[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Putting a file into system image ~user/ but not on reconfigure

From: Efraim Flashner
Subject: Re: Putting a file into system image ~user/ but not on reconfigure
Date: Sun, 13 Aug 2023 17:58:13 +0300

On Thu, Aug 10, 2023 at 02:38:24PM +0200, Hartmut Goebel wrote:
> Am 10.08.23 um 14:12 schrieb wolf:
> > 
> > I guess you could have a script that would use the existence of the key 
> > itself
> > as a marker.  In that case you would likely want to recreate it if the 
> > marker
> > (key) got deleted,
> No! The key must not be recreated. The key is expected to be replaced by a
> new one when the box will become a machine. Thus, using the key as a marker
> is not possible, as the would recreate the insecure key on next reboot. The
> key must never ever be put into back into place.

I feel compelled to ask if the key must be in
~vagrant/.ssh/authorized_keys or if /etc/ssh/authorized_keys.d/vagrant
is acceptable.

Also, could you use /etc/services or another file in /etc/static as a
marker that the system has been booted at least once before?

> > I do not have much experience with Vagrant, but I assumed the general idea 
> > for
> > these kind of systems declarative systems is to just recreate the when 
> > updates
> > are required.  Is it expected to actually run guix reconfigure inside the 
> > VM?
> This depends on how one uses the virtual machines :-)
> And even if it is not expected to run guix reconfigure on it: If one does,
> this but open a front door to the system - which is not what one wants.

I suppose if you did include an /etc/os-config file you could include a
custom one that doesn't include the file placed in ~vagrant and only
have it in the initial creation config. They could still extract the
actual file from `guix system describe` but I don't suppose there's much
you could do there other than leave a warning to remove those lines.

> Anyhow, thanks for sharing thoughts,
> -- 
> Regards
> Hartmut Goebel
> | Hartmut Goebel          |               |
> | | compilers which you thought are impossible |

Efraim Flashner   <>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]