Re: Putting a file into system image ~user/ but not on reconfigure
From: Efraim Flashner
Subject: Re: Putting a file into system image ~user/ but not on reconfigure
Date: Sun, 13 Aug 2023 17:58:13 +0300
On Thu, Aug 10, 2023 at 02:38:24PM +0200, Hartmut Goebel wrote:
> On 10.08.23 at 14:12, wolf wrote:
> >
> > I guess you could have a script that would use the existence of the key
> > itself as a marker. In that case you would likely want to recreate it if
> > the marker (key) got deleted,
>
> No! The key must not be recreated. The key is expected to be replaced by a
> new one when the box will become a machine. Thus, using the key as a marker
> is not possible, as that would recreate the insecure key on next reboot. The
> key must never ever be put back into place.
I feel compelled to ask if the key must be in
~vagrant/.ssh/authorized_keys or if /etc/ssh/authorized_keys.d/vagrant
is acceptable.
Also, could you use /etc/services or another file in /etc/static as a
marker that the system has been booted at least once before?
> > I do not have much experience with Vagrant, but I assumed the general idea
> > for these kinds of declarative systems is to just recreate the when updates
> > are required. Is it expected to actually run guix reconfigure inside the
> > VM?
>
> This depends on how one uses the virtual machines :-)
>
> And even if it is not expected to run guix reconfigure on it: If one does,
> this would open a front door to the system - which is not what one wants.
I suppose if you did include an /etc/os-config file you could include a
custom one that doesn't include the file placed in ~vagrant and only
have it in the initial creation config. They could still extract the
actual file from `guix system describe` but I don't suppose there's much
you could do there other than leave a warning to remove those lines.
>
> Anyhow, thanks for sharing thoughts,
>
> --
> Regards
> Hartmut Goebel
>
> | Hartmut Goebel | h.goebel@crazy-compilers.com |
> | www.crazy-compilers.com | compilers which you thought are impossible |
>
>
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
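As an added example, not code from this thread or from Guix itself: a POSIX shell sketch contrasting the two marker strategies discussed above, using the key's own presence as the marker versus a separate first-boot marker file that survives after the key is removed. All paths (authorized_keys.d/vagrant, a "provisioned" marker file) are placeholders chosen for the demo, not Guix conventions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix. It contrasts the two
# marker strategies discussed: the key's own presence as the marker (wolf's
# suggestion) versus an independent first-boot marker (the property Hartmut
# asks for). All paths are placeholders chosen for the demo.

# Strategy A (problematic): treat the key file itself as the marker.
# If the key is ever removed, the next run puts the provisioning key back.
install_key_keyed_on_itself() {
    src=$1; dest=$2
    if [ ! -e "$dest" ]; then
        mkdir -p "$(dirname "$dest")"
        cp "$src" "$dest" && chmod 0600 "$dest"
    fi
}

# Strategy B: gate on a separate marker recorded after the first run.
# Once the marker exists, DEST is never touched again, so removing or
# replacing the key later sticks across reboots and reconfigures.
install_key_once() {
    src=$1; dest=$2; marker=$3
    if [ -e "$marker" ]; then
        return 0                      # already provisioned: leave DEST alone
    fi
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest" && chmod 0600 "$dest"
    touch "$marker"                   # record that first-boot setup happened
}

# Demo helper: run a strategy, delete the key, run it again, and report
# whether the key came back ("recreated") or stayed away ("gone").
key_after_deletion() {
    strategy=$1; dir=$(mktemp -d)
    # constructed sample key, not a real credential
    printf 'ssh-ed25519 AAAAconstructed-demo-key vagrant\n' > "$dir/key.pub"
    "$strategy" "$dir/key.pub" "$dir/authorized_keys.d/vagrant" "$dir/provisioned"
    rm -f "$dir/authorized_keys.d/vagrant"
    "$strategy" "$dir/key.pub" "$dir/authorized_keys.d/vagrant" "$dir/provisioned"
    if [ -e "$dir/authorized_keys.d/vagrant" ]; then echo recreated; else echo gone; fi
    rm -rf "$dir"
}
```

With strategy A the key reappears after deletion; with strategy B it does not, which is the behaviour the thread requires for a key that is meant to be replaced once the box becomes a real machine.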