Next: Návody na Scheme, Up: (dir) [Contents][Index]
Tento dokument obsahuje návody a podrobné príklady použitia GNU Guix, funkcionálneho správcu balíkov napísaného pre systém GNU. Získajte viac podrobností o systéme, jeho API a súvisiacich pojmoch v see GNU Guix reference manual.
Táto príručka je dostupná aj v angličtine (see GNU Guix Cookbook), francúzštine (see Livre de recettes de GNU Guix) a nemčine (see GNU-Guix-Kochbuch). Ak chcete pomôcť s prekladom tohto dokumentu do vášho rodného jazyka, pripojte sa k Weblate (see Translating Guix in GNU Guix reference manual).
• Návody na Scheme | Zoznámte sa s vašim novým najobľúbenejším jazykom! | |
• Zadávanie balíkov | Návody na zadávanie balíkov | |
• Nastavenie systému | Prispôsobenie systému GNU | |
• Containers | Isolated environments and nested systems | |
• Pokročilá správa balíkov | Moc pre používateľov! | |
• Správa prostredí | Kontrolné prostredie | |
• Installing Guix on a Cluster | High-performance computing. | |
• Poďakovanie | Ďakujeme! | |
• Licencia GNU Free Documentation | Licencia, ktorej podlieha tento dokument. | |
• Zoznam pojmov | Pojmy. | |
— Podrobný zoznam uzlov — Zadávanie balíkov | ||
• Návod na zadávanie balíkov | Návod na pridávanie balíkov do Guixu. | |
Nastavenie systému | ||
• Automatické pripojenie k určitému TTY | Automaticky pripojiť používateľa k určitému TTY | |
• Prispôsobenie jadra | Vytvorenie a používanie vlastného Linuxového jadra v systéme Guix. | |
• API pre vytváranie obrazov systému Guix | Prispôsobenie obrazov nezvyčajným platformám. | |
• Using security keys | How to use security keys with Guix System. | |
• Pripojenie k Wireguard VPN | Pripojenie k Wireguard VPN sieti. | |
• Prispôsobenie správcu okien | Spravovať prispôsobenie správcu okien v systéme Guix. | |
• Spúšťanie Guixu na serveri Linode | Spúšťanie Guixu na serveri Linode | |
• Nastavenie podvojného pripojenia | Nastavenie podvojného pripojenia v zadaní systému súborov. | |
• Získavanie náhrad prostredníctvom Tor | Nastavenie démona Guix na získavanie náhrad cez Tor. | |
• Nastavenia NGINX a Lua | Nastavenie web-servera NGINX na načítavanie Lua modulov. | |
• Music Server with Bluetooth Audio | Headless music player with Bluetooth output. | |
Containers | ||
• Guix Containers | Perfectly isolated environments | |
• Guix System Containers | A system inside your system | |
Pokročilá správa balíkov | ||
• Guix Profiles in Practice | Strategies for multiple profiles and manifests. | |
Správa prostredí | ||
• Guix environment via direnv | Setup Guix environment with direnv | |
Installing Guix on a Cluster | ||
• Setting Up a Head Node | The node that runs the daemon. | |
• Setting Up Compute Nodes | Client nodes. | |
• Cluster Network Access | Dealing with network access restrictions. | |
• Cluster Disk Usage | Disk usage considerations. | |
• Cluster Security Considerations | Keeping the cluster secure. | |
Next: Zadávanie balíkov, Previous: Top, Up: Top [Contents][Index]
GNU Guix je zapísaný v programovacom jazyku Scheme. K mnohým jeho súčastiam je možné pristupovať a upravovať ich prostredníctvom programovania. Pomocou jazyka Scheme môžete zadávať, upravovať a zostavovať balíky, nasadzovať celé operačné systémy, atď.
Poznať základy programovania v jazyku Scheme vám otvorí dvere k množstvu pokročilých súčastí, ktoré Guix ponúka — a to ani nemusíte byť skúseným vývojárom, aby ste ich mohli využívať!
Poďme na to!
• Zrýchlené školenie jazyka Scheme |
Up: Návody na Scheme [Contents][Index]
Guix používa Guile implementáciu jazyka Scheme. Ak si chcete tento jazyk
vyskúšať, nainštalujte si Guile pomocou guix install guile
a spustite
REPL,
tzv.
slučku čítaj-vykonaj-zobraz, zadaním guile
v príkazovom
riadku.
Alternatively you can also run guix shell guile -- guile
if you’d
rather not have Guile installed in your user profile.
Riadky v nasledovných príkladoch znázorňujú to, čo treba zadať v rámci REPL; riadky začínajúce na „⇒“ znázorňujú výsledok vykonania príkazu, zatiaľ čo riadky začínajúce na „-|“ znázorňujú to čo sa zobrazí na obrazovke. See Using Guile Interactively in GNU Guile Reference Manual, pre viac podrobností o REPL.
#true
a #false
(skrátene #t
a #f
)
znázorňujú logické hodnoty „pravda“ a „nepravda“.
Príklady platných výrazov:
"Ahoj svet!" ⇒ "Ahoj svet!" 17 ⇒ 17 (display (string-append "Ahoj " "Guix" "\n")) -| Ahoj Guix! ⇒ #<unspecified>
lambda
:
Vyššie uvedená funkcia vracia druhú mocninu hodnoty jej parametra. Keďže
všetko sa považuje za výraz, aj výraz lambda
vracia bezmennú funkciu,
ktorú je následne možné uplatniť na nejaký parameter:
((lambda (x) (* x x)) 3) ⇒ 9
define
:
(define a 3) (define druha-mocnina (lambda (x) (* x x))) (druha-mocnina a) ⇒ 9
(define (druha-mocnina x) (* x x))
list
:
(list 2 a 5 7) ⇒ (2 3 5 7)
'(display (string-append "Ahoj " "Guix" "\n")) ⇒ (display (string-append "Ahoj " "Guix" "\n")) '(2 a 5 7) ⇒ (2 a 5 7)
`(2 a 5 7 (2 ,a 5 ,(+ a 4))) ⇒ (2 a 5 7 (2 3 5 7))
Všimnite si, že hore uvedený výsledok je zoznam rôznorodých položiek: čísel,
znakov (a
) a posledná položka je tiež zoznam.
let
(see Local Bindings in GNU Guile Reference
Manual) môžeme zadať a pomenovať viacero miestnych premenných:
(define x 10) (let ((x 2) (y 3)) (list x y)) ⇒ (2 3) x ⇒ 10 y error→ In procedure module-lookup: Unbound variable: y
Ak chcete, aby bolo možné v neskorších zadaniach premenných odkazovať na
predtým zadané premenné, použite let*
.
#:
(mriežkou a dvojbodkou), po
ktorých nasledujú písmenové či číselné znaky:
#:takto
. See Keywords in GNU Guile Reference Manual.
%
je bežne používaný pre globálne premenné s prístupom
len na čítanie počas zostavovania. Všimnite si, že je to len všeobecným
zvykom, ako napr. _
v jazyku C. Scheme spracúva %
ako
hocijaký iný znak.
define-module
(see Creating Guile Modules in GNU Guile Reference Manual). Napríklad
(define-module (guix build-system ruby)
#:use-module (guix store)
#:export (ruby-build
ruby-build-system))
určuje modul guix build-system ruby
, ktorý má byť umiestnený v
guix/build-system/ruby.scm niekde vo vyhľadávacej ceste Guilu. Závisí
na module (guix store)
a určuje dve premenné, ruby-build
a
ruby-build-system
.
Going further: Scheme is a language that has been widely used to teach programming and you’ll find plenty of material using it as a vehicle. Here’s a selection of documents to learn more about Scheme:
- A Scheme Primer, by Christine Lemmer-Webber and the Spritely Institute.
- Scheme at a Glance, by Steve Litt.
- Structure and Interpretation of Computer Programs, by Harold Abelson and Gerald Jay Sussman, with Julie Sussman. Colloquially known as “SICP”, this book is a reference.
You can also install it and read it from your computer:
guix install sicp info-reader info sicpĎalšie knihy, návody ako aj iné druhy zdrojov nájdete na https://schemers.org/.
Next: Nastavenie systému, Previous: Návody na Scheme, Up: Top [Contents][Index]
Tento oddiel je zameraný na pridávanie nových balíkov do zbierky balíkov GNU Guix, čo zahŕňa zadávanie balíkov v Guile Scheme, ich usporadúvanie do modulov a zostavovanie.
• Návod na zadávanie balíkov | Návod na pridávanie balíkov do Guixu. |
Up: Zadávanie balíkov [Contents][Index]
GNU Guix sa vyznačuje ako prispôsobiteľný správca balíkov hlavne preto, že používa GNU Guile, výkonný vysokoúrovňový programovací jazyk, jedno z nárečí jazyka Scheme z jazykovej rodiny Lispu.
Zadania balíkov sú rovnako písané v jazyku Scheme, čo dáva Guixu jedinečnú výhodu v porovnaní s ostatnými správcami balíkov, ktoré používajú skripty shellu alebo jednoduché programovacie jazyky.
#:make-flags
"..."
do zoznamu balíkov. Tiež by nebolo od veci spomenúť
Gentoo príznak USE, ale to je
na dlhšie: tvorca balíkov nemusí vopred myslieť na tieto zmeny, pretože ich
môže neskôr naprogramovať koncový používateľ!
Nasledovný návod vysvetľuje základy vytvárania balíkov s Guixom. Nepredpokladá žiadnu znalosť systému Guix ani jazyka Lisp. Čitateľ by však mal byť oboznámený s príkazovým riadkom a mať aspoň základnú znalosť programovania.
• Balík „Vitaj svet“ | ||
• Nastavenie | ||
• Zložitejší príklad | ||
• Ďalšie zostavovacie systémy | ||
• Programovateľné a automatické zadávanie balíkov | ||
• Získavanie pomoci | ||
• Záver | ||
• Odkazy |
Next: Nastavenie, Up: Návod na zadávanie balíkov [Contents][Index]
Oddiel „Zadávanie balíkov“ v príručke obsahuje základy tvorby balíkov s Guixom (see Defining Packages in GNU Guix Reference Manual). V nasledovnom oddieli si tieto základy z časti pripomenieme.
GNU Hello je šablóna projektu, ktorá slúži ako základný príklad
zadávania balíkov. Využíva zostavovací systém GNU (./configure && make
&& make install
). Guix už obsahuje zadanie príslušného balíka, ktoré
predstavuje vhodný odrazový bod. Môžete si zadanie balíka prezrieť zadaním
guix edit hello
do príkazového riadku. Pozrime sa ako toto zadania
balíka vyzerá:
(define-public hello
(package
(name "hello")
(version "2.10")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/hello/hello-" version
".tar.gz"))
(sha256
(base32
"0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i"))))
(build-system gnu-build-system)
(synopsis "Hello, GNU world: An example GNU package")
(description
"GNU Hello prints the message \"Hello, world!\" and then exits. It
serves as an example of standard GNU coding practices. As such, it supports
command-line arguments, multiple languages, and so on.")
(home-page "https://www.gnu.org/software/hello/")
(license gpl3+)))
Ako môžete vidieť, tá najobsiahlejšia časť je dosť jednoduchá. Ale prejdime si spoločne jednotlivé polia:
Názov projektu. Podľa všeobecných zvyklostí ho zapisujeme malými písmenami, bez podčiarkovníkov a s použitím pomlčiek na oddelenie jednotlivých slov.
Toto pole obsahuje popis pôvodu zdrojového kódu. Záznam origin
obsahuje tieto polia:
url-fetch
pre stiahnutie prostredníctvom HTTP/FTP, ale poznáme
aj iné spôsoby, ako napr. git-fetch
pre Git repozitáre.
https://
pre url-fetch
. V tomto prípade
zvláštne „mirror://gnu“ odkazuje na súbor dobre známych umiestnení, ktoré
môžu byť všetky použité na získanie zdrojového kódu ak by niektoré z nich
nebolo dostupné.
sha256
požadovaného súboru. Je dôležitý pre zaistenie
celistvosti zdroja. Všimnite si, že Guix pracuje z base32 reťazcami, čo
vysvetľuje použitie funkcie base32
.
Práve tu má príležitosť zažiariť sila všeobecnosti jazyka Scheme: v tomto
prípade, gnu-build-system
je zovšeobecnenie známych príkazov shellu
./configure && make && make install
. Medzi ďalšie zostavovacie
systémy patrí trivial-build-system
, ktorý nerobí nič a necháva na
programátorovi, aby zadal všetky potrebné kroky zostavenia,
python-build-system
, emacs-build-system
a mnohé ďalšie
(see Build Systems in GNU Guix Reference Manual).
Toto by mal byť súhrnný popis toho, na čo balík slúži. Pri mnohých balíkoch je vhodné použiť slogan zo stránky príslušného projektu.
Podobne ako v prípade súhrnného popisu je vhodné použiť popis projektu z jeho domovskej stránky. Všimnite si, že Guix používa značkovanie Texinfo.
Použitie HTTPS prepojenie, ak je dostupné.
Viď guix/licenses.scm
v zdrojovom kóde projektu pre zoznam všetkých
dostupných licencií.
Nastal čas na zostavenie nášho prvého balíka! Zatiaľ nič zvláštne:
spoľahneme sa jednoducho na kópiu vyššie uvedeného zadania my-hello
.
Tak ako pri rituálnom „Ahoj svet“, ktorý sa vyučuje pri väčšine programovacích jazykov, toto bude ten „najručnejší“ spôsob zadávania balíka, ktorý použijete. Neskôr si ukážeme dokonalejší postup, no zatiaľ sa vyberieme tou najjednoduchšou cestou.
Uložte nasledujúci obsah do súboru s názvom my-hello.scm.
(use-modules (guix packages) (guix download) (guix build-system gnu) (guix licenses)) (package (name "my-hello") (version "2.10") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/hello/hello-" version ".tar.gz")) (sha256 (base32 "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i")))) (build-system gnu-build-system) (synopsis "Hello, Guix world: An example custom Guix package") (description "GNU Hello prints the message \"Hello, world!\" and then exits. It serves as an example of standard GNU coding practices. As such, it supports command-line arguments, multiple languages, and so on.") (home-page "https://www.gnu.org/software/hello/") (license gpl3+))
Dodatočné príkazy si vysvetlíme o chvíľu.
Neváhajte a vyskúšajte si, čo sa stane ak zmeníte hodnoty niektorých polí. Ak zmeníte zdroj balíka, budete musieť aktualizovať aj kontrolný súčet. Guix nezostaví nič ak daný kontrolný súčet neodpovedá kontrolnému súčtu zdrojového kódu. Pre získanie správneho kontrolného súčtu potrebujeme stiahnuť zdroj, vypočítať kontrolný súčet sha256 a previesť ho do base32.
Našťastie, Guix to môže urobiť za nás; všetko čo budeme potrebovať je prepojenie (URI) zdroja:
$ guix download mirror://gnu/hello/hello-2.10.tar.gz Starting download of /tmp/guix-file.JLYgL7 From https://ftpmirror.gnu.org/gnu/hello/hello-2.10.tar.gz... following redirection to `https://mirror.ibcp.fr/pub/gnu/hello/hello-2.10.tar.gz'... …10.tar.gz 709KiB 2.5MiB/s 00:00 [##################] 100.0% /gnu/store/hbdalsf5lpf01x4dcknwx6xbn6n5km6k-hello-2.10.tar.gz 0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i
V tomto konkrétnom prípade nám výstup hovorí, aké zrkadlo bolo vybraté. Ak
výsledok tohto príkazu nie je rovnaký ako v predchádzajúcom úryvku,
aktualizujte vaše zadanie my-hello
podľa potreby.
