIOVzH7tTqq394z7Cw1fyOfmjGIXa2Qa8b/8ZQSrWq0ql1G4dBnN
 4FnRv1eGhLYAGxyxI8MJOJtUI34RM6t1S3vPnCSIbr0HW1F9XSg1zIUD56WPOvsan+/V
 zTXbI2v/AkwfcMe2OAlUnliK5Fm4V6GWgUneE/ty1YNoBHc/2j4gTmmL/m+FQgUUvgks
 Z5UlrSSTdL8wFa+ONGFDvhEZ79CwGEwEatwojUGhW03GP1CkSSN4mUjMuhAcfs4DwWzJ
 IxdA==
X-Forwarded-Encrypted: i=1;
 AJvYcCWfFRG1nDx3Li/aSjyX/bIuOGXfw4o4H2YzS3FohXcwqgeXhupy4ylL669cJN2kPD/+3NVidalnsx5U4a/7Uj39aNVysxY=
X-Gm-Message-State: AOJu0YxRR305z2KqeVNsPLYLNiVg/FvtjeNqRTKj7qWY19K5Yp1hlb6d
 +EI3b2fR3R/y4T6CW9DaY4Y40ig4jH32MPVE/VgpYsGfTlJH6ZYfCKMRpxSA
X-Google-Smtp-Source: AGHT+IHWN4V5HnHbpPqyopUMCbXn+8UffY6EXYIKWH7uQyZcFuLKWONESL6gje26oUtAuqr+JOQyng==
X-Received: by 2002:a05:6a20:d80f:b0:1b5:ecc:a964 with SMTP id
 adf61e73a8af0-1b50eccab24mr5192344637.31.1717997636515; 
 Sun, 09 Jun 2024 22:33:56 -0700 (PDT)
Received: from [10.143.113.222] ([130.95.40.103])
 by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-7059534a4c4sm1090737b3a.36.2024.06.09.22.33.53
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Sun, 09 Jun 2024 22:33:56 -0700 (PDT)
Message-ID: <0c00df03-8ba7-c5d2-3a16-afb5175fb00e@HIDDEN>
Date: Mon, 10 Jun 2024 05:33:50 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.0
From: adanskana@HIDDEN
To: Richard Sent <richard@HIDDEN>, 71238 <at> debbugs.gnu.org,
 lars.bilke@HIDDEN, ludo@HIDDEN, ekaitz@HIDDEN
Subject: Re: bug#71238: Installer image consistently fails to run system init
 due to TLS error
References: <87plt692ky.fsf@HIDDEN>
 <87a5ka8y5e.fsf@HIDDEN> <87y17u7dfu.fsf@HIDDEN>
 <87h6ehl7db.fsf@HIDDEN>
In-Reply-To: <87h6ehl7db.fsf@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 71238
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi all, 

On 29/05/2024 01:44, Richard Sent <richard@HIDDEN> wrote:
> Richard Sent <richard@HIDDEN> writes:
> 
> > 1. There was a transient network issue for ~3 hours when I attempted to
> > install Guix ~4 times using different installation media that caused a
> > specific TLS handshake to fail.
> >
> > 2. A specific TLS handshake Guix undertakes during the installation
> > process fails to pass one of the built-in firewall rules shipped with
> > opnsense.
> >
> > 3. Some other odd aspect of my network messes things up for a specific
> > TLS handshake.
> >
> > My money is on 2 given how this is a seemingly common issue on
> > enterprise networks [1] and the rules I have added seem irrelevant. (I'd
> > rather not talk openly about my firewall rules in an archived public
> > forum, but can discuss off-list). However, there is another comment in
> > that thread that says IT didn't notice any firewall blocking.
> 
> I ran the 1.4.0 installer again today behind my opnsense router and it
> completed successfully, which is horrifying. I was hoping starting from
> a constant image would make the error reproducible but that doesn't seem
> to be the case. Even with a consistent system image and network, it's
> only reproducible for somewhere between a few hours and one day. Perhaps
> server load plays a part?
> 
> (Technically my process was a little bit different. Instead of fully
> completing the graphical installer I swapped to a TTY after activating
> the wired connection, mounted the root fs, and run $ guix system build
> /mnt/etc/config.scm, where config.scm was unmodified since initial
> installation. I'd be stunned if this caused the change in behavior but
> figured I'd mention for completeness.)
> 
> 

