15 Oct 2021 |
David Arnold (blaggacao) | OCI containers have isolation, too. | 21:03:54 |
David Arnold (blaggacao) | so the only delta is systemd. | 21:04:02 |
David Arnold (blaggacao) | which nobody needs or wants when running containers. | 21:04:12 |
@timdeh:matrix.org | yeah exactly, but if you don't want to reuse the NixOS module ecosystem, then you really don't have to care too much | 21:04:38 |
@timdeh:matrix.org | It's only if you do | 21:04:43 |
David Arnold (blaggacao) | yeah, the nix-os module system's config database. | 21:05:29 |
David Arnold (blaggacao) | Otoh, a container would typically run only a binary... | 21:05:57 |
David Arnold (blaggacao) | or translated to the nixos module system: each systemd unit would sit in its own container. | 21:06:30 |
David Arnold (blaggacao) | So the interop of services is even up to the operator if nixos modules are used to run those services as containers... | 21:07:25 |
@kraftnix:matrix.org | it does some isolation, but isolation is not considered to be for security (at least according to the notes of the old nixos-containers) | 21:07:30 |
@kraftnix:matrix.org | for me it's that my nspawn containers are just mini nixos' and i can redeploy a basically identical config to bare metal. while in containers i can control inter-container networking + outside networking more than just running as regular processes on a single nixos box. | 21:07:30 |
David Arnold (blaggacao) | Yeah, I think they make great sense if the goal is to run a NixOs system as container. | 21:08:05 |
@timdeh:matrix.org | Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler | 21:09:01 |
@kraftnix:matrix.org | the security aspect is why i'm looking into firecracker/cloud-hypervisor microvms, with nspawn you are really relying on systemd security for container workloads :/ | 21:10:20 |
@kraftnix:matrix.org | In reply to @timdeh:matrix.org "Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler"
so many modules use systemd specific notation in those ExecStarts + scripts | 21:10:53 |
@timdeh:matrix.org | yeah, it might be even more complicated actually 😅 | 21:11:23 |
@kraftnix:matrix.org | systemd is so embedded into nixos, it very possibly might be the most systemd integrated os? | 21:11:58 |
David Arnold (blaggacao) | In reply to @timdeh:matrix.org "Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler"
* That could work, but the benefits are thinning. A datacenter runtime (such as mesos, nomad, k8s) still needs to have all the configuration defined "out of band". | 21:12:06 |
@timdeh:matrix.org | Maybe that's the reason it hasn't been done 🤷 | 21:12:44 |
David Arnold (blaggacao) | most binaries run just fine without an init system. and if they need one, because they better run in tandem and the runtime does not provide ipc groups, then maybe s6. | 21:13:29 |
David Arnold (blaggacao) | But config mgt is always a different part. I like RFC42 which makes the upstream config transparent & reduces "reimplementing the world" tendencies. | 21:14:31 |
@timdeh:matrix.org | yes that's what I liked about:
https://github.com/NixOS/nixpkgs/pull/137325 | 21:22:56 |
@kraftnix:matrix.org | that would definitely help make any transition easier, it also would be greatly helpful overall and help simplify projects like home-manager | 21:23:18 |
17 Oct 2021 |
yusdacra | Would anyone happen to know why trying to build my system now tries to build many rust projects and cargo 1.52.1? It also tries to build polkit and spidermonkey for some reason. I am using 70088dc29994c32f8520150e34c6e57e8453f895 for my latest nixpkgs and the release-21.05 for base. | 07:57:54 |
18 Oct 2021 |
@gytis-ivaskevicius:matrix.org | David Arnold (blaggacao): I've noticed you going through rfcs | 05:52:11 |
@gytis-ivaskevicius:matrix.org | formatting nixpkgs | 05:52:19 |
@gytis-ivaskevicius:matrix.org | would you be interested in pushing some formatting changes? I'd like if it were to be able to format nix in denser manner | 05:52:59 |
@gytis-ivaskevicius:matrix.org | { abc }: {
a1 = let
a = 123;
in {
b = 123;
};
a2 = let inherit (builtins) mapAttrs; in {
b = 123;
};
a3 = abc: let
xyz = 123;
in {
abc = 123;
};
a4 = let x = 5; in {
y = x;
};
a5 =
let x = 5;
in x + 5;
a6 = let
x = 5;
in if x == t then 10 else null;
a7 = obj: {
x = 5;
} // obj;
}
| 05:53:22 |