services: childhurd: Support installing secrets from the host.
* gnu/services/virtualization.scm (%hurd-vm-operating-system): Add secret-service.
(hurd-vm-shepherd-service): Use it to install secrets.
* doc/guix.texi (The Hurd in a Virtual Machine): Document it.
parent
ec32d4f291
commit
01cefb7a57
@ -25121,6 +25121,7 @@ Return the name of @var{platform}---a string such as @code{"arm"}.
@cindex @code{hurd}
@cindex @code{hurd}
@cindex the Hurd
@cindex the Hurd
@cindex childhurd
Service @code{hurd-vm} provides support for running GNU/Hurd in a
Service @code{hurd-vm} provides support for running GNU/Hurd in a
virtual machine (VM), a so-called ``Childhurd''. The virtual machine is
virtual machine (VM), a so-called ``Childhurd''. The virtual machine is
@ -25193,15 +25194,41 @@ By default, it produces
@lisp
@lisp
'("--device" "rtl8139,netdev=net0"
'("--device" "rtl8139,netdev=net0"
"--netdev" "user,id=net0\
"--netdev" "user,id=net0\
,hostfwd=tcp:127.0.0.1:<secrets-port>-:1004\
,hostfwd=tcp:127.0.0.1:<ssh-port>-:2222\
,hostfwd=tcp:127.0.0.1:<ssh-port>-:2222\
,hostfwd=tcp:127.0.0.1:<vnc-port>-:5900")
,hostfwd=tcp:127.0.0.1:<vnc-port>-:5900")
@end lisp
@end lisp
with forwarded ports
with forwarded ports
@example
@example
<ssh-port>: @code{(+ 11004 (* 1000 @var{ID}))}
<ssh-port>: @code{(+ 10022 (* 1000 @var{ID}))}
<ssh-port>: @code{(+ 10022 (* 1000 @var{ID}))}
<vnc-port>: @code{(+ 15900 (* 1000 @var{ID}))}
<vnc-port>: @code{(+ 15900 (* 1000 @var{ID}))}
@end example
@end example
@item @code{secret-root} (default: @file{/etc/childhurd})
The root directory with out-of-band secrets to be installed into the
childhurd once it runs. Childhurds are volatile which means that on
every startup, secrets such as the SSH host keys and Guix signing key
are recreated.
If the @file{/etc/childhurd} directory does not exist, the
@code{secret-service} running in the Childhurd will be sent an empty
list of secrets.
Typical use to populate @file{"/etc/childhurd"} with a tree of
non-volatile secrets, like so
@example
/etc/childhurd/etc/guix/signing-key.pub
/etc/childhurd/etc/guix/signing-key.sec
/etc/childhurd/etc/ssh/ssh_host_ed25519_key
/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
@end example
to be sent to the Childhurd, including permissions.
@end table
@end table
@end deftp
@end deftp
@ -39,6 +39,7 @@
#:use-module (gnu system)
#:use-module (gnu system)
#:use-module (guix derivations)
#:use-module (guix derivations)
#:use-module (guix gexp)
#:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix monads)
#:use-module (guix monads)
#:use-module (guix packages)
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix records)
@ -61,7 +62,10 @@
hurd-vm-configuration-options
hurd-vm-configuration-options
hurd-vm-configuration-id
hurd-vm-configuration-id
hurd-vm-configuration-net-options
hurd-vm-configuration-net-options
hurd-vm-configuration-secrets
hurd-vm-disk-image
hurd-vm-disk-image
hurd-vm-port
hurd-vm-net-options
hurd-vm-net-options
hurd-vm-service-type
hurd-vm-service-type
@ -846,6 +850,8 @@ can only be accessed by their host.")))
(target "/dev/vda")
(target "/dev/vda")
(timeout 0)))
(timeout 0)))
(services (cons*
(services (cons*
;; Receive secret keys on port 1004, TCP.
(service secret-service-type 1004)
(service openssh-service-type
(service openssh-service-type
(openssh-configuration
(openssh-configuration
(openssh openssh-sans-x)
(openssh openssh-sans-x)
@ -876,7 +882,9 @@ can only be accessed by their host.")))
(default #f))
(default #f))
(net-options hurd-vm-configuration-net-options ;list of string
(net-options hurd-vm-configuration-net-options ;list of string
(thunked)
(thunked)
(default (hurd-vm-net-options this-record))))
(default (hurd-vm-net-options this-record)))
(secret-root hurd-vm-configuration-secret-root ;string
(default "/etc/childhurd")))
(define (hurd-vm-disk-image config)
(define (hurd-vm-disk-image config)
"Return a disk-image for the Hurd according to CONFIG."
"Return a disk-image for the Hurd according to CONFIG."
@ -888,15 +896,27 @@ can only be accessed by their host.")))
(size disk-size)
(size disk-size)
(operating-system os)))))
(operating-system os)))))
(define (hurd-vm-net-options config)
(define (hurd-vm-port config base)
"Return the forwarded vm port for this childhurd config."
(let ((id (or (hurd-vm-configuration-id config) 0)))
(let ((id (or (hurd-vm-configuration-id config) 0)))
(define (qemu-vm-port base)
(+ base (* 1000 id))))
(number->string (+ base (* 1000 id))))
(define %hurd-vm-secrets-port 11004)
`("--device" "rtl8139,netdev=net0"
(define %hurd-vm-ssh-port 10022)
"--netdev" ,(string-append
(define %hurd-vm-vnc-port 15900)
"user,id=net0"
",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 10022) "-:2222"
(define (hurd-vm-net-options config)
",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 15900) "-:5900"))))
`("--device" "rtl8139,netdev=net0"
"--netdev"
,(string-append "user,id=net0"
",hostfwd=tcp:127.0.0.1:"
(number->string (hurd-vm-port config %hurd-vm-secrets-port))
"-:1004"
",hostfwd=tcp:127.0.0.1:"
(number->string (hurd-vm-port config %hurd-vm-ssh-port))
"-:2222"
",hostfwd=tcp:127.0.0.1:"
(number->string (hurd-vm-port config %hurd-vm-vnc-port))
"-:5900")))
(define (hurd-vm-shepherd-service config)
(define (hurd-vm-shepherd-service config)
"Return a <shepherd-service> for a Hurd in a Virtual Machine with CONFIG."
"Return a <shepherd-service> for a Hurd in a Virtual Machine with CONFIG."
@ -927,8 +947,26 @@ can only be accessed by their host.")))
(string->symbol (number->string id)))
(string->symbol (number->string id)))
provisions)
provisions)
provisions))
provisions))
(requirement '(networking))
(requirement '(loopback networking user-processes))
(start #~(make-forkexec-constructor #$vm-command))
(start
(with-imported-modules
(source-module-closure '((gnu build secret-service)
(guix build utils)))
#~(let ((spawn (make-forkexec-constructor #$vm-command)))
(lambda _
(let ((pid (spawn))
(port #$(hurd-vm-port config %hurd-vm-secrets-port))
(root #$(hurd-vm-configuration-secret-root config)))
(catch #t
(lambda _
(secret-service-send-secrets port root))
(lambda (key . args)
(kill (- pid) SIGTERM)
(apply throw key args)))
pid)))))
(modules `((gnu build secret-service)
(guix build utils)
,@%default-modules))
(stop #~(make-kill-destructor))))))
(stop #~(make-kill-destructor))))))
(define hurd-vm-service-type
(define hurd-vm-service-type
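Review bot: The export list adds `hurd-vm-configuration-secrets`, but the accessor the `hurd-vm-configuration` record defines further down in this file is `hurd-vm-configuration-secret-root`, and nothing in the diff defines the former, so importers using the documented field name would hit an unbound variable; the export should read `hurd-vm-configuration-secret-root`. The secret channel is unauthenticated: `secret-service-send-secrets` connects to the loopback `hostfwd` port and the guest's `secret-service-type` on 1004 appears to accept whatever arrives, so the design relies on the forward being host-only and on the start handler connecting before any other local process does; a comment above `(service secret-service-type 1004)` such as `;; Unauthenticated: relies on the 127.0.0.1 hostfwd and on the host sending first.` would make that trust assumption explicit for the next maintainer. In the catch handler of `hurd-vm-shepherd-service` (whose body begins before the hunk), `(kill (- pid) SIGTERM)` assumes `make-forkexec-constructor` places the VM in its own process group; that is not visible here and is worth confirming, since otherwise the negative pid addresses a different group. The forwarded-ports list in the doc hunk labels the new 11004 entry `<ssh-port>` where `<secrets-port>` is meant.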