I've mananged to reproduce this bug. First, I run `sudo guix gc delete-generations && guix gc -d 2w` to clear my store. Then I run `guix upgrade && sudo guix system -L /home/ada/dotfiles/guix/ reconfigure --fallback /home/ada/dotfiles/guix/ada/system/kissakoira.scm` to redownload all of those deleted store items. The process 9/10 will fail halfway through the upgrade process. Then, a retry will work without a hitch. Even re-gc-ing my system will not let me reproduce the bug - I need to restart my system. Then, the likelyhood it works is 7/10 until the next day (just my perception). By the way, this is on my university's network.

I managed to capture the problem happening under strace using this command `strace -ff -tt -o log_up.strace -s 500 guix upgrade && sudo strace -ff -tt -o log_sr.strace -s 500 sudo guix system -L /home/ada/dotfiles/guix/ reconfigure --fallback /home/ada/dotfiles/guix/ada/system/kissakoira.scm`. I've uploaded the logs to my Google Drive[1]. You can use `strace-log-merge log_up.strace` to view to merged logs. 

As I can reproduce this error fairly consistently now, please let me know if you want me to run any more tools to capture more data.

Warmly,
Ada

[1] https://drive.google.com/file/d/104DVqyMLGRi4imWzvFQ6TahAiRRKdR4_/view?usp=drive_link

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 29 May 2024 01:44:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue May 28 21:44:46 2024
Received: from localhost ([127.0.0.1]:39314 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sC8Mw-0006fD-3X
	for submit <at> debbugs.gnu.org; Tue, 28 May 2024 21:44:46 -0400
Received: from mail-108-mta88.mxroute.com ([136.175.108.88]:36679)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <richard@HIDDEN>) id 1sC8Mu-0006f4-Gu
 for 71238 <at> debbugs.gnu.org; Tue, 28 May 2024 21:44:45 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta88.mxroute.com (ZoneMTA) with ESMTPSA id 18fc20528a3000efce.001
 for <71238 <at> debbugs.gnu.org>
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Wed, 29 May 2024 01:44:29 +0000
X-Zone-Loop: 5505f23ea5e67f6101096d06ce6940f857329472fc6e
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=freakingpenguin.com; s=x; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=ZhXwP+J+MGt/Zj/gKo41hTwhcSKkaTmh+JAoyLlnAhk=; b=Lsdtf0a8M2FjAFQ2xDO7YxBD2/
 eTv6oR3B6hrrLFHVQYqjhh7uwLkYlvNH/JIfxwNMylBf4hmPKJFtgqDk7f9+Gwu3Ggr3OgTx27+Oh
 /TLL/lDJUNrNuOB1zmpkerIahgroilqNrtljO+1YCx+9YGvwDpNmchjc12+hBe0m3yfP0J7IxtA31
 1OE2Jkf3gWUuFJwN8qBW5Jk7nhffVaqQJmoWl4TeUn3uza9UWfJcinpTpsKtOEZQEUifLioIIQmfA
 ghf5nW1zntsv2hKPME1fk3XVtmXCWLseyc6HJq0KQHMnTLs7iNgfVu4nZbrxMh4XJblheJk9oaVR5
 9+wNG/2w==;
From: Richard Sent <richard@HIDDEN>
To: 71238 <at> debbugs.gnu.org
Subject: Re: bug#71238: Installer image consistently fails to run system
 init due to TLS error
In-Reply-To: <87y17u7dfu.fsf@HIDDEN> (Richard Sent's message of
 "Tue, 28 May 2024 00:44:37 -0400")
References: <87plt692ky.fsf@HIDDEN>
 <87a5ka8y5e.fsf@HIDDEN>
 <87y17u7dfu.fsf@HIDDEN>
Date: Tue, 28 May 2024 21:44:16 -0400
Message-ID: <87h6ehl7db.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Authenticated-Id: richard@HIDDEN
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 71238
Cc: adanskana@HIDDEN, lars.bilke@HIDDEN, ludo@HIDDEN, ekaitz@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Richard Sent <richard@HIDDEN> writes:

