[bug#29467] [PATCH] web: Don't error about missing ssl related files.

[julien lepiller]

Le 2017-12-05 12:14, address@hidden a écrit :
> Hi,
>
> julien lepiller <address@hidden> skribis:
>
> > Le 2017-11-27 09:26, Christopher Baines a écrit :
> > > Erroring here prevents doing things like building a system using
> > > nginx on a
> > > different machine from where it's intended to be deployed, or 
> > > creating
> > > containers and VMs that use the ssl-certificate parts of the nginx
> > > configuration, without also getting these files to exist.
> > >
> > > * gnu/services/web.scm (emit-nginx-server-config): Don't error on
> > > missing ssl
> > >   related files.
> > > ---
> > >  gnu/services/web.scm | 10 ----------
> > >  1 file changed, 10 deletions(-)
> > >
> > > diff --git a/gnu/services/web.scm b/gnu/services/web.scm
> > > index 9d713003c..1af32278c 100644
> > > --- a/gnu/services/web.scm
> > > +++ b/gnu/services/web.scm
> > > @@ -191,16 +191,6 @@ of index files."
> > >              (syntax-parameterize ((<> (identifier-syntax x*)))
> > >                (list tail ...))
> > >              '())))
> > > -    (for-each
> > > -     (match-lambda
> > > -      ((record-key . file)
> > > -       (if (and file (not (file-exists? file)))
>
> There’s another problem: ‘file-exists?’ checks the current machine,
> under the current root file system.  That check doesn’t work if you do
> “guix system init config.scm /some/other/root”, or if you create a
> container, or with the envisioned “guix system reconfigure --remote”.
>
> > Hi, when configuring nginx for the first time, users will probably
> > forget to
> > configure ssl properly. The default is to enable ssl and find
> > certificates in
> > /etc/nginx. When these files don't exist, nginx will fail to start and
> > at least
> > one user complained it was hard to debug. This code was introduced to
> > prevent
> > such a mistake.
>
> Yes, I agree that it’s nice to have early error reports.
>
> > Maybe we should set the default to #f (but then users would have to
> > configure
> > more fields to enable https). Maybe we should add a configuration
> > option like
> > warn-only? (default to #f) to only warn about missing files. Or maybe
> > there's
> > a way to show nginx that another service is providing that file?
>
> Good questions.
>
> We cannot check for file existence at configuration time for the 
> reasons
> above.
>
> We cannot check for file existence at build time because certificates
> may be part of the machine’s state; they are typically managed in a
> stateful fashion, outside of GuixSD.
>
> So the only option we’re left with is checking at run time, when we
> start the service.  But that’s something nginx already does, I think?
>
> As for the default, I would be in favor of setting it to #f, because I
> can’t really think of a default that would work for everyone.
>
> WDYT?

Having it default to #f is fine with me. Nginx does this check at 
runtime
and will refuse to start if these files are missing. Keeping https-port
to 443 and certificates to #f means it will not be able to establish a
connection to the client, but the http website will be available. So 
just
setting the key and the certificate to #f by default should be OK.

> Ludo’.