summaryrefslogtreecommitdiff
path: root/2016-01-20-guix-blu
diff options
context:
space:
mode:
Diffstat (limited to '2016-01-20-guix-blu')
-rw-r--r--2016-01-20-guix-blu/awesome-rating.pngbin0 -> 6359 bytes
-rw-r--r--2016-01-20-guix-blu/cons-cats.jpgbin0 -> 47743 bytes
-rw-r--r--2016-01-20-guix-blu/containers.jpgbin0 -> 317763 bytes
-rw-r--r--2016-01-20-guix-blu/contributor-graph.pngbin0 -> 16887 bytes
-rw-r--r--2016-01-20-guix-blu/docker-insecure.pngbin0 -> 40444 bytes
-rw-r--r--2016-01-20-guix-blu/guile-logo.pngbin0 -> 11808 bytes
-rw-r--r--2016-01-20-guix-blu/guix-blu-2016-01-20.org655
-rw-r--r--2016-01-20-guix-blu/guix-blu-2016-01-20.pdfbin0 -> 1465462 bytes
-rw-r--r--2016-01-20-guix-blu/guix-blu-2016-01-20.pdf.oldbin0 -> 1465462 bytes
-rw-r--r--2016-01-20-guix-blu/guix-logo.pngbin0 -> 12873 bytes
-rw-r--r--2016-01-20-guix-blu/guixsd-logo.pngbin0 -> 13869 bytes
-rw-r--r--2016-01-20-guix-blu/livestreamer-graph.pngbin0 -> 95079 bytes
-rw-r--r--2016-01-20-guix-blu/nsa-vw.pngbin0 -> 501503 bytes
-rw-r--r--2016-01-20-guix-blu/service-graph.pngbin0 -> 166069 bytes
-rw-r--r--2016-01-20-guix-blu/stats.pngbin0 -> 86885 bytes
15 files changed, 655 insertions, 0 deletions
diff --git a/2016-01-20-guix-blu/awesome-rating.png b/2016-01-20-guix-blu/awesome-rating.png
new file mode 100644
index 0000000..f05b352
--- /dev/null
+++ b/2016-01-20-guix-blu/awesome-rating.png
Binary files differ
diff --git a/2016-01-20-guix-blu/cons-cats.jpg b/2016-01-20-guix-blu/cons-cats.jpg
new file mode 100644
index 0000000..fd77ab8
--- /dev/null
+++ b/2016-01-20-guix-blu/cons-cats.jpg
Binary files differ
diff --git a/2016-01-20-guix-blu/containers.jpg b/2016-01-20-guix-blu/containers.jpg
new file mode 100644
index 0000000..fcf359a
--- /dev/null
+++ b/2016-01-20-guix-blu/containers.jpg
Binary files differ
diff --git a/2016-01-20-guix-blu/contributor-graph.png b/2016-01-20-guix-blu/contributor-graph.png
new file mode 100644
index 0000000..e248159
--- /dev/null
+++ b/2016-01-20-guix-blu/contributor-graph.png
Binary files differ
diff --git a/2016-01-20-guix-blu/docker-insecure.png b/2016-01-20-guix-blu/docker-insecure.png
new file mode 100644
index 0000000..068d296
--- /dev/null
+++ b/2016-01-20-guix-blu/docker-insecure.png
Binary files differ
diff --git a/2016-01-20-guix-blu/guile-logo.png b/2016-01-20-guix-blu/guile-logo.png
new file mode 100644
index 0000000..4edcc16
--- /dev/null
+++ b/2016-01-20-guix-blu/guile-logo.png
Binary files differ
diff --git a/2016-01-20-guix-blu/guix-blu-2016-01-20.org b/2016-01-20-guix-blu/guix-blu-2016-01-20.org
new file mode 100644
index 0000000..8f4547e
--- /dev/null
+++ b/2016-01-20-guix-blu/guix-blu-2016-01-20.org
@@ -0,0 +1,655 @@
+#+TITLE: Functional Package and Configuration Management with GNU Guix
+#+AUTHOR: David Thompson
+#+EMAIL: davet@gnu.org
+#+DATE: Wednesday, January 20th, 2016
+#+DESCRIPTION:
+#+KEYWORDS:
+#+LANGUAGE: en
+#+OPTIONS: H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
+#+OPTIONS: TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
+#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
+#+EXPORT_SELECT_TAGS: export
+#+EXPORT_EXCLUDE_TAGS: noexport
+#+LINK_UP:
+#+LINK_HOME:
+#+startup: beamer
+#+LaTeX_CLASS: beamer
+#+LaTeX_CLASS_OPTIONS: [bigger]
+#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra)
+#+LATEX_HEADER: \beamertemplatenavigationsymbolsempty
+#+BEAMER_THEME: metropolis
