When running
propellor --spin newhost
I get (after installing gnupg, ghc, libghc-*, make)
....
Downloading the latest package list from hackage.haskell.org
Killed
Killed
Killed
maybe there is not enough memory, or propellor has a kind of timeout somewhere (newhost is a slow arm router), but I don't understand why propellor (cabal) needs this package list.
looking at newhost logs, I found:
Sep 8 18:02:44 newhost kernel: Out of memory: Kill process 31874 (cabal) score 824 or sacrifice child
Propellor needs to build itself from source on the host it's provisioning, and so it needs to install its haskell library dependencies.
It first does this by trying to apt-get install all the relevant packages. However, that might fail for some reason, including perhaps that new enough versions of some library is not available to apt-get. So, it then also asks cabal to install any missing dependencies. This is where the
cabal updatecomes in. I'd rather only do that if apt didn't install all necessary deps, but I don't currently know how to check that, so it does it always.It looks like cabal may be allocating too much memory to work on your arm router. This could be because of a problem in depenedency resolution, which sometimes runs cabal out of memory even on big boxes, or it could just be too memory hungry to be practical there.
The smallest system I've successfully run git-annex on had 500 mb of memory. IIRC, most memory is used when ghc is compiling propellor.
The host has 128Mo of RAM :-). All dependencies should be available to apt-get, though... as it runs debian jessie. I used propellor on several other hosts running jessie also, and (it seems that) they didn't download the package list.
Downloading anything from hackage is problematic because cabal uses insecure http (potential MITM), and a new version of a dependency may introduce security holes.
As side note, stack may be an alternative to cabal in the case where apt can't find all the dependencies: it downloads everything securely, and stackage allows to deal with dependencies issues: the build may probably fail if new incompatible versions of propellor dependencies are released to hackage. Or maybe using strict versioning would be a solution there. Or maybe building propellor (at least for host with the same architecture) before sending it to the host?
Cabal is going to download securely soon enough. There's already a branch of cabal that can do it.