| 15 Oct 2021 |
@timdeh:matrix.org | Maybe, or maybe this project was abandoned 3 years ago for a reason? 😅 | 20:56:15 |
David Arnold (blaggacao) | In reply to @timdeh:matrix.org It is at risk of being horribly outdated though, it seems. I assume because a better solution exists already. | 20:56:21 |
@timdeh:matrix.org | I hope you are right | 20:56:31 |
@timdeh:matrix.org | 🤞 | 20:56:35 |
David Arnold (blaggacao) | In reply to @timdeh:matrix.org Maybe, or maybe this project was abandoned 3 years ago for a reason? 😅 I think it was attempted for a reason. :smile: | 20:57:27 |
@timdeh:matrix.org | Oh yeah definitely | 20:57:43 |
@timdeh:matrix.org | I would love it if NixOS containers were OCI compliant, for obvious, work reasons 😛
And I'm sure I'm not the only one. | 20:58:11 |
David Arnold (blaggacao) | Doesn't seem too outdated: https://github.com/projectatomic/oci-systemd-hook/releases/tag/v0.2.0 | 21:00:16 |
@timdeh:matrix.org | There have been 6 or 7 systemd releases since then though, and given how little they seem to care for backwards compat at times, that may be an issue | 21:02:52 |
David Arnold (blaggacao) | What's the benefit of using NixOS containers then, at all? | 21:03:27 |
@timdeh:matrix.org | isolation I guess? | 21:03:42 |
@timdeh:matrix.org | false sense of security maybe 😛 | 21:03:51 |
David Arnold (blaggacao) | OCI containers have isolation, too. | 21:03:54 |
David Arnold (blaggacao) | so the only delta is systemd. | 21:04:02 |
David Arnold (blaggacao) | which nobody needs or wants when running containers. | 21:04:12 |
@timdeh:matrix.org | yeah exactly, but if you don't want to reuse the NixOS module ecosystem, then you really don't have to care too much | 21:04:38 |
@timdeh:matrix.org | It's only if you do | 21:04:43 |
David Arnold (blaggacao) | yeah, the NixOS module system's config database. | 21:05:29 |
David Arnold (blaggacao) | OTOH, a container would typically run only a binary... | 21:05:57 |
David Arnold (blaggacao) | or translated to the NixOS module system: each systemd unit would sit in its own container. | 21:06:30 |
David Arnold (blaggacao) | So the interop of services is even up to the operator if NixOS modules are used to run those services as containers... | 21:07:25 |
@kraftnix:matrix.org | it does some isolation, but isolation is not considered to be for security (at least according to the notes of the old nixos-containers) | 21:07:30 |
@kraftnix:matrix.org | for me it's that my nspawn containers are just mini NixOSes and I can redeploy a basically identical config to bare metal. While in containers I can control inter-container networking + outside networking more than just running as regular processes on a single NixOS box. | 21:07:30 |
David Arnold (blaggacao) | Yeah, I think they make great sense if the goal is to run a NixOS system as a container. | 21:08:05 |
@timdeh:matrix.org | Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler | 21:09:01 |
@kraftnix:matrix.org | the security aspect is why I'm looking into firecracker/cloud-hypervisor microvms; with nspawn you are really relying on systemd security for container workloads :/ | 21:10:20 |
@kraftnix:matrix.org | In reply to @timdeh:matrix.org Maybe we could do it the other way around? Figure out a way to wrap any ExecStart binary from a systemd service in an OCI container. Although that may not be much simpler so many modules use systemd-specific notation in those ExecStarts + scripts | 21:10:53 |
@timdeh:matrix.org | yeah, it might be even more complicated actually 😅 | 21:11:23 |
@kraftnix:matrix.org | systemd is so embedded into NixOS, it very possibly might be the most systemd-integrated OS? | 21:11:58 |