Všimnite si, že archívy GNU balíkov sú poskytované spolu s OpenPGP podpisom, takže by ste si jednoznačne mali overiť podpis tohto archívu pomocou „gpg“ predtým než budete pokračovať:
$ guix download mirror://gnu/hello/hello-2.10.tar.gz.sig Starting download of /tmp/guix-file.03tFfb From https://ftpmirror.gnu.org/gnu/hello/hello-2.10.tar.gz.sig... following redirection to `https://ftp.igh.cnrs.fr/pub/gnu/hello/hello-2.10.tar.gz.sig'... ….tar.gz.sig 819B 1.2MiB/s 00:00 [##################] 100.0% /gnu/store/rzs8wba9ka7grrmgcpfyxvs58mly0sx6-hello-2.10.tar.gz.sig 0q0v86n3y38z17rl146gdakw9xc4mcscpk8dscs412j22glrv9jf $ gpg --verify /gnu/store/rzs8wba9ka7grrmgcpfyxvs58mly0sx6-hello-2.10.tar.gz.sig /gnu/store/hbdalsf5lpf01x4dcknwx6xbn6n5km6k-hello-2.10.tar.gz gpg: Podpis vytvorený Ne 16. november 2014, 13:08:37 CET gpg: pomocou RSA kľúča A9553245FDE9B739 gpg: Dobrý podpis od "Sami Kerola <kerolasa@iki.fi>" neznáme gpg: alias "Sami Kerola (http://www.iki.fi/kerolasa/) <kerolasa@iki.fi>" neznáme gpg: VAROVANIE: Tento kľúč nie certifikovaný dôveryhodným podpisom! gpg: Nič nenaznačuje tomu, že tento podpis patrí vlastníkovi kľúča. Primárny fingerprint kľúča: 8ED3 96E3 7E38 D471 A005 30D3 A955 3245 FDE9 B739
Potom môžete spokojne spustiť
$ guix package --install-from-file=my-hello.scm
Teraz by ste už mali mať my-hello
vo vašom profile!
$ guix package --list-installed=my-hello my-hello 2.10 out /gnu/store/f1db2mfm8syb8qvc357c53slbvf1g9m9-my-hello-2.10
Dostali sme sa tak ďaleko ako sa dalo bez znalosti Scheme. Predtým než prejdeme k zložitejším balíkom si dáme rýchlokurz jazyka Scheme. Na začiatok odporúčame see Zrýchlené školenie jazyka Scheme.
Next: Zložitejší príklad, Previous: Balík „Vitaj svet“, Up: Návod na zadávanie balíkov [Contents][Index]
V ďalších častiach tohto oddielu sa budeme spoliehať na vašu základnú znalosť jazyka Scheme. Teraz si predstavíme rôzne možnosti práce s balíkmi Guix.
Jestvuje viacero spôsobov nastavenia prostredia pre zadávanie balíkov Guix.
Odporúčame vám pracovať priamo v repozitári zdrojových súborov Guixu za účelom jednoduchšieho prispievania do projektu.
Ale najprv sa pozrime na ostatné možnosti.
• Miestny súbor | ||
• ‘GUIX_PACKAGE_PATH’ | ||
• Kanály Guix | ||
• Priamy zásah do git repozitára |
Next: ‘GUIX_PACKAGE_PATH’, Up: Nastavenie [Contents][Index]
Toto je spôsob, ktorý sme práve použili v prípade ‘my-hello’. Vďaka
základom Scheme, ktoré sme si predstavili, vám teraz môžeme vysvetliť tie
najdôležitejšie časti. Ako je uvedené v guix package --help
:
-f, --install-from-file=SÚBOR inštalovať balíky priamo definované v SÚBORE
Teda, posledný výraz musí vracať balík, čo pre náš skorší príklad aj platí.
Výraz use-modules
nám hovorí, ktoré moduly potrebujeme. Moduly
predstavujú zbierky hodnôt a funkcií. V iných programovacích jazykoch sa
všeobecne označujú ako „knižnice“ alebo „balíky“.
Next: Kanály Guix, Previous: Miestny súbor, Up: Nastavenie [Contents][Index]
Upozornenie: Počínajúc Guix 0.16 sú Guix channels uprednostňovaným spôsobom práce a nahrádzajú použitie ‘GUIX_PACKAGE_PATH’. Viď nasledujúci oddiel.
Uvádzanie súboru so zadaním balíka v príkazovom riadku namiesto použitia
guix package --install my-hello
, ako v prípade oficiálnych balíkov,
môže byť zdĺhavé.
Guix umožňuje zjednodušiť túto úlohu pridaním toľkých „priečinkov zadaní balíkov“, koľkých chcete.
Vytvorte priečinok, povedzme ~/guix-packages a pridajte cestu k nemu do premennej prostredia ‘GUIX_PACKAGE_PATH’:
$ mkdir ~/guix-packages $ export GUIX_PACKAGE_PATH=~/guix-packages
Pri pridávaní viacerých priečinkov oddeľte jednotlivé cesty k nim dvojbodkou
(:
).
Avšak, náš predchádzajúci príklad ‘my-hello’ vyžaduje niekoľko úprav:
(define-module (my-hello) #:use-module (guix licenses) #:use-module (guix packages) #:use-module (guix build-system gnu) #:use-module (guix download)) (define-public my-hello (package (name "my-hello") (version "2.10") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/hello/hello-" version ".tar.gz")) (sha256 (base32 "0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i")))) (build-system gnu-build-system) (synopsis "Hello, Guix world: An example custom Guix package") (description "GNU Hello prints the message \"Hello, world!\" and then exits. It serves as an example of standard GNU coding practices. As such, it supports command-line arguments, multiple languages, and so on.") (home-page "https://www.gnu.org/software/hello/") (license gpl3+)))
Všimnite si, že sme tentokrát zadanie balíka uložili do verejnej premennej
my-hello
pomocou define-public
, na ktorú je možné odkazovať,
medzi iným aj ako na závislosť v rámci zadania nejakého ďalšieho balíka.
Ak spustíte guix package --install-from-file=my-hello.scm
s použitím
vyššie uvedeného súboru, tak príkaz zlyhá, pretože posledný výraz,
define-public
, nevracia balík. Ak aj napriek tomu chcete v tomto
prípade použiť define-public
, uistite sa, že súbor končí vykonaním
my-hello
:
; ... (define-public my-hello ; ... ) my-hello
Tento posledný príklad nie je veľmi bežný.
Teraz by už mal byť ‘my-hello’ súčasťou zbierky balíkov ako všetky ostatné oficiálne balíky. Môžete si to overiť pomocou:
$ guix package --show=my-hello
Next: Priamy zásah do git repozitára, Previous: ‘GUIX_PACKAGE_PATH’, Up: Nastavenie [Contents][Index]
Guix 0.16 uvádza kanály, čo je mechanizmus veľmi podobný ‘GUIX_PACKAGE_PATH’, ale ponúka lepšie začlenenie a sledovanie pôvodu. Kanály nemusia byť miestne, môžu byť udržiavané, napríklad, vo forme verejných Git repozitárov. Je samozrejme možné použiť viacero kanálov naraz.
Viď See Channels in GNU Guix Reference Manual pre viac podrobností o používaní kanálov.
Previous: Kanály Guix, Up: Nastavenie [Contents][Index]
Odporúčame vám pracovať priamo v rámci projektu Guix: znižuje to čas potrebný na odoslanie a zapracovanie vašich zmien do oficiálnej verzie Guixu, aby aj ostatní mali úžitok z vašej ťažkej práce!
Na rozdiel od väčšiny softvérových distribúcií, repozitár Guixu obsahuje aj nástroje (vrátane správcu balíkov) aj zadania balíkov. Vývojárom je takto možné zaistiť pružnosť potrebnú pre upravovanie API bez toho, aby niečo pokazili. Všetky zadania balíkov sa po každej úprave samy aktualizujú, čím sa predíde zdržaniam vo vývoji.
Vytvorte si kópiu oficiálneho Git repozitára:
$ git clone https://git.savannah.gnu.org/git/guix.git
Vo zvyšku tohto príspevku použijeme pri odkazovaní na túto kópiu premennú ‘$GUIX_CHECKOUT’.
Pre nastavenie prostredia repozitára postupujte podľa pokynov v príručke (see Contributing in GNU Guix Reference Manual).
Keď budete pripravení, mali by ste byť schopní použiť zadania balíkov z prostredia repozitára.
Nebojte sa upravovať zadania balíkov v ‘$GUIX_CHECKOUT/gnu/packages’.
Skript ‘$GUIX_CHECKOUT/pre-inst-env’ vám umožňuje použiť ‘guix’ so zbierkou balíkov v repozitári (see Running Guix Before It Is Installed in GNU Guix Reference Manual).
$ cd $GUIX_CHECKOUT $ ./pre-inst-env guix package --list-available=ruby ruby 1.8.7-p374 out gnu/packages/ruby.scm:119:2 ruby 2.1.6 out gnu/packages/ruby.scm:91:2 ruby 2.2.2 out gnu/packages/ruby.scm:39:2
$ ./pre-inst-env guix build --keep-failed ruby@2.1 /gnu/store/c13v73jxmj2nir2xjqaz5259zywsa9zi-ruby-2.1.6
$ ./pre-inst-env guix package --install ruby@2.1
$ ./pre-inst-env guix lint ruby@2.1
Guix sa usiluje udržať vysokú úroveň zadávania balíkov; pri prispievaní do projektu Guix si zapamätajte, že je potrebné
Keď ste spokojní s výsledkom, privítame, ak nám zašlete váš príspevok, aby sa mohol stať súčasťou Guixu. Tento postup je tiež opísaný v príručke. (see Contributing in GNU Guix Reference Manual)
Guix závisí od spoločného úsilia, preto čím viac ľudí prispeje, tým bude Guix lepší!
Next: Ďalšie zostavovacie systémy, Previous: Nastavenie, Up: Návod na zadávanie balíkov [Contents][Index]
Vyššie uvedený príklad zadania balíka „Ahoj svet“ je taký jednoduchý ako sa len dá. Avšak, zadania balíkov môžu byť zložitejšie a Guix si poradí aj s omnoho náročnejšími balíkmi. Pozrime sa teda na iné, zložitejšie zadanie balíka (mierne upravené v porovnaní s pôvodným zadaním):
(define-module (gnu packages version-control) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix utils) #:use-module (guix packages) #:use-module (guix git-download) #:use-module (guix build-system cmake) #:use-module (gnu packages ssh) #:use-module (gnu packages web) #:use-module (gnu packages pkg-config) #:use-module (gnu packages python) #:use-module (gnu packages compression) #:use-module (gnu packages tls)) (define-public my-libgit2 (let ((commit "e98d0a37c93574d2c6107bf7f31140b548c6a7bf") (revision "1")) (package (name "my-libgit2") (version (git-version "0.26.6" revision commit)) (source (origin (method git-fetch) (uri (git-reference (url "https://github.com/libgit2/libgit2/") (commit commit))) (file-name (git-file-name name version)) (sha256 (base32 "17pjvprmdrx4h6bb1hhc98w9qi6ki7yl57f090n9kbhswxqfs7s3")) (patches (search-patches "libgit2-mtime-0.patch")) (modules '((guix build utils))) ;; Odstrániť pribalený softvér. (snippet '(delete-file-recursively "deps")))) (build-system cmake-build-system) (outputs '("out" "debug")) (arguments `(#:tests? #true ; Preveriť výsledok zostavenia (predvolené). #:configure-flags '("-DUSE_SHA1DC=ON") ; Zisťovanie rozporov v odtlačkoch SHA-1 #:phases (modify-phases %standard-phases (add-after 'unpack 'fix-hardcoded-paths (lambda _ (substitute* "tests/repo/init.c" (("#!/bin/sh") (string-append "#!" (which "sh")))) (substitute* "tests/clar/fs.h" (("/bin/cp") (which "cp")) (("/bin/rm") (which "rm"))))) ;; Bohatší výstup pri preverovaní zostavenia (replace 'check (lambda _ (invoke "./libgit2_clar" "-v" "-Q"))) (add-after 'unpack 'make-files-writable-for-tests (lambda _ (for-each make-file-writable (find-files "." ".*"))))))) (inputs (list libssh2 http-parser python-wrapper)) (native-inputs (list pkg-config)) (propagated-inputs ;; Tieto dve knižnice sa nachádzajú v „Requires.private“ v libgit2.pc. (list openssl zlib)) (home-page "https://libgit2.github.com/") (synopsis "Library providing Git core methods") (description "Libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings.") ;; GPLv2 s odkazovou výnimkou (license license:gpl2))))
(V prípade, že chcete zmeniť len pár polí v pôvodnom zadaní balíka by ste sa mali spoľahnúť na dedičnosť namiesto skopírovania celého zadania. Viď nižšie.)
Pozrime sa teraz na tieto polia zblízka.
git-fetch
Narozdiel od funkcie url-fetch
, git-fetch
vyžaduje
git-reference
, ktorú určuje Git repozitár a príslušná úprava. Úpravou
sa rozumie akýkoľvek odkaz Git ako napríklad značka. Teda, ak je
version
označená, tak je možné použiť priamo číslo verzie. Niekedy
majú značky verzií perdponu v
. V tomto prípade môžete použiť
(commit (string-append "v" version))
.
Aby sme sa uistili, že sa zdrojový kód z Git repozitára uloží do priečinka s
výstižným názvom, použijeme (file-name (git-file-name name version))
.
Keď zadávate balík pre program s určitým číslom úpravy, môžete pre odvodenie
správneho označenia verzie použiť funkciu git-version
podľa pokynov v
príručke prispievateľa do Guixu (see Version Numbers in GNU Guix
Reference Manual).
Pýtate sa ako získať správny odtlačok sha256
? Vyvolaním guix
hash
na miestnej kópii repozitára v požadovanej úprave, asi takto:
git clone https://github.com/libgit2/libgit2/ cd libgit2 git checkout v0.26.6 guix hash -rx .
guix hash -rx
vypočíta odtlačok SHA256 celého priečinka
nezahŕňajúc pod-priečinok .git (see Invoking guix hash in GNU Guix Reference Manual).
Do budúcna bude snáď guix download
schopný vykonávať tieto kroky
za vás, tak ako je tomu pri bežných sťahovaniach súborov.
Kusy kódu predstavujú malé časti Scheme kódu v úvodzovkách, t.j. bežne nevykonávané, ktoré sa používajú na plátanie zdrojových súborov. Je to taká Guixová náhrada za dobre známe .patch súbory. Vďaka úvodzovkám sa daný kód vykoná len vtedy, keď sa odošle démonovi Guixu na zostavenie. V praxi môžeme použiť toľko kusov kódu, koľko potrebujeme.
Kusy kódu môžu vyžadovať prídavné moduly Guilu, ktoré je možné načítať
pomocou poľa modules
.
Jestvujú tri rôzne druhy vstupov. V skratke:
Vyžadované pri zostavovaní ale nie pri spúšťaní. V prípade inštalácie balíka prostredníctvom náhrady sa tieto vstupy nebudú inštalovať.
Inštalované do úložiska ale nie do profilu a prítomné pri zostavovaní.
Inštalované do úložiska aj do profilu a prítomné pri zostavovaní.
See package Reference in GNU Guix Reference Manual for more details.
Správne rozlišovanie medzi jednotlivými druhmi vstupov je dôležité: ak je možné závislosť zaradiť ako input namiesto propagated input, tak by sa to tak malo urobiť. Inak bezdôvodne „znečistí“ používateľský profil.
Napríklad, ak inštalujete grafický program, ktorý závisí na nejakom nástroji spúšťanom v príkazovom riadku, tak vám pravdepodobne ide len o tú grafickú časť. Nie je teda potrebné siliť inštaláciu nástroja spúšťaného v príkazovom riadku do používateľského profilu. Závislosti sú spravované balíkmi a nie používateľmi. Vstupy umožňujú spravovať závislosti bez toho, aby to nejako zaťažovalo používateľov pridávaním neužitočných programov či knižníc do ich profilu.
Rovnako to platí aj pre native-inputs: po inštalácii programu môžu byť závislosti vyžadované pri zostavovaní bezpečne odstránené zberačom odpadkov. Okrem toho, ak je dostupná binárna náhrada, stiahnu sa len inputs a propagated inputs: native inputs nie sú pri inštalácii balíka prostredníctvom náhrady potrebné.