> 1. There was a transient network issue for ~3 hours when I attempted to
> install Guix ~4 times using different installation media that caused a
> specific TLS handshake to fail.
>
> 2. A specific TLS handshake Guix undertakes during the installation
> process fails to pass one of the built-in firewall rules shipped with
> opnsense.
>
> 3. Some other odd aspect of my network messes things up for a specific
> TLS handshake.
>
> My money is on 2 given how this is a seemingly common issue on
> enterprise networks [1] and the rules I have added seem irrelevant. (I'd
> rather not talk openly about my firewall rules in an archived public
> forum, but can discuss off-list). However, there is another comment in
> that thread that says IT didn't notice any firewall blocking.

I ran the 1.4.0 installer again today behind my opnsense router and it
completed successfully, which is horrifying. I was hoping starting from
a constant image would make the error reproducible but that doesn't seem
to be the case. Even with a consistent system image and network, it's
only reproducible for somewhere between a few hours and one day. Perhaps
server load plays a part?

(Technically my process was a little bit different. Instead of fully
completing the graphical installer I swapped to a TTY after activating
the wired connection, mounted the root fs, and run $ guix system build
/mnt/etc/config.scm, where config.scm was unmodified since initial
installation. I'd be stunned if this caused the change in behavior but
figured I'd mention for completeness.)