+
+* About me
+
+ GNU project volunteer
+
+ GNU Guile user and contributor since 2012
+
+ GNU Guix contributor since 2013
+
+ Day job: Ruby + JavaScript web development / “DevOps”
+
+* Overview
+
+ - Problems with application packaging and deployment
+ - Intro to functional package and configuration management
+ - Towards the future
+ - How you can help
+
+* User autonomy and control
+
+ It is becoming increasingly difficult to have control over your own
+ computing:
+
+ - GNU/Linux package managers not meeting user needs
+ - Self-hosting web applications requires too much time and effort
+ - Growing number of projects recommend installation via =curl | sudo
+ bash= [fn:2] or otherwise avoid using system package managers
+ - Users unable to verify that a given binary corresponds to the
+ source code
+
+* User autonomy and control
+
+ #+latex: \huge{
+ “Debian and other distributions are going to be that thing you run
+ Docker on, little more.” [fn:7]
+ #+latex: }
+
+* User autonomy and control
+
+ This is very bad for desktop users and system administrators alike.
+ We must regain control!
+
+* What’s wrong with Apt/Yum/Pacman/etc.?
+
+ Global state (=/usr=) that prevents *multiple versions* of a package
+ from coexisting.
+
+ *Non-atomic* installation, removal, upgrade of software.
+
+ No way to *roll back*.
+
+ *Nondeterminstic* package builds and maintainer-uploaded binaries.
+ (though this is changing!)
+
+ Reliance on pre-built binaries provided by a *single point of trust*.
+
+ Requires *superuser* privileges.
+
+* The problem is bigger
+
+ Proliferation of *language-specific package managers* and *binary
+ bundles* that complicate secure system maintenance.
+
+* Web applications
+
+ Web applications are particularly painful.
+
+* Web applications
+
+ It’s common for today’s web applications to require *two or more
+ package managers* to get all dependencies.
+
+* Web applications
+
+ Importing a web application available only for a language-specific
+ manager into a distribution proves difficult. NodeJS is
+ particularly frightening. [fn:6]
+
+* Web applications
+
+ There’s a growing number of popular web applications (Hadoop, Chef
+ Server, Cloudera, etc.) that *no one knows how to build from
+ source*! [fn:3]
+
+* Deployment
+
+ How do we automate application deployment without going crazy?
+
+* Chef/Puppet/Ansible/etc. are pretty good, right?
+
+ Building on top of mainstream package managers and distros yields an
+ unstable foundation.
+
+* Problems with configuration management software
+
+ - Imperative config management is overly-complex and brittle
+ (idempotence is hard)
+
+ - More reliable builds require spawning new machines and building
+ from scratch each time. (sledgehammer)
+
+ - Made primarily for developers for server maintenance, but all
+ types of users could benefit.
+
+* Docker?
+
+ Surely Docker addresses these issues?
+
+* Docker?
+
+ \center{I’m afraid not.}
+
+ \begin{center}
+ \includegraphics[height=7cm]{containers.jpg}
+ \end{center}
+
+* Problems with Docker
+
+ - Still imperative (though resulting images are immutable)
+
+ - Dockerfile DSL is not expressive
+
+ - Promotes one disk image per application to cover up underlying
+ package management mess [fn:4]
+
+ - No provenance
+
+ - Image layering is an ineffective caching strategy
+
+ - Does not compose (what about the host?)