Poznámka: Tu a tam nájdete úryvky, v ktorých sú vstupy zapísané pomerne odlišne, teda asi takto:
;; „Pôvodný tvar“ zápisu vstupov (inputs `(("libssh2" ,libssh2) ("http-parser" ,http-parser) ("python" ,python-wrapper)))Toto je „pôvodný tvar“, v ktorom má každá položka zoznamu vstupov pridelenú menovku (reťazec). Tento tvar je stále podporovaný ale odporúčame vám používať už len vyššie uvedený tvar. Viď See package Reference in GNU Guix Reference Manual pre viac podrobností.
Tak ako môže mať balík viacero vstupov, môže mať aj viacero výstupov.
Každý výstup má osobitný priečinok v úložisku.
Používateľ si môže vybrať, ktorý výstup nainštaluje; pomáha to šetriť úložné miesto a predchádzať znečisteniu používateľského profilu nechcenými programami či knižnicami.
Oddeľovanie výstupov je voliteľné. Ak sa pole outputs
vynechá,
predvoleným a jediným výstupom (celý balík) bude "out"
.
Často vidíme oddelené výstupy s názvom debug
alebo doc
.
Oddelené výstupy by ste mali používať len vtedy, keď sa to oplatí: ak je
výstup značne veľký (možno porovnať pomocou guix size
), alebo ak je
balík modulárny.
Pole arguments
obsahuje páry kľúč-hodnota používané pri nastavovaní
postupu zostavenia.
Ten najjednoduchší argument #:tests?
možno použiť na vynechanie
testov po zostavení balíka. Je to užitočné najmä v prípade, keď balík
neobsahuje žiadnu testovaciu súpravu. Je dôrazne odporúčané ponechať
testovaciu súpravu povolenú, ak je nejaká dostupná.
Ďalším bežným argumentom je :make-flags
určujúci zoznam dodatočných
príznakov, ktoré sa majú použiť pri spúšťaní nástroja make ako keby ste
pridali priamo do príkazového riadku. Napríklad, nasledovné príznaky
#:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")) "CC=gcc")
sú chápané ako
$ make CC=gcc prefix=/gnu/store/...-<out>
Toto nastaví prekladač jazyka C na gcc
a premennú prefix
(cieľový priečinok inštalácie v prípade nástroja Make) na (assoc-ref
%outputs "out")
, čo predstavuje globálnu premennú prítomnú pri zostavovaní,
ktorá udáva cestu k cieľovému priečinku v úložisku (niečo ako
/gnu/store/...-my-libgit2-20180408).
Podobným spôsobom môžete nastaviť aj príznaky nastavenia:
#:configure-flags '("-DUSE_SHA1DC=ON")
Dostupná je aj premenná %build-inputs
. Predstavuje tabuľku, ktorá
priraďuje názvy vstupov k ich priečinkom v úložisku.
Kľúčové slovo phases
predstavuje postupnosť krokov zostavovacieho
systému. Medzi bežné kroky patria unpack
, configure
,
build
, install
a check
. Ak chcete o týchto krokoch
zistiť viac, musíte nájsť to správne zadanie zostavovacieho systému v
‘$GUIX_CHECKOUT/guix/build/gnu-build-system.scm’:
(define %standard-phases
;; Standard build phases, as a list of symbol/procedure pairs.
(let-syntax ((phases (syntax-rules ()
((_ p ...) `((p . ,p) ...)))))
(phases set-SOURCE-DATE-EPOCH set-paths install-locale unpack
bootstrap
patch-usr-bin-file
patch-source-shebangs configure patch-generated-file-shebangs
build check install
patch-shebangs strip
validate-runpath
validate-documentation-location
delete-info-dir-file
patch-dot-desktop-files
install-license-files
reset-gzip-timestamps
compress-documentation)))
Alebo cez REPL:
(add-to-load-path "/path/to/guix/checkout") ,use (guix build gnu-build-system) (map first %standard-phases) ⇒ (set-SOURCE-DATE-EPOCH set-paths install-locale unpack bootstrap patch-usr-bin-file patch-source-shebangs configure patch-generated-file-shebangs build check install patch-shebangs strip validate-runpath validate-documentation-location delete-info-dir-file patch-dot-desktop-files install-license-files reset-gzip-timestamps compress-documentation)
Ak chcete vedieť čo sa počas jednotlivých krokov odohráva, preštudujte si príslušné funkcie.
Napríklad, v čase písania týchto riadkov, bolo zadanie kroku unpack
v
zostavovacom systéme GNU nasledovné:
(define* (unpack #:key source #:allow-other-keys)
"Unpack SOURCE in the working directory, and change directory within the
source. When SOURCE is a directory, copy it in a sub-directory of the current
working directory."
(if (file-is-directory? source)
(begin
(mkdir "source")
(chdir "source")
;; Preserve timestamps (set to the Epoch) on the copied tree so that
;; things work deterministically.
(copy-recursively source "."
#:keep-mtime? #true))
(begin
(if (string-suffix? ".zip" source)
(invoke "unzip" source)
(invoke "tar" "xvf" source))
(chdir (first-subdirectory "."))))
#true)
Všimnite si volanie chdir
: zmení súčasný priečinok na umiestnenie,
kde boli rozbalené zdrojové súbory. To znamená, že kroky nasledujúce po
unpack
použijú priečinok so zdrojovými súbormi ako ich pracovný
priečinok. Preto môžeme priamo narábať so zdrojovými súbormi. Teda aspoň
dovtedy, kým niektorý ďalší krok nezmení pracovný priečinok na iný.
Zoznam krokov %standard-phases
zostavovacieho systému upravujeme
pomocou makra modify-phases
určujúceho aké úpravy sa majú vykonať, čo
môže vyzerať asi takto:
(add-before krok novy-krok funkcia)
: Spustiť
funkcia s názvom novy-krok pred krok.
(add-after krok novy-krok funkcia)
: Tak isto, ale
za krok.
(replace krok funkcia)
.
(delete krok)
.
Funkcia prijíma parametre inputs
a outputs
v tvare
kľúčových slov. Každý vstup (či už pôvodný, rozšírený alebo
nie) a výstupný priečinok je označený svojim názvom v týchto premenných.
Takže (assoc-ref outputs "out")
predstavuje priečinok úložiska
hlavného výstupu balíka. Funkcia kroku vyzerá nasledovne:
(lambda* (#:key inputs outputs #:allow-other-keys)
(let ((bash-directory (assoc-ref inputs "bash"))
(output-directory (assoc-ref outputs "out"))
(doc-directory (assoc-ref outputs "doc")))
;; ...
#true))
Funkcia musí po úspešnom vykonaní vrátiť #true
. Nie je veľmi
spoľahlivé opierať sa o návratovú hodnotu posledného výrazu keďže nie je
isté, že to bude práve #true
. Koncové #true
zaisťuje, že bude
po úspešnom vykonaní vrátená správna hodnota.
Ak ste boli pozorní, mohli ste si všimnúť obrátenú úvodzovku a čiarku v poli parametrov. Vskutku, zdrojový kód zostavenia v zadaní balíka by sa nemal vykonávať na strane klienta, ale až vtedy, keď sa odovzdá démonovi Guixu. Toto odovzdávanie zdrojového kódu medzi dvoma procesmi nazývame oddialené vykonanie.
Pri prispôsobovaní phases
budete často potrebovať funkcie
zodpovedajúce systémovým volaniam (make
, mkdir
, cp
,
atď.), ktoré sú zvyčajne dostupné na Unixových systémoch.
Niektoré z nich, ako napríklad chmod
, sú priamo dostupné v jazyku
Guile. Viď úplný zoznam v See Guile reference manual.
Guix poskytuje ďalšie pomocné funkcie, užitočné najmä v súvislosti so správou balíkov.
Niektoré z týchto funkcií sa nachádzajú v ‘$GUIX_CHECKOUT/guix/guix/build/utils.scm’. Väčšinou napodobňujú správanie pôvodných Unixových systémových príkazov:
which
Rovnaká ako systémový príkaz ‘which’.
find-files
Podobná príkazu ‘find’.
mkdir-p
Rovnaká ako príkaz ‘mkdir -p’, ktorý v prípade potreby vytvorí aj všetky nadradené priečinky.
install-file
Podobná ako príkaz ‘install’ na inštaláciu súboru do priečinka (aj
nejestvujúceho). Guile má funkciu copy-file
, ktorá funguje ako príkaz
‘cp’.
copy-recursively
Ako ‘cp -r’.
delete-file-recursively
Ako ‘rm -rf’.
invoke
Vyvolať spustiteľný súbor. Toto by ste mali používať namiesto
system*
.
with-directory-excursion
Vykoná telo funkcie v odlišnom pracovnom priečinku a následne obnoví pôvodný pracovný priečinok.
substitute*
Funkcia podobná príkazu sed
.
Viď See Build Utilities in GNU Guix Reference Manual pre viac podrobností o pomocných funkciách.
Licencia v našom predošlom príklade je uvedená s predponou vzhľadom na
spôsob akým bol načítaný modul licenses
v tomto balíku:
#:use-module ((guix licenses) #:prefix license:)
. Spôsob načítavania
modulov v Guile (see Using Guile Modules in Guile reference
manual) používateľovi dáva úplnú kontrolu nad menným priestorom. Môže sa
tak predísť rozporom, povedzme, medzi premennou ‘zlib’ zo súboru
‘licenses.scm’ (názov licencie) a premennou ‘zlib’ zo
súboru ‘compression.scm’ (názov balíka).
Next: Programovateľné a automatické zadávanie balíkov, Previous: Zložitejší príklad, Up: Návod na zadávanie balíkov [Contents][Index]
To čo sme doteraz videli pokrýva väčšinu balíkov využívajúcich iný
zostavovací systém ako je trivial-build-system
, ktorý nič
neautomatizuje a nechá vás všetko zostaviť ručne. Tento postup môže byť
náročnejší a zatiaľ sa tu ním nebudeme zaoberať. Našťastie je nutné uchýliť
sa k nemu len zriedkavo.
Pri ostatných zostavovacích systémoch, ako sú ASDF, Emacs, Perl, Ruby a mnoho ďalších, je postup, okrem niekoľkých zvláštnych parametrov, veľmi podobný zostavovaciemu systému GNU.
Viď See Build Systems in GNU Guix Reference Manual alebo zdrojový kód v priečinkoch ‘$GUIX_CHECKOUT/guix/build’ a ‘$GUIX_CHECKOUT/guix/build-system’ pre viac podrobností o zostavovacích systémoch.
Next: Získavanie pomoci, Previous: Ďalšie zostavovacie systémy, Up: Návod na zadávanie balíkov [Contents][Index]
Nemôžme to nezdôrazniť: mať po ruke plnohodnotný programovací jazyk nám umožňuje oveľa viac než len bežnú správu balíkov.
Ukážme si to na príklade niekoľkých úžasných súčastí Guixu!
• Rekurzívne nahrávače | ||
• Automatické aktualizácie | ||
• Dedičnosť |
Next: Automatické aktualizácie, Up: Programovateľné a automatické zadávanie balíkov [Contents][Index]
Niektoré zostavovacie systémy sú natoľko dobré, že toho na zadanie balíka ani veľa netreba, a to až do takej miery, že sa vám zadávanie balíkov rýchlo zunuje. Jedným z dôvodov bytia počítačov je nahradiť ľudí pri vykonávaní týchto nudných činností. Nechajme teda Guix urobiť to za nás a vytvoriť zadanie nejakého balíka R pochádzajúceho z CRANu (výstup bol skrátený pre ušetrenie miesta):
$ guix import cran --recursive walrus (define-public r-mc2d ; ... (license gpl2+))) (define-public r-jmvcore ; ... (license gpl2+))) (define-public r-wrs2 ; ... (license gpl3))) (define-public r-walrus (package (name "r-walrus") (version "1.0.3") (source (origin (method url-fetch) (uri (cran-uri "walrus" version)) (sha256 (base32 "1nk2glcvy4hyksl5ipq2mz8jy4fss90hx6cq98m3w96kzjni6jjj")))) (build-system r-build-system) (propagated-inputs (list r-ggplot2 r-jmvcore r-r6 r-wrs2)) (home-page "https://github.com/jamovi/walrus") (synopsis "Robust Statistical Methods") (description "This package provides a toolbox of common robust statistical tests, including robust descriptives, robust t-tests, and robust ANOVA. It is also available as a module for 'jamovi' (see <https://www.jamovi.org> for more information). Walrus is based on the WRS2 package by Patrick Mair, which is in turn based on the scripts and work of Rand Wilcox. These analyses are described in depth in the book 'Introduction to Robust Estimation & Hypothesis Testing'.") (license gpl3)))
Rekurzívny nahrávač nahrá len balíky, pre ktoré Guix ešte nemá zadanie, okrem úplne prvého.
Takto vytvoriť zadania balíkov nie je možné pre všetky aplikácie, iba pre tie, ktoré sa opierajú o vybraný počet podporovaných systémov. Viď úplný zoznam nahrávačov v príslušnom oddiele príručky (see Invoking guix import in GNU Guix Reference Manual).
Next: Dedičnosť, Previous: Rekurzívne nahrávače, Up: Programovateľné a automatické zadávanie balíkov [Contents][Index]
Guix môže byť dostatočne múdry na to, aby vyhľadal aktualizácie v systémoch, ktoré pozná. To, ktoré balíky sú zastarané možno zistiť pomocou
$ guix refresh hello
Vo väčšine prípadov vyžaduje aktualizácia balíka na novšiu verziu len o niečo viac ako zmeniť číslo verzie a kontrolný súčet. Aj toto môže Guix vykonať automaticky:
$ guix refresh hello --update
Previous: Automatické aktualizácie, Up: Programovateľné a automatické zadávanie balíkov [Contents][Index]
Ak ste si už začali prezerať zadania jestvujúcich balíkov, možno ste si
všimli, že niektoré z nich obsahujú pole inherit
:
(define-public adwaita-icon-theme
(package (inherit gnome-icon-theme)
(name "adwaita-icon-theme")
(version "3.26.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnome/sources/" name "/"
(version-major+minor version) "/"
name "-" version ".tar.xz"))
(sha256
(base32
"17fpahgh5dyckgz7rwqvzgnhx53cx9kr2xw0szprc6bnqy977fi8"))))
(native-inputs (list `(,gtk+ "bin")))))
Všetky neupresnené polia sú zdedené z nadradeného balíka. Je to veľmi užitočné na vytváranie obmien balíkov, napr. s odlišným zdrojom, verziou alebo voľbami zostavenia.
Next: Záver, Previous: Programovateľné a automatické zadávanie balíkov, Up: Návod na zadávanie balíkov [Contents][Index]
Nanešťastie, zadanie balíka môže byť pre niektoré aplikácie veľmi zložité. Niekedy je potrebná záplata, aby mohla aplikácia fungovať v neobyčajnom systéme súborov úložiska. Niekedy sa zase sústava testov nespúšťa správne (môžete ich preskočiť ale neodporúča sa to). Inokedy nie je výsledný balík opakovateľný.
Keď už neviete ako ďalej a nie ste schopní prísť na to, ako vyriešiť nejakú ťažkosť so zadávaním balíka, neváhajte požiadať o pomoc spoločenstvo.
Viď Guix homepage pre podrobnosti o elektronických konferenciách, IRC, atď.
Next: Odkazy, Previous: Získavanie pomoci, Up: Návod na zadávanie balíkov [Contents][Index]
Tento návod vám predviedol vyumelkovanú správu balíkov, ktorou sa Guix
chváli. V tejto chvíli sme tento úvod zúžili na gnu-build-system
predstavujúci ústrednú abstrakčnú vrstvu, na ktorej sú založené
pokročilejšie abstrakčné vrstvy.
Kam teraz? Ďalej by sme si mali posvietiť na vnútorné fungovanie
zostavovacích systémov vynechajúc všetky abstrakčné vrstvy prostredníctvom
trivial-build-system
. Malo by nám to umožniť lepšie porozumieť
postupu zostavenia, skôr ako sa dostaneme k pokročilejším postupom a
výnimkám.
