AWS Cloud images for Guix


We had a good, inspiring orchestration meeting at the Guix day pre-FOSDEM and as part of that I've been working on making public AWS cloud images available for Guix. This post serves as a status report, since we're not quite there yet.

The code that runs the builds is available on GitHub. The idea behind this is to make it easy for people to build their own customized Guix images for the cloud, in addition to building a Golden Master.

The strategy I employ to get a working Guix image is very simple. I start up an Ubuntu 16.04 machine, then download the latest binary Guix release and install it on Ubuntu. I run an improvised cow-store.sh script that emulates the cow-store service from the Guix installer. When that's done, I run guix system init config.scm /mnt to install onto an additional attached disk.

This process ends up with a Guix system on the disk. I then make a snapshot of this disk and create an AMI from this snapshot.

All the AWS plumbing in this process is highly automated using HashiCorp's Packer. In fact, about the only things that needed additional automation were formatting the disks and triggering the Guix install process.

When this process has run, the result is a bootable Guix image.
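The post does not show the improvised cow-store.sh, so the following is an added example of what that step looks like, not the author's script: it makes /gnu/store copy-on-write with an overlayfs whose upper layer is the target disk's store, then runs guix system init onto the target. The overlay layout (target store as upper layer, sibling work directory), the guixbuild group name from the binary-release install instructions, and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's cow-store.sh: emulate the Guix installer's
# cow-store service with an overlayfs and then run `guix system init`.
# Assumptions: the target disk is formatted and mounted at the given target
# (the post uses /mnt), the binary Guix release is installed on the host with
# its store at /gnu/store and a guixbuild group, and the kernel has overlayfs.
set -eu

STORE=/gnu/store

# DRY_RUN=1 prints the privileged commands instead of running them, so the
# sequence can be reviewed (or tested) without root and without a spare disk.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make the store copy-on-write: reads fall through to the host's store, while
# every store item that `guix system init` produces lands on the target disk,
# which is where the new system expects to find it after boot.
cow_store_mount() {
    target=$1
    rw_dir=$target$STORE
    work_dir=$target/gnu/.overlayfs-workdir   # overlayfs needs its own work dir
    run mkdir -p "$rw_dir" "$work_dir" /.rw-store
    # guix-daemon refuses a store that is not root:guixbuild with the sticky
    # bit set, so the upper layer must look like a real store directory.
    run chown 0:guixbuild "$rw_dir"
    run chmod 1775 "$rw_dir"
    run mount -t overlay overlay \
        -o "lowerdir=$STORE,upperdir=$rw_dir,workdir=$work_dir" /.rw-store
    # Put the overlay on top of the real store path so the daemon uses it.
    run mount --move /.rw-store "$STORE"
}

# Install the system described by the config onto the target disk.
guix_system_init() {
    target=$1
    config=$2
    [ -f "$config" ] || { echo "missing config: $config" >&2; return 1; }
    run guix system init "$config" "$target"
}

main() {
    target=${1:-/mnt}
    config=${2:-config.scm}
    # Refuse to run against anything that is not a mounted target disk, so a
    # typo cannot turn the build host's own store into an overlay.
    if [ "${DRY_RUN:-0}" != 1 ] && ! mountpoint -q "$target"; then
        echo "$target is not a mount point" >&2
        return 1
    fi
    cow_store_mount "$target"
    guix_system_init "$target" "$config"
}

# Usage: sh cow-store-init.sh --run /mnt config.scm  (add DRY_RUN=1 to preview)
case ${1:-} in
    --run) shift; main "$@" ;;
esac
```

Running it with DRY_RUN=1 first shows the exact mount commands; that is the sequence to check against the installer's own cow-store service before trusting it on a real disk.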

But there's more to it. AWS provides a way to inject SSH keys into newly created instances. Technically, AWS provides the public key in the metadata store, which can be queried by every instance. The instance is then supposed to include this key as part of its ssh setup.

The most recent change I made to the images was to include a service that queries the metadata store at boot time of the machine and places the key in the ssh configuration for user alyssa.

You don't need to use this mechanism. In fact you can easily inject your own keys into the images at build time, disregarding the AWS provided public keys.

In some setups it might be required to build images with predefined or even no keys, in other cases the AWS provided functionality might be useful. In all cases this is a feature that people have come to expect from images on AWS.
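As an added example, not the service the post describes, here is the shape of a boot-time script that does what that service does: fetch the key from the metadata store and place it in the user's authorized_keys. It assumes curl is on the image, uses the documented public-keys/0/openssh-key metadata path with a session token, and takes the user name and home directory as parameters (the post uses the user alyssa). It also treats the metadata response as untrusted input: only a single well-formed key line is accepted, so an authorized_keys options field cannot be smuggled in front of the key, and the files get the permissions sshd's StrictModes expects.

```shell
#!/bin/sh
# Added example, not the author's service: fetch the instance's SSH public key
# from the EC2 metadata store at boot and install it for one user.
# Assumptions: curl is available; the key is served at the documented IMDS
# path public-keys/0/openssh-key; user and home directory are passed in.
set -eu

IMDS=${IMDS:-http://169.254.169.254}

# Fetch the key with a short-lived IMDSv2 session token, so a plain GET from a
# process that merely reaches the link-local address is not enough.
fetch_key() {
    token=$(curl -sf -X PUT "$IMDS/latest/api/token" \
                -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/latest/meta-data/public-keys/0/openssh-key"
}

# Accept only one well-formed OpenSSH public-key line. Whatever the metadata
# store hands back goes straight into authorized_keys, so it is validated as
# untrusted input rather than appended verbatim.
validate_pubkey() {
    key=$1
    # Exactly one line: a second line would be a second key.
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    # Key type must come first (no options field), then base64 key data and
    # an optional comment without whitespace. ssh-dss is deliberately absent.
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Install the key under $home/.ssh with the permissions sshd's StrictModes
# requires, without duplicating a key that is already present (the script
# runs on every boot).
install_key() {
    user=$1
    home=$2
    key=$3
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chown -R "$user" "$sshdir"
}

main() {
    user=${1:?user}
    home=${2:?home}
    key=$(fetch_key) || { echo "no key in metadata store" >&2; return 1; }
    validate_pubkey "$key" || { echo "rejected malformed key" >&2; return 1; }
    install_key "$user" "$home" "$key"
}

# Usage at boot: sh aws-ssh-key.sh --run alyssa /home/alyssa
case ${1:-} in
    --run) shift; main "$@" ;;
esac
```

The build-time alternative the post mentions (baking your own keys into the image) is simply install_key run during provisioning with a key you supply, with fetch_key left out.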

This is where we stand now. Simply running packer in a guix-packer checkout will give you a working Guix cloud image. While bootstrapping from Ubuntu might seem like a bad idea, I actually prefer to do it this way. Building in the cloud is in many ways faster and easier than building at home and hauling an 8 GiB image across a residential internet connection.

Towards public images

The next steps towards providing public images (just click on GuixSD and be done) will roughly follow these paths.

I think we need a second provisioning step that runs guix pull && guix system reconfigure to get the latest package content into the image, especially because this step can eat up a lot of time.

All ssh host keys need to be removed and a service that improves the availability of randomness needs to be built into the system.
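As an added example of the host-key clean-up step (not part of guix-packer), the script below scrubs per-instance state out of the installed target before the disk is snapshotted, and audits that nothing is left. If the golden master kept its host keys, every instance launched from the public image would present the same host identity, and a saved random seed would give them all the same starting entropy. The paths used (/etc/ssh/ssh_host_*_key for OpenSSH host keys, /var/lib/random-seed for the urandom seed) are assumptions to check against the deployed config.scm.

```shell
#!/bin/sh
# Added example, not part of the guix-packer project: remove state that must
# be unique per instance from the installed system under the given root
# before the snapshot is taken.
# Assumptions: the target root is mounted at $1 (the post uses /mnt); host
# keys live at etc/ssh/ssh_host_*_key and the urandom seed at
# var/lib/random-seed relative to that root.
set -eu

# Globs (relative to the root) of files that must never ship in an image.
per_instance_state() {
    cat <<'EOF'
etc/ssh/ssh_host_*_key
etc/ssh/ssh_host_*_key.pub
var/lib/random-seed
EOF
}

# Delete every match under the root and print what was removed, one per line.
scrub_image() {
    root=$1
    per_instance_state | while read -r pattern; do
        for path in "$root"/$pattern; do      # glob expands under $root only
            [ -e "$path" ] || continue        # unmatched glob stays literal
            rm -f -- "$path"
            printf 'removed %s\n' "$path"
        done
    done
}

# Fail if any per-instance file is still present; run this as the last step
# before `packer` snapshots the disk.
audit_image() {
    root=$1
    leftovers=$(per_instance_state | while read -r pattern; do
        for path in "$root"/$pattern; do
            [ -e "$path" ] || continue
            printf '%s\n' "$path"
        done
    done)
    if [ -n "$leftovers" ]; then
        printf 'per-instance state still present:\n%s\n' "$leftovers" >&2
        return 1
    fi
}

main() {
    root=${1:?target root}
    # Never scrub the build host itself; the target is a separate mount.
    [ "$root" != / ] || { echo "refusing to scrub /" >&2; return 1; }
    scrub_image "$root"
    audit_image "$root"
}

# Usage: sh scrub-image.sh --run /mnt
case ${1:-} in
    --run) shift; main "$@" ;;
esac
```

Removing the keys is enough for OpenSSH on Guix, whose service generates missing host keys when the system is activated, so each instance ends up with its own; the random seed is then regenerated from the first boot's own entropy rather than copied from the golden master.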

We need a way to extend the Guix config to allow provisioning of additional disks, when these have been attached during instance creation.

There's much more to do: currently console screengrabs don't work, system logs are not displayed in the AWS console, and so on. On the other hand, the Elastic Network Adapter is supported by default in Linux-libre and we enable it as part of the packer config, which makes it possible to use the most recent AWS instance generation (e.g. C5 instances).

I hope to deliver public GuixSD images for AWS in the coming weeks.
