nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

doc: Augment offloading documentation. 

* doc/guix.texi (Daemon Offload Setup): Mention that we're using lsh.  Mention
  GUILE_LOAD_PATH settings on the target machine.  Explain that machines must
  authorize each other.
This commit is contained in:
Ludovic Courtès 2015-07-09 10:47:02 +02:00
parent b19649a132
commit c4fdfd6f90
1 changed files with 30 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
doc/guix.texi
View File

@ -589,7 +589,7 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
(user "alice") (user "alice")
(private-key (private-key
(string-append (getenv "HOME") (string-append (getenv "HOME")
"/.ssh/id-rsa-for-guix")))) "/.lsh/identity-for-guix"))))
@end example @end example
@noindent @noindent
@ -635,6 +635,10 @@ Port number of the machine's SSH server (default: 22).
@item private-key @item private-key
The SSH private key file to use when connecting to the machine. The SSH private key file to use when connecting to the machine.
Currently offloading uses GNU@tie{}lsh as its SSH client
(@pxref{Invoking lsh,,, GNU lsh Manual}). Thus, the key file here must
be an lsh key file. This may change in the future, though.
@item parallel-builds @item parallel-builds
The number of builds that may run in parallel on the machine (1 by The number of builds that may run in parallel on the machine (1 by
default.) default.)
@ -654,22 +658,40 @@ name, and they will be scheduled on matching build machines.
The @code{guix} command must be in the search path on the build The @code{guix} command must be in the search path on the build
machines, since offloading works by invoking the @code{guix archive} and machines, since offloading works by invoking the @code{guix archive} and
@code{guix build} commands. @code{guix build} commands. In addition, the Guix modules must be in
@code{$GUILE_LOAD_PATH} on the build machine---you can check whether
this is the case by running:
@example
lsh build-machine guile -c '(use-modules (guix config))'
@end example
There's one last thing to do once @file{machines.scm} is in place. As There's one last thing to do once @file{machines.scm} is in place. As
explained above, when offloading, files are transferred back and forth explained above, when offloading, files are transferred back and forth
between the machine stores. For this to work, you need to generate a between the machine stores. For this to work, you first need to
key pair to allow the daemon to export signed archives of files from the generate a key pair on each machine to allow the daemon to export signed
store (@pxref{Invoking guix archive}): archives of files from the store (@pxref{Invoking guix archive}):
@example @example
# guix archive --generate-key # guix archive --generate-key
@end example @end example
@noindent @noindent
Thus, when receiving files, a machine's build daemon can make sure they Each build machine must authorize the key of the master machine so that
are genuine, have not been tampered with, and that they are signed by an it accepts store items it receives from the master:
authorized key.
@example
# guix archive --authorize < master-public-key.txt
@end example
@noindent
Likewise, the master machine must authorize the key of each build machine.
All the fuss with keys is here to express pairwise mutual trust
relations between the master and the build machines. Concretely, when
the master receives files from a build machine (and @i{vice versa}), its
build daemon can make sure they are genuine, have not been tampered
with, and that they are signed by an authorized key.
@node Invoking guix-daemon @node Invoking guix-daemon