Ďalšie funkcie, ktoré sa oplatí preskúmať, sú interaktívna úprava a možnosti ladenia Guixu poskytované cez Guile REPL.
Tieto pokročilé funkcie sú len doplnkové a môžu počkať. Teraz je ten správny čas na zaslúženú prestávku. S tým, čo sme si ukázali, by ste si mali vystačiť pri zadávaní balíkov pre mnoho programov. Môžete sa do toho hneď pustiť a dúfame, že nás vašim príspevkom potešíte už čoskoro!
Previous: Záver, Up: Návod na zadávanie balíkov [Contents][Index]
Next: Containers, Previous: Zadávanie balíkov, Up: Top [Contents][Index]
Guix ponúka všestranný jazyk na deklaratívne nastavenie vášho systému Guix. Táto všestrannosť sa môže niekedy zdať nadmerná. Účelom tohto oddielu je predstaviť niektoré pokročilé spôsoby nastavenia.
Viď úplnú odvolávku v see Nastavenie systému in GNU Guix Reference Manual.
• Automatické pripojenie k určitému TTY | Automaticky pripojiť používateľa k určitému TTY | |
• Prispôsobenie jadra | Vytvorenie a používanie vlastného Linuxového jadra v systéme Guix. | |
• API pre vytváranie obrazov systému Guix | Prispôsobenie obrazov nezvyčajným platformám. | |
• Using security keys | How to use security keys with Guix System. | |
• Pripojenie k Wireguard VPN | Pripojenie k Wireguard VPN sieti. | |
• Prispôsobenie správcu okien | Spravovať prispôsobenie správcu okien v systéme Guix. | |
• Spúšťanie Guixu na serveri Linode | Spúšťanie Guixu na serveri Linode | |
• Nastavenie podvojného pripojenia | Nastavenie podvojného pripojenia v zadaní systému súborov. | |
• Získavanie náhrad prostredníctvom Tor | Nastavenie démona Guix na získavanie náhrad cez Tor. | |
• Nastavenia NGINX a Lua | Nastavenie web-servera NGINX na načítavanie Lua modulov. | |
• Music Server with Bluetooth Audio | Headless music player with Bluetooth output. |
Next: Prispôsobenie jadra, Up: Nastavenie systému [Contents][Index]
Zatiaľ čo príručka pre Guix popisuje automatické prihlásenie jedného
používateľa ku všetkým TTY (see auto-login to TTY in GNU
Guix Reference Manual), mohol by vám viac vyhovovať stav, keď je jeden
používateľ pripojený k jednému TTY a ostatné TTY sú nastavené na
prihlasovanie ďalších používateľov alebo nikoho. Všimnite si, že jedného
používateľa je možné automaticky prihlásiť k akémukoľvek TTY. Avšak, je
lepšie vynechať tty1
, ktorý je predvolene využívaný na zobrazovanie
varovaných a chybových hlásení.
Takto je možné nastaviť automatické prihlásenie jedného používateľa k jednému TTY:
(define (auto-login-to-tty config tty user) (if (string=? tty (mingetty-configuration-tty config)) (mingetty-configuration (inherit config) (auto-login user)) config)) (define %my-services (modify-services %base-services ;; … (mingetty-service-type config => (auto-login-to-tty config "tty3" "alice")))) (operating-system ;; … (services %my-services))
Tiež je možné použiť compose
(see Higher-Order Functions in The Guile Reference Manual) s auto-login-to-tty
pre prihlásenie
viacerých používateľov k viacerým TTY.
Varovanie na koniec. Nastavenie automatického prihlásenia k TTY znamená, že ktokoľvek môže zapnúť váš počítač a spúšťať príkazy ako zvyčajný používateľ. Hoci, ak používate zašifrovaný koreňový systém a pri spustení systému je nutné zadať heslo, automatické prihlásenie predstavuje praktickú možnosť.
Next: API pre vytváranie obrazov systému Guix, Previous: Automatické pripojenie k určitému TTY, Up: Nastavenie systému [Contents][Index]
Guix je, vo svojom jadre, distribúcia založená na zdrojových súboroch a náhradách (see Substitutes in GNU Guix Reference Manual). Zostavovanie balíkov z ich zdrojových súborov je teda prirodzenou súčasťou inštalácie a aktualizácie balíkov. Vzhľadom na túto skutočnosť dáva zmysel snaha o zníženie množstva času potrebného na zostavenie balíkov a nedávne zmeny v zostavovaní a šírení náhrad sú aj naďalej súčasťou rozhovorov vrámci projektu Guix.
Aj keď nevyžaduje veľké množstvo pamäte RAM, zostavenie jadra na priemerných počítačoch môže trvať veľmi dlho. Oficiálne nastavenie jadra, tak ako je to v prípade mnohých iných distribúcií GNU/Linuxu, sa prikláňa k širšej ponuke súčastí a to je to, čo spôsobuje, že zostavenie jadra zo zdrojových súborov trvá tak dlho.
Avšak, aj samotné jadro Linuxu možno opísať ako balík a teda prispôsobiť ho rovnako ako hociktorý iný balík. Postup je mierne odlišný, aj keď hlavne kvôli tomu ako je zadanie balíka napísané.
Balík jadra linux-libre
je vlastne funkcia tvoriaca balík.
(define* (make-linux-libre* version gnu-revision source supported-systems
#:key
(extra-version #f)
;; Funkcia vyžadujúca označenie a druh architektúry.
;; Viď príklad v kernel-config.
(configuration-file #f)
(defconfig "defconfig")
(extra-options %default-extra-linux-options))
...)
Terajší balík linux-libre
pre vydania 5.15.x je zadaný nasledovne:
(define-public linux-libre-5.15
(make-linux-libre* linux-libre-5.15-version
linux-libre-5.15-gnu-revision
linux-libre-5.15-source
'("x86_64-linux" "i686-linux" "armhf-linux" "aarch64-linux" "riscv64-linux")
#:configuration-file kernel-config))
Kľúče, ktoré nemajú pridelenú hodnotu dedia ich predvolenú hodnotu zo
zadania make-linux-libre
. Pri porovnávaní vyššie uvedených úryvkov
zdrojového kódu si všimnite komentár odvolávajúci sa na
#:configuration-file
. Kvôli tomu vlastne nie je jednoduché zahrnúť
do zadania svoje vlastné nastavenie jadra, ale nezúfajte, pretože jestvujú
ďalšie spôsoby ako pracovať s tým čo máme.
Jestvujú dva spôsoby ako vytvoriť jadro s vlastným nastavením. Prvý je
poskytnúť zvyčajný súbor .config počas zostavenia zahrnutím tohto
súboru do pôvodných vstupov nášho vlastného jadra. Nižšie je uvedený úryvok
kódu vlastného 'configure
kroku zo zadania balíka
make-linux-libre
:
(let ((build (assoc-ref %standard-phases 'build))
(config (assoc-ref (or native-inputs inputs) "kconfig")))
;; Použiť vlastný alebo predvolený súbor
;; nastavenia jadra.
(if config
(begin
(copy-file config ".config")
(chmod ".config" #o666))
(invoke "make" ,defconfig)))
Tu je príklad balíka jadra. Balík linux-libre
nie je ničím výnimočný,
môžeme ho zdediť a nahradiť jeho pôvodné polia ako pri hociktorom inom
balíku:
(define-public linux-libre/E2140
(package
(inherit linux-libre)
(native-inputs
`(("kconfig" ,(local-file "E2140.config"))
,@(alist-delete "kconfig"
(package-native-inputs linux-libre))))))
V rovnakom priečinku, kde je súbor zadávajúci linux-libre-E2140
je aj
súbor s názvom E2140.config, ktorý predstavuje súbor nastavenia
jadra. Kľúčové slovo defconfig
funkcie make-linux-libre
je tu
ponechané prázdne, takže jediné nastavenie jadra v balíku je to, ktoré bolo
zahrnuté do poľa native-inputs
.
Druhý spôsob ako vytvoriť vlastné jadro je dať novú hodnotu kľúčovému slovu
extra-options
funkcie make-linux-libre
. Kľúčové slovo
extra-options
funguje s inou funkciou zadanou nižšie:
(define %default-extra-linux-options `(;; https://lists.gnu.org/archive/html/guix-devel/2014-04/msg00039.html ("CONFIG_DEVPTS_MULTIPLE_INSTANCES" . #true) ;; Moduly potrebné pre initrd: ("CONFIG_NET_9P" . m) ("CONFIG_NET_9P_VIRTIO" . m) ("CONFIG_VIRTIO_BLK" . m) ("CONFIG_VIRTIO_NET" . m) ("CONFIG_VIRTIO_PCI" . m) ("CONFIG_VIRTIO_BALLOON" . m) ("CONFIG_VIRTIO_MMIO" . m) ("CONFIG_FUSE_FS" . m) ("CONFIG_CIFS" . m) ("CONFIG_9P_FS" . m))) (define (config->string options) (string-join (map (match-lambda ((option . 'm) (string-append option "=m")) ((option . #true) (string-append option "=y")) ((option . #false) (string-append option "=n"))) options) "\n"))
A vo vlastnom „configure“ skripte balíka „make-linux-libre“:
;; Vkladanie na koniec funguje aj keď voľba v súbore nebola. ;; Pri viacnásobnom uvedení prevažuje to posledné. (let ((port (open-file ".config" "a")) (extra-configuration ,(config->string extra-options))) (display extra-configuration port) (close-port port)) (invoke "make" "oldconfig")
Takže, neposkytnutie súboru nastavenia spôsobí, že je súbor .config spočiatku prázdny. Potom doň zapíšeme voľby, ktoré chceme. Viď ďalšie vlastné zadanie jadra:
(define %macbook41-full-config (append %macbook41-config-options %file-systems %efi-support %emulation (@@ (gnu packages linux) %default-extra-linux-options))) (define-public linux-libre-macbook41 ;; XXX: Prístup k funkcii „make-linux-libre*“, ktorá je súkromná, ;; neexportuje sa a v budúcnosti by sa mohla zmeniť. ((@@ (gnu packages linux) make-linux-libre*) (@@ (gnu packages linux) linux-libre-version) (@@ (gnu packages linux) linux-libre-gnu-revision) (@@ (gnu packages linux) linux-libre-source) '("x86_64-linux") #:extra-version "macbook41" #:extra-options %macbook41-config-options))
V hore uvedenom príklade je %file-systems
zbierkou volieb
povoľujúcich podporu rôznych systémov súborov, %efi-support
povoľuje
podporu EFI a %emulation
povoľuje strojom x86_64-linux pracovať v
32-bitovom režime. Voľby %default-extra-linux-options
sú tie
citované vyššie, ktoré bolo treba pridať, keďže boli prepísané v kľúčovom
slove extra-options
.
Všetko toto znie veľmi dobre, ale ako zistiť, ktoré moduly vyžaduje určitý
systém? Na túto otázku nám môžu pomôcť odpovedať dva zdroje:
Príručka Gentoo a
dokumentácia samotného jadra. Podľa dokumentácie jadra sa zdá, že
make localmodconfig
je príkaz, ktorý hľadáme.
Skôr ako budeme môcť spustiť make localmodconfig
, musíme stiahnuť a
rozbaliť zdrojové súbory jadra:
tar xf $(guix build linux-libre --source)
V priečinku obsahujúcom zdrojové súbory spustite touch .config
pre
vytvorenie počiatočného prázdneho .config súboru. make
localmodconfig
funguje tak, že zistí, čo ste už zadali do .config a
povie vám, čo vám ešte chýba. Ak je súbor prázdny, tak vám chýba všetko.
Ďalším krokom je spustiť:
guix shell -D linux-libre -- make localmodconfig
a pozrite si výstup. Všimnite si, že súbor .config je stále prázdny. Výstup obvykle obsahuje dva druhy varovných správ. Prvá začína slovom „WARNING“ a v našom prípade si ju nemusíme všímať. Druhá správa nám hovorí, že:
module pcspkr did not have configs CONFIG_INPUT_PCSPKR
Pre každý z týchto riadkov skopírujte časť CONFIG_XXXX_XXXX
do
.config súboru priečinka a pridajte =m
tak, aby nakoniec
vyzeral takto:
CONFIG_INPUT_PCSPKR=m CONFIG_VIRTIO=m
Po skopírovaní všetkých volieb nastavenia znova spustite make
localmodconfig
, aby ste sa uistili, že výstup už neobsahuje žiadne správy
začínajúce slovom „module“. Okrem všetkých týchto modulov vzťahujúcich sa k
stroju nám ostáva ešte niekoľko ďalších dôležitých modulov.
CONFIG_MODULES
umožňuje zostavovať a načítavať moduly oddelene, aby
nemuseli byť zabudované do jadra. CONFIG_BLK_DEV_SD
umožňuje čítať
pevné disky. Je tiež možné, že budete potrebovať aj iné moduly.
Tento príspevok nemá za úlohu vás previesť nastavením vášho vlastného jadra. Ak sa rozhodnete zostaviť si vlastné jadro, budete si musieť nájsť iné návody na vytvorenie jadra, ktoré vám bude vyhovovať.
Druhý spôsob nastavenia jadra využíva funkcie Guixu vo väčšej miere a umožňuje vám zdieľať časti nastavenia medzi rôznymi jadrami. Napríklad, všetky stroje používajúce na zavádzanie EFI vyžadujú určitý počet volieb nastavenia EFI. Je tiež pravdepodobné, že viaceré jadrá budú zdieľať podporu niekoľkých súborových systémov. Použitím premenných je jednoduchšie spozorovať, ktoré súčasti sú povolené a uistiť sa, či nie sú niektoré z nich prítomné v jednom jadre ale v druhom chýbajú.
Nepozreli sme sa však na initrd a jeho prispôsobenie. Je pravdepodobné, že budete potrebovať prispôsobiť initrd na stroji s vlastným jadrom, keďže niektoré moduly nemusia byť dostupné pre zahrnutie do initrd.
Next: Using security keys, Previous: Prispôsobenie jadra, Up: Nastavenie systému [Contents][Index]
Z dejinného pohľadu je systém Guix sústredený okolo štruktúry
operating-system
. Táto štruktúra obsahuje rôzne polia počínajúc
zadaním zavádzača a jadra až k službám, ktoré sa majú nainštalovať.
Požiadavky na obraz sa môžu značne líšiť v závislosti na cieľovom stroji, čo
môže byť obvyklý x86_64
alebo malý jednodoskový počítač ako
Pine64. Výrobcovia technického vybavenia presadzujú rôzne formáty obrazov s
rôznymi veľkosťami a umiestneniami oddielov.
Na vytváranie obrazov vhodných pre všetky tieto stroje je nevyhnutné ďalšie
zovšeobecnenie, čo je cieľom záznamu image
. Tento záznam obsahuje
všetky potrebné údaje k premene na samostatný obraz, ktorý je možno priamo
zaviesť na hocijakom cieľovom stroji.
(define-record-type* <image>
image make-image
image?
(name image-name ;symbol
(default #f))
(format image-format) ;symbol
(target image-target
(default #f))
(size image-size ;size in bytes as integer
(default 'guess))
(operating-system image-operating-system ;<operating-system>
(default #f))
(partitions image-partitions ;list of <partition>
(default '()))
(compression? image-compression? ;boolean
(default #t))
(volatile-root? image-volatile-root? ;boolean
(default #t))
(substitutable? image-substitutable? ;boolean
(default #t)))
Tento záznam obsahuje operačný systém na zostavenie. Pole format
určuje druh obrazu a medzi jeho platné hodnoty patria efi-raw
,
qcow2
alebo iso9660
. V budúcnosti by sa mohli rozšíriť o
docker
a ďalšie druhy obrazov.
Na zadávanie obrazov bol spomedzi zdrojových súborov Guixu vyhradený nový priečinok. Zatiaľ sa v ňom nachádzajú štyri súbory:
Pozrime sa na pine64.scm. Obsahuje premennú
pine64-barebones-os
predstavujúcu najmenšie možné zadanie operačného
systému určeného pre dosku Pine A64 LTS.
