doc: Augment offloading documentation.
* doc/guix.texi (Daemon Offload Setup): Mention that we're using lsh. Mention GUILE_LOAD_PATH settings on the target machine. Explain that machines must authorize each other.
This commit is contained in:
parent
b19649a132
commit
c4fdfd6f90
@ -589,7 +589,7 @@ The @file{/etc/guix/machines.scm} file typically looks like this:
|
|||||||
(user "alice")
|
(user "alice")
|
||||||
(private-key
|
(private-key
|
||||||
(string-append (getenv "HOME")
|
(string-append (getenv "HOME")
|
||||||
"/.ssh/id-rsa-for-guix"))))
|
"/.lsh/identity-for-guix"))))
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@noindent
|
@noindent
|
||||||
@ -635,6 +635,10 @@ Port number of the machine's SSH server (default: 22).
|
|||||||
@item private-key
|
@item private-key
|
||||||
The SSH private key file to use when connecting to the machine.
|
The SSH private key file to use when connecting to the machine.
|
||||||
|
|
||||||
|
Currently offloading uses GNU@tie{}lsh as its SSH client
|
||||||
|
(@pxref{Invoking lsh,,, GNU lsh Manual}). Thus, the key file here must
|
||||||
|
be an lsh key file. This may change in the future, though.
|
||||||
|
|
||||||
@item parallel-builds
|
@item parallel-builds
|
||||||
The number of builds that may run in parallel on the machine (1 by
|
The number of builds that may run in parallel on the machine (1 by
|
||||||
default.)
|
default.)
|
||||||
@ -654,22 +658,40 @@ name, and they will be scheduled on matching build machines.
|
|||||||
|
|
||||||
The @code{guix} command must be in the search path on the build
|
The @code{guix} command must be in the search path on the build
|
||||||
machines, since offloading works by invoking the @code{guix archive} and
|
machines, since offloading works by invoking the @code{guix archive} and
|
||||||
@code{guix build} commands.
|
@code{guix build} commands. In addition, the Guix modules must be in
|
||||||
|
@code{$GUILE_LOAD_PATH} on the build machine---you can check whether
|
||||||
|
this is the case by running:
|
||||||
|
|
||||||
|
@example
|
||||||
|
lsh build-machine guile -c '(use-modules (guix config))'
|
||||||
|
@end example
|
||||||
|
|
||||||
There's one last thing to do once @file{machines.scm} is in place. As
|
There's one last thing to do once @file{machines.scm} is in place. As
|
||||||
explained above, when offloading, files are transferred back and forth
|
explained above, when offloading, files are transferred back and forth
|
||||||
between the machine stores. For this to work, you need to generate a
|
between the machine stores. For this to work, you first need to
|
||||||
key pair to allow the daemon to export signed archives of files from the
|
generate a key pair on each machine to allow the daemon to export signed
|
||||||
store (@pxref{Invoking guix archive}):
|
archives of files from the store (@pxref{Invoking guix archive}):
|
||||||
|
|
||||||
@example
|
@example
|
||||||
# guix archive --generate-key
|
# guix archive --generate-key
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@noindent
|
@noindent
|
||||||
Thus, when receiving files, a machine's build daemon can make sure they
|
Each build machine must authorize the key of the master machine so that
|
||||||
are genuine, have not been tampered with, and that they are signed by an
|
it accepts store items it receives from the master:
|
||||||
authorized key.
|
|
||||||
|
@example
|
||||||
|
# guix archive --authorize < master-public-key.txt
|
||||||
|
@end example
|
||||||
|
|
||||||
|
@noindent
|
||||||
|
Likewise, the master machine must authorize the key of each build machine.
|
||||||
|
|
||||||
|
All the fuss with keys is here to express pairwise mutual trust
|
||||||
|
relations between the master and the build machines. Concretely, when
|
||||||
|
the master receives files from a build machine (and @i{vice versa}), its
|
||||||
|
build daemon can make sure they are genuine, have not been tampered
|
||||||
|
with, and that they are signed by an authorized key.
|
||||||
|
|
||||||
|
|
||||||
@node Invoking guix-daemon
|
@node Invoking guix-daemon
|
||||||
|
Loading…
Reference in New Issue
Block a user