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 28 May 2024 05:59:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue May 28 01:59:15 2024
Received: from localhost ([127.0.0.1]:45574 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sBpre-0000jf-Mq
	for submit <at> debbugs.gnu.org; Tue, 28 May 2024 01:59:15 -0400
Received: from mail-pf1-f176.google.com ([209.85.210.176]:53447)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <adanskana@HIDDEN>) id 1sBpWc-0000Ct-75
 for 71238 <at> debbugs.gnu.org; Tue, 28 May 2024 01:37:31 -0400
Received: by mail-pf1-f176.google.com with SMTP id
 d2e1a72fcca58-6f69422c090so317388b3a.2
 for <71238 <at> debbugs.gnu.org>; Mon, 27 May 2024 22:37:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1716874575; x=1717479375; darn=debbugs.gnu.org;
 h=content-transfer-encoding:in-reply-to:references:subject:to:from
 :user-agent:mime-version:date:message-id:from:to:cc:subject:date
 :message-id:reply-to;
 bh=9zfbEh1o0wYmlXoGKpop1cd7dYhWEvyx4b7htLvbRYs=;
 b=GTL0ravpg/5FEyBVQvC9RmBmv1/iVsBcd+APIP5LuVE1UWpRAiU6krpPCz7mC3/Vts
 N+uMmNStRHz5LuUIZhOqsHnywF1nA0Z0ppkLJv7pwN5zZjDSIm+VZICMdYCd5mYeoAjX
 qlh3LLvgeSI1+1U+21Roxn7Wvpv0L26wLqAVapNHQUXuD0dtgPA6CNxZOL/eh+D2+bAe
 qPqHy4NxqHz7EbeCIhvRrwCTeQvmO8SrTbrZjCPY72VU5FatY73wlLh2E+CQdIGnWJMu
 tScoZ0BwbqoZo2gohspbD1MF0cXyqHI4oZgVWue7JxyeQpwiANeeBha++ZqM4P2yz6ez
 Y/Ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1716874575; x=1717479375;
 h=content-transfer-encoding:in-reply-to:references:subject:to:from
 :user-agent:mime-version:date:message-id:x-gm-message-state:from:to
 :cc:subject:date:message-id:reply-to;
 bh=9zfbEh1o0wYmlXoGKpop1cd7dYhWEvyx4b7htLvbRYs=;
 b=TqQ6JcXUd+j38yZ5fpKTFMFZ83tWSgWo5BhD+TNS1bpaslxJ+9AQx4TZpP+ufhrAsn
 8qVNP+80+pHwi5jv3YeALsFIDFGMPBjqr29Q+vYPXvkVECuGCr+kZEW9cuz2JxxPk2EQ
 0rHXMnb4jFB8imxXvF3WzrngfpGzk/ztWElEyrLp8YELoAhu94KuPfxisys7+94xYE3g
 i1VZUo5J77CGDF4XIF3qzoIbyxLOm7CND6DmnQFOXjGpH9m9YlVic/L7MKbhx0MTXfA6
 xHpo3pZw40XdlkHOcQJmaEBNx2BLJNDxD+0z4ra+4gM7neWKH963BUjwB6TctSre6N9F
 ENsg==
X-Forwarded-Encrypted: i=1;
 AJvYcCVJiAkWPYDQFv/0jdNNxXQ+CqTbLQcDX6b6jrp7edlzN15j0Tfy/xdI8th5EVcoj2OQ3e6INdtX8JeeZcwHpVrNzafXK04=
X-Gm-Message-State: AOJu0YxTqx+QXKPd64i0ADkOwIMK6J7lBFU4kB2z5UPFTheo+LEsbZai
 JKqWd21qtehWm7RHw+C1e6OYqdeR1Q6VMpOj07nI/DQa+F/Z1iaf
X-Google-Smtp-Source: AGHT+IHAeuTMx6dESxKShm9cD6thOQR3XdnTp5neJzgaWw73HoIGRr2h4qPmdgyB1YSa43hJFVJqgw==
X-Received: by 2002:a05:6a20:6a1f:b0:1af:8fa8:3126 with SMTP id
 adf61e73a8af0-1b212cc7643mr12667040637.6.1716874574772; 
 Mon, 27 May 2024 22:36:14 -0700 (PDT)
Received: from [10.143.113.222] ([130.95.40.104])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-1f44c97104fsm71633445ad.144.2024.05.27.22.36.12
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 27 May 2024 22:36:14 -0700 (PDT)
Message-ID: <e69e8246-5835-5e56-a0f8-c7b54ec4b3b1@HIDDEN>
Date: Tue, 28 May 2024 05:36:09 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.0
From: adanskana@HIDDEN
To: Richard Sent <richard@HIDDEN>, 71238 <at> debbugs.gnu.org,
 ekaitz@HIDDEN, lars.bilke@HIDDEN, ludo@HIDDEN
Subject: Re: bug#71238: Installer image consistently fails to run system init
 due to TLS error
References: <87plt692ky.fsf@HIDDEN>
 <87a5ka8y5e.fsf@HIDDEN> <87y17u7dfu.fsf@HIDDEN>
In-Reply-To: <87y17u7dfu.fsf@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -3.4 (---)
X-Debbugs-Envelope-To: 71238
X-Mailman-Approved-At: Tue, 28 May 2024 01:59:13 -0400
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.4 (----)

