help-guix
Re: Putting a file into system image ~user/ but not on reconfigure


From: Efraim Flashner
Subject: Re: Putting a file into system image ~user/ but not on reconfigure
Date: Sun, 13 Aug 2023 17:58:13 +0300

On Thu, Aug 10, 2023 at 02:38:24PM +0200, Hartmut Goebel wrote:
> On 10.08.23 at 14:12, wolf wrote:
> > 
> > I guess you could have a script that would use the existence of the key
> > itself as a marker.  In that case you would likely want to recreate it if
> > the marker (key) got deleted,
> 
> No! The key must not be recreated. The key is expected to be replaced by a
> new one when the box will become a machine. Thus, using the key as a marker
> is not possible, as that would recreate the insecure key on next reboot. The
> key must never ever be put back into place.

I feel compelled to ask if the key must be in
~vagrant/.ssh/authorized_keys or if /etc/ssh/authorized_keys.d/vagrant
is acceptable.

Also, could you use /etc/services or another file in /etc/static as a
marker that the system has been booted at least once before?

> > I do not have much experience with Vagrant, but I assumed the general idea
> > for these kinds of declarative systems is to just recreate them when
> > updates are required.  Is it expected to actually run guix reconfigure
> > inside the VM?
> 
> This depends on how one uses the virtual machines :-)
> 
> And even if it is not expected to run guix reconfigure on it: If one does,
> this would open a front door to the system, which is not what one wants.

I suppose if you did include an /etc/os-config file you could include a
custom one that doesn't include the file placed in ~vagrant and only
have it in the initial creation config. They could still extract the
actual file from `guix system describe` but I don't suppose there's much
you could do there other than leave a warning to remove those lines.

> 
> Anyhow, thanks for sharing thoughts,
> 
> -- 
> Regards
> Hartmut Goebel
> 
> | Hartmut Goebel          | h.goebel@crazy-compilers.com               |
> | www.crazy-compilers.com | compilers which you thought are impossible |
> 
> 

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
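A first-boot-marker script of the kind suggested in the message above, as an added example that is not from the thread or from Guix itself; the marker path, key directory and key line are assumptions, and the script deliberately never reinstates the key once the marker exists (so a later reboot or reconfigure cannot put a removed provisioning key back).

```shell
#!/bin/sh
# Added example: install a provisioning key only on the very first boot.
# Assumed interface: key_dir (e.g. ~vagrant/.ssh), marker (first-boot flag
# file), pubkey (one authorized_keys line). Returns 0 when the key was
# installed, 1 when the marker already existed and nothing was touched.
install_provisioning_key() {
    key_dir="$1"
    marker="$2"
    pubkey="$3"
    if [ -e "$marker" ]; then
        # Booted before: do not recreate the key, even if it was removed.
        return 1
    fi
    mkdir -p "$key_dir"
    chmod 700 "$key_dir"
    # printf '%s' avoids interpreting any characters in the key line.
    printf '%s\n' "$pubkey" >> "$key_dir/authorized_keys"
    chmod 600 "$key_dir/authorized_keys"
    # Record that the first boot happened; later runs stop at the check above.
    : > "$marker"
    return 0
}

# Demo on a scratch directory (constructed paths; nothing on the real system
# is modified). The key line is a placeholder, not a real key.
demo_dir=$(mktemp -d)
demo_key="ssh-ed25519 AAAAexample-placeholder vagrant-insecure"
install_provisioning_key "$demo_dir/.ssh" "$demo_dir/first-boot-done" "$demo_key" \
    && echo "first run: key installed"
rm -f "$demo_dir/.ssh/authorized_keys"   # operator replaces/removes the key
install_provisioning_key "$demo_dir/.ssh" "$demo_dir/first-boot-done" "$demo_key" \
    || echo "second run: marker present, key not reinstated"
```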
