[Replicant] Configuration management

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Mon Aug 12 16:23:01 UTC 2019


Hi,

I've been researching which configuration management tool could work
for Replicant, but the usual candidates had shortcomings:
- With Ansible, the configuration depends on the Ansible version, which
  is an issue when contributors have different distributions. Also, not
  being able to use only code to describe the machine configuration has
  many shortcomings[1].
- The development of the alternative[1] mentioned above has stopped,
  and it was not widely packaged anyway.
- I use Bundlewrap[2] extensively for my own machines. It's code-only
  but it doesn't have enough abstraction to work well for Replicant use
  cases:
  - It assumes that you have a machine that has somehow an already
    configured SSH, and that on your side you don't need a password to
    access it. This makes it hard to use it to create a vm image for
    instance.
  - It also has a very limited number of classes for configuring the
    system: It supports things like pushing templated files, managing
    users, running commands, etc. So you would need to use the basic
    building blocks and/or develop plugins to do more complex logic.
    This gives you a lot of flexibility but also a lot of work to do
    if you have use cases that are complex to implement.
  - You execute code from the configuration in your laptop, and that
    code can be big.

However, GuiX seems a very good candidate for that:
- Even if there are no Trisquel packages for it, and the Parabola
  packages are currently outdated, it can easily be installed in any
  GNU/Linux distribution.
- The configuration is done in Scheme and it looks simple enough to
  understand.
- Guix has or will have tools to easily deploy a given configuration to
  a remote machine. It also has tools to do testing. I didn't look into
  these yet.
- It can also create a vm out of a configuration which is great for
  testing things locally.
- The deployment from a (potentially signed) git push could easily be
  automatized.

I've already started working on a configuration file for hosting in a
vm what is hosted on the Replicant "ftp" at osuosl to evaluate GuiX,
as it's the most simple use case that would still be useful, especially
because when I ssh into ftp-osl.osuosl.org I get this message:
> *****************************************************************************
>                                NOTICE TO USERS
> 
> ftp-osl.osuosl.org is a computer system operated by the Oregon State
> University Open Source Lab. It is for authorized use only. Users
> (authorized or unauthorized) have no explicit or implicit expectation
> of privacy.
> 
> Any or all uses of this system and all files on this system may be
> intercepted, monitored, recorded, copied, audited, inspected, and
> disclosed to authorized site, Oregon State University, and law
> enforcement personnel, as well as authorized officials of other
> agencies, both domestic and foreign. By using this system, the user
> consents to such interception, monitoring, recording, copying,
> auditing, inspection, and disclosure at the discretion of authorized
> site or Oregon State University personnel.
> 
> Unauthorized or improper use of this system may result in
> administrative disciplinary action and civil and criminal penalties.
> By continuing to use this system you indicate your awareness of and
> consent to these terms and conditions of use. LOG OFF IMMEDIATELY if
> you do not agree to the conditions stated in this warning.
> 
> *****************************************************************************
If somehow, that also applies to the people downloading files from
https://ftp.osuosl.org/pub/replicant/ then we ought to fix it at some
point.

Even if it's easier to do that in the Trisquel vm we already have, it
would be a good starting point to switch Replicant infrastructure into
configuration management.

What do you think about the above:
- Is using GuiX for the Replicant infrastructure a good idea?
- If so, once I get a basic and useful configuration for the vm, we
  could ask the FSF for a new VM to run a GuiX-SD image. 

References:
-----------
[1] https://medium.com/@michaeldehaan/opsmop-building-the-next-generation-of-configuration-management-tooling-11268b7f21b6
[2] https://docs.bundlewrap.org/

Denis.