+
+* Problems with Docker
+
+ Reliance on DockerHub binaries proves to be insecure [fn:5]
+
+ \begin{center}
+ \includegraphics[width=\textwidth]{docker-insecure.png}
+ \end{center}
+
+* Well that was pessimistic
+
+ Computers are hard. Let’s just look at cat pictures, instead.
+
+ \begin{center}
+ \includegraphics[width=8cm]{cons-cats.jpg}
+ \end{center}
+
+* Meet GNU Guix
+
+ \begin{center}
+ \includegraphics[width=5cm]{guix-logo.png}
+ \end{center}
+
+ Guix is the functional package management tool for the GNU system.
+
+ It is based on the pioneering work of the Nix project. [fn:8]
+
+* Meet GuixSD
+
+ \begin{center}
+ \includegraphics[width=4cm]{guixsd-logo.png}
+ \end{center}
+
+ GuixSD is the GNU/Linux distribution that uses Guix as its package
+ manager.
+
+* What does “functional” mean?
+
+ “Functional” in this context means treating package builds as
+ functions, in the mathematical sense.
+
+ =emacs = f(gcc,make,coreutils,…)=
+
+* Functional package management
+
+ Benefits:
+
+ - Build reproducibility
+
+ - No single point of trust
+
+ - Unprivileged package management
+
+ - Atomic upgrades and roll backs
+
+ - Multiple variants of the same software may coexist
+
+* Functional package management
+
+ The *complete dependency graph* is captured, precisely, down to the
+ *bootstrap binaries*.
+
+ No SAT solver or other complex algorithm for dependency resolution.
+
+* Functional package management
+
+ To view package builds this way, Guix performs builds in an
+ *isolated container* in which *only the specified dependencies* are
+ accessible.
+
+ Build results are *immutable*.
+
+ This maximizes *build reproducibility*.
+
+* Reproducible builds
+
+ Reproducible builds produce *bit-identical binaries* when performed
+ multiple times under the same conditions.
+
+ Requires fixing issues in upstream build systems that are
+ nondeterministic.
+
+* Why?
+
+ “With reproducible builds, multiple parties can *redo this process
+ independently* and ensure they *all get /exactly/ the same result*.
+ We can thus *gain confidence* that a distributed binary code is
+ indeed coming from a given source code.” [fn:9]
+
+* Use cases
+
+ \begin{center}
+ \includegraphics[width=\textwidth]{nsa-vw.png}
+ \end{center}
+
+* Transparent
+
+ Guix is a *source-based* package manager, but will *transparently*
+ download pre-built binaries from a trusted party, if available.
+
+ Otherwise, it will simply build from source.
+
+* Decentralized
+
+ In Guix, there is *no central point of trust* for receiving
+ pre-built binaries (substitutes).
+
+* Decentralized
+
+ Guix provides http://hydra.gnu.org, but it is optional.
+
+ Users may authorize zero or more substitute servers, or even publish
+ their own substitutes for others to use via =guix publish=.
+
+* Challenge authority
+
+ When builds are reproducible, users may *challenge* their substitute
+ providers by building locally and comparing the results.
+
+* Unprivileged
+
+ Users can build and install software *without root privileges*.
+
+* Unprivileged
+
+ Each user may have one or more “profiles”, a union of many packages.
+
+ Use cases:
+
+ - Alyssa and Ben use different versions of Emacs
+ - Alyssa hacks on 2 Ruby projects that require different versions
+
+* Atomic
+
+ Package installation/removal and full-system updates are *atomic*
+ operations, meaning that either the operation succeeds, or nothing
+ happens.
+
+* Roll back
+
+ /Any/ package transaction may be *rolled back*, likewise for
+ full-system upgrades.
+
+ If a full-system update goes wrong, just boot into the previous
+ working generation!
+
+* Coexistence
+
+ Each package has its own *unique* directory in the store that
+ contains its build artifacts.
