!UUqahLbShAYkkrXmKs:matrix.org

DevOS

37 Members
Seeking help and geeking out together on https://github.com/divnix/devos & https://github.com/divnix/digga

10 Servers



15 Oct 2021
[21:03:54] David Arnold (blaggacao): OCI containers have isolation, too.
[21:04:02] David Arnold (blaggacao): so the only delta is systemd.
[21:04:12] David Arnold (blaggacao): which nobody needs or wants when running containers.
[21:04:38] @timdeh:matrix.org: yeah exactly, but if you don't want to reuse the NixOS module ecosystem, then you really don't have to care too much
[21:04:43] @timdeh:matrix.org: It's only if you do
[21:05:29] David Arnold (blaggacao): yeah, the nix-os module system's config database.
[21:05:57] David Arnold (blaggacao): Otoh, a container would typically run only a binary...
[21:06:30] David Arnold (blaggacao): or translated to the nixos module system: each systemd unit would sit in its own container.
[21:07:25] David Arnold (blaggacao): So the interop of services is even up to the operator if nixos modules are used to run those services as containers...
[21:07:30] @kraftnix:matrix.org: it does some isolation, but isolation is not considered to be for security (at least according to the notes of the old nixos-containers)
[21:07:30] @kraftnix:matrix.org: for me it's that my nspawn containers are just mini nixos' and i can redeploy a basically identical config to bare metal. while in containers i can control inter-container networking + outside networking more than just running as regular processes on a single nixos box.
[21:08:05] David Arnold (blaggacao): Yeah, I think they make great sense if the goal is to run a NixOs system as container.
[21:09:01] @timdeh:matrix.org: Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler
[21:10:20] @kraftnix:matrix.org: the security aspect is why i'm looking into firecracker/cloud-hypervisor microvms, with nspawn you are really relying on systemd security for container workloads :/
[21:10:53] @kraftnix:matrix.org, in reply to @timdeh:matrix.org ("Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler"): so many modules use systemd specific notation in those ExecStarts + scripts
[21:11:23] @timdeh:matrix.org: yeah, it might be even more complicated actually 😅
[21:11:58] @kraftnix:matrix.org: systemd is so embedded into nixos, it very possibly might be the most systemd integrated os?
[21:12:00] David Arnold (blaggacao), in reply to @timdeh:matrix.org ("Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler"): That could work, but the benefits are thinning. A datacenter runtime (such as mesos, nomad, k8s) still needs to have all the configuration defined "out of band". (edited 21:12:06)
[21:12:44] @timdeh:matrix.org: Maybe that's the reason it hasn't been done 🤷
[21:13:29] David Arnold (blaggacao): most binaries run just fine without an init system. and if they need one, because they better run in tandem and the runtime does not provide ipc groups, then maybe s6.
[21:14:31] David Arnold (blaggacao): But config mgt is always a different part. I like RFC42 which makes the upstream config transparent & reduces "reimplementing the world" tendencies.
[21:22:56] @timdeh:matrix.org: yes that's what I liked about: https://github.com/NixOS/nixpkgs/pull/137325
[21:23:18] @kraftnix:matrix.org: that would definitely help make any transition easier, it also would be greatly helpful overall and help simplify projects like home-manager
17 Oct 2021
[07:57:54] yusdacra: Would anyone happen to know why trying to build my system now tries to build many rust projects and cargo 1.52.1? It also tries to build polkit and spidermonkey for some reason. I am using 70088dc29994c32f8520150e34c6e57e8453f895 for my latest nixpkgs and the release-21.05 for base.
[19:02:58] mars joined the room.
18 Oct 2021
[05:52:11] @gytis-ivaskevicius:matrix.org: David Arnold (blaggacao): I've noticed you going through rfcs
[05:52:19] @gytis-ivaskevicius:matrix.org: formatting nixpkgs
[05:52:59] @gytis-ivaskevicius:matrix.org: would you be interested in pushing some formatting changes? I'd like if it were to be able to format nix in a denser manner
[05:53:22] @gytis-ivaskevicius:matrix.org:

# Layout sample for a denser Nix style. Two evaluation errors in the
# posted version are fixed here so the file loads: the attribute `a5`
# was defined twice (a duplicate attribute is an error in Nix), and
# the second one compared `x` against an undefined name `t`.
{ abc }: {

  a1 = let
    a = 123;
  in {
    b = 123;
  };

  a2 = let inherit (builtins) mapAttrs; in {
    b = 123;
  };

  a3 = abc: let
    xyz = 123;
  in {
    abc = 123;
  };

  a4 = let x = 5; in {
    y = x;
  };

  a5 =
    let x = 5;
    in x + 5;

  # was a second `a5`, comparing against undefined `t`
  a6 = let
    x = 5;
  in if x == 5 then 10 else null;


  a7 = obj: {
    x = 5;
  } // obj;

}



