Re: How best to set host key in vm
From: Ludovic Courtès
Subject: Re: How best to set host key in vm
Date: Thu, 15 Feb 2018 15:51:43 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

George myglc2 Clemmer <address@hidden> wrote:

> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>
>> George myglc2 Clemmer <address@hidden> wrote:
>>
>>> I want to set the host key in 'guix system vm-image' so that updating a
>>> VM config does not break that VM's host key entry in my client machine
>>> ~/.ssh/knownhosts files. AFAIK there is no direct way to do this. I
>>> tried this ...
>
>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>> have the secrets stored in a place other than the store.
>>
>> For example, you could have an activation snippet that copies secret
>> files directly to /etc, along these lines (untested):
>>
>> (simple-service 'copy-private-key activation-service-type
>>                 (with-imported-modules '((guix build utils))
>>                   #~(begin
>>                       (use-modules (guix build utils))
>>                       (mkdir-p "/etc/ssh")
>>                       (copy-file "/root/secrets/ssh_host_ed25519_key"
>>                                  "/etc/ssh/ssh_host_ed25519_key"))))
>>
>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>> exist in the first place, but that’s pretty much all we can do.
>
> Thank you. So what is an easily-automated way to populate /root/secrets?

Guix doesn’t have any helper module/tool for that yet.

Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
would copy a file from the host into the image. We’d have to be careful
with the implementation to make sure that it doesn’t end up in the host
store nor in the guest store.

Ludo’.
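
Added example, not part of the original message and not Guix's own code: a variant of the activation snippet quoted above that tolerates a missing key and sets file modes explicitly, since sshd refuses a host private key that is readable by group or others. The variable names, the handling of the `.pub` file and the modes are assumptions of this example; the paths are the ones used in the thread.

```scheme
;; Added example (untested against a specific Guix revision); uses only
;; simple-service, activation-service-type and gexps as in the thread.
(use-modules (gnu services)
             (guix gexp))

;; Out-of-band location from the thread.  It is passed as a plain string,
;; so only the path, never the key material, ends up in the store.
(define %secrets-dir "/root/secrets")

;; Hypothetical name; add this value to the 'services' field of the
;; operating-system declaration.
(define %ssh-host-key-service
  (simple-service 'copy-private-key activation-service-type
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let* ((source (string-append #$%secrets-dir
                                        "/ssh_host_ed25519_key"))
                 (target "/etc/ssh/ssh_host_ed25519_key")
                 (source-pub (string-append source ".pub"))
                 (target-pub (string-append target ".pub")))
            ;; copy-file raises an error on a missing source, which would
            ;; abort activation; skip when no key has been provisioned.
            (when (file-exists? source)
              (mkdir-p "/etc/ssh")
              (copy-file source target)
              ;; Set the mode explicitly instead of relying on whatever
              ;; the copy left behind: owner read/write only.
              (chmod target #o600)
              ;; Keep the public half in step so the fingerprint that
              ;; clients pinned can be checked on the guest.
              (when (file-exists? source-pub)
                (copy-file source-pub target-pub)
                (chmod target-pub #o644))))))))
```

The secrets directory itself should be owned by root with mode 0700, and it still has to be populated by some means outside the system configuration, as discussed above.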