+
+ You can have every version of Ruby, Python, and Perl under the sun
+ and that’s OK!
+
+* Demo!
+
+ =guix package=
+
+ =guix challenge=
+
+* Hacking
+
+ Guix is made to be maximally hackable, taking inspiration from
+ Emacs.
+
+ We seek to intentionally blur the line between user and developer.
+
+* Choice of language
+
+ Guix is rather special in its choice of implementation language.
+
+* Philosophy
+
+ It’s better to *extend an existing programming language* for package
+ recipes and configuration files rather than making a new,
+ domain-specific one.
+
+* Embedded vs. External DSLs
+
+ Using an extensible programming language as a host has several
+ advantages compared to external DSLs:
+
+ - No new parser, interpreter/compiler, editor tools, etc. to
+ maintain
+
+ - Access to all available libraries of the host language
+
+ - Extensions to the host language can be used as a library by
+ others
+
+ Not all general-purpose programming languages are suitable for
+ embedding new languages, [fn:1] so which did we choose?
+
+* Guile Scheme
+
+ \begin{center}
+ \includegraphics[width=4cm]{guile-logo.png}
+ \end{center}
+
+ GNU Guile is a Scheme implementation and the official extension
+ language of the GNU project.
+
+ It’s a great choice for EDSLs because of Scheme’s *hygienic macro
+ system*.
+
+ It’s a great choice for Guix because *purely functional*
+ programming is well-supported in Scheme.
+
+* Guile goes with everything
+
+ Guix uses Guile for nearly everything:
+
+ - Initial RAM disk
+
+ - Init system (GNU Shepherd, formerly GNU dmd)
+
+ - Package recipes (including build scripts!)
+
+ - Command line tools
+
+ - Low-level POSIX/Linux utilities (such as =call-with-container=)
+
+* Guix as a library
+
+ Guix is a big collection of Guile modules.
+
+ Packages are first-class Scheme objects.
+
+ Anyone can use Guix as a library to write new Guile programs that
+ manipulate package recipes, create new user interfaces (like a web
+ UI), etc.
+
+* Example package recipe
+
+ #+latex: \tiny{
+ #+BEGIN_SRC scheme
+ (define-public livestreamer
+ (package
+ (name "livestreamer")
+ (version "1.12.2")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://github.com/chrippa/livestreamer/archive/v"
+ version ".tar.gz"))
+ (file-name (string-append "livestreamer-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1fp3d3z2grb1ls97smjkraazpxnvajda2d1g1378s6gzmda2jvjd"))))
+ (build-system python-build-system)
+ (arguments
+ '(#:tests? #f)) ; tests rely on external web servers
+ (native-inputs
+ `(("python-setuptools" ,python-setuptools)))
+ (propagated-inputs
+ `(("python-requests" ,python-requests)
+ ("python-singledispatch" ,python-singledispatch)))
+ (synopsis "Internet video stream viewer")
+ (description "Livestreamer is a command-line utility that extracts streams
+ from various services and pipes them into a video playing application.")
+ (home-page "http://livestreamer.io/")
+ (license license:bsd-2)))
+ #+END_SRC
+ #+latex: }
+
+* Dependency graph
+
+ \includegraphics[width=\textwidth]{livestreamer-graph.png}
+
+* Demo!
+
+ Emacs + Geiser
+
+* Other user interfaces
+
+ Besides the CLI, there’s also an Emacs interface, naturally.
+
+ Proof of concept web interface. (not in Guix core)
+
+* Demo!
+
+ Emacs
+
+* Importing packages
+
+ The =guix import= tool that can *automatically generate code
+ snippets* for packages found in foreign systems.
+
+ Supported systems include: PyPI, RubyGems, CPAN, Hackage, ELPA, and
+ CRAN.
+
+* Auto-updating
+
+ The =guix refresh= tool can automatically find the latest release of
+ certain software.
+
+ For example, Python packages can be updated by querying PyPI for
+ information on the latest release.
+
+* Demo!
