[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Status of "GuixOps"?
Re: Status of "GuixOps"?
Fri, 06 Oct 2017 15:18:28 +0200
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
"Thompson, David" <address@hidden> skribis:
> On Sun, Sep 17, 2017 at 2:34 PM, Hartmut Goebel
> <address@hidden> wrote:
>> Q1: I did not follow the development closely, but I seem to recall that
>> there is some guix sub-command for configuring a remote system. But
>> grepping the manual for "remote", I did not find it, neither one of the
>> commands did attract me. How is it called?
> I haven't tried it but I think Ludo said that it was going to be a
> flag to 'guix system'. Has that code been merged? Not being able to
> easily connect to a remote daemon is what blocked me when I first
> tried writing 'guix deploy'.
The idea that I had in mind is to support:
guix system reconfigure --target=host.example.org config.scm
which would build locally and send the new system (or build it directly
on the target), and then run remotely the effectful bits of
‘reconfigure’: running activation scripts, upgrading Shepherd services.
To get there, the idea I have is to:
1. Isolate the effectful bits in (guix scripts system) and wrap them
2. Provide ‘eval-gexp’ (which would combine ‘build-derivations’ and
‘eval’) and ‘eval-gexp-remotely’ (likewise, but it would use
Guile-SSH’s ‘node-eval’ to evaluate the gexp remotely.)
3. Change (guix scripts system) to use ‘eval-gexp’ or
‘eval-gexp-remotely’ depending on whether --target was found.
This is just a subset of the functionality in you envision for ‘guix
deploy’, David, but it’s a good building block and useful in its own.
> I don't think that is the best approach, or at least it should not be
> an approach that GuixSD users *have to* use. I use Chef at work, and
> the equivalent technology there is called "encrypted data bags"
> (terrible name, I know). They are a pain and thus we do not manage
> secrets with it. You're right, everything in the store is
> world-readable, therefore you should never store secrets there. The
> most important thing to know is that secrets are stateful, which
> contrasts with many things in Guix that are stateless. Secrets can't
> be configured at build-time, it has to be done at runtime. So how do
> we get secrets onto machines? I think this is a job for GuixSD system
> services. Let's take for example a web application that connects to a
> MariaDB database. When the web application service starts, it will
> fetch the database password from the secret store and initialize the
> application with it by whatever means is supported (command line flag,
> environment variable, etc.). The secrets store could be a local
> GPG-encrypted file (getting the decryption key onto the machine is
> non-trivial, of course) or an external service. To give you an idea
> of the possibilities available when it comes to secrets management,
> I'll give a more complex example. All of my experience with this is
> with Amazon web services, so if you don't know AWS stuff you can skip
> this part but I'll describe it anyway for people that might be
> interested: EC2 instances are assigned an IAM role that allows them to
> decrypt a set of secrets that have been encrypted using a KMS key.
> The encrypted secrets happen to be stored in a DynamoDB table. A
> command line tool for fetching the secrets is installed on the
> instances and is integrated into the application startup processes
> that need secrets. When we want to rotate a key, we replace the
> DynamoDB record with a new one and restart the relevant services.
> Whether the secrets are stored in an encrypted file on each machine or
> in some external database, the basic process is the same: applications
> will receive their secrets when they are started, not when the system
> is configured.
Sounds interesting. We don’t have a good story on how to deal with
secrets currently, and this is problematic for deployments.
>> Q3: One of DepOps' main features for me is easy use and the automatic
>> refresh of Let's Encrypt certificates. Basically I just say: "Create
>> certificates for hostnames A, B, C" and everything happens
>> automatically: Configuration of nginx, creating the CSR, requesting the
>> certificate, renewal, etc. What is the status for something like this
>> for GuixSD?
> We have an nginx service, so you can write a configuration that points
> to certs generated by Let's Encrypt. The cron service could be
> configured to periodically run the Let's Encrypt tool that refreshes
> the certificates periodically. The pieces are all there, you just
> need to put them together. This is what I plan to do when I finally
> get around to switching my VPS from Debian to GuixSD. Since this is
> all just Scheme code, we could write abstractions that make this
> common use-case "just work" for people so they don't have to worry
> about the details. One step at a time. :)
There’s even a patch that brings a Cerbot service!
People commented on it but the patch still needs love to reach its final
form. Maybe you can help? :-)
|[Prev in Thread]
||[Next in Thread]|
- Re: Status of "GuixOps"?,
Ludovic Courtès <=