Progress on 'guix deploy'

[Jakob L. Kreuze]

Hello, Guix!

Apart from a few patches and my introductory email about a month ago,
I've been pretty silent. I feel it's time to finally break that silence,
let people know where progress has been made, and request some feedback
on the code I've written so far.

As a quick refresher, my GSoC project this summer is 'guix deploy', a
deployment automation tool for GuixSD that's been discussed more
thoroughly in [1] and [2]. Development has taken place on my personal
branch of Guix, specifically the 'wip-deploy' branch [3], and is
represented by three new Scheme source files:

- 'gnu/machine.scm', which provides an abstraction for /something/ that
  can be deployed to in a heterogeneous deployment. Currently, the only
  concrete implementation of this is the simple case of in-place updates
  to machines running SSH whose names and IP addresses we know.
- 'gnu/tests/machine.scm', which implements some tests for
  'gnu/machine.scm'. This is where I'm most interested in receiving
  feedback. More on that later.
- 'guix/scripts/deploy.scm', which implements the rudimentary
  command-line interface for 'guix deploy'.

The command-line interface hasn't really been fleshed out yet, but if
you'd like to play around with it, it takes a "deployment" file as a
parameter, which is a Scheme file looking something like the following:

#+BEGIN_SRC scheme
(use-modules ...)

(define %system
  (operating-system
   (host-name "gnu-deployed")
   (timezone "Etc/UTC")
   (bootloader (bootloader-configuration
(bootloader grub-bootloader)
(target "/dev/sda")
(terminal-outputs '(console
   (file-systems (cons (file-system
(mount-point "/")
(device "/dev/vda1")
(type "ext4"))
   %base-file-systems))
   (services
(append (list (service dhcp-client-service-type)
  (service openssh-service-type
   (openssh-configuration
(permit-root-login #t)
(allow-empty-passwords? #t
%base-services

(list (make 
#:host-name "localhost"
#:ssh-port 5556
#:system %system))
#+END_SRC

Basically, you attach an 'operating-system' declaration to a 'machine'.
In this case, 'sshable-machine' is the specific type of 'machine' that
we're deploying to (one that's running an SSH daemon and has a known IP
+ port + hostname).

I've found that the GuixSD QEMU images work well for playing around with
this, provided that you add the SSH service to the system configuration
and start it. In the case of this deployment file, I had a GuixSD guest
with port 22 forwarded to my host's port 5556. You'll also need to set
up some sort of public key auth in your SSH config. The current code
isn't capable of handling other forms of SSH authentication.

In terms of implementation, GOOPS feels like a bit of an unusual choice
when juxtaposed with the rest of the Guix codebase, but I've come to
really enjoy it. I'll roll with it for now, since I think it will make
it easier to flesh out the vocabulary for specifying deployments.

The implementation of '' is doing what
'switch-to-system' and 'install-bootloader' in 'guix/scripts/system.scm'
do, but in terms of data that can be sent with 'remote-eval'. I imagine
the code will make more sense if you read both simultaneously.

Okay, on to the test suite.

My understanding of the system test suite (tests run with 'check-system'
as opposed to those run with 'check') is that the meat of the test code
exists in a G-Expression and should _not_ be interacting with the store
of the machine running the test suite (i.e. that's the reason we're
using marionettes in the first place). 'gnu/tests/install.scm' seems to
be somewhat of an exception, and because the code in '(gnu machine)'
depends heavily on having access to a store, I've tried to extend what's
done in 'gnu/tests/install.scm' so that my tests have access to store
while instrumenting the marionettes.

To be specific, the chicken and egg scenario I'm working around is that
the SSH daemon on the marionette needs to be running in order for
'deploy-os' to work, but I can't call 'deploy-os' from the test
G-Expression because the store wouldn't be accessible then.

My gut is telling me that this is absolutely the wrong way to go about
it, though. 'call-with-marionette' is one of a couple red flags making
me feel that way -- I don't think marionettes were meant to be started
outside the context of a derivation...