(define pine64-barebones-os
(operating-system
(host-name "vignemale")
(timezone "Europe/Bratislava")
(locale "sk_SK.utf8")
(bootloader (bootloader-configuration
(bootloader u-boot-pine64-lts-bootloader)
(targets '("/dev/vda"))))
(initrd-modules '())
(kernel linux-libre-arm64-generic)
(file-systems (cons (file-system
(device (file-system-label "moj-korenovy-system"))
(mount-point "/")
(type "ext4"))
%base-file-systems))
(services (cons (service agetty-service-type
(agetty-configuration
(extra-options '("-L")) ; bez zisťovania nosného signálu
(baud-rate "115200")
(term "vt100")
(tty "ttyS0")))
%base-services))))
Polia kernel
a bootloader
odkazujú na balíky určené pre túto
dosku.
Tesne pod nimi je zadaná aj premenná pine64-image-type
.
(define pine64-image-type
(image-type
(name 'pine64-raw)
(constructor (cut image-with-os arm64-disk-image <>))))
Využíva záznam, o ktorom sme ešte nehovorili, a teda image-type
,
zadaný nasledovne:
(define-record-type* <image-type> image-type make-image-type image-type? (name image-type-name) ; znak (constructor image-type-constructor)) ; <operating-system> -> <image>
Hlavným účelom tohto záznamu je priradiť názov funkcii pretvárajúcej
operating-system
na obraz. Aby sme pochopili, prečo je to dôležité,
pozrime sa na príkaz vytvárajúci obraz zo súboru nastavení
operating-system
:
guix system image moj-os.scm
Tento príkaz očakáva nastavenie druhu operating-system
, ale ako by
sme mali určiť, že chceme obraz pre dosku Pine64? Musíme poskytnúť
doplňujúci údaj, image-type
, pomocou voľby --image-type
alebo
-t
a to takto:
guix system image --image-type=pine64-raw moj-os.scm
This image-type
parameter points to the pine64-image-type
defined above. Hence, the operating-system
declared in
my-os.scm
will be applied the (cut image-with-os
arm64-disk-image <>)
procedure to turn it into an image.
The resulting image looks like:
(image
(format 'disk-image)
(target "aarch64-linux-gnu")
(operating-system my-os)
(partitions
(list (partition
(inherit root-partition)
(offset root-offset)))))
which is the aggregation of the operating-system
defined in
my-os.scm
to the arm64-disk-image
record.
But enough Scheme madness. What does this image API bring to the Guix user?
One can run:
mathieu@cervin:~$ guix system --list-image-types The available image types are: - pinebook-pro-raw - pine64-raw - novena-raw - hurd-raw - hurd-qcow2 - qcow2 - uncompressed-iso9660 - efi-raw - arm64-raw - arm32-raw - iso9660
and by writing an operating-system
file based on
pine64-barebones-os
, you can customize your image to your preferences
in a file (my-pine-os.scm) like this:
(use-modules (gnu services linux) (gnu system images pine64)) (let ((base-os pine64-barebones-os)) (operating-system (inherit base-os) (timezone "America/Indiana/Indianapolis") (services (cons (service earlyoom-service-type (earlyoom-configuration (prefer-regexp "icecat|chromium"))) (operating-system-user-services base-os)))))
run:
guix system image --image-type=pine64-raw my-pine-os.scm
or,
guix system image --image-type=hurd-raw my-hurd-os.scm
to get an image that can be written directly to a hard drive and booted from.
Without changing anything to my-hurd-os.scm
, calling:
guix system image --image-type=hurd-qcow2 my-hurd-os.scm
will instead produce a Hurd QEMU image.
Next: Pripojenie k Wireguard VPN, Previous: API pre vytváranie obrazov systému Guix, Up: Nastavenie systému [Contents][Index]
The use of security keys can improve your security by providing a second authentication source that cannot be easily stolen or copied, at least for a remote adversary (something that you have), to the main secret (a passphrase – something that you know), reducing the risk of impersonation.
The example configuration detailed below showcases what minimal configuration needs to be made on your Guix System to allow the use of a Yubico security key. It is hoped the configuration can be useful for other security keys as well, with minor adjustments.
To be usable, the udev rules of the system should be extended with
key-specific rules. The following shows how to extend your udev rules with
the lib/udev/rules.d/70-u2f.rules udev rule file provided by the
libfido2
package from the (gnu packages security-token)
module
and add your user to the ‘"plugdev"’ group it uses:
(use-package-modules ... security-token ...) ... (operating-system ... (users (cons* (user-account (name "your-user") (group "users") (supplementary-groups '("wheel" "netdev" "audio" "video" "plugdev")) ;<- added system group (home-directory "/home/your-user")) %base-user-accounts)) ... (services (cons* ... (udev-rules-service 'fido2 libfido2 #:groups '("plugdev")))))
After re-configuring your system and re-logging in your graphical session so that the new group is in effect for your user, you can verify that your key is usable by launching:
guix shell ungoogled-chromium -- chromium chrome://settings/securityKeys
and validating that the security key can be reset via the “Reset your security key” menu. If it works, congratulations, your security key is ready to be used with applications supporting two-factor authentication (2FA).
Next: Prispôsobenie správcu okien, Previous: Using security keys, Up: Nastavenie systému [Contents][Index]
To connect to a Wireguard VPN server you need the kernel module to be loaded
in memory and a package providing networking tools that support it (e.g.
wireguard-tools
or network-manager
).
Here is a configuration example for Linux-Libre < 5.6, where the module is out of tree and need to be loaded manually—following revisions of the kernel have it built-in and so don’t need such configuration:
(use-modules (gnu)) (use-service-modules desktop) (use-package-modules vpn) (operating-system ;; … (services (cons (simple-service 'wireguard-module kernel-module-loader-service-type '("wireguard")) %desktop-services)) (packages (cons wireguard-tools %base-packages)) (kernel-loadable-modules (list wireguard-linux-compat)))
After reconfiguring and restarting your system you can either use Wireguard tools or NetworkManager to connect to a VPN server.
To test your Wireguard setup it is convenient to use wg-quick
.
Just give it a configuration file wg-quick up ./wg0.conf
; or put
that file in /etc/wireguard and run wg-quick up wg0
instead.
Poznámka: Be warned that the author described this command as a: “[…] very quick and dirty bash script […]”.
Thanks to NetworkManager support for Wireguard we can connect to our VPN
using nmcli
command. Up to this point this guide assumes that
you’re using Network Manager service provided by %desktop-services
.
Ortherwise you need to adjust your services list to load
network-manager-service-type
and reconfigure your Guix system.
To import your VPN configuration execute nmcli import command:
# nmcli connection import type wireguard file wg0.conf Connection 'wg0' (edbee261-aa5a-42db-b032-6c7757c60fde) successfully added
This will create a configuration file in /etc/NetworkManager/wg0.nmconnection. Next connect to the Wireguard server:
$ nmcli connection up wg0 Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
By default NetworkManager will connect automatically on system boot. To change that behaviour you need to edit your config:
# nmcli connection modify wg0 connection.autoconnect no
For more specific information about NetworkManager and wireguard see this post by thaller.
Next: Spúšťanie Guixu na serveri Linode, Previous: Pripojenie k Wireguard VPN, Up: Nastavenie systému [Contents][Index]
• StumpWM | ||
• Session lock |
Next: Session lock, Up: Prispôsobenie správcu okien [Contents][Index]
You could install StumpWM with a Guix system by adding stumpwm
and
optionally `(,stumpwm "lib")
packages to a system configuration file,
e.g. /etc/config.scm.
An example configuration can look like this:
(use-modules (gnu)) (use-package-modules wm) (operating-system ;; … (packages (append (list sbcl stumpwm `(,stumpwm "lib")) %base-packages)))
By default StumpWM uses X11 fonts, which could be small or pixelated on your
system. You could fix this by installing StumpWM contrib Lisp module
sbcl-ttf-fonts
, adding it to Guix system packages:
(use-modules (gnu)) (use-package-modules fonts wm) (operating-system ;; … (packages (append (list sbcl stumpwm `(,stumpwm "lib")) sbcl-ttf-fonts font-dejavu %base-packages)))
Then you need to add the following code to a StumpWM configuration file ~/.stumpwm.d/init.lisp:
(require :ttf-fonts) (setf xft:*font-dirs* '("/run/current-system/profile/share/fonts/")) (setf clx-truetype:+font-cache-filename+ (concat (getenv "HOME") "/.fonts/font-cache.sexp")) (xft:cache-fonts) (set-font (make-instance 'xft:font :family "DejaVu Sans Mono" :subfamily "Book" :size 11))
Previous: StumpWM, Up: Prispôsobenie správcu okien [Contents][Index]
Depending on your environment, locking the screen of your session might come built in or it might be something you have to set up yourself. If you use a desktop environment like GNOME or KDE, it’s usually built in. If you use a plain window manager like StumpWM or EXWM, you might have to set it up yourself.
• Xorg |
Up: Session lock [Contents][Index]
If you use Xorg, you can use the utility xss-lock to lock the screen of your session. xss-lock is triggered by DPMS which since Xorg 1.8 is auto-detected and enabled if ACPI is also enabled at kernel runtime.
To use xss-lock, you can simple execute it and put it into the background before you start your window manager from e.g. your ~/.xsession:
xss-lock -- slock & exec stumpwm
In this example, xss-lock uses slock
to do the actual locking of the
screen when it determines it’s appropriate, like when you suspend your
device.
For slock to be allowed to be a screen locker for the graphical session, it needs to be made setuid-root so it can authenticate users, and it needs a PAM service. This can be achieved by adding the following service to your config.scm:
(screen-locker-service slock)
If you manually lock your screen, e.g. by directly calling slock when you
want to lock your screen but not suspend it, it’s a good idea to notify
xss-lock about this so no confusion occurs. This can be done by executing
xset s activate
immediately before you execute slock.
Next: Nastavenie podvojného pripojenia, Previous: Prispôsobenie správcu okien, Up: Nastavenie systému [Contents][Index]
To run Guix on a server hosted by Linode, start with a recommended Debian server. We recommend using the default distro as a way to bootstrap Guix. Create your SSH keys.
ssh-keygen
Be sure to add your SSH key for easy login to the remote server. This is trivially done via Linode’s graphical interface for adding SSH keys. Go to your profile and click add SSH Key. Copy into it the output of:
cat ~/.ssh/<username>_rsa.pub
Power the Linode down.
In the Linode’s Storage tab, resize the Debian disk to be smaller. 30 GB free space is recommended. Then click "Add a disk", and fill out the form with the following:
In the Configurations tab, press "Edit" on the default Debian profile. Under "Block Device Assignment" click "Add a Device". It should be /dev/sdc and you can select the "Guix" disk. Save Changes.
Now "Add a Configuration", with the following:
Now power it back up, booting with the Debian configuration. Once it’s
running, ssh to your server via ssh
root@<your-server-IP-here>
. (You can find your server IP address in
your Linode Summary section.) Now you can run the "install guix from
see Binary Installation in GNU Guix" steps:
sudo apt-get install gpg wget https://sv.gnu.org/people/viewgpg.php?user_id=15145 -qO - | gpg --import - wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh chmod +x guix-install.sh ./guix-install.sh guix pull
Now it’s time to write out a config for the server. The key information is below. Save the resulting file as guix-config.scm.
(use-modules (gnu) (guix modules)) (use-service-modules networking ssh) (use-package-modules admin certs package-management ssh tls) (operating-system (host-name "my-server") (timezone "America/New_York") (locale "en_US.UTF-8") ;; This goofy code will generate the grub.cfg ;; without installing the grub bootloader on disk. (bootloader (bootloader-configuration (bootloader (bootloader (inherit grub-bootloader) (installer #~(const #true)))))) (file-systems (cons (file-system (device "/dev/sda") (mount-point "/") (type "ext4")) %base-file-systems)) (swap-devices (list "/dev/sdb")) (initrd-modules (cons "virtio_scsi" ; Needed to find the disk %base-initrd-modules)) (users (cons (user-account (name "janedoe") (group "users") ;; Adding the account to the "wheel" group ;; makes it a sudoer. (supplementary-groups '("wheel")) (home-directory "/home/janedoe")) %base-user-accounts)) (packages (cons* nss-certs ;for HTTPS access openssh-sans-x %base-packages)) (services (cons* (service dhcp-client-service-type) (service openssh-service-type (openssh-configuration (openssh openssh-sans-x) (password-authentication? #false) (authorized-keys `(("janedoe" ,(local-file "janedoe_rsa.pub")) ("root" ,(local-file "janedoe_rsa.pub")))))) %base-services)))
Replace the following fields in the above configuration:
(host-name "my-server") ; replace with your server name ; if you chose a linode server outside the U.S., then ; use tzselect to find a correct timezone string (timezone "America/New_York") ; if needed replace timezone (name "janedoe") ; replace with your username ("janedoe" ,(local-file "janedoe_rsa.pub")) ; replace with your ssh key ("root" ,(local-file "janedoe_rsa.pub")) ; replace with your ssh key
The last line in the above example lets you log into the server as root and set the initial root password (see the note at the end of this recipe about root login). After you have done this, you may delete that line from your configuration and reconfigure to prevent root login.
Copy your ssh public key (eg: ~/.ssh/id_rsa.pub) as <your-username-here>_rsa.pub and put guix-config.scm in the same directory. In a new terminal run these commands.
sftp root@<remote server ip address> put /path/to/files/<username>_rsa.pub . put /path/to/files/guix-config.scm .
In your first terminal, mount the guix drive:
mkdir /mnt/guix mount /dev/sdc /mnt/guix
Due to the way we set up the bootloader section of the guix-config.scm, only the grub configuration file will be installed. So, we need to copy over some of the other GRUB stuff already installed on the Debian system:
mkdir -p /mnt/guix/boot/grub cp -r /boot/grub/* /mnt/guix/boot/grub/
Now initialize the Guix installation:
guix system init guix-config.scm /mnt/guix
Ok, power it down! Now from the Linode console, select boot and select "Guix".
Once it boots, you should be able to log in via SSH! (The server config will have changed though.) You may encounter an error like:
$ ssh root@<server ip address> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is SHA256:0B+wp33w57AnKQuHCvQP0+ZdKaqYrI/kyU7CfVbS7R4. Please contact your system administrator. Add correct host key in /home/joshua/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/joshua/.ssh/known_hosts:3 ECDSA host key for 198.58.98.76 has changed and you have requested strict checking. Host key verification failed.
Either delete ~/.ssh/known_hosts file, or delete the offending line starting with your server IP address.
Be sure to set your password and root’s password.
ssh root@<remote ip address> passwd ; for the root password passwd <username> ; for the user password
You may not be able to run the above commands at this point. If you have issues remotely logging into your linode box via SSH, then you may still need to set your root and user password initially by clicking on the “Launch Console” option in your linode. Choose the “Glish” instead of “Weblish”. Now you should be able to ssh into the machine.
Hooray! At this point you can shut down the server, delete the Debian disk, and resize the Guix to the rest of the size. Congratulations!
By the way, if you save it as a disk image right at this point, you’ll have an easy time spinning up new Guix images! You may need to down-size the Guix image to 6144MB, to save it as an image. Then you can resize it again to the max size.
Next: Získavanie náhrad prostredníctvom Tor, Previous: Spúšťanie Guixu na serveri Linode, Up: Nastavenie systému [Contents][Index]
To bind mount a file system, one must first set up some definitions before
the operating-system
section of the system definition. In this
example we will bind mount a folder from a spinning disk drive to
/tmp, to save wear and tear on the primary SSD, without dedicating an
entire partition to be mounted as /tmp.
First, the source drive that hosts the folder we wish to bind mount should be defined, so that the bind mount can depend on it.
(define source-drive ;; "source-drive" can be named anything you want. (file-system (device (uuid "UUID goes here")) (mount-point "/path-to-spinning-disk-goes-here") (type "ext4"))) ;; Make sure to set this to the appropriate type for your drive.
The source folder must also be defined, so that guix will know it’s not a regular block device, but a folder.
(define (%source-directory) "/path-to-spinning-disk-goes-here/tmp") ;; "source-directory" can be named any valid variable name.
