Purely Functional Configuration Management with Nix and NixOS (infoq.com)
Configuration management is the foundation that makes modern infrastructure possible. Tools that enable configuration management are required in the toolbox of any operations team, and many development teams as well. Although all the tools aim to solve the same basic set of problems, they adhere to different visions and exhibit different characteristics. The issue is how to choose the tool that best fits each organization's scenarios.
22 comments
[ 3.1 ms ] story [ 54.0 ms ] threadRight now, versions are just loosely selected so it would be (eg: there's a ruby193 and ruby20). If one version gets dropped in nigpkgs or the selector is not specific enough breakage would easily happen.
What you describe would be fairly easy to script. I'm playing around with similar ideas. It's not exposed by default, but the included script `nix-prefetch-git` dumps a git repo into the nix store, and when you run it from your shell, you have access to ssh keys and ssl certs (that are unavailable within a normal nix build).
The next step is harder like you say, you'd either need to include nix expressions for all dependencies on down through libc and gcc, or just assume/hope that "whatever happens to be in the local nixpkgs" is appropriate, but then you kinda lose out on a lot of the point of nix. It'd be nice if there were some way to reference a version of nixpkgs from which the expressions for "ruby20" and its dependencies would be drawn (but then you'd end up with hundreds of slightly different versions of nixpkgs tarballs from every github project with no easy way to update).
If we imagine a scenario where our bootstrap package already contains a .nixpkg in its root directory, and we augmented git with a pre-commit hook which mechanically extracted nixpkgs from all submodules, and we introduced a chain of git repositories where submodules are ubiquitously used for our entire system, maybe we could automatically produce the required .nixpkg for each commit (might require us to insert a "package template" into the root of each repository).
https://bitbucket.org/cofarrell/one-build-tool/src/master/RE...
Would love to hear any feedback people have about the idea.
Does use of Nix encourage insecurity by making it easy to use several outdated copies of each piece of software simultaneously?
I've been an Ubuntu user for some years now, and feel pretty comfortable with the terminal, but haven't setup xwindows or ALSA manually or anything like that for example.
It uses upstream Nix, but replaces the programming language with Scheme. Like NixOS, Guix is also a distribution: a fully free distribution of the GNU system.
If the day to day details come anywhere close to the high level promise, this seems like it'll be totally amazing.
* How hard is it to use?
* How easy is it to break?
It's difficult to break because packages are immutable, and the /nix/store where they are held is read-only - it can only be modified by a user with root privileges (which should be never), or the nix daemon (which runs as root).
The caveat is that packages have identities - you can't simply swap out a dependency for an equivalent version which has a different identity, without also updating all of the dependents of that package. "Swapping out" is the wrong term, since all versions can live alongside each other - it's more that, applications at the bottom of the chain will not automatically receive the updates of dependencies (for bug-fixes, etc) - you must also update all dependents to make use of such bug-fixes. For a bug-fix in the compiler for instance, that effectively means updating the entire distribution.
This could open up significant challenges in the area of live-patching on running systems, as the current research and tooling for this is built on the assumption that you can overwrite packages. On the other hand, I actually think Nix provides a better model for live-updating, because immutability is much more suited to making the kind of transactions we really need to perform them.
Arguably, shared libraries could be obsoleted and everything could be statically linked too, which could provide performance gains at the cost of memory/storage.
The packaging system is very friendly to beginners since it is straight forward to experiment with writing new packages installing them and then reverting if it does not work quite right. Or even better switching to a different profile with a different set of packages installed and coming back to your experiment later.
> How easy is it to break?
In the sense that the packages start conflicting with each other? The packages that come with nixpkgs rarely if every caused a conflict with other packages in nixpkgs. When they do I can simply roll back and make changes to the package.
If you explicitly mount the read only /nix/store as read/write and alter packages manually you can cause yourself some trouble, but it is something that is explicitly marked as dangerous and nearly unnecessary.
This one seems to be solving the right problems. But I hope they didn't get too carried away with solving the problem of being functional... that's not a real problem.
Similar experience with ubuntu and upgrading to different versions was my motivation to use nix. It was made worse by my efforts to install cutting edge versions of numpy and scipy at the time.
> But I hope they didn't get too carried away with solving the problem of being functional... that's not a real problem.
Heh, they are practical bunch, well at least good chunks of nix, nixos, hydra are written in perl and nixops is written in python. I think the main argument for the former was they all knew perl at the time and want to make sure it was reasonable to port to several systems including cygwin on windows thought it is no longer has tier one support.