Next: SELinux Support, Previous: Build Environment Setup, Up: Setting Up the Daemon [Contents][Index]
When desired, the build daemon can offload derivation builds to other machines running Guix, using the offload build hook. When that feature is enabled, a list of user-specified build machines is read from /etc/guix/machines.scm; every time a build is requested, for instance via guix build, the daemon attempts to offload it to one of the machines that satisfy the constraints of the derivation, in particular its system types, e.g., x86_64-linux. A single machine can have multiple system types, either because its architecture natively supports it, via emulation (see Transparent Emulation with QEMU), or both. Missing prerequisites for the build are copied over SSH to the target machine, which then proceeds with the build; upon success the output(s) of the build are copied back to the initial machine. The offload facility comes with a basic scheduler that attempts to select the best machine. The best machine is chosen among the available machines based on criteria such as:
1. The availability of a free build slot, bounded by the parallel-builds field of its build-machine object.
2. Its relative speed, as given by the speed field of its build-machine object.
3. Its current load, which must stay below the overload-threshold field of its build-machine object.
A typical /etc/guix/machines.scm file looks like this:
(list (build-machine
        (name "eightysix.example.org")
        (systems (list "x86_64-linux" "i686-linux"))
        (host-key "ssh-ed25519 AAAAC3Nza…")
        (user "bob")
        (speed 2.))     ;incredibly fast!
      (build-machine
        (name "armeight.example.org")
        (systems (list "aarch64-linux"))
        (host-key "ssh-rsa AAAAB3Nza…")
        (user "alice")
        ;; Remember 'guix offload' is spawned by
        ;; 'guix-daemon' as root.
        (private-key "/root/.ssh/identity-for-guix")))
In the example above we specify a list of two build machines, one for the x86_64 and i686 architectures and one for the aarch64 architecture.
In fact, this file is, not surprisingly, a Scheme file that is evaluated when the offload hook is started. Its return value must be a list of build-machine objects. While this example shows a fixed list, one could imagine, say, using DNS-SD to return a list of potential build machines discovered on the local network (see Guile-Avahi in Using Avahi in Guile Scheme Programs). The build-machine data type is detailed below.
This data type represents build machines to which the daemon may offload builds. The important fields are:
name
The host name of the remote machine.
systems
The system types the remote machine supports, e.g., (list "x86_64-linux" "i686-linux").
user
The user account on the remote machine to use when connecting over SSH. Note that the SSH key pair must not be passphrase-protected, to allow non-interactive logins.
host-key
This must be the machine's SSH public host key in OpenSSH format. It is what authenticates the machine when the daemon connects to it, so obtain it from the machine itself or another trusted channel rather than from the first connection: a wrong key would let an impostor receive the builds. It is a long string that looks like this:
ssh-ed25519 AAAAC3NzaC…mde+UhL hint@example.org
If the machine is running the OpenSSH daemon, sshd, the host key can be found in a file such as /etc/ssh/ssh_host_ed25519_key.pub.
If the machine is running the GNU lsh daemon, lshd, the host key is in /etc/lsh/host-key.pub or a similar file. It can be converted to OpenSSH format with the lsh-export-key command (see Converting keys in LSH Manual):
$ lsh-export-key --openssh < /etc/lsh/host-key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV…
A number of optional fields may be specified:
port
(default: 22) Port number of the SSH server on the machine.
private-key
(default: ~root/.ssh/id_rsa) The SSH private key file to use when connecting to the machine, in OpenSSH format. This key must not be protected with a passphrase. Note that the default value is the private key of the root account. Make sure it exists if you use the default.
compression
(default: "zlib@openssh.com,zlib")
compression-level
(default: 3)
The SSH compression methods and compression level. Offloading relies on SSH compression to reduce bandwidth usage when transferring files to build machines.
daemon-socket
(default: "/var/guix/daemon-socket/socket") File name of the Unix-domain socket guix-daemon is listening to on that machine.
overload-threshold
(default: 0.8) The load threshold above which a potential offload machine is disregarded by the offload scheduler. The value roughly translates to the total processor usage of the build machine, ranging from 0.0 (0%) to 1.0 (100%). It can also be disabled by setting overload-threshold to #f.
parallel-builds
(default: 1) The number of builds that may run in parallel on the machine.
speed
(default: 1.0) A relative speed factor. The offload scheduler will tend to prefer machines with a higher speed factor.
features
(default: '()) A list of strings denoting specific features supported by the machine. An example is "kvm" for machines that have the KVM Linux modules and corresponding hardware support. Derivations can request features by name, and they will then be scheduled on matching build machines.
Note: On Guix System, instead of managing /etc/guix/machines.scm independently, you can choose to specify build machines directly in the operating-system declaration, in the build-machines field of guix-configuration. See the build-machines field of guix-configuration.
The guix command must be in the search path on the build machines. You can check whether this is the case by running:
ssh build-machine guix repl --version
There is one last thing to do once machines.scm is in place. As explained above, when offloading, files are transferred back and forth between the machine stores. For this to work, you first need to generate a key pair on each machine to allow the daemon to export signed archives of files from the store (see Invoking guix archive):
# guix archive --generate-key
Note: This key pair is not related to the SSH key pair that was previously mentioned in the description of the build-machine data type.
Each build machine must authorize the key of the master machine so that it accepts store items it receives from the master:
# guix archive --authorize < master-public-key.txt
Likewise, the master machine must authorize the key of each build machine.
All the fuss with keys is here to express pairwise mutual trust relations between the master and the build machines. Concretely, when the master receives files from a build machine (and vice versa), its build daemon can make sure they are genuine, have not been tampered with, and that they are signed by an authorized key.
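With several build machines it is easy to authorize in one direction and forget the other, which shows up later as a refused import. The script below is an added example, not part of the Guix manual or of Guix itself; it performs the exchange for every host named on the command line. It assumes that guix archive --generate-key leaves the public key in /etc/guix/signing-key.pub (the file Guix writes; overridable here through SIGNING_KEY), that the master reaches each build machine as root over SSH just as guix offload does, that guix is on PATH on both sides, and that a valid public key is a canonical s-expression beginning with "(public-key"; anything else fetched from the remote, such as an error message that arrived on stdout, is refused rather than authorized.

```shell
#!/bin/sh
# Added example; not part of the Guix manual or of Guix itself.
# Establishes the pairwise trust described in the text: each side's
# archive-signing public key is authorized on the other.
# Assumptions: 'guix archive --generate-key' writes the public key to
# /etc/guix/signing-key.pub, the master can reach each build machine as
# root over SSH, and 'guix' is on PATH on both ends.
set -eu

SIGNING_KEY=${SIGNING_KEY:-/etc/guix/signing-key.pub}
SSH_CMD=${SSH_CMD:-ssh}

# remote HOST COMMAND: run COMMAND on HOST as root, stdin passed through.
remote() {
  target=$1; shift
  $SSH_CMD "root@$target" "$@"
}

# Make sure HOST has a signing key pair, then print its public key.
remote_public_key() {
  remote "$1" "test -f $SIGNING_KEY || guix archive --generate-key; cat $SIGNING_KEY"
}

# authorize_pair HOST: mutual authorization between this machine and HOST.
# Returns 1 if what came back from HOST does not look like a Guix public
# key, so a failed or garbled transfer is never authorized by mistake.
authorize_pair() {
  host=$1
  key=$(remote_public_key "$host")
  case $key in
    "(public-key "*) ;;
    *) echo "refusing to authorize $host: unexpected key material" >&2; return 1 ;;
  esac
  # 1. The master trusts archives signed by HOST.
  printf '%s\n' "$key" | guix archive --authorize
  # 2. HOST trusts archives signed by the master.
  remote "$host" "guix archive --authorize" < "$SIGNING_KEY"
  echo "authorized $host"
}

# authorize_all HOST...: set up every listed build machine, keep going on
# failure, and return the number of hosts that failed.
authorize_all() {
  failed=0
  for h in "$@"; do
    authorize_pair "$h" || failed=$((failed + 1))
  done
  return $failed
}

# Usage: sh authorize-builders.sh eightysix.example.org armeight.example.org
if [ $# -gt 0 ]; then authorize_all "$@"; fi
```

Run it from the master after guix archive --generate-key has been run there; a non-zero exit status is the count of hosts whose exchange did not complete, and guix offload test afterwards confirms that imports now succeed in both directions.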
To test whether your setup is operational, run this command on the master node:
# guix offload test
This will attempt to connect to each of the build machines specified in /etc/guix/machines.scm, make sure Guix is available on each machine, attempt to export to the machine and import from it, and report any error in the process.
If you want to test a different machine file, just specify it on the command line:
# guix offload test machines-qualif.scm
Last, you can test the subset of the machines whose name matches a regular expression like this:
# guix offload test machines.scm '\.gnu\.org$'
To display the current load of all build hosts, run this command on the main node:
# guix offload status