Hi Richard

On 5/28/24 4:44 AM, Richard Sent <richard@HIDDEN> wrote:
> Richard Sent <richard@HIDDEN> writes:
> 
> > What the heck is going on here? Those two images are wildly different
> > and are downloading wildly different sets of substitutes.
> 
> Bad news. I connected my device to a different network with just an
> ordinary consumer router and the installation succeeded (using the guix
> 00384aed media). Ordinary my devices are behind a opnsense router with a
> /very/ lightly-customized firewall. To me, this means there are three
> possibilities, none of which is particularly comforting:
> 
> 1. There was a transient network issue for ~3 hours when I attempted to
> install Guix ~4 times using different installation media that caused a
> specific TLS handshake to fail.
> 
> 2. A specific TLS handshake Guix undertakes during the installation
> process fails to pass one of the built-in firewall rules shipped with
> opnsense.
> 
> 3. Some other odd aspect of my network messes things up for a specific
> TLS handshake.
> 
> My money is on 2 given how this is a seemingly common issue on
> enterprise networks [1] and the rules I have added seem irrelevant. (I'd
> rather not talk openly about my firewall rules in an archived public
> forum, but can discuss off-list). However, there is another comment in
> that thread that says IT didn't notice any firewall blocking.
> 
> >> Sometimes, usually when I'm on an enterprise network like my
> >> university's of library's wifi, the `guix substitute` process dies
> >> with a "TLS error in procedure 'write_to_session_record_port': Error
> >> in the push function" error message. My connection is rock-solid
> >> otherwise, and sometimes it doesn't happen at all.
I was actually going to reopen this issue, as I'm still encountering this bug in the exact same scenarios. Nothing has changed at all. 
> > I get the same error on guix pull almost always when I am on my
> > enterprise network. Re-running guix pull a second time also almost
> > always then runs fine. I checked with our IT: nothing suspicious on
> > the network, i.e. no firewall blocking.
> 
> Running Guix pull to work around the problem is great...... unless
> you're trying to install Guix via the guided installer! :) In my case it
> also wasn't guix pull that was failing.
> 
> I want to emphasize that the error occured in the same phase of the
> installer every time, it was not the first handshake, no other machine
> has ever had this issue, and the installer was (3/4 times) on a commit
> that should include the fix described in [1].
> 
> I'm happy to assist with debugging this, although I'm not some TLS
> networking genius so trying to solve it outright is probably beyond me.
> I'd also LOVE to hear if other people using a largely stock opnsense or
> other firewall software encountered this issue, particularly with the
> installation media.
Same, I'm happy to assist. The test that Ludo' provided to try and reproduce the bug doesn't work as referenced in previous emails. Is there some way I can attatch a debugger to a guile process running `guix upgrade` or something like that? 
> 
> At some point I'll attempt to gradually "de-enterprise" parts of my
> network and see exactly when (if ever) the problem is resolved. Due to
> the nature of the problem, reliably reproducing it in the future will be
> a challenge.
> 
> CC'ing people involved in [1] because this is just so weird and I don't
> want it to be consigned to the dustbins of history. I don't think we
> heard anyone with the issue explicitly say the fix resolved or at least
> mitigated the problem.
Thanks for CC'ing me. Yes, the problem was never resolved. For someone just upgrading their system, it's annoying, but can be mitigated pretty easily. For someone trying to install Guix, on the other hand, this is a intensely annoying problem. After my exams are finished in a couple weeks I want to try and fix this problem and also upgrade GRUB to fix issues with it recognising ext4 partitons with certain features enabled properly. 
> 
> [1]: https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00150.html
> 
> 
Anyway, please let me know how I can help. If someone could help me attaching some sort of debugger, I can reproduce the error fairly easily on my uni's wifi if I do a `guix gc -d 2w && guix upgrade && sudo guix system reconfigure config.scm`. The sheer number of substitutes downloaded seems to be enough for it to happen at least once.

Warmly, 
Ada

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 28 May 2024 04:45:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue May 28 00:45:13 2024
Received: from localhost ([127.0.0.1]:45534 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sBoi1-00077E-1R
	for submit <at> debbugs.gnu.org; Tue, 28 May 2024 00:45:13 -0400
Received: from mail-108-mta195.mxroute.com ([136.175.108.195]:40087)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <richard@HIDDEN>) id 1sBohy-000771-3U
 for 71238 <at> debbugs.gnu.org; Tue, 28 May 2024 00:45:11 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta195.mxroute.com (ZoneMTA) with ESMTPSA id
 18fbd840406000efce.001 for <71238 <at> debbugs.gnu.org>
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Tue, 28 May 2024 04:44:56 +0000
X-Zone-Loop: cf4578001fc44c7e31fadf81839a149cd7427d3f9ef8
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=freakingpenguin.com; s=x; h=Content-Type:MIME-Version:Message-ID:Date:CC:
 References:In-Reply-To:Subject:To:From:Sender:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=H4kN0o2951uPhi9djB4EziXi1S/SopNUP+/FstUFjjo=; b=E1ueFHMfHRTFAOhaJWW+g5rvbK
 b6WaXSwQ7i3XCKumjmgKp1v1Hx/Kpyu8hmoO+J5AXed/6q5/fnb9KfGA78VILsko4QRSgFQoxwo5G
 EloFQWpSvABJbNBBecRC5YpOgjv8t9jelFccInF7V/eRuKtSfWozMybvnqRO0bVavxm3SmP6EOcxu
 6MOoY3HPS2dmCEsaeHUjjxinJRa36IWEEx7jZ4qAEdQDM0bUNP2sFEIhgQeKtSZxnyIwXN0/7IHQG
 JuA0wJSvMrUqUvF7bVFtKtPgHNBtYws574SyfR6cIW9vKshjiJAfvD/cRh4UDcKbj3nh0PhlfYKTw
 9gqTZgAQ==;
From: Richard Sent <richard@HIDDEN>
To: 71238 <at> debbugs.gnu.org
Subject: Re: bug#71238: Installer image consistently fails to run system
 init due to TLS error
In-Reply-To: <87a5ka8y5e.fsf@HIDDEN> (Richard Sent's message of
 "Mon, 27 May 2024 22:31:57 -0400")
References: <87plt692ky.fsf@HIDDEN>
 <87a5ka8y5e.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
Date: Tue, 28 May 2024 00:44:37 -0400
Message-ID: <87y17u7dfu.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Authenticated-Id: richard@HIDDEN
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 71238
Cc: adanskana@HIDDEN, lars.bilke@HIDDEN, ludo@HIDDEN, ekaitz@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Richard Sent <richard@HIDDEN> writes:

