diff options
Diffstat (limited to 'doc/guix.texi')
| -rw-r--r-- | doc/guix.texi | 119 |
1 files changed, 116 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index fcffa5a22b..93d1c2be3b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -10,7 +10,7 @@ @include version.texi @copying -Copyright @copyright{} 2012, 2013 Ludovic Courtès@* +Copyright @copyright{} 2012, 2013, 2014 Ludovic Courtès@* Copyright @copyright{} 2013 Andreas Enge@* Copyright @copyright{} 2013 Nikita Karetnikov @@ -213,7 +213,8 @@ Bash syntax and the @code{shadow} commands): do useradd -g guix-builder -G guix-builder \ -d /var/empty -s `which nologin` \ - -c "Guix build user $i" guix-builder$i; + -c "Guix build user $i" --system \ + guix-builder$i; done @end example @@ -236,6 +237,14 @@ case, shared memory support is unavailable in the chroot environment. The workaround is to make sure that @file{/dev/shm} is directly a @code{tmpfs} mount point.}. +Finally, you may want to generate a key pair to allow the daemon to +export signed archives of files from the store (@pxref{Invoking guix +archive}): + +@example +# guix archive --generate-key +@end example + Guix may also be used in a single-user setup, with @command{guix-daemon} running as an unprivileged user. However, to maximize non-interference of build processes, the daemon still needs to perform certain operations @@ -407,9 +416,10 @@ management tools it provides. @menu * Features:: How Guix will make your life brighter. * Invoking guix package:: Package installation, removal, etc. -* Packages with Multiple Outputs:: Single source package, multiple outputs. +* Packages with Multiple Outputs:: Single source package, multiple outputs. * Invoking guix gc:: Running the garbage collector. * Invoking guix pull:: Fetching the latest Guix and distribution. +* Invoking guix archive:: Exporting and importing store files. @end menu @node Features @@ -914,6 +924,103 @@ Use the bootstrap Guile to build the latest Guix. This option is only useful to Guix developers. @end table + +@node Invoking guix archive +@section Invoking @command{guix archive} + +The @command{guix archive} command allows users to @dfn{export} files +from the store into a single archive, and to later @dfn{import} them. +In particular, it allows store files to be transferred from one machine +to another machine's store. For example, to transfer the @code{emacs} +package to a machine connected over SSH, one would run: + +@example +guix archive --export emacs | ssh the-machine guix archive --import +@end example + +@noindent +However, note that, in this example, all of @code{emacs} and its +dependencies are transferred, regardless of what is already available in +the target machine's store. The @code{--missing} option can help figure +out which items are missing from the target's store. + +Archives are stored in the ``Nix archive'' or ``Nar'' format, which is +comparable in spirit to `tar'. When exporting, the daemon digitally +signs the contents of the archive, and that digital signature is +appended. When importing, the daemon verifies the signature and rejects +the import in case of an invalid signature or if the signing key is not +authorized. +@c FIXME: Add xref to daemon doc about signatures. + +The main options are: + +@table @code +@item --export +Export the specified store files or packages (see below.) Write the +resulting archive to the standard output. + +@item --import +Read an archive from the standard input, and import the files listed +therein into the store. Abort if the archive has an invalid digital +signature, or if it is signed by a public key not among the authorized +keys (see @code{--authorize} below.) + +@item --missing +Read a list of store file names from the standard input, one per line, +and write on the standard output the subset of these files missing from +the store. + +@item --generate-key[=@var{parameters}] +@cindex signing, archives +Generate a new key pair for the daemons. This is a prerequisite before +archives can be exported with @code{--export}. Note that this operation +usually takes time, because it needs to gather enough entropy to +generate the key pair. + +The generated key pair is typically stored under @file{/etc/guix}, in +@file{signing-key.pub} (public key) and @file{signing-key.sec} (private +key, which must be kept secret.) When @var{parameters} is omitted, it +is a 4096-bit RSA key. Alternately, @var{parameters} can specify +@code{genkey} parameters suitable for Libgcrypt (@pxref{General +public-key related Functions, @code{gcry_pk_genkey},, gcrypt, The +Libgcrypt Reference Manual}). + +@item --authorize +@cindex authorizing, archives +Authorize imports signed by the public key passed on standard input. +The public key must be in ``s-expression advanced format''---i.e., the +same format as the @file{signing-key.pub} file. + +The list of authorized keys is kept in the human-editable file +@file{/etc/guix/acl}. The file contains +@url{http://people.csail.mit.edu/rivest/Sexp.txt, ``advanced-format +s-expressions''} and is structured as an access-control list in the +@url{http://theworld.com/~cme/spki.txt, Simple Public-Key Infrastructure +(SPKI)}. +@end table + +To export store files as an archive to the standard output, run: + +@example +guix archive --export @var{options} @var{specifications}... +@end example + +@var{specifications} may be either store file names or package +specifications, as for @command{guix package} (@pxref{Invoking guix +package}). For instance, the following command creates an archive +containing the @code{gui} output of the @code{git} package and the main +output of @code{emacs}: + +@example +guix archive --export git:gui /nix/store/...-emacs-24.3 > great.nar +@end example + +If the specified packages are not built yet, @command{guix archive} +automatically builds them. The build process may be controlled with the +same options that can be passed to the @command{guix build} command +(@pxref{Invoking guix build}). + + @c ********************************************************************* @node Programming Interface @chapter Programming Interface @@ -1559,6 +1666,12 @@ packages locally. Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries. +@item --no-build-hook +Do not attempt to offload builds @i{via} the daemon's ``build hook''. +That is, always build things locally instead of offloading builds to +remote machines. +@c TODO: Add xref to build hook doc. + @item --max-silent-time=@var{seconds} When the build or substitution process remains silent for more than @var{seconds}, terminate it and report a build failure. |