Finally, inside the file-systems
definition, we must add the mount
itself.
(file-systems (cons*
...<other drives omitted for clarity>...
source-drive ;; Must match the name you gave the source drive in the earlier definition.
(file-system
(device (%source-directory)) ;; Make sure "source-directory" matches your earlier definition.
(mount-point "/tmp")
(type "none") ;; We are mounting a folder, not a partition, so this type needs to be "none"
(flags '(bind-mount))
(dependencies (list source-drive)) ;; Ensure "source-drive" matches what you've named the variable for the drive.
)
...<other drives omitted for clarity>...
))
Next: Nastavenia NGINX a Lua, Previous: Nastavenie podvojného pripojenia, Up: Nastavenie systému [Contents][Index]
Guix daemon can use a HTTP proxy to get substitutes, here we are configuring it to get them via Tor.
Upozornenie: Not all Guix daemon’s traffic will go through Tor! Only HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections will still go through the clearnet. Again, this configuration isn’t foolproof some of your traffic won’t get routed by Tor at all. Use it at your own risk.
Also note that the procedure described here applies only to package substitution. When you update your guix distribution with
guix pull
, you still need to usetorsocks
if you want to route the connection to guix’s git repository servers through Tor.
Guix’s substitute server is available as a Onion service, if you want to use it to get your substitutes through Tor configure your system as follow:
(use-modules (gnu)) (use-service-module base networking) (operating-system … (services (cons (service tor-service-type (tor-configuration (config-file (plain-file "tor-config" "HTTPTunnelPort 127.0.0.1:9250")))) (modify-services %base-services (guix-service-type config => (guix-configuration (inherit config) ;; ci.guix.gnu.org's Onion service (substitute-urls "https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion") (http-proxy "http://localhost:9250")))))))
This will keep a tor process running that provides a HTTP CONNECT tunnel
which will be used by guix-daemon
. The daemon can use other
protocols than HTTP(S) to get remote resources, request using those
protocols won’t go through Tor since we are only setting a HTTP tunnel
here. Note that substitutes-urls
is using HTTPS and not HTTP or it
won’t work, that’s a limitation of Tor’s tunnel; you may want to use
privoxy
instead to avoid such limitations.
If you don’t want to always get substitutes through Tor but using it just
some of the times, then skip the guix-configuration
. When you want
to get a substitute from the Tor tunnel run:
sudo herd set-http-proxy guix-daemon http://localhost:9250 guix build \ --substitute-urls=https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion …
Next: Music Server with Bluetooth Audio, Previous: Získavanie náhrad prostredníctvom Tor, Up: Nastavenie systému [Contents][Index]
NGINX could be extended with Lua scripts.
Guix provides NGINX service with ability to load Lua module and specific Lua packages, and reply to requests by evaluating Lua scripts.
The following example demonstrates system definition with configuration to evaluate index.lua Lua script on HTTP request to http://localhost/hello endpoint:
local shell = require "resty.shell" local stdin = "" local timeout = 1000 -- ms local max_size = 4096 -- byte local ok, stdout, stderr, reason, status = shell.run([[/run/current-system/profile/bin/ls /tmp]], stdin, timeout, max_size) ngx.say(stdout)
(use-modules (gnu)) (use-service-modules #;… web) (use-package-modules #;… lua) (operating-system ;; … (services ;; … (service nginx-service-type (nginx-configuration (modules (list (file-append nginx-lua-module "/etc/nginx/modules/ngx_http_lua_module.so"))) (lua-package-path (list lua-resty-core lua-resty-lrucache lua-resty-signal lua-tablepool lua-resty-shell)) (lua-package-cpath (list lua-resty-signal)) (server-blocks (list (nginx-server-configuration (server-name '("localhost")) (listen '("80")) (root "/etc") (locations (list (nginx-location-configuration (uri "/hello") (body (list #~(format #f "content_by_lua_file ~s;" #$(local-file "index.lua"))))))))))))))
Previous: Nastavenia NGINX a Lua, Up: Nastavenie systému [Contents][Index]
MPD, the Music Player Daemon, is a flexible server-side application for playing music. Client programs on different machines on the network — a mobile phone, a laptop, a desktop workstation — can connect to it to control the playback of audio files from your local music collection. MPD decodes the audio files and plays them back on one or many outputs.
By default MPD will play to the default audio device. In the example below we make things a little more interesting by setting up a headless music server. There will be no graphical user interface, no Pulseaudio daemon, and no local audio output. Instead we will configure MPD with two outputs: a bluetooth speaker and a web server to serve audio streams to any streaming media player.
Bluetooth is often rather frustrating to set up. You will have to pair your
Bluetooth device and make sure that the device is automatically connected as
soon as it powers on. The Bluetooth system service returned by the
bluetooth-service
procedure provides the infrastructure needed to set
this up.
Reconfigure your system with at least the following services and packages:
(operating-system
;; …
(packages (cons* bluez bluez-alsa
%base-packages))
(services
;; …
(dbus-service #:services (list bluez-alsa))
(bluetooth-service #:auto-enable? #t)))
Start the bluetooth
service and then use bluetoothctl
to
scan for Bluetooth devices. Try to identify your Bluetooth speaker and pick
out its device ID from the resulting list of devices that is indubitably
dominated by a baffling smorgasbord of your neighbors’ home automation
gizmos. This only needs to be done once:
$ bluetoothctl [NEW] Controller 00:11:22:33:95:7F BlueZ 5.40 [default] [bluetooth]# power on [bluetooth]# Changing power on succeeded [bluetooth]# agent on [bluetooth]# Agent registered [bluetooth]# default-agent [bluetooth]# Default agent request successful [bluetooth]# scan on [bluetooth]# Discovery started [CHG] Controller 00:11:22:33:95:7F Discovering: yes [NEW] Device AA:BB:CC:A4:AA:CD My Bluetooth Speaker [NEW] Device 44:44:FF:2A:20:DC My Neighbor's TV … [bluetooth]# pair AA:BB:CC:A4:AA:CD Attempting to pair with AA:BB:CC:A4:AA:CD [CHG] Device AA:BB:CC:A4:AA:CD Connected: yes [My Bluetooth Speaker]# [CHG] Device AA:BB:CC:A4:AA:CD UUIDs: 0000110b-0000-1000-8000-00xxxxxxxxxx [CHG] Device AA:BB:CC:A4:AA:CD UUIDs: 0000110c-0000-1000-8000-00xxxxxxxxxx [CHG] Device AA:BB:CC:A4:AA:CD UUIDs: 0000110e-0000-1000-8000-00xxxxxxxxxx [CHG] Device AA:BB:CC:A4:AA:CD Paired: yes Pairing successful [CHG] Device AA:BB:CC:A4:AA:CD Connected: no [bluetooth]# [bluetooth]# trust AA:BB:CC:A4:AA:CD [bluetooth]# [CHG] Device AA:BB:CC:A4:AA:CD Trusted: yes Changing AA:BB:CC:A4:AA:CD trust succeeded [bluetooth]# [bluetooth]# connect AA:BB:CC:A4:AA:CD Attempting to connect to AA:BB:CC:A4:AA:CD [bluetooth]# [CHG] Device AA:BB:CC:A4:AA:CD RSSI: -63 [CHG] Device AA:BB:CC:A4:AA:CD Connected: yes Connection successful [My Bluetooth Speaker]# scan off [CHG] Device AA:BB:CC:A4:AA:CD RSSI is nil Discovery stopped [CHG] Controller 00:11:22:33:95:7F Discovering: no
Congratulations, you can now automatically connect to your Bluetooth speaker!
It is now time to configure ALSA to use the bluealsa Bluetooth
module, so that you can define an ALSA pcm device corresponding to your
Bluetooth speaker. For a headless server using bluealsa with a fixed
Bluetooth device is likely simpler than configuring Pulseaudio and its
stream switching behavior. We configure ALSA by crafting a custom
alsa-configuration
for the alsa-service-type
. The
configuration will declare a pcm
type bluealsa
from the
bluealsa
module provided by the bluez-alsa
package, and then
define a pcm
device of that type for your Bluetooth speaker.
All that is left then is to make MPD send audio data to this ALSA device. We also add a secondary MPD output that makes the currently played audio files available as a stream through a web server on port 8080. When enabled a device on the network could listen to the audio stream by connecting any capable media player to the HTTP server on port 8080, independent of the status of the Bluetooth speaker.
What follows is the outline of an operating-system
declaration that
should accomplish the above-mentioned tasks:
(use-modules (gnu)) (use-service-modules audio dbus sound #;… etc) (use-package-modules audio linux #;… etc) (operating-system ;; … (packages (cons* bluez bluez-alsa %base-packages)) (services ;; … (service mpd-service-type (mpd-configuration (user "your-username") (music-dir "/path/to/your/music") (address "192.168.178.20") (outputs (list (mpd-output (type "alsa") (name "MPD") (extra-options ;; Use the same name as in the ALSA ;; configuration below. '((device . "pcm.btspeaker")))) (mpd-output (type "httpd") (name "streaming") (enabled? #false) (always-on? #true) (tags? #true) (mixer-type 'null) (extra-options '((encoder . "vorbis") (port . "8080") (bind-to-address . "192.168.178.20") (max-clients . "0") ;no limit (quality . "5.0") (format . "44100:16:1")))))))) (dbus-service #:services (list bluez-alsa)) (bluetooth-service #:auto-enable? #t) (service alsa-service-type (alsa-configuration (pulseaudio? #false) ;we don't need it (extra-options #~(string-append "\ # Declare Bluetooth audio device type \"bluealsa\" from bluealsa module pcm_type.bluealsa { lib \"" #$(file-append bluez-alsa "/lib/alsa-lib/libasound_module_pcm_bluealsa.so") "\" } # Declare control device type \"bluealsa\" from the same module ctl_type.bluealsa { lib \"" #$(file-append bluez-alsa "/lib/alsa-lib/libasound_module_ctl_bluealsa.so") "\" } # Define the actual Bluetooth audio device. pcm.btspeaker { type bluealsa device \"AA:BB:CC:A4:AA:CD\" # unique device identifier profile \"a2dp\" } # Define an associated controller. ctl.btspeaker { type bluealsa } "))))))
Enjoy the music with the MPD client of your choice or a media player capable of streaming via HTTP!
Next: Pokročilá správa balíkov, Previous: Nastavenie systému, Up: Top [Contents][Index]
The kernel Linux provides a number of shared facilities that are available to processes in the system. These facilities include a shared view on the file system, other processes, network devices, user and group identities, and a few others. Since Linux 3.19 a user can choose to unshare some of these shared facilities for selected processes, providing them (and their child processes) with a different view on the system.
A process with an unshared mount
namespace, for example, has its own
view on the file system — it will only be able to see directories that
have been explicitly bound in its mount namespace. A process with its own
proc
namespace will consider itself to be the only process running on
the system, running as PID 1.
Guix uses these kernel features to provide fully isolated environments and even complete Guix System containers, lightweight virtual machines that share the host system’s kernel. This feature comes in especially handy when using Guix on a foreign distribution to prevent interference from foreign libraries or configuration files that are available system-wide.
• Guix Containers | Perfectly isolated environments | |
• Guix System Containers | A system inside your system |
Next: Guix System Containers, Up: Containers [Contents][Index]
The easiest way to get started is to use guix shell
with the
--container option. See Invoking guix shell in GNU Guix
Reference Manual for a reference of valid options.
The following snippet spawns a minimal shell process with most namespaces unshared from the system. The current working directory is visible to the process, but anything else on the file system is unavailable. This extreme isolation can be very useful when you want to rule out any sort of interference from environment variables, globally installed libraries, or configuration files.
guix shell --container
It is a bleak environment, barren, desolate. You will find that not even the GNU coreutils are available here, so to explore this deserted wasteland you need to use built-in shell commands. Even the usually gigantic /gnu/store directory is reduced to a faint shadow of itself.
$ echo /gnu/store/* /gnu/store/…-gcc-10.3.0-lib /gnu/store/…-glibc-2.33 /gnu/store/…-bash-static-5.1.8 /gnu/store/…-ncurses-6.2.20210619 /gnu/store/…-bash-5.1.8 /gnu/store/…-profile /gnu/store/…-readline-8.1.1
There isn’t much you can do in an environment like this other than exiting
it. You can use ^D or exit
to terminate this limited shell
environment.
You can make other directories available inside of the container environment; use --expose=DIRECTORY to bind-mount the given directory as a read-only location inside the container, or use --share=DIRECTORY to make the location writable. With an additional mapping argument after the directory name you can control the name of the directory inside the container. In the following example we map /etc on the host system to /the/host/etc inside a container in which the GNU coreutils are installed.
$ guix shell --container --share=/etc=/the/host/etc coreutils $ ls /the/host/etc
Similarly, you can prevent the current working directory from being mapped into the container with the --no-cwd option. Another good idea is to create a dedicated directory that will serve as the container’s home directory, and spawn the container shell from that directory.
On a foreign system a container environment can be used to compile software
that cannot possibly be linked with system libraries or with the system’s
compiler toolchain. A common use-case in a research context is to install
packages from within an R session. Outside of a container environment there
is a good chance that the foreign compiler toolchain and incompatible system
libraries are found first, resulting in incompatible binaries that cannot be
used by R. In a container shell this problem disappears, as system
libraries and executables simply aren’t available due to the unshared
mount
namespace.
Let’s take a comprehensive manifest providing a comfortable development environment for use with R:
(specifications->manifest
(list "r-minimal"
;; base packages
"bash-minimal"
"glibc-locales"
"nss-certs"
;; Common command line tools lest the container is too empty.
"coreutils"
"grep"
"which"
"wget"
"sed"
;; R markdown tools
"pandoc"
;; Toolchain and common libraries for "install.packages"
"gcc-toolchain@10"
"gfortran-toolchain"
"gawk"
"tar"
"gzip"
"unzip"
"make"
"cmake"
"pkg-config"
"cairo"
"libxt"
"openssl"
"curl"
"zlib"))
Let’s use this to run R inside a container environment. For convenience we
share the net
namespace to use the host system’s network interfaces.
Now we can build R packages from source the traditional way without having
to worry about ABI mismatch or incompatibilities.
$ guix shell --container --network --manifest=manifest.scm -- R R version 4.2.1 (2022-06-23) -- "Funny-Looking Kid" Copyright (C) 2022 The R Foundation for Statistical Computing … > e <- Sys.getenv("GUIX_ENVIRONMENT") > Sys.setenv(GIT_SSL_CAINFO=paste0(e, "/etc/ssl/certs/ca-certificates.crt")) > Sys.setenv(SSL_CERT_FILE=paste0(e, "/etc/ssl/certs/ca-certificates.crt")) > Sys.setenv(SSL_CERT_DIR=paste0(e, "/etc/ssl/certs")) > install.packages("Cairo", lib=paste0(getwd())) … * installing *source* package 'Cairo' ... … * DONE (Cairo) The downloaded source packages are in '/tmp/RtmpCuwdwM/downloaded_packages' > library("Cairo", lib=getwd()) > # success!
Using container shells is fun, but they can become a little cumbersome when you want to go beyond just a single interactive process. Some tasks become a lot easier when they sit on the rock solid foundation of a proper Guix System and its rich set of system services. The next section shows you how to launch a complete Guix System inside of a container.
Previous: Guix Containers, Up: Containers [Contents][Index]
The Guix System provides a wide array of interconnected system services that are configured declaratively to form a dependable stateless GNU System foundation for whatever tasks you throw at it. Even when using Guix on a foreign distribution you can benefit from the design of Guix System by running a system instance as a container. Using the same kernel features of unshared namespaces mentioned in the previous section, the resulting Guix System instance is isolated from the host system and only shares file system locations that you explicitly declare.
A Guix System container differs from the shell process created by
guix shell --container
in a number of important ways. While in a
container shell the containerized process is a Bash shell process, a Guix
System container runs the Shepherd as PID 1. In a system container all
system services (see Services in GNU Guix Reference Manual) are
set up just as they would be on a Guix System in a virtual machine or on
bare metal—this includes daemons managed by the GNU Shepherd
(see Shepherd Services in GNU Guix Reference Manual) as well as
other kinds of extensions to the operating system (see Service Composition in GNU Guix Reference Manual).