> What the heck is going on here? Those two images are wildly different
> and are downloading wildly different sets of substitutes.

Bad news. I connected my device to a different network with just an
ordinary consumer router and the installation succeeded (using the guix
00384aed media). Ordinary my devices are behind a opnsense router with a
/very/ lightly-customized firewall. To me, this means there are three
possibilities, none of which is particularly comforting:

1. There was a transient network issue for ~3 hours when I attempted to
install Guix ~4 times using different installation media that caused a
specific TLS handshake to fail.

2. A specific TLS handshake Guix undertakes during the installation
process fails to pass one of the built-in firewall rules shipped with
opnsense.

3. Some other odd aspect of my network messes things up for a specific
TLS handshake.

My money is on 2 given how this is a seemingly common issue on
enterprise networks [1] and the rules I have added seem irrelevant. (I'd
rather not talk openly about my firewall rules in an archived public
forum, but can discuss off-list). However, there is another comment in
that thread that says IT didn't notice any firewall blocking.

>> Sometimes, usually when I'm on an enterprise network like my
>> university's of library's wifi, the `guix substitute` process dies
>> with a "TLS error in procedure 'write_to_session_record_port': Error
>> in the push function" error message. My connection is rock-solid
>> otherwise, and sometimes it doesn't happen at all.
> I get the same error on guix pull almost always when I am on my
> enterprise network. Re-running guix pull a second time also almost
> always then runs fine. I checked with our IT: nothing suspicious on
> the network, i.e. no firewall blocking.

Running Guix pull to work around the problem is great...... unless
you're trying to install Guix via the guided installer! :) In my case it
also wasn't guix pull that was failing.

I want to emphasize that the error occured in the same phase of the
installer every time, it was not the first handshake, no other machine
has ever had this issue, and the installer was (3/4 times) on a commit
that should include the fix described in [1].

I'm happy to assist with debugging this, although I'm not some TLS
networking genius so trying to solve it outright is probably beyond me.
I'd also LOVE to hear if other people using a largely stock opnsense or
other firewall software encountered this issue, particularly with the
installation media.

At some point I'll attempt to gradually "de-enterprise" parts of my
network and see exactly when (if ever) the problem is resolved. Due to
the nature of the problem, reliably reproducing it in the future will be
a challenge.

CC'ing people involved in [1] because this is just so weird and I don't
want it to be consigned to the dustbins of history. I don't think we
heard anyone with the issue explicitly say the fix resolved or at least
mitigated the problem.

