Unverified Commit 01cefb7a authored by Jan (janneke) Nieuwenhuizen's avatar Jan (janneke) Nieuwenhuizen

services: childhurd: Support installing secrets from the host.

* gnu/services/virtualization.scm (%hurd-vm-operating-system): Add
secret-service.
(hurd-vm-shepherd-service): Use it to install secrets.
* doc/guix.texi (The Hurd in a Virtual Machine): Document it.
parent ec32d4f2
...@@ -25121,6 +25121,7 @@ Return the name of @var{platform}---a string such as @code{"arm"}. ...@@ -25121,6 +25121,7 @@ Return the name of @var{platform}---a string such as @code{"arm"}.
   
@cindex @code{hurd} @cindex @code{hurd}
@cindex the Hurd @cindex the Hurd
@cindex childhurd
   
Service @code{hurd-vm} provides support for running GNU/Hurd in a Service @code{hurd-vm} provides support for running GNU/Hurd in a
virtual machine (VM), a so-called ``Childhurd''. The virtual machine is virtual machine (VM), a so-called ``Childhurd''. The virtual machine is
...@@ -25193,15 +25194,41 @@ By default, it produces ...@@ -25193,15 +25194,41 @@ By default, it produces
@lisp @lisp
'("--device" "rtl8139,netdev=net0" '("--device" "rtl8139,netdev=net0"
"--netdev" "user,id=net0\ "--netdev" "user,id=net0\
,hostfwd=tcp:127.0.0.1:<secrets-port>-:1004\
,hostfwd=tcp:127.0.0.1:<ssh-port>-:2222\ ,hostfwd=tcp:127.0.0.1:<ssh-port>-:2222\
,hostfwd=tcp:127.0.0.1:<vnc-port>-:5900") ,hostfwd=tcp:127.0.0.1:<vnc-port>-:5900")
@end lisp @end lisp
with forwarded ports with forwarded ports
@example @example
<ssh-port>: @code{(+ 11004 (* 1000 @var{ID}))}
<ssh-port>: @code{(+ 10022 (* 1000 @var{ID}))} <ssh-port>: @code{(+ 10022 (* 1000 @var{ID}))}
<vnc-port>: @code{(+ 15900 (* 1000 @var{ID}))} <vnc-port>: @code{(+ 15900 (* 1000 @var{ID}))}
@end example @end example
   
@item @code{secret-root} (default: @file{/etc/childhurd})
The root directory with out-of-band secrets to be installed into the
childhurd once it runs. Childhurds are volatile which means that on
every startup, secrets such as the SSH host keys and Guix signing key
are recreated.
If the @file{/etc/childhurd} directory does not exist, the
@code{secret-service} running in the Childhurd will be sent an empty
list of secrets.
Typical use to populate @file{"/etc/childhurd"} with a tree of
non-volatile secrets, like so
@example
/etc/childhurd/etc/guix/signing-key.pub
/etc/childhurd/etc/guix/signing-key.sec
/etc/childhurd/etc/ssh/ssh_host_ed25519_key
/etc/childhurd/etc/ssh/ssh_host_ecdsa_key
/etc/childhurd/etc/ssh/ssh_host_ed25519_key.pub
/etc/childhurd/etc/ssh/ssh_host_ecdsa_key.pub
@end example
to be sent to the Childhurd, including permissions.
@end table @end table
@end deftp @end deftp
   
...@@ -39,6 +39,7 @@ (define-module (gnu services virtualization) ...@@ -39,6 +39,7 @@ (define-module (gnu services virtualization)
#:use-module (gnu system) #:use-module (gnu system)
#:use-module (guix derivations) #:use-module (guix derivations)
#:use-module (guix gexp) #:use-module (guix gexp)
#:use-module (guix modules)
#:use-module (guix monads) #:use-module (guix monads)
#:use-module (guix packages) #:use-module (guix packages)
#:use-module (guix records) #:use-module (guix records)
...@@ -61,7 +62,10 @@ (define-module (gnu services virtualization) ...@@ -61,7 +62,10 @@ (define-module (gnu services virtualization)
hurd-vm-configuration-options hurd-vm-configuration-options
hurd-vm-configuration-id hurd-vm-configuration-id
hurd-vm-configuration-net-options hurd-vm-configuration-net-options
hurd-vm-configuration-secrets
hurd-vm-disk-image hurd-vm-disk-image
hurd-vm-port
hurd-vm-net-options hurd-vm-net-options
hurd-vm-service-type hurd-vm-service-type
...@@ -846,6 +850,8 @@ (define %hurd-vm-operating-system ...@@ -846,6 +850,8 @@ (define %hurd-vm-operating-system
(target "/dev/vda") (target "/dev/vda")
(timeout 0))) (timeout 0)))
(services (cons* (services (cons*
;; Receive secret keys on port 1004, TCP.
(service secret-service-type 1004)
(service openssh-service-type (service openssh-service-type
(openssh-configuration (openssh-configuration
(openssh openssh-sans-x) (openssh openssh-sans-x)
...@@ -876,7 +882,9 @@ (define-record-type* <hurd-vm-configuration> ...@@ -876,7 +882,9 @@ (define-record-type* <hurd-vm-configuration>
(default #f)) (default #f))
(net-options hurd-vm-configuration-net-options ;list of string (net-options hurd-vm-configuration-net-options ;list of string
(thunked) (thunked)
(default (hurd-vm-net-options this-record)))) (default (hurd-vm-net-options this-record)))
(secret-root hurd-vm-configuration-secret-root ;string
(default "/etc/childhurd")))
(define (hurd-vm-disk-image config) (define (hurd-vm-disk-image config)
"Return a disk-image for the Hurd according to CONFIG." "Return a disk-image for the Hurd according to CONFIG."
...@@ -888,15 +896,27 @@ (define (hurd-vm-disk-image config) ...@@ -888,15 +896,27 @@ (define (hurd-vm-disk-image config)
(size disk-size) (size disk-size)
(operating-system os))))) (operating-system os)))))
(define (hurd-vm-net-options config) (define (hurd-vm-port config base)
"Return the forwarded vm port for this childhurd config."
(let ((id (or (hurd-vm-configuration-id config) 0))) (let ((id (or (hurd-vm-configuration-id config) 0)))
(define (qemu-vm-port base) (+ base (* 1000 id))))
(number->string (+ base (* 1000 id)))) (define %hurd-vm-secrets-port 11004)
`("--device" "rtl8139,netdev=net0" (define %hurd-vm-ssh-port 10022)
"--netdev" ,(string-append (define %hurd-vm-vnc-port 15900)
"user,id=net0"
",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 10022) "-:2222" (define (hurd-vm-net-options config)
",hostfwd=tcp:127.0.0.1:" (qemu-vm-port 15900) "-:5900")))) `("--device" "rtl8139,netdev=net0"
"--netdev"
,(string-append "user,id=net0"
",hostfwd=tcp:127.0.0.1:"
(number->string (hurd-vm-port config %hurd-vm-secrets-port))
"-:1004"
",hostfwd=tcp:127.0.0.1:"
(number->string (hurd-vm-port config %hurd-vm-ssh-port))
"-:2222"
",hostfwd=tcp:127.0.0.1:"
(number->string (hurd-vm-port config %hurd-vm-vnc-port))
"-:5900")))
(define (hurd-vm-shepherd-service config) (define (hurd-vm-shepherd-service config)
"Return a <shepherd-service> for a Hurd in a Virtual Machine with CONFIG." "Return a <shepherd-service> for a Hurd in a Virtual Machine with CONFIG."
...@@ -927,8 +947,26 @@ (define vm-command ...@@ -927,8 +947,26 @@ (define vm-command
(string->symbol (number->string id))) (string->symbol (number->string id)))
provisions) provisions)
provisions)) provisions))
(requirement '(networking)) (requirement '(loopback networking user-processes))
(start #~(make-forkexec-constructor #$vm-command)) (start
(with-imported-modules
(source-module-closure '((gnu build secret-service)
(guix build utils)))
#~(let ((spawn (make-forkexec-constructor #$vm-command)))
(lambda _
(let ((pid (spawn))
(port #$(hurd-vm-port config %hurd-vm-secrets-port))
(root #$(hurd-vm-configuration-secret-root config)))
(catch #t
(lambda _
(secret-service-send-secrets port root))
(lambda (key . args)
(kill (- pid) SIGTERM)
(apply throw key args)))
pid)))))
(modules `((gnu build secret-service)
(guix build utils)
,@%default-modules))
(stop #~(make-kill-destructor)))))) (stop #~(make-kill-destructor))))))
(define hurd-vm-service-type (define hurd-vm-service-type
......
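Review bot: The secrets channel added in the shepherd `start` constructor is a plain TCP connection to the hostfwd port on 127.0.0.1 (`hurd-vm-port config %hurd-vm-secrets-port`, forwarded to guest port 1004), and that loopback port is reachable by every local user on the host, so a local process that connects before `secret-service-send-secrets` does could push its own SSH host keys and Guix signing key into the childhurd; whether the guest-side service accepts only the first connection or authenticates the sender is not visible here and should be checked in `(gnu build secret-service)`. The send is also issued immediately after `spawn` returns, before the guest can plausibly be listening, so unless `secret-service-send-secrets` retries internally the `catch #t` branch will kill the fresh VM on the first connection refused — that retry behaviour is worth confirming, or a bounded retry added here. A comment above the `catch` stating the trust assumption would help, e.g. `;; The secrets port is forwarded on 127.0.0.1 and reachable by any local user; the guest cannot authenticate the sender, so childhurds assume a host whose local users are all trusted.` Separately, the export list earlier in this file adds `hurd-vm-configuration-secrets` while the record defines the accessor `hurd-vm-configuration-secret-root`, so the accessor appears not to be exported and the exported name has no definition in the visible diff. The enclosing `hurd-vm-shepherd-service` definition begins outside this hunk.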