Re: How best to set host key in vm
From: George myglc2 Clemmer
Subject: Re: How best to set host key in vm
Date: Thu, 15 Feb 2018 10:21:01 -0500
User-agent: mu4e 1.0; emacs 25.3.1
Hi Ludo’,
On 02/15/2018 at 14:51 Ludovic Courtès writes:
> George myglc2 Clemmer <address@hidden> skribis:
>
>> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>>
>>> George myglc2 Clemmer <address@hidden> skribis:
>>>
>>>> I want to set the host key in 'guix system vm-image' so that updating a
>>>> VM config does not break that VM's host key entry in my client machine
>>>> ~/.ssh/knownhosts files. AFAIK there is no direct way to do this. I
>>>> tried this ...
>>
>>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>>> have the secrets stored in a place other than the store.
>>>
>>> For example, you could have an activation snippet that copies secret
>>> files directly to /etc, along these lines (untested):
>>>
>>> (simple-service 'copy-private-key activation-service-type
>>>   (with-imported-modules '((guix build utils))
>>>     #~(begin
>>>         (use-modules (guix build utils))
>>>         (mkdir-p "/etc/ssh")
>>>         (copy-file "/root/secrets/ssh_host_ed25519_key"
>>>                    "/etc/ssh/ssh_host_ed25519_key"))))
>>>
>>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>>> exist in the first place, but that’s pretty much all we can do.
>>
>> Thank you. So what is an easily-automated way to populate /root/secrets?
>
> Guix doesn’t have any helper module/tool for that yet.
>
> Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
> would copy a file from the host into the image. We’d have to be careful
> with the implementation to make sure that it doesn’t end up in the host
> store nor in the guest store.
How about a '--copy-image=<imagefile>' option that copies the image out
of the store? Then the ‘--copy’ could operate on <imagefile> and fail
if it isn't specified.
- George
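An added example, not code from the thread or from Guix itself, that fleshes out the untested activation snippet quoted above: it copies both halves of the ed25519 host key from an out-of-band directory into /etc/ssh, sets the modes sshd requires on a private key, and reports loudly when the secret is absent rather than silently booting with a freshly generated key. It assumes /root/secrets has already been populated inside the guest by some other means.

```scheme
(use-modules (gnu)
             (guix gexp))

;; Assumption: this directory is populated out of band, never via the store.
(define %secrets-dir "/root/secrets")

(define copy-host-keys-service
  (simple-service 'copy-host-keys activation-service-type
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (mkdir-p "/etc/ssh")
          (for-each
           (lambda (name)
             (let ((src (string-append #$%secrets-dir "/" name))
                   (dst (string-append "/etc/ssh/" name)))
               (if (file-exists? src)
                   (begin
                     (copy-file src dst)
                     ;; sshd refuses a private key readable by others;
                     ;; the public half may stay world-readable.
                     (chmod dst (if (string-suffix? ".pub" name)
                                    #o644
                                    #o600)))
                   ;; Missing secret: say so, otherwise sshd will generate a
                   ;; new key and every client's known_hosts entry breaks.
                   (format (current-error-port)
                           "copy-host-keys: ~a missing, host key NOT installed~%"
                           src))))
           '("ssh_host_ed25519_key" "ssh_host_ed25519_key.pub"))))))
```

Add copy-host-keys-service to the services field of the operating-system declaration; it runs at every activation, so replacing the files in /root/secrets and reconfiguring is enough to rotate the key.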