[1]: https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00150.html

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Message received at 71238 <at> debbugs.gnu.org:

Received: (at 71238) by debbugs.gnu.org; 28 May 2024 02:32:17 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 27 22:32:17 2024
Received: from localhost ([127.0.0.1]:45503 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sBmdN-0003kF-B8
	for submit <at> debbugs.gnu.org; Mon, 27 May 2024 22:32:17 -0400
Received: from mail-108-mta28.mxroute.com ([136.175.108.28]:35881)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <richard@HIDDEN>) id 1sBmdL-0003k7-Du
 for 71238 <at> debbugs.gnu.org; Mon, 27 May 2024 22:32:16 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta28.mxroute.com (ZoneMTA) with ESMTPSA id 18fbd0a527c000efce.001
 for <71238 <at> debbugs.gnu.org>
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Tue, 28 May 2024 02:32:01 +0000
X-Zone-Loop: b5aa27bae5323fbaadb24ae70f4f089494f772f6e6a5
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=freakingpenguin.com; s=x; h=Content-Type:MIME-Version:Message-ID:Date:
 References:In-Reply-To:Subject:To:From:Sender:Reply-To:Cc:
 Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
 List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=eKTY7HBxw1r9FpNYTUFGEPZwyoTsHym/iOEwdY0+PV0=; b=du2pwCNztZFtaUrhQwtngv2moq
 93xwjiOkMaTs+y1zZZ6QKZXMNi6/sUgTZx1Nm5pRTb9zeNrmpfh0h6MajdbdTEWCw5o+9A1PgfmLM
 RiA3btzRYBAOdmHWeGGpv7Ov/6vDoScO57F0mrFeNHfXMnEIyNmFXy2lqq9S7KAZFIU0bkSdaften
 lv7L7yIZ7OOi8f4xTHmqSrcbYletFPKSn0gfFP9gEMo3QUDQhBPSvN9j6NmFhOwbqiFW3igJwXYGS
 47qwnUwq/fJoTfEuJ/DnCRYDo7Qwwhm6nakvQxAtYgi4NzRQbYmNAhHkQONY2/8BL5WbvaKMtZVr1
 IwzjRNIQ==;
From: Richard Sent <richard@HIDDEN>
To: 71238 <at> debbugs.gnu.org
Subject: Re: bug#71238: Installer image consistently fails to run system
 init due to TLS error
In-Reply-To: <87plt692ky.fsf@HIDDEN> (Richard Sent's message of
 "Mon, 27 May 2024 20:56:13 -0400")
References: <87plt692ky.fsf@HIDDEN>
Date: Mon, 27 May 2024 22:31:57 -0400
Message-ID: <87a5ka8y5e.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Authenticated-Id: richard@HIDDEN
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 71238
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

> Curiously this does NOT occur the first time substitutes are fetched. I
> observed it occur three times when substitutes were fetched after Ruby
> was substituted. I don't mean to say that Ruby is the problem (that'd be
> crazy), just that the TLS error occurs at the same stage in the
> installation every time. NOT randomly.
>
> I've never encountered this error before on any other Guix machine on my
> network. The installation machine was using a wired connection.

I have now tried the v1.4.0 installer and get a failure at (seemingly)
the same point in the install, although the actual error is different.
See installer-dump-22e789d5.

What the heck is going on here? Those two images are wildly different
and are downloading wildly different sets of substitutes.

