diff mbox series

[bug#43155] hydra//build-machines: Update childhurd-net-options for secret-service.

Message ID 87h7sha71o.fsf@gnu.org
State New
Headers show
Series [bug#43155] hydra//build-machines: Update childhurd-net-options for secret-service. | expand

Checks

Context Check Description
cbaines/applying patch fail View Laminar job

Commit Message

Jan Nieuwenhuizen Sept. 1, 2020, 2:46 p.m. UTC
Hi!

With bug https://bugs.gnu.org/43106 just closed we now have a nice way
to inject secrets into the Childhurds.

Using the attached patch, which needs a fresh pull and reconfigure on
berlin (at least the nodes 101,102 that run Childhurds), we can create a
tree of childhurd secrets like so

--8<---------------cut here---------------start------------->8---
/etc/childhurd/etc/guix/signing-key.pub
/etc/childhurd/etc/guix/signing-key.sec
/etc/childhurd/etc/ssh/ssh_host_ed25519_key
/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
--8<---------------cut here---------------end--------------->8---

...and then we should be able to start offloading builds for the Hurd.
(I guess we then also need to add a cuirass jobs for the Hurd?)

Janneke

Comments

Ludovic Courtès Sept. 1, 2020, 9:19 p.m. UTC | #1
Hi!

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

> With bug https://bugs.gnu.org/43106 just closed we now have a nice way
> to inject secrets into the Childhurds.
>
> Using the attached patch, which needs a fresh pull and reconfigure on
> berlin (at least the nodes 101,102 that run Childhurds), we can create a
> tree of childhurd secrets like so
>
> /etc/childhurd/etc/guix/signing-key.pub
> /etc/childhurd/etc/guix/signing-key.sec
> /etc/childhurd/etc/ssh/ssh_host_ed25519_key
> /etc/childhurd/etc/ssh/ssh_host_ecdsa_key
> /etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
> /etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
>
> ...and then we should be able to start offloading builds for the Hurd.

Yup!  Probably we’ll create /etc/childhurd/HOST for each VM, so we also
need to adjust <hurd-vm-configuration> accordingly, right?

(I realize that the current code will silently keep going if we forget
to put the secret files in place; IOW, the service config doesn’t show
the files we intended to push as secrets.  Oh well, we’ll see that
later.)

> (I guess we then also need to add a cuirass jobs for the Hurd?)

Yes, or maybe just change ‘systems’ in the Cuirass specs for
‘guix-master’, but then it’ll try to build everything for GNU/Hurd,
which doesn’t sound like a great idea for now.  Perhaps we can simply
add a separate jobset pulling from ‘master’ but building only for
i586-gnu and only the “core” package set?

>>From 6d1c388ed82c260af27b556c0677e780ee410b05 Mon Sep 17 00:00:00 2001
> From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
> Date: Tue, 1 Sep 2020 16:31:42 +0200
> Subject: [PATCH] hydra//build-machines: Update childhurd-net-options for
>  secret-service.
> Content-Transfer-Encoding: 8bit
> Content-Type: text/plain; charset=UTF-8
>
> * hydra/modules/sysadmin/build-machines.scm (berlin-new-build-machine-os)
> [childhurd-net-options]: Include secret-service local QEMU forwarding.
> Use variables from (gnu services virtualization).

LGTM, thanks!

Ludo’.
diff mbox series

Patch

From 6d1c388ed82c260af27b556c0677e780ee410b05 Mon Sep 17 00:00:00 2001
From: "Jan (janneke) Nieuwenhuizen" <janneke@gnu.org>
Date: Tue, 1 Sep 2020 16:31:42 +0200
Subject: [PATCH] hydra//build-machines: Update childhurd-net-options for
 secret-service.
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8

* hydra/modules/sysadmin/build-machines.scm (berlin-new-build-machine-os)
[childhurd-net-options]: Include secret-service local QEMU forwarding.
Use variables from (gnu services virtualization).
---
 hydra/modules/sysadmin/build-machines.scm | 31 ++++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/hydra/modules/sysadmin/build-machines.scm b/hydra/modules/sysadmin/build-machines.scm
index b4afcbe..0385b6a 100644
--- a/hydra/modules/sysadmin/build-machines.scm
+++ b/hydra/modules/sysadmin/build-machines.scm
@@ -120,15 +120,28 @@  EMULATED-ARCHITECTURES, unless it's empty."
 
   (define (childhurd-net-options . config)
     "Expose SSH and VNC ports on 0.0.0.0; for first Childhurd VM those
-are 10022 and 15900."
-    (let ((id 0))
-      (define (qemu-vm-port base)
-        (number->string (+ base (* 1000 id))))
-      `("--device" "rtl8139,netdev=net0"
-        "--netdev" ,(string-append
-                     "user,id=net0"
-                     ",hostfwd=tcp:0.0.0.0:" (qemu-vm-port 10022) "-:2222"
-                     ",hostfwd=tcp:0.0.0.0:" (qemu-vm-port 15900) "-:5900"))))
+are 10022 and 15900.  Keep secret-service port local."
+    `("--device" "rtl8139,netdev=net0"
+      "--netdev" ,(string-append
+                   "user,id=net0"
+                   ",hostfwd=tcp:127.0.0.1:"
+                   (number->string (hurd-vm-port
+                                    config
+                                    (@@ (gnu services virtualization)
+                                        %hurd-vm-secrets-port)))
+                   "-:1004"
+                   ",hostfwd=tcp:0.0.0.0:"
+                   (number->string (hurd-vm-port
+                                    config
+                                    (@@ (gnu services virtualization)
+                                        %hurd-vm-ssh-port)))
+                   "-:2222"
+                   ",hostfwd=tcp:0.0.0.0:"
+                   (number->string (hurd-vm-port
+                                    config
+                                    (@@ (gnu services virtualization)
+                                        %hurd-vm-vnc-port)))
+                   "-:5900")))
 
   (define sysadmins
     (list (sysadmin (name "ludo")
-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com