The perceived increase in complexity of running a Guix System container is easily justified when dealing with more complex applications that have higher or just more rigid requirements on their execution contexts—configuration files, dedicated user accounts, directories for caches or log files, etc. In Guix System the demands of this kind of software are satisfied through the deployment of system services.
• A Database Container | ||
• Container Networking |
Next: Container Networking, Up: Guix System Containers [Contents][Index]
A good example might be a PostgreSQL database server. Much of the complexity of setting up such a database server is encapsulated in this deceptively short service declaration:
(service postgresql-service-type
(postgresql-configuration
(postgresql postgresql-14)))
A complete operating system declaration for use with a Guix System container would look something like this:
(use-modules (gnu)) (use-package-modules databases) (use-service-modules databases) (operating-system (host-name "container") (timezone "Europe/Berlin") (file-systems (cons (file-system (device (file-system-label "does-not-matter")) (mount-point "/") (type "ext4")) %base-file-systems)) (bootloader (bootloader-configuration (bootloader grub-bootloader) (targets '("/dev/sdX")))) (services (cons* (service postgresql-service-type (postgresql-configuration (postgresql postgresql-14) (config-file (postgresql-config-file (log-destination "stderr") (hba-file (plain-file "pg_hba.conf" "\ local all all trust host all all 10.0.0.1/32 trust")) (extra-config '(("listen_addresses" "*") ("log_directory" "/var/log/postgresql"))))))) (service postgresql-role-service-type (postgresql-role-configuration (roles (list (postgresql-role (name "test") (create-database? #t)))))) %base-services)))
With postgresql-role-service-type
we define a role “test” and
create a matching database, so that we can test right away without any
further manual setup. The postgresql-config-file
settings allow a
client from IP address 10.0.0.1 to connect without requiring
authentication—a bad idea in production systems, but convenient for this
example.
Let’s build a script that will launch an instance of this Guix System as a
container. Write the operating-system
declaration above to a file
os.scm and then use guix system container
to build the
launcher. (see Invoking guix system in GNU Guix Reference
Manual).
$ guix system container os.scm The following derivations will be built: /gnu/store/…-run-container.drv … building /gnu/store/…-run-container.drv... /gnu/store/…-run-container
Now that we have a launcher script we can run it to spawn the new system
with a running PostgreSQL service. Note that due to some as yet unresolved
limitations we need to run the launcher as the root user, for example with
sudo
.
$ sudo /gnu/store/…-run-container system container is running as PID 5983 …
Background the process with Ctrl-z followed by bg
. Note the
process ID in the output; we will need it to connect to the container
later. You know what? Let’s try attaching to the container right now. We
will use nsenter
, a tool provided by the util-linux
package:
$ guix shell util-linux $ sudo nsenter -a -t 5983 root@container /# pgrep -a postgres 49 /gnu/store/…-postgresql-14.4/bin/postgres -D /var/lib/postgresql/data --config-file=/gnu/store/…-postgresql.conf -p 5432 51 postgres: checkpointer 52 postgres: background writer 53 postgres: walwriter 54 postgres: autovacuum launcher 55 postgres: stats collector 56 postgres: logical replication launcher root@container /# exit
The PostgreSQL service is running in the container!
Previous: A Database Container, Up: Guix System Containers [Contents][Index]
What good is a Guix System running a PostgreSQL database service as a container when we can only talk to it with processes originating in the container? It would be much better if we could talk to the database over the network.
The easiest way to do this is to create a pair of connected virtual Ethernet
devices (known as veth
). We move one of the devices
(ceth-test
) into the net
namespace of the container and leave
the other end (veth-test
) of the connection on the host system.
pid=5983 ns="guix-test" host="veth-test" client="ceth-test" # Attach the new net namespace "guix-test" to the container PID. sudo ip netns attach $ns $pid # Create the pair of devices sudo ip link add $host type veth peer name $client # Move the client device into the container's net namespace sudo ip link set $client netns $ns
Then we configure the host side:
sudo ip link set $host up sudo ip addr add 10.0.0.1/24 dev $host
…and then we configure the client side:
sudo ip netns exec $ns ip link set lo up sudo ip netns exec $ns ip link set $client up sudo ip netns exec $ns ip addr add 10.0.0.2/24 dev $client
At this point the host can reach the container at IP address 10.0.0.2, and the container can reach the host at IP 10.0.0.1. This is all we need to talk to the database server inside the container from the host system on the outside.
$ psql -h 10.0.0.2 -U test psql (14.4) Type "help" for help. test=> CREATE TABLE hello (who TEXT NOT NULL); CREATE TABLE test=> INSERT INTO hello (who) VALUES ('world'); INSERT 0 1 test=> SELECT * FROM hello; who ------- world (1 row)
Now that we’re done with this little demonstration let’s clean up:
sudo kill $pid sudo ip netns del $ns sudo ip link del $host
Next: Správa prostredí, Previous: Containers, Up: Top [Contents][Index]
Guix is a functional package manager that offers many features beyond what more traditional package managers can do. To the uninitiated, those features might not have obvious use cases at first. The purpose of this chapter is to demonstrate some advanced package management concepts.
see Package Management in GNU Guix Reference Manual for a complete reference.
• Guix Profiles in Practice | Strategies for multiple profiles and manifests. |
Guix provides a very useful feature that may be quite foreign to newcomers: profiles. They are a way to group package installations together and all users on the same system are free to use as many profiles as they want.
Whether you’re a developer or not, you may find that multiple profiles bring you great power and flexibility. While they shift the paradigm somewhat compared to traditional package managers, they are very convenient to use once you’ve understood how to set them up.
If you are familiar with Python’s ‘virtualenv’, you can think of a profile as a kind of universal ‘virtualenv’ that can hold any kind of software whatsoever, not just Python software. Furthermore, profiles are self-sufficient: they capture all the runtime dependencies which guarantees that all programs within a profile will always work at any point in time.
Multiple profiles have many benefits:
Concretely, here follows some typical profiles:
Let’s dive in the set up!
• Basic setup with manifests | ||
• Požadované balíky | ||
• Default profile | ||
• The benefits of manifests | ||
• Reproducible profiles |
Next: Požadované balíky, Up: Guix Profiles in Practice [Contents][Index]
A Guix profile can be set up via a manifest. A manifest is a snippet of Scheme code that specifies the set of packages you want to have in your profile; it looks like this:
(specifications->manifest
'("package-1"
;; Version 1.3 of package-2.
"package-2@1.3"
;; The "lib" output of package-3.
"package-3:lib"
; ...
"package-N"))
See Writing Manifests in GNU Guix Reference Manual, for more information about the syntax.
We can create a manifest specification per profile and install them this way:
GUIX_EXTRA_PROFILES=$HOME/.guix-extra-profiles mkdir -p "$GUIX_EXTRA_PROFILES"/my-project # if it does not exist yet guix package --manifest=/path/to/guix-my-project-manifest.scm --profile="$GUIX_EXTRA_PROFILES"/my-project/my-project
Here we set an arbitrary variable ‘GUIX_EXTRA_PROFILES’ to point to the directory where we will store our profiles in the rest of this article.
Placing all your profiles in a single directory, with each profile getting its own sub-directory, is somewhat cleaner. This way, each sub-directory will contain all the symlinks for precisely one profile. Besides, “looping over profiles” becomes obvious from any programming language (e.g. a shell script) by simply looping over the sub-directories of ‘$GUIX_EXTRA_PROFILES’.
Note that it’s also possible to loop over the output of
guix package --list-profiles
although you’ll probably have to filter out ~/.config/guix/current.
To enable all profiles on login, add this to your ~/.bash_profile (or similar):
for i in $GUIX_EXTRA_PROFILES/*; do profile=$i/$(basename "$i") if [ -f "$profile"/etc/profile ]; then GUIX_PROFILE="$profile" . "$GUIX_PROFILE"/etc/profile fi unset profile done
Note to Guix System users: the above reflects how your default profile ~/.guix-profile is activated from /etc/profile, that latter being loaded by ~/.bashrc by default.
You can obviously choose to only enable a subset of them:
for i in "$GUIX_EXTRA_PROFILES"/my-project-1 "$GUIX_EXTRA_PROFILES"/my-project-2; do profile=$i/$(basename "$i") if [ -f "$profile"/etc/profile ]; then GUIX_PROFILE="$profile" . "$GUIX_PROFILE"/etc/profile fi unset profile done
When a profile is off, it’s straightforward to enable it for an individual shell without "polluting" the rest of the user session:
GUIX_PROFILE="path/to/my-project" ; . "$GUIX_PROFILE"/etc/profile
The key to enabling a profile is to source its ‘etc/profile’ file. This file contains shell code that exports the right environment variables necessary to activate the software contained in the profile. It is built automatically by Guix and meant to be sourced. It contains the same variables you would get if you ran:
guix package --search-paths=prefix --profile=$my_profile"
Once again, see (see Invoking guix package in GNU Guix Reference Manual) for the command line options.
To upgrade a profile, simply install the manifest again:
guix package -m /path/to/guix-my-project-manifest.scm -p "$GUIX_EXTRA_PROFILES"/my-project/my-project
To upgrade all profiles, it’s easy enough to loop over them. For instance, assuming your manifest specifications are stored in ~/.guix-manifests/guix-$profile-manifest.scm, with ‘$profile’ being the name of the profile (e.g. "project1"), you could do the following in Bourne shell:
for profile in "$GUIX_EXTRA_PROFILES"/*; do guix package --profile="$profile" --manifest="$HOME/.guix-manifests/guix-$profile-manifest.scm" done
Each profile has its own generations:
guix package -p "$GUIX_EXTRA_PROFILES"/my-project/my-project --list-generations
You can roll-back to any generation of a given profile:
guix package -p "$GUIX_EXTRA_PROFILES"/my-project/my-project --switch-generations=17
Finally, if you want to switch to a profile without inheriting from the current environment, you can activate it from an empty shell:
env -i $(which bash) --login --noprofile --norc . my-project/etc/profile
Next: Default profile, Previous: Basic setup with manifests, Up: Guix Profiles in Practice [Contents][Index]
Activating a profile essentially boils down to exporting a bunch of environmental variables. This is the role of the ‘etc/profile’ within the profile.
Note: Only the environmental variables of the packages that consume them will be set.
For instance, ‘MANPATH’ won’t be set if there is no consumer application for man pages within the profile. So if you need to transparently access man pages once the profile is loaded, you’ve got two options:
export MANPATH=/path/to/profile${MANPATH:+:}$MANPATH
The same is true for ‘INFOPATH’ (you can install ‘info-reader’), ‘PKG_CONFIG_PATH’ (install ‘pkg-config’), etc.
Next: The benefits of manifests, Previous: Požadované balíky, Up: Guix Profiles in Practice [Contents][Index]
What about the default profile that Guix keeps in ~/.guix-profile?
You can assign it the role you want. Typically you would install the manifest of the packages you want to use all the time.
Alternatively, you could keep it “manifest-less” for throw-away packages that you would just use for a couple of days. This way makes it convenient to run
guix install package-foo guix upgrade package-bar
without having to specify the path to a profile.
Next: Reproducible profiles, Previous: Default profile, Up: Guix Profiles in Practice [Contents][Index]
Manifests are a convenient way to keep your package lists around and, say, to synchronize them across multiple machines using a version control system.
A common complaint about manifests is that they can be slow to install when they contain large number of packages. This is especially cumbersome when you just want get an upgrade for one package within a big manifest.
This is one more reason to use multiple profiles, which happen to be just perfect to break down manifests into multiple sets of semantically connected packages. Using multiple, small profiles provides more flexibility and usability.
Manifests come with multiple benefits. In particular, they ease maintenance:
guix package --upgrade
always tries to update the packages that have
propagated inputs, even if there is nothing to do. Guix manifests remove
this problem.
guix install
, guix upgrade
, etc. do not, since they
produce different profiles every time even when they hold the same
packages. See the related
discussion on the matter.
guix weather -m manifest.scm
to see how many
substitutes are available, which can help you decide whether you want to try
upgrading today or wait a while. Another example: you can run guix
pack -m manifest.scm
to create a pack containing all the packages in the
manifest (and their transitive references).
It’s important to understand that while manifests can be used to declare profiles, they are not strictly equivalent: profiles have the side effect that they “pin” packages in the store, which prevents them from being garbage-collected (see Invoking guix gc in GNU Guix Reference Manual) and ensures that they will still be available at any point in the future.
Let’s take an example:
guix environment -m manifest.scm
. So far so good.
guix pull
in the mean
time. Maybe a dependency from our manifest has been updated; or we may have
run guix gc
and some packages needed by our manifest have been
garbage-collected.
guix shell
-m manifest.scm
. But now we have to wait for Guix to build and install
stuff!
Ideally, we could spare the rebuild time. And indeed we can, all we need is
to install the manifest to a profile and use
GUIX_PROFILE=/the/profile; . "$GUIX_PROFILE"/etc/profile
as explained
above: this guarantees that our hacking environment will be available at all
times.
Security warning: While keeping old profiles around can be convenient, keep in mind that outdated packages may not have received the latest security fixes.
Previous: The benefits of manifests, Up: Guix Profiles in Practice [Contents][Index]
To reproduce a profile bit-for-bit, we need two pieces of information:
Indeed, manifests alone might not be enough: different Guix versions (or different channels) can produce different outputs for a given manifest.
You can output the Guix channel specification with ‘guix describe --format=channels’. Save this to a file, say ‘channel-specs.scm’.
On another computer, you can use the channel specification file and the manifest to reproduce the exact same profile:
GUIX_EXTRA_PROFILES=$HOME/.guix-extra-profiles GUIX_EXTRA=$HOME/.guix-extra mkdir -p "$GUIX_EXTRA"/my-project guix pull --channels=channel-specs.scm --profile="$GUIX_EXTRA/my-project/guix" mkdir -p "$GUIX_EXTRA_PROFILES/my-project" "$GUIX_EXTRA"/my-project/guix/bin/guix package --manifest=/path/to/guix-my-project-manifest.scm --profile="$GUIX_EXTRA_PROFILES"/my-project/my-project
It’s safe to delete the Guix channel profile you’ve just installed with the channel specification, the project profile does not depend on it.
Next: Installing Guix on a Cluster, Previous: Pokročilá správa balíkov, Up: Top [Contents][Index]
Guix provides multiple tools to manage environment. This chapter demonstrate such utilities.
• Guix environment via direnv | Setup Guix environment with direnv |
Up: Správa prostredí [Contents][Index]
Guix provides a ‘direnv’ package, which could extend shell after directory change. This tool could be used to prepare a pure Guix environment.
The following example provides a shell function for ~/.direnvrc file, which could be used from Guix Git repository in ~/src/guix/.envrc file to setup a build environment similar to described in see Building from Git in GNU Guix Reference Manual.
Create a ~/.direnvrc with a Bash code:
# Thanks <https://github.com/direnv/direnv/issues/73#issuecomment-152284914> export_function() { local name=$1 local alias_dir=$PWD/.direnv/aliases mkdir -p "$alias_dir" PATH_add "$alias_dir" local target="$alias_dir/$name" if declare -f "$name" >/dev/null; then echo "#!$SHELL" > "$target" declare -f "$name" >> "$target" 2>/dev/null # Notice that we add shell variables to the function trigger. echo "$name \$*" >> "$target" chmod +x "$target" fi } use_guix() { # Set GitHub token. export GUIX_GITHUB_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # Unset 'GUIX_PACKAGE_PATH'. export GUIX_PACKAGE_PATH="" # Recreate a garbage collector root. gcroots="$HOME/.config/guix/gcroots" mkdir -p "$gcroots" gcroot="$gcroots/guix" if [ -L "$gcroot" ] then rm -v "$gcroot" fi # Miscellaneous packages. PACKAGES_MAINTENANCE=( direnv git git:send-email git-cal gnupg guile-colorized guile-readline less ncurses openssh xdot ) # Environment packages. PACKAGES=(help2man guile-sqlite3 guile-gcrypt) # Thanks <https://lists.gnu.org/archive/html/guix-devel/2016-09/msg00859.html> eval "$(guix environment --search-paths --root="$gcroot" --pure guix --ad-hoc ${PACKAGES[@]} ${PACKAGES_MAINTENANCE[@]} "$@")" # Predefine configure flags. configure() { ./configure --localstatedir=/var --prefix= } export_function configure # Run make and optionally build something. build() { make -j 2 if [ $# -gt 0 ] then ./pre-inst-env guix build "$@" fi } export_function build # Predefine push Git command. push() { git push --set-upstream origin } export_function push clear # Clean up the screen. git-cal --author='Your Name' # Show contributions calendar. # Show commands help. echo " build build a package or just a project if no argument provided configure run ./configure with predefined parameters push push to upstream Git repository " }
Every project containing .envrc with a string use guix
will
have predefined environment variables and procedures.