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 28 May 2024 00:56:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 27 20:56:58 2024
Received: from localhost ([127.0.0.1]:45452 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sBl98-0006rB-2o
	for submit <at> debbugs.gnu.org; Mon, 27 May 2024 20:56:58 -0400
Received: from lists.gnu.org ([209.51.188.17]:57748)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <richard@HIDDEN>) id 1sBl95-0006r3-FQ
 for submit <at> debbugs.gnu.org; Mon, 27 May 2024 20:56:56 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <richard@HIDDEN>)
 id 1sBl8v-0004OG-N2
 for bug-guix@HIDDEN; Mon, 27 May 2024 20:56:45 -0400
Received: from mail-108-mta244.mxroute.com ([136.175.108.244])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <richard@HIDDEN>)
 id 1sBl8t-0003yL-Lx
 for bug-guix@HIDDEN; Mon, 27 May 2024 20:56:45 -0400
Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta244.mxroute.com (ZoneMTA) with ESMTPSA id
 18fbcb2f2f5000efce.001 for <bug-guix@HIDDEN>
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Tue, 28 May 2024 00:56:35 +0000
X-Zone-Loop: a0dfeb453bdaecde6f114bdc98eef742cc7f86766ee0
X-Originating-IP: [136.175.111.3]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=freakingpenguin.com; s=x; h=Content-Type:MIME-Version:Message-ID:Date:
 Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=iuqzcPjVU76M2ngA2rjf2OH4ICzOqdycQokJ1zaKJNs=; b=XpL+ZrEPCm1Y9VvP8BQoLDVqX2
 Mn7G1gc4SIMciGw+dOr51NLCGhH/pczTQrPV8nHrmrZzXSn9CidgKe58WeA+ljDtAD3RLijcUsNi3
 HK1M2RGcKT5CGXMI+lZk/bYCLlbCXbyKOTNCIOSYXJtIBQkOotKSPTxM7r3y6B1zbbBVxMPKiziQf
 FzP6Z7EI6pJlh8yUT2f1kbq2nlCWAvPBls5Y451Taeqd9vtnHvcxsydeevMLeFyQNL1xnHpExm3nS
 E/+QySGBIiXWIt7cipc+UbSvsd9ar25560PDUPTe9O76xIAB5yP0uVlPAIFjgVnXui/IcnXPA7LB/
 /A1rGUGQ==;
From: Richard Sent <richard@HIDDEN>
To: bug-guix@HIDDEN
Subject: Installer image consistently fails to run system init due to TLS error
Date: Mon, 27 May 2024 20:56:13 -0400
Message-ID: <87plt692ky.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Authenticated-Id: richard@HIDDEN
Received-SPF: pass client-ip=136.175.108.244;
 envelope-from=richard@HIDDEN; helo=mail-108-mta244.mxroute.com
X-Spam_score_int: -16
X-Spam_score: -1.7
X-Spam_bar: -
X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_INVALID=0.1,
 DKIM_SIGNED=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

Hi Guix!

The dump was uploaded as installer-dump-2e7b5f8f. Here's the installer's
error message:

--8<---------------cut here---------------start------------->8---
May 27 22:15:49 localhost installer[708]: substitute: ^[[Kupdating substitutes from 'https://bordeaux.guix.gnu.org'...   0.0%guix substitute: error: TLS error in procedure 'write_to_session_record_port': Error in the push function. 
May 27 22:15:49 localhost installer[708]: guix system: ^[[1;31merror: ^[[0m`/gnu/store/rdjjpch9m9xv4rdhhr6sv044qd322pj8-guix-command substitute' died unexpectedly 
--8<---------------cut here---------------end--------------->8---

A Guix system installation generated via the following method
consistently fails to install due to a TLS error when updating
substitutes.

--8<---------------cut here---------------start------------->8---
gibraltar :( guix$ guix time-machine -q -- describe
  guix 00384ae
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 00384aedbc6a371aaf90ca344a446952fdd5a6b3
gibraltar :) guix$ guix time-machine -q -- system image --image-type=iso9660 -e '(@ (gnu system install) installation-os)'
guix system: warning: Consider running 'guix pull' followed by
'guix system reconfigure' to get up-to-date packages and security updates.

Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
Computing Guix derivation for 'x86_64-linux'... \
/gnu/store/x9a2nflpnfpr8i3n1759hw7wg2qv5mm8-image.iso
--8<---------------cut here---------------end--------------->8---

Curiously this does NOT occur the first time substitutes are fetched. I
observed it occur three times when substitutes were fetched after Ruby
was substituted. I don't mean to say that Ruby is the problem (that'd be
crazy), just that the TLS error occurs at the same stage in the
installation every time. NOT randomly.

I've never encountered this error before on any other Guix machine on my
network. The installation machine was using a wired connection.

Possibly related: [1], [2], [3], [4]

Notably [3] claims to have a fix that was merged into Guix, but 00384ae
is after said fix was merged (and yes, $ guix describe on the installer
image does report 00384ae)

[1]: https://issues.guix.gnu.org/66786
[2]: https://issues.guix.gnu.org/48903
[3]: https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00150.html
[4]: https://issues.guix.gnu.org/70244

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.