If anyone has suggestions on how I might go about properly testing this
code, I would appreciate it very much.

Another point about the test suite: the 'ssh-deploy-os' test fails, but
it's a reproducible version of the issue outlined in [2]. I'd like to
conscript some help from those more familiar with guile-ssh before
breaking out the ol' RFCs myself.

...

So, if anyone's in the mood to peek at what's 

Re: SELinux log

[Laura Lazzati]

--8<---cut here---start->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0 auid=1000
ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=pts/1 res=failed'UID="root"
AUID="laura"
type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
lsm=selinux res=1AUID="laura"

type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received
policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received
policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1559947746.785:39285): avc:  denied { relabelto } for
 pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0 tclass=dir
permissive=0
type=AVC msg=audit(1559947746.787:39286): avc:  denied { relabelto } for
 pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=file permissive=0
--8<---cut here---end--->8---

Re: SELinux log

[Laura Lazzati]

Sorry, my mail client apparently hates me, it is somewhat formatting
my mails after sending them ¬¬

Re: SELinux log

[Laura Lazzati]

Hi!

> Thank you, the log is helpful (even though it looks like your mail
> client reformatted it, which makes it very hard to read).
Sorry for that :/

> Did you run “restorecon” on the store to recursively label all files?
I did, but I have just found that you are right, looking at the log
that it is not labeling properly (I am running the commands like they
are in the manual, with the proper path to the policy, and `restorecon
-r /`), weird, see:

--8<---cut here---start->8---
type=FS_RELABEL msg=audit(1559947443.686:26389): pid=2658 uid=0
auid=1000 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=mass relabel exe="/usr/sbin/setfiles"
hostname=localhost.localdomain addr=? terminal=pts/1
res=failed'UID="root" AUID="laura"
type=MAC_POLICY_LOAD msg=audit(1559947618.423:26390): auid=1000 ses=3
lsm=selinux res=1AUID="laura"
addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1559947745.466:39283): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc:  received policyload notice (seqno=3)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'UID="root" AUID="unset" SAUID="root"
type=USER_AVC msg=audit(1559947745.467:39284): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc:  received policyload notice (seqno=4)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'UID="root" AUID="unset" SAUID="root"
type=AVC msg=audit(1559947746.785:39285): avc:  denied { relabelto }
for  pid=2688 comm="restorecon" name="guix" dev="dm-0" ino=311508
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=dir permissive=0
type=AVC msg=audit(1559947746.787:39286): avc:  denied { relabelto }
for  pid=2688 comm="restorecon" name="acl" dev="dm-0" ino=306189
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:guix_daemon.guix_daemon_conf_t:s0
tclass=file permissive=0
--8<---cut here---end--->8---

And taking a look at /gnu I get:

d??   ? ???? gnu
 :S

Regards :)
Laura

Re: [ANNOUNCE] ganeti-instance-guix 0.3

[Ludovic Courtès]

Hi Marius,

Marius Bakke  skribis:

> I am happy to announce a new version of 'instance-guix', a Ganeti OS
> provider that creates Guix systems.  It is a <100 line shell script.

Congrats!

> Guix is a functional package manager that can be installed on any
> GNU/Linux distribution, and offers a declarative operating system
> interface.  Ganeti is an API-driven clustered virtual machine manager
> with strong consistency guarantees.  Together they form a very powerful
> abstraction for building infrastructure with code.

I think you should write a blog article about the use cases and how this
fits together, for someone not familiar with Ganeti (like me!) or with
Guix.

Thanks,
Ludo’.

Re: Lightning talk at IPFS camp

[Ludovic Courtès]

Konrad Hinsen  skribis:

> Ludovic Courtès  writes:
>
>> (They could have chosen Guile instead of a custom Lisp, but that’s an
>> “implementation detail”.  :-))
>
> From my reading of the whitepaper, no. They have pretty strict
> constraints on their language because they send live code updates
> to running instances and want to be able to make certain guarantees.
> Guile, or any other Scheme, would be too flexible.

