374/376: Add section on SSH substituter
From: Ludovic Courtès
Subject: 374/376: Add section on SSH substituter
Date: Wed, 28 Jan 2015 22:06:17 +0000
civodul pushed a commit to tag 1.8
in repository guix.
commit 2142f47c0606aac6f0b66bc3fe25fe79fc85e7d8
Author: Eelco Dolstra <address@hidden>
Date: Sun Dec 14 03:19:15 2014 +0100
Add section on SSH substituter
---
doc/manual/expressions/simple-expression.xml | 4 +-
.../{sharing-packages.xml => copy-closure.xml} | 27 +++-----
doc/manual/packages/sharing-packages.xml | 43 +-----------
doc/manual/packages/ssh-substituter.xml | 73 ++++++++++++++++++++
4 files changed, 87 insertions(+), 60 deletions(-)
diff --git a/doc/manual/expressions/simple-expression.xml
b/doc/manual/expressions/simple-expression.xml
index a8eb96f..29fd872 100644
--- a/doc/manual/expressions/simple-expression.xml
+++ b/doc/manual/expressions/simple-expression.xml
@@ -4,7 +4,7 @@
version="5.0"
xml:id="ch-simple-expression">
-<title>Simple Nix Expression Use-Case</title>
+<title>A Simple Nix Expression</title>
<para>This section shows how to add and test the <link
xlink:href='http://www.gnu.org/software/hello/hello.html'>GNU Hello
@@ -44,4 +44,4 @@ need to do three things:
<xi:include href="simple-building-testing.xml" />
<xi:include href="generic-builder.xml" />
-</chapter>
\ No newline at end of file
+</chapter>
diff --git a/doc/manual/packages/sharing-packages.xml
b/doc/manual/packages/copy-closure.xml
similarity index 66%
copy from doc/manual/packages/sharing-packages.xml
copy to doc/manual/packages/copy-closure.xml
index 8fab15f..5ec7896 100644
--- a/doc/manual/packages/sharing-packages.xml
+++ b/doc/manual/packages/copy-closure.xml
@@ -1,16 +1,10 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
- xmlns:xlink="http://www.w3.org/1999/xlink"
- xmlns:xi="http://www.w3.org/2001/XInclude"
- version="5.0"
- xml:id="sec-sharing-packages">
+<section xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ version="5.0"
+ xml:id="ssec-copy-closure">
-<title>Sharing Packages Between Machines</title>
-
-<para>Sometimes you want to copy a package from one machine to
-another. Or, you want to install some packages and you know that
-another machine already has some or all of those packages or their
-dependencies. In that case there are mechanisms to quickly copy
-packages between machines.</para>
+<title>Copying Closures</title>
<para>The command <command
linkend="sec-nix-copy-closure">nix-copy-closure</command> copies a Nix
@@ -49,9 +43,8 @@ another machine:
$ nix-store --export $(nix-store -qR $(type -p firefox)) | bzip2 | \
ssh address@hidden "bunzip2 | nix-store --import"</screen>
-But note that <command>nix-copy-closure</command> is generally more
-efficient in this example because it only copies paths that are not
-already present in the target Nix store.</para>
-
+However, <command>nix-copy-closure</command> is generally more
+efficient because it only copies paths that are not already present in
+the target Nix store.</para>
-</chapter>
+</section>
diff --git a/doc/manual/packages/sharing-packages.xml
b/doc/manual/packages/sharing-packages.xml
index 8fab15f..586363b 100644
--- a/doc/manual/packages/sharing-packages.xml
+++ b/doc/manual/packages/sharing-packages.xml
@@ -12,46 +12,7 @@ another machine already has some or all of those packages or
their
dependencies. In that case there are mechanisms to quickly copy
packages between machines.</para>
-<para>The command <command
-linkend="sec-nix-copy-closure">nix-copy-closure</command> copies a Nix
-store path along with all its dependencies to or from another machine
-via the SSH protocol. It doesn’t copy store paths that are already
-present on the target machine. For example, the following command
-copies Firefox with all its dependencies:
-
-<screen>
-$ nix-copy-closure --to address@hidden $(type -p firefox)</screen>
-
-See <xref linkend='sec-nix-copy-closure' /> for details.</para>
-
-<para>With <command linkend='refsec-nix-store-export'>nix-store
---export</command> and <command
-linkend='refsec-nix-store-import'>nix-store --import</command> you can
-write the closure of a store path (that is, the path and all its
-dependencies) to a file, and then unpack that file into another Nix
-store. For example,
-
-<screen>
-$ nix-store --export $(nix-store -qR $(type -p firefox)) >
firefox.closure</screen>
-
-writes the closure of Firefox to a file. You can then copy this file
-to another machine and install the closure:
-
-<screen>
-$ nix-store --import < firefox.closure</screen>
-
-Any store paths in the closure that are already present in the target
-store are ignored. It is also possible to pipe the export into
-another command, e.g. to copy and install a closure directly to/on
-another machine:
-
-<screen>
-$ nix-store --export $(nix-store -qR $(type -p firefox)) | bzip2 | \
- ssh address@hidden "bunzip2 | nix-store --import"</screen>
-
-But note that <command>nix-copy-closure</command> is generally more
-efficient in this example because it only copies paths that are not
-already present in the target Nix store.</para>
-
+<xi:include href="copy-closure.xml" />
+<xi:include href="ssh-substituter.xml" />
</chapter>
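Review bot: With the body moved into copy-closure.xml, the chapter introduction kept as context here still describes only copying ("mechanisms to quickly copy packages between machines"), while the newly included ssh-substituter.xml covers fetching store paths on demand from a remote store. Consider adding a sentence to the introduction that names both mechanisms, so the chapter text matches the two xi:include lines that now make up its body.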
diff --git a/doc/manual/packages/ssh-substituter.xml
b/doc/manual/packages/ssh-substituter.xml
new file mode 100644
index 0000000..f24f354
--- /dev/null
+++ b/doc/manual/packages/ssh-substituter.xml
@@ -0,0 +1,73 @@
+<section xmlns="http://docbook.org/ns/docbook"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ version="5.0"
+ xml:id="ssec-ssh-substituter">
+
+<title>Serving a Nix store via SSH</title>
+
+<para>You can tell Nix to automatically fetch needed binaries from a
+remote Nix store via SSH. For example, the following installs Firefox,
+automatically fetching any store paths in Firefox’s closure if they
+are available on the server <literal>avalon</literal>:
+
+<screen>
+$ nix-env -i firefox --option ssh-substituter-hosts address@hidden
+</screen>
+
+This works similar to the binary cache substituter that Nix usually
+uses, only using SSH instead of HTTP: if a store path
+<literal>P</literal> is needed, Nix will first check if it’s available
+in the Nix store on <literal>avalon</literal>. If not, it will fall
+back to using the binary cache substituter, and then to building from
+source.</para>
+
+<note><para>The SSH substituter currently does not allow you to enter
+an SSH passphrase interactively. Therefore, you should use
+<command>ssh-add</command> to load the decrypted private key into
+<command>ssh-agent</command>.</para></note>
+
+<para>You can also copy the closure of some store path, without
+installing it into your profile, e.g.
+
+<screen>
+$ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --option
ssh-substituter-hosts address@hidden
+</screen>
+
+This is essentially equivalent to doing
+
+<screen>
+$ nix-copy-closure --from address@hidden /nix/store/m85bxg…-firefox-34.0.5
+</screen>
+
+</para>
+
+<para>You can use SSH’s <emphasis>forced command</emphasis> feature to
+set up a restricted user account for SSH substituter access, allowing
+read-only access to the local Nix store, but nothing more. For
+example, add the following lines to <filename>sshd_config</filename>
+to restrict the user <literal>nix-ssh</literal>:
+
+<programlisting>
+Match User nix-ssh
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand nix-store --serve
+Match All
+</programlisting>
+
+On NixOS, you can accomplish the same by adding the following to your
+<filename>configuration.nix</filename>:
+
+<programlisting>
+nix.sshServe.enable = true;
+nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... address@hidden" ];
+</programlisting>
+
+where the latter line lists the public keys of users that are allowed
+to connect.</para>
+
+</section>
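Review bot: The forced-command paragraph promises "read-only access to the local Nix store, but nothing more", but the sshd_config listing for nix-ssh only covers the session restrictions and ForceCommand. Unlike the NixOS variant with nix.sshServe.keys, the generic instructions never say that the nix-ssh account has to exist or where the permitted public keys are installed. A sentence on creating the account and populating its authorized_keys file would make the non-NixOS path complete. Separately, the sample entry in nix.sshServe.keys is an ssh-dss key; an ssh-rsa or ssh-ed25519 example would be a better model for readers to copy, since DSA keys in OpenSSH are fixed at 1024 bits. Minor wording: "This works similar to" should read "This works similarly to".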