+
+ =guix import=
+
+* Reproducible development environments
+
+ Getting the dependencies needed to create development environments
+ can be tough.
+
+ Many languages invent their own solution, but this is a general
+ problem.
+
+* Reproducible development environments
+
+ Guix has a tool for this: =guix environment=
+
+ Think of it like a language-agnostic version of Python’s
+ =virtualenv=.
+
+* Reproducible development environments
+
+ Environments can be *purified* via standard environment variables
+ or, for better isolation, Linux containers.
+
+ This allows developers to have confidence that potential
+ contributors will be able to build their software.
+
+* Demo!
+
+ =guix environment=
+
+* Full-system configuration
+
+ The Guix System Distribution supports a *consistent whole-system
+ configuration mechanism*.
+
+ All aspects of a system configuration are *declared* in a single
+ place.
+
+* Advantages
+
+ Easy to replicate configuration on different machines *without
+ resorting to additional tools* layered on top.
+
+ System upgrades are atomic and can be rolled back.
+
+* Example system configuration
+
+ #+latex: \tiny{
+ #+BEGIN_SRC scheme
+ (operating-system
+ (host-name "izanagi")
+ (timezone "America/New_York")
+ (locale "en_US.UTF-8")
+ (bootloader (grub-configuration (device "/dev/sda")))
+ (file-systems (cons (file-system
+ (device "root")
+ (title 'label)
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+ (users (list (user-account
+ (name "dave")
+ (comment "David Thompson")
+ (group "users")
+ (supplementary-groups '("wheel" "netdev" "audio"
+ "video" "cdrom"))
+ (home-directory "/home/dave"))))
+ (packages (cons* adwaita-icon-theme avahi dbus gnome-terminal
+ htop less man-db nss-certs openssh pulseaudio
+ wicd unzip rsync xfce
+ %base-packages))
+ (services %desktop-services)
+ (name-service-switch %mdns-host-lookup-nss))
+ #+END_SRC
+ #+latex: }
+
+* Service graph
+
+ \includegraphics[width=\textwidth]{service-graph.png}
+
+* Demo!
+
+ =guix system vm=
+
+* Project status
+
+ - Full-featured package manager
+ - 3,000 packages, 4 platforms
+ - Guix System Distribution in beta
+ - Binaries at http://hydra.gnu.org
+ - Variety of useful tools
+
+* Project status
+
+ \includegraphics[width=\textwidth]{stats.png}
+
+ \center\url{https://www.openhub.net/p/gnuguix}
+
+* Project status
+
+ \begin{center}
+ \includegraphics[width=\textwidth]{contributor-graph.png}
+ \end{center}
+
+* The people have spoken
+
+ \begin{center}
+ \includegraphics[width=4cm]{awesome-rating.png}
+ \end{center}
+
+* Project status
+
+ \approx200–500 new packages per release. *More needed!*
+
+* Future
+
+ I intend to focus on:
+
+ - A cluster deployment tool: =guix deploy=
+ - Improved support for GuixSD containers
+
+* Future
+
+ More generally:
+
+ - Stronger build farm
+ - More packages that are reproducible
+ - GNOME
+ - LVM
+ - Encrypted root for everyone
+
+* Join us!
+
+ - Use Guix on top of your existing distro
+ - Use the distribution
+ - Add new packages or upgrade existing ones
+ - Write system services
+ - Add new translations
+ - Tell us your ideas!
+
+* Join us!
+
+ We are currently collecting donations via the FSF to purchase new
+ servers for our build farm!
+
+ Since mid-Decemeber, $8,200 USD has been raised.
+
+ https://gnu.org/software/guix/donate/
+
+* Join us!
+
+ Chat with us in the =#guix= channel on Freenode or on the
+ =guix-devel@gnu.org= and =help-guix@gnu.org= mailing lists.
+
+* LibrePlanet 2016
+
+ Christopher Webber of the GNU MediaGoblin project and myself will be
+ co-presenting “Solving the Deployment Crisis with GNU Guix” at
+ LibrePlanet 2016 on March 19th or 20th.