Oh right, I had overlooked that aspect of the project.  Interesting!

Ludo’.

Re: New SLiM theme.

[Ludovic Courtès]

Hello!

Diego Nicola Barbato  skribis:

> From bfa773e0907ebe4f89bb5614a09d23d3e692d8d5 Mon Sep 17 00:00:00 2001
> From: Diego Nicola Barbato 
> Date: Mon, 3 Jun 2019 16:21:25 +0200
> Subject: [PATCH v2] slim: Add 1.x theme.

Pushed!  Thanks for fixing this omission!  :-)

You’re welcome to update (gnu artwork) now.

Ludo’.

Re: Lightning talk at IPFS camp

[Konrad Hinsen]

Ludovic Courtès  writes:

> (They could have chosen Guile instead of a custom Lisp, but that’s an
> “implementation detail”.  :-))

>From my reading of the whitepaper, no. They have pretty strict
constraints on their language because they send live code updates
to running instances and want to be able to make certain guarantees.
Guile, or any other Scheme, would be too flexible.

Konrad.

Re: Lightning talk at IPFS camp

[Konrad Hinsen]

Ludovic Courtès  writes:

> Hey!
>
> I stumbled upon this:
>
>   https://github.com/ipfs/package-managers#readme

And I just stumbled on this one:

   https://github.com/ipfs/roadmap

Quote:

   2019 Priority

   We will be focusing our efforts into a single (lazer focus)
   priority.  Package Managers

This looks like just the right moment to tell them about the one true
package manager ;-)

Konrad.

Re: Lightning talk at IPFS camp

[Ludovic Courtès]

Hi!

Pierre Neidhardt  skribis:

> Konrad Hinsen  writes:

[...]

>> For human input, Git would be OK, with repositories stored in IPFS
>> (there's already some support for that, see
>> https://github.com/ipfs/go-ipld-git). A more radical redesign is
>> Radicle (http://www.radicle.xyz/), which uses IPFS as a collaboration
>> platform (still at the git level). I guess Radicle could be used for
>> much more than that in Guix, but I haven't looked at that in detail.
>
> Didn't know Radicle, it looks fantabulous!  And... it uses (or plans to)
> a Scheme-based language! :)

It looks like the “right” design, or at least one that I find super
interesting!

(They could have chosen Guile instead of a custom Lisp, but that’s an
“implementation detail”.  :-))

Ludo’.

Re: Lightning talk at IPFS camp

[Ludovic Courtès]

Hey!

I stumbled upon this:

  https://github.com/ipfs/package-managers#readme

Hopefully that’s something you’ll discuss at IPFS Camp!

Ludo’.

Reviewing KDE Plasma state on Guix System

[Félicien Pillot]

Hi Guix,

First, I would like to congratulate and thank you for the excellent work you 
are doing in the development of both Guix and this community.

Then, I'm writing today because I would be interested to have the KDE Plasma 
desktop running on Guix System.
I am willing to participate in its integration; I have already seen —roughly— 
that a good part of kde-frameworks was already packaged in the Guix depots; I 
also saw that some core parts for the desktop are currently missing.
Before I start a full diagnosis of the current situation, I would like to know: 
does someone in the team already have done so? or would perhaps be responsible 
for integrating the KDE packages? in short, have we now a good overview of the 
current situation, on where the KDE packaging process is currently at?
If there isn't any "global vision" of the state-of-the-art for the Plasma 
desktop yet, I would be happy to take care of it, by searching on the mailing 
list, testing the different parts already integrated, the necessary 
dependencies, the missing parts, etc. I'm a newby in Guile and Guix, so it 
would probably take time (and questions)

Thanks and happy hacking,
-- 
Félicien Pillot
2C7C ACC0 FBDB ADBA E7BC  50D9 043C D143 6C87 9372
felic...@gnu.org - felicien.pil...@riseup.net


pgpzmhiNwJW7X.pgp
Description: Signature digitale OpenPGP