Can guix deploy prevent a lockout?

Thu, 26 Feb 2026 03:31:23 -0800 

Hi help-guix,
I am wanting to try out the `guix deploy` command, but I am a little scared to use it. If I make a mistake in my OS config (such as removing a public key by mistake, or breaking the network configuration) then I might lock myself out. Of course, since this is a guix system, it is trivial to roll back to a previous generation, so long as I can still issue the command to roll back. 


I am looking for a mechanism whereby the system can be made to 
automatically issue a rollback command if the deployment fails somehow. 
Obviously, if your operating system config is badly broken (e.g. invalid 
syntax) then it will not build and the deployment will not proceed. I am 
thinking of the case where the OS is validly configured, but does not 
satisfy certain desired properties (like permitting SSH from a certain key).



Of course, since deploying a full guix system image can alter the OS in 
more or less arbitrary ways, not everything can be guaranteed. The 
simplest thing I can think of that might work is to include a shepherd 
service in your OS config which will automatically issue a guix system 
roll-back (and perhaps also rebooting) unless a certain post-release 
"deploy succeeded" signal is received. For instance, you could configure 
your deployment script to halt this service via ssh, and if you don't do 
this within 30 seconds, the rollback occurs. As long as this service 
remains in your OS config, you could screw up everything else and it 
should remain accessible (after waiting for the timeout, at least).



I could not see any evidence from the manual that `guix deploy` does 
something like this automatically. I can see the flags --timeout and 
--max-silent-time, but I think these are to guard against slow builds, 
rather than mistakes necessarily. There is also guix deploy --roll-back, 
which would not work in the scenario I'm imagining.



I will probably attempt to write something, unless I find out somebody 
else has. So if you are interested in this, even if you don't have an 
answer, let me know.


Dan
























					Reply via email to