+
+ Visit https://libreplanet.org/2016 for full details.
+
+* Thank you!
+
+ Visit https://gnu.org/software/guix for source code, documentation,
+ past talks, etc.
+
+ \begin{center}
+ \huge{Questions?}
+ \end{center}
+
+* Legal
+
+ © 2016 David Thompson =<davet@gnu.org>=
+
+ This presentation is licensed under the Creative Common Attribute
+ Share-Alike 4.0 International license.
+
+ GNU Guix and GuixSD logo, GFDL, http://gnu.org/s/guix/graphics
+
+ Copyright of other images included in this document is held by their
+ respective owners.
+
+* Footnotes
+
+[fn:1] “How to be a good host: miniKanren as a case study”
+https://www.youtube.com/watch?v=b9C3r3dQnNY
+
+[fn:2] http://curlpipesh.tumblr.com/
+
+[fn:3] “Your big data toolchain is a big security risk!”
+http://www.vitavonni.de/blog/201504/2015042601-big-data-toolchains-are-a-security-risk.html
+
+[fn:4] “The sad state of sysadmin in the age of containers”
+http://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-the-age-of-containers.html
+
+[fn:5] http://www.banyanops.com/blog/analyzing-docker-hub/
+
+[fn:6] “Let’s Package jQuery: A Javascript Packaging Dystopian Novella” http://dustycloud.org/blog/javascript-packaging-dystopia/
+
+[fn:7] “ownCloud and distribution packaging” http://lwn.net/Articles/670566/
+
+[fn:8] http://nixos.org/nix/
+
+[fn:9] https://reproducible-builds.org/
diff --git a/2016-01-20-guix-blu/guix-blu-2016-01-20.pdf b/2016-01-20-guix-blu/guix-blu-2016-01-20.pdf
new file mode 100644
index 0000000..f582402
--- /dev/null
+++ b/2016-01-20-guix-blu/guix-blu-2016-01-20.pdf
Binary files differ
diff --git a/2016-01-20-guix-blu/guix-blu-2016-01-20.pdf.old b/2016-01-20-guix-blu/guix-blu-2016-01-20.pdf.old
new file mode 100644
index 0000000..e15c3f4
--- /dev/null
+++ b/2016-01-20-guix-blu/guix-blu-2016-01-20.pdf.old
Binary files differ
diff --git a/2016-01-20-guix-blu/guix-logo.png b/2016-01-20-guix-blu/guix-logo.png
new file mode 100644
index 0000000..0b93dd4
--- /dev/null
+++ b/2016-01-20-guix-blu/guix-logo.png
Binary files differ
diff --git a/2016-01-20-guix-blu/guixsd-logo.png b/2016-01-20-guix-blu/guixsd-logo.png
new file mode 100644
index 0000000..a390759
--- /dev/null
+++ b/2016-01-20-guix-blu/guixsd-logo.png
Binary files differ
diff --git a/2016-01-20-guix-blu/livestreamer-graph.png b/2016-01-20-guix-blu/livestreamer-graph.png
new file mode 100644
index 0000000..7942d85
--- /dev/null
+++ b/2016-01-20-guix-blu/livestreamer-graph.png
Binary files differ
diff --git a/2016-01-20-guix-blu/nsa-vw.png b/2016-01-20-guix-blu/nsa-vw.png
new file mode 100644
index 0000000..3ce7cab
--- /dev/null
+++ b/2016-01-20-guix-blu/nsa-vw.png
Binary files differ
diff --git a/2016-01-20-guix-blu/service-graph.png b/2016-01-20-guix-blu/service-graph.png
new file mode 100644
index 0000000..d6fe654
--- /dev/null
+++ b/2016-01-20-guix-blu/service-graph.png
Binary files differ
diff --git a/2016-01-20-guix-blu/stats.png b/2016-01-20-guix-blu/stats.png
new file mode 100644
index 0000000..f3ece4d
--- /dev/null
+++ b/2016-01-20-guix-blu/stats.png
Binary files differ