Run direnv allow
to setup the environment for the first time.
Next: Poďakovanie, Previous: Správa prostredí, Up: Top [Contents][Index]
Guix is appealing to scientists and HPC (high-performance computing) practitioners: it makes it easy to deploy potentially complex software stacks, and it lets you do so in a reproducible fashion—you can redeploy the exact same software on different machines and at different points in time.
In this chapter we look at how a cluster sysadmin can install Guix for system-wide use, such that it can be used on all the cluster nodes, and discuss the various tradeoffs1.
Poznámka: Here we assume that the cluster is running a GNU/Linux distro other than Guix System and that we are going to install Guix on top of it.
• Setting Up a Head Node | The node that runs the daemon. | |
• Setting Up Compute Nodes | Client nodes. | |
• Cluster Network Access | Dealing with network access restrictions. | |
• Cluster Disk Usage | Disk usage considerations. | |
• Cluster Security Considerations | Keeping the cluster secure. |
Next: Setting Up Compute Nodes, Up: Installing Guix on a Cluster [Contents][Index]
The recommended approach is to set up one head node running
guix-daemon
and exporting /gnu/store over NFS to compute
nodes.
Remember that guix-daemon
is responsible for spawning build
processes and downloads on behalf of clients (see Invoking guix-daemon in GNU Guix Reference Manual), and more generally accessing
/gnu/store, which contains all the package binaries built by all the
users (see The Store in GNU Guix Reference Manual). “Client”
here refers to all the Guix commands that users see, such as guix
install
. On a cluster, these commands may be running on the compute nodes
and we’ll want them to talk to the head node’s guix-daemon
instance.
To begin with, the head node can be installed following the usual binary installation instructions (see Binary Installation in GNU Guix Reference Manual). Thanks to the installation script, this should be quick. Once installation is complete, we need to make some adjustments.
Since we want guix-daemon
to be reachable not just from the head node
but also from the compute nodes, we need to arrange so that it listens for
connections over TCP/IP. To do that, we’ll edit the systemd startup file
for guix-daemon
, /etc/systemd/system/guix-daemon.service,
and add a --listen
argument to the ExecStart
line so that it
looks something like this:
ExecStart=/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild --listen=/var/guix/daemon-socket/socket --listen=0.0.0.0
For these changes to take effect, the service needs to be restarted:
systemctl daemon-reload systemctl restart guix-daemon
Poznámka: The
--listen=0.0.0.0
bit means thatguix-daemon
will process all incoming TCP connections on port 44146 (see Invoking guix-daemon in GNU Guix Reference Manual). This is usually fine in a cluster setup where the head node is reachable exclusively from the cluster’s local area network—you don’t want that to be exposed to the Internet!
The next step is to define our NFS exports in /etc/exports by adding something along these lines:
/gnu/store *(ro) /var/guix *(rw, async) /var/log/guix *(ro)
The /gnu/store directory can be exported read-only since only
guix-daemon
on the master node will ever modify it.
/var/guix contains user profiles as managed by guix
package
; thus, to allow users to install packages with guix package
,
this must be read-write.
Users can create as many profiles as they like in addition to the default
profile, ~/.guix-profile. For instance, guix package -p
~/dev/python-dev -i python
installs Python in a profile reachable from the
~/dev/python-dev
symlink. To make sure that this profile is
protected from garbage collection—i.e., that Python will not be removed
from /gnu/store while this profile exists—, home directories
should be mounted on the head node as well so that guix-daemon
knows
about these non-standard profiles and avoids collecting software they refer
to.
It may be a good idea to periodically remove unused bits from
/gnu/store by running guix gc
(see Invoking guix gc in GNU Guix Reference Manual). This can be done by adding a crontab
entry on the head node:
root@master# crontab -e
... with something like this:
# Every day at 5AM, run the garbage collector to make sure # at least 10 GB are free on /gnu/store. 0 5 * * 1 /usr/local/bin/guix gc -F10G
We’re done with the head node! Let’s look at compute nodes now.
Next: Cluster Network Access, Previous: Setting Up a Head Node, Up: Installing Guix on a Cluster [Contents][Index]
First of all, we need compute nodes to mount those NFS directories that the head node exports. This can be done by adding the following lines to /etc/fstab:
head-node:/gnu/store /gnu/store nfs defaults,_netdev,vers=3 0 0 head-node:/var/guix /var/guix nfs defaults,_netdev,vers=3 0 0 head-node:/var/log/guix /var/log/guix nfs defaults,_netdev,vers=3 0 0
... where head-node is the name or IP address of your head node. From there on, assuming the mount points exist, you should be able to mount each of these on the compute nodes.
Next, we need to provide a default guix
command that users can run
when they first connect to the cluster (eventually they will invoke
guix pull
, which will provide them with their “own”
guix
command). Similar to what the binary installation script did
on the head node, we’ll store that in /usr/local/bin:
mkdir -p /usr/local/bin ln -s /var/guix/profiles/per-user/root/current-guix/bin/guix \ /usr/local/bin/guix
We then need to tell guix
to talk to the daemon running on our master
node, by adding these lines to /etc/profile
:
GUIX_DAEMON_SOCKET="guix://head-node" export GUIX_DAEMON_SOCKET
To avoid warnings and make sure guix
uses the right locale, we need
to tell it to use locale data provided by Guix (see Application Setup in GNU Guix Reference Manual):
GUIX_LOCPATH=/var/guix/profiles/per-user/root/guix-profile/lib/locale export GUIX_LOCPATH # Here we must use a valid locale name. Try "ls $GUIX_LOCPATH/*" # to see what names can be used. LC_ALL=fr_FR.utf8 export LC_ALL
For convenience, guix package
automatically generates
~/.guix-profile/etc/profile, which defines all the environment
variables necessary to use the packages—PATH
,
C_INCLUDE_PATH
, PYTHONPATH
, etc. Thus it’s a good idea to
source it from /etc/profile
:
GUIX_PROFILE="$HOME/.guix-profile" if [ -f "$GUIX_PROFILE/etc/profile" ]; then . "$GUIX_PROFILE/etc/profile" fi
Last but not least, Guix provides command-line completion notably for Bash
and zsh. In /etc/bashrc
, consider adding this line:
. /var/guix/profiles/per-user/root/current-guix/etc/bash_completion.d/guix
Voilà!
You can check that everything’s in place by logging in on a compute node and running:
guix install hello
The daemon on the head node should download pre-built binaries on your
behalf and unpack them in /gnu/store, and guix install
should create ~/.guix-profile containing the
~/.guix-profile/bin/hello command.
Next: Cluster Disk Usage, Previous: Setting Up Compute Nodes, Up: Installing Guix on a Cluster [Contents][Index]
Guix requires network access to download source code and pre-built binaries. The good news is that only the head node needs that since compute nodes simply delegate to it.
It is customary for cluster nodes to have access at best to a white
list of hosts. Our head node needs at least ci.guix.gnu.org
in this
white list since this is where it gets pre-built binaries from by default,
for all the packages that are in Guix proper.
Incidentally, ci.guix.gnu.org
also serves as a
content-addressed mirror of the source code of those packages.
Consequently, it is sufficient to have only ci.guix.gnu.org
in
that white list.
Software packages maintained in a separate repository such as one of the
various HPC channels are of course
unavailable from ci.guix.gnu.org
. For these packages, you may want
to extend the white list such that source and pre-built binaries (assuming
this-party servers provide binaries for these packages) can be downloaded.
As a last resort, users can always download source on their workstation and
add it to the cluster’s /gnu/store, like this:
GUIX_DAEMON_SOCKET=ssh://compute-node.example.org \ guix download http://starpu.gforge.inria.fr/files/starpu-1.2.3/starpu-1.2.3.tar.gz
The above command downloads starpu-1.2.3.tar.gz
and sends it
to the cluster’s guix-daemon
instance over SSH.
Air-gapped clusters require more work. At the moment, our suggestion would
be to download all the necessary source code on a workstation running Guix.
For instance, using the --sources option of guix build
(see Invoking guix build in GNU Guix Reference Manual), the
example below downloads all the source code the openmpi
package
depends on:
$ guix build --sources=transitive openmpi … /gnu/store/xc17sm60fb8nxadc4qy0c7rqph499z8s-openmpi-1.10.7.tar.bz2 /gnu/store/s67jx92lpipy2nfj5cz818xv430n4b7w-gcc-5.4.0.tar.xz /gnu/store/npw9qh8a46lrxiwh9xwk0wpi3jlzmjnh-gmp-6.0.0a.tar.xz /gnu/store/hcz0f4wkdbsvsdky3c0vdvcawhdkyldb-mpfr-3.1.5.tar.xz /gnu/store/y9akh452n3p4w2v631nj0injx7y0d68x-mpc-1.0.3.tar.gz /gnu/store/6g5c35q8avfnzs3v14dzl54cmrvddjm2-glibc-2.25.tar.xz /gnu/store/p9k48dk3dvvk7gads7fk30xc2pxsd66z-hwloc-1.11.8.tar.bz2 /gnu/store/cry9lqidwfrfmgl0x389cs3syr15p13q-gcc-5.4.0.tar.xz /gnu/store/7ak0v3rzpqm2c5q1mp3v7cj0rxz0qakf-libfabric-1.4.1.tar.bz2 /gnu/store/vh8syjrsilnbfcf582qhmvpg1v3rampf-rdma-core-14.tar.gz …
(In case you’re wondering, that’s more than 320 MiB of compressed source code.)
We can then make a big archive containing all of this (see Invoking guix archive in GNU Guix Reference Manual):
$ guix archive --export \ `guix build --sources=transitive openmpi` \ > openmpi-source-code.nar
… and we can eventually transfer that archive to the cluster on removable storage and unpack it there:
$ guix archive --import < openmpi-source-code.nar
This process has to be repeated every time new source code needs to be brought to the cluster.
As we write this, the research institutes involved in Guix-HPC do not have air-gapped clusters though. If you have experience with such setups, we would like to hear feedback and suggestions.
Next: Cluster Security Considerations, Previous: Cluster Network Access, Up: Installing Guix on a Cluster [Contents][Index]
A common concern of sysadmins’ is whether this is all going to eat a lot of disk space. If anything, if something is going to exhaust disk space, it’s going to be scientific data sets rather than compiled software—that’s our experience with almost ten years of Guix usage on HPC clusters. Nevertheless, it’s worth taking a look at how Guix contributes to disk usage.
First, having several versions or variants of a given package in
/gnu/store does not necessarily cost much, because
guix-daemon
implements deduplication of identical files, and
package variants are likely to have a number of common files.
As mentioned above, we recommend having a cron job to run guix gc
periodically, which removes unused software from
/gnu/store. However, there’s always a possibility that users will
keep lots of software in their profiles, or lots of old generations of their
profiles, which is “live” and cannot be deleted from the viewpoint of
guix gc
.
The solution to this is for users to regularly remove old generations of their profile. For instance, the following command removes generations that are more than two-month old:
guix package --delete-generations=2m
Likewise, it’s a good idea to invite users to regularly upgrade their profile, which can reduce the number of variants of a given piece of software stored in /gnu/store:
guix pull guix upgrade
As a last resort, it is always possible for sysadmins to do some of this on behalf of their users. Nevertheless, one of the strengths of Guix is the freedom and control users get on their software environment, so we strongly recommend leaving users in control.
Previous: Cluster Disk Usage, Up: Installing Guix on a Cluster [Contents][Index]
On an HPC cluster, Guix is typically used to manage scientific software.
Security-critical software such as the operating system kernel and system
services such as sshd
and the batch scheduler remain under control of
sysadmins.
The Guix project has a good track record delivering security updates in a
timely fashion (see Security Updates in GNU Guix Reference
Manual). To get security updates, users have to run guix pull &&
guix upgrade
.
Because Guix uniquely identifies software variants, it is easy to see if a vulnerable piece of software is in use. For instance, to check whether the glibc 2.25 variant without the mitigation patch against “Stack Clash”, one can check whether user profiles refer to it at all:
guix gc --referrers /gnu/store/…-glibc-2.25
This will report whether profiles exist that refer to this specific glibc variant.
Next: Licencia GNU Free Documentation, Previous: Installing Guix on a Cluster, Up: Top [Contents][Index]
Guix is based on the Nix package manager, which was designed and implemented by Eelco Dolstra, with contributions from other people (see the nix/AUTHORS file in Guix.) Nix pioneered functional package management, and promoted unprecedented features, such as transactional package upgrades and rollbacks, per-user profiles, and referentially transparent build processes. Without this work, Guix would not exist.
The Nix-based software distributions, Nixpkgs and NixOS, have also been an inspiration for Guix.
GNU Guix itself is a collective work with contributions from a number of people. See the AUTHORS file in Guix for more information on these fine people. The THANKS file lists people who have helped by reporting bugs, taking care of the infrastructure, providing artwork and themes, making suggestions, and more—thank you!
This document includes adapted sections from articles that have previously been published on the Guix blog at https://guix.gnu.org/blog and on the Guix-HPC blog at https://hpc.guix.info/blog.
Next: Zoznam pojmov, Previous: Poďakovanie, Up: Top [Contents][Index]
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. https://fsf.org/ Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
The purpose of this License is to make a manual, textbook, or other functional and useful document free in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.
This License is a kind of “copyleft”, which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The “Document”, below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as “you”. You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.
A “Modified Version” of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.
A “Secondary Section” is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document’s overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.
The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.
The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
A “Transparent” copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not “Transparent” is called “Opaque”.
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.
The “Title Page” means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, “Title Page” means the text near the most prominent appearance of the work’s title, preceding the beginning of the body of the text.
The “publisher” means any person or entity that distributes copies of the Document to the public.
A section “Entitled XYZ” means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as “Acknowledgements”, “Dedications”, “Endorsements”, or “History”.) To “Preserve the Title” of such a section when you modify the Document means that it remains a section “Entitled XYZ” according to this definition.
The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version’s license notice. These titles must be distinct from any other section titles.
You may add a section Entitled “Endorsements”, provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled “History” in the various original documents, forming one section Entitled “History”; likewise combine any sections Entitled “Acknowledgements”, and any sections Entitled “Dedications”. You must delete all sections Entitled “Endorsements.”
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an “aggregate” if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document’s Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See https://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License “or any later version” applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy’s public statement of acceptance of a version permanently authorizes you to choose that version for the Document.
“Massive Multiauthor Collaboration Site” (or “MMC Site”) means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A “Massive Multiauthor Collaboration” (or “MMC”) contained in the site means any set of copyrightable works thus published on the MMC site.
“CC-BY-SA” means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.
“Incorporate” means to publish or republish a Document, in whole or in part, as part of another Document.
An MMC is “eligible for relicensing” if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:
Copyright (C) year your name. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License''.
If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with…Texts.” line with this:
with the Invariant Sections being list their titles, with the Front-Cover Texts being list, and with the Back-Cover Texts being list.
If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.
If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
Previous: Licencia GNU Free Documentation, Up: Top [Contents][Index]
Jump to: | 2
A B C D E H L M N S U W Z |
---|
Jump to: | 2
A B C D E H L M N S U W Z |
---|