machine: Automatically authorize the coordinator's signing key.

* guix/ssh.scm (remote-authorize-signing-key): New variable.
* gnu/machine/ssh.scm (deploy-managed-host): Authorize coordinator's
signing key before any invocations of 'remote-eval'.
(deploy-managed-host): Display an error if a signing key does not exist.
* doc/guix.texi (Invoking guix deploy): Remove section describing manual
signing key authorization.
(Invoking guix deploy): Add section describing the 'authorize?' field.
This commit is contained in:
Jakob L. Kreuze 2019-08-15 04:06:41 -04:00 committed by Christopher Lemmer Webber
parent 9c70c460a0
commit 3033d59ac9
No known key found for this signature in database
GPG Key ID: 4BC025925FF8F4D3
3 changed files with 52 additions and 7 deletions

View File

@ -25586,6 +25586,9 @@ with an @code{environment} of @code{managed-host-environment-type}.
@item @code{system} @item @code{system}
The Nix system type describing the architecture of the machine being deployed The Nix system type describing the architecture of the machine being deployed
to. This should look something like ``x86_64-linux''. to. This should look something like ``x86_64-linux''.
@item @code{authorize?} (default: @code{#t})
If true, the coordinator's signing key will be added to the remote's ACL
keyring.
@item @code{port} (default: @code{22}) @item @code{port} (default: @code{22})
@item @code{user} (default: @code{"root"}) @item @code{user} (default: @code{"root"})
@item @code{identity} (default: @code{#f}) @item @code{identity} (default: @code{#f})

View File

@ -28,13 +28,16 @@
#:use-module (guix i18n) #:use-module (guix i18n)
#:use-module (guix modules) #:use-module (guix modules)
#:use-module (guix monads) #:use-module (guix monads)
#:use-module (guix pki)
#:use-module (guix records) #:use-module (guix records)
#:use-module (guix remote) #:use-module (guix remote)
#:use-module (guix scripts system reconfigure) #:use-module (guix scripts system reconfigure)
#:use-module (guix ssh) #:use-module (guix ssh)
#:use-module (guix store) #:use-module (guix store)
#:use-module (guix utils) #:use-module (guix utils)
#:use-module (gcrypt pk-crypto)
#:use-module (ice-9 match) #:use-module (ice-9 match)
#:use-module (ice-9 textual-ports)
#:use-module (srfi srfi-1) #:use-module (srfi srfi-1)
#:use-module (srfi srfi-19) #:use-module (srfi srfi-19)
#:use-module (srfi srfi-26) #:use-module (srfi srfi-26)
@ -48,6 +51,7 @@
machine-ssh-configuration-host-name machine-ssh-configuration-host-name
machine-ssh-configuration-build-locally? machine-ssh-configuration-build-locally?
machine-ssh-configuration-authorize?
machine-ssh-configuration-port machine-ssh-configuration-port
machine-ssh-configuration-user machine-ssh-configuration-user
machine-ssh-configuration-session)) machine-ssh-configuration-session))
@ -70,17 +74,19 @@
make-machine-ssh-configuration make-machine-ssh-configuration
machine-ssh-configuration? machine-ssh-configuration?
this-machine-ssh-configuration this-machine-ssh-configuration
(host-name machine-ssh-configuration-host-name) ; string (host-name machine-ssh-configuration-host-name) ; string
(system machine-ssh-configuration-system) ; string (system machine-ssh-configuration-system) ; string
(build-locally? machine-ssh-configuration-build-locally? (build-locally? machine-ssh-configuration-build-locally? ; boolean
(default #t)) (default #t))
(port machine-ssh-configuration-port ; integer (authorize? machine-ssh-configuration-authorize? ; boolean
(default #t))
(port machine-ssh-configuration-port ; integer
(default 22)) (default 22))
(user machine-ssh-configuration-user ; string (user machine-ssh-configuration-user ; string
(default "root")) (default "root"))
(identity machine-ssh-configuration-identity ; path to a private key (identity machine-ssh-configuration-identity ; path to a private key
(default #f)) (default #f))
(session machine-ssh-configuration-session ; session (session machine-ssh-configuration-session ; session
(default #f))) (default #f)))
(define (machine-ssh-session machine) (define (machine-ssh-session machine)
@ -359,6 +365,19 @@ the 'should-roll-back' field set to SHOULD-ROLL-BACK?"
"Internal implementation of 'deploy-machine' for MACHINE instances with an "Internal implementation of 'deploy-machine' for MACHINE instances with an
environment type of 'managed-host." environment type of 'managed-host."
(maybe-raise-unsupported-configuration-error machine) (maybe-raise-unsupported-configuration-error machine)
(when (machine-ssh-configuration-authorize?
(machine-configuration machine))
(unless (file-exists? %public-key-file)
(raise (condition
(&message
(message (format #f (G_ "no signing key '~a'. \
have you run 'guix archive --generate-key?'")
%public-key-file))))))
(remote-authorize-signing-key (call-with-input-file %public-key-file
(lambda (port)
(string->canonical-sexp
(get-string-all port))))
(machine-ssh-session machine)))
(mlet %store-monad ((_ (check-deployment-sanity machine)) (mlet %store-monad ((_ (check-deployment-sanity machine))
(boot-parameters (machine-boot-parameters machine))) (boot-parameters (machine-boot-parameters machine)))
(let* ((os (machine-operating-system machine)) (let* ((os (machine-operating-system machine))

View File

@ -21,6 +21,7 @@
#:use-module (guix inferior) #:use-module (guix inferior)
#:use-module (guix i18n) #:use-module (guix i18n)
#:use-module ((guix utils) #:select (&fix-hint)) #:use-module ((guix utils) #:select (&fix-hint))
#:use-module (gcrypt pk-crypto)
#:use-module (ssh session) #:use-module (ssh session)
#:use-module (ssh auth) #:use-module (ssh auth)
#:use-module (ssh key) #:use-module (ssh key)
@ -40,6 +41,7 @@
remote-daemon-channel remote-daemon-channel
connect-to-remote-daemon connect-to-remote-daemon
remote-system remote-system
remote-authorize-signing-key
send-files send-files
retrieve-files retrieve-files
retrieve-files* retrieve-files*
@ -300,6 +302,27 @@ the machine on the other end of SESSION."
(inferior-remote-eval '(begin (use-modules (guix utils)) (%current-system)) (inferior-remote-eval '(begin (use-modules (guix utils)) (%current-system))
session)) session))
(define (remote-authorize-signing-key key session)
"Send KEY, a canonical sexp containing a public key, over SESSION and add it
to the system ACL file if it has not yet been authorized."
(inferior-remote-eval
`(begin
(use-modules (guix build utils)
(guix pki)
(guix utils)
(gcrypt pk-crypto)
(srfi srfi-26))
(define acl (current-acl))
(define key (string->canonical-sexp ,(canonical-sexp->string key)))
(unless (authorized-key? key)
(let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
(mkdir-p (dirname %acl-file))
(with-atomic-file-output %acl-file
(cut write-acl acl <>)))))
session))
(define* (send-files local files remote (define* (send-files local files remote
#:key #:key
recursive? recursive?