1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
|
#+TITLE: Functional Package and Configuration Management with GNU Guix
#+AUTHOR: David Thompson
#+EMAIL: davet@gnu.org
#+DATE: Wednesday, January 20th, 2016
#+DESCRIPTION:
#+KEYWORDS:
#+LANGUAGE: en
#+OPTIONS: H:1 num:t toc:nil \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
#+OPTIONS: TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
#+EXPORT_SELECT_TAGS: export
#+EXPORT_EXCLUDE_TAGS: noexport
#+LINK_UP:
#+LINK_HOME:
#+startup: beamer
#+LaTeX_CLASS: beamer
#+LaTeX_CLASS_OPTIONS: [bigger]
#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra)
#+LATEX_HEADER: \beamertemplatenavigationsymbolsempty
#+BEAMER_THEME: metropolis
* About me
- GNU project volunteer
- GNU Guile user and contributor since 2012
- GNU Guix contributor since 2013
- Day job: Ruby + JavaScript web development / “DevOps”
* Overview
- Problems with application packaging and deployment
- Intro to functional package and configuration management
- Towards the future
- How you can help
* User autonomy and control
It is becoming increasingly difficult to have control over your own
computing:
- GNU/Linux package managers not meeting user needs
- Self-hosting web applications requires too much time and effort
- Growing number of projects recommend installation via =curl | sudo
bash= [fn:2] or otherwise avoid using system package managers
- Users unable to verify that a given binary corresponds to the
source code
* User autonomy and control
“Debian and other distributions are going to be that thing you run
Docker on, little more.” [fn:7]
* User autonomy and control
This is very bad for desktop users and system administrators alike.
We must regain control!
* What’s wrong with Apt/Yum/Pacman/etc.?
- Global state (=/usr=) that prevents multiple versions of a package
from coexisting
- Non-atomic installation, removal, upgrade of software
- No way to roll back
- Nondeterminstic package builds (though this is changing!)
- Reliance on pre-built binaries provided by a single point of trust
- Requires superuser privileges
* The problem is bigger
Proliferation of *language-specific package managers* and *binary
bundles* that complicate secure system maintenance.
* Web applications
Web applications are particularly painful.
* Web applications
It’s common for today’s web applications to require *two or more
package managers* to get all dependencies.
* Web applications
Integrating a web application packaged only for a language-specific
manager into a system package manager proves difficult. NodeJS is
particularly frightening. [fn:6]
* Web applications
There’s a growing number of popular web applications (Hadoop, Chef
Server, Cloudera, etc.) that *no one knows how to build from
source*! [fn:3]
* Deployment
How do we automate application deployment without going crazy?
* Chef/Puppet/Ansible/etc. are pretty good, right?
Building on top of mainstream package managers and distros yields an
unstable foundation.
* Problems with configuration management software
- Imperative config management makes is overly-complex and brittle
(idempotence is hard)
- More reliable builds require spawning new machines and building
from scratch each time (sledgehammer)
- Made primarily for developers for server maintenance, but all
users could benefit
* Docker?
Surely Docker addresses these issues?
* Docker?
I’m afraid not.
* Problems with Docker
- Still imperative (though resulting images are immutable)
- Dockerfile DSL is not expressive
- Promotes one disk image per application to cover up underlying
package management mess [fn:4]
- No provenance
- Image layering is an ineffective caching strategy
- Does not compose (containers are only one important use-case)
* Problems with Docker
- Reliance on DockerHub binaries proves to be insecure [fn:5]
* Well that was pessimistic
Computers are hard. Maybe we should just farm potatoes instead.
* Meet GNU Guix
Guix is the functional package management tool for the GNU system.
It is based on the pioneering work of the Nix project. [fn:8]
* What does “functional” mean?
“Functional” in this context means treating package builds as
functions, in the mathematical sense.
=emacs = f(gcc,make,coreutils,…)=
* Functional package management
Benefits:
- Build reproducibility
- Atomic upgrades and roll backs
- No single point of trust
- Unprivileged package management
- Multiple variants of the same software may coexist
* Functional package management
The *complete dependency graph* is captured, precisely, down to the
*bootstrap binaries*.
No SAT solver or other complex algorithm for dependency resolution.
* Functional package management
To view package builds this way, Guix performs builds in an
*isolated container* in which *only the specified dependencies* are
accessible.
This maximizes *build reproducibility*.
* Reproducible builds
Reproducible builds produce *bit-identical binaries* when performed
multiple times under the same conditions.
Allows for *independent verification* that a given binary
corresponds to its alleged source code.
* Why?
WRITEME
Mention reproducible-builds.org
* Demo
guix package
guix challenge
* Hacking
Guix is made to be maximally hackable, taking inspiration from
Emacs.
We seek to intentionally blur the line between user and developer.
* Choice of language
Guix is rather special in its choice of implementation language.
* Philosophy
It’s better to extend an existing language for package recipes and
configuration files rather than making a new, domain-specific one.
* Embedded vs. External DSLs
Using an extensible programming language as a host has several
advantages compared to external DSLs:
- No new parser, interpreter/compiler, editor tools, etc. to
maintain
- Access to all available libraries of the host language
- Extensions to the host language can be used as a library by
others
Not all general-purpose programming languages are suitable for
embedding new languages, [fn:1] so which did we choose?
* Guile Scheme
- GNU Guile is a Scheme implementation and the official extension
language of the GNU project
- It’s a great choice for EDSLs because of Scheme’s hygienic macro
system
- It’s a great choice for Guix because purely functional
programming is well-supported in Scheme
* Guile goes with everything
Guix uses Guile for nearly everything:
- Initial RAM disk
- Init system (GNU Shepherd, formerly GNU dmd)
- Package recipes (including build scripts!)
- Command line tools
- Low-level POSIX/Linux utilities (such as =call-with-container=)
* Guix as a library
- Guix is a big collection of Guile modules
- Packages are first-class Scheme objects
- Anyone can use Guix as a library to write new Guile programs that
manipulate package recipes, create new user interfaces (like a web
UI), etc.
* Example package recipe
WRITEME
* Demo
build package at the REPL in Emacs
* Other user interfaces
Demo Emacs UI, web prototype
* Importing packages from elsewhere
guix import
guix refresh
* Demo
Import a package from PyPI
* Development environments
guix environment
* Full-system configuration
WRITEME
* Example system configuration
WRITEME
* Demo
guix system vm
* Project status
WRITEME
* Future
WRITEME
* Join us!
We need interested hackers to help us:
- Add new packages
- Upgrade existing packages
- Write system services
- Improve the UI
- Add new tools
- Translate to new languages
- Maintain the web site
- Other stuff!
* Join us!
We are currently collecting donations via the FSF to purchase new
servers for our build farm!
https://gnu.org/software/guix/donate/
* Join us!
Chat with us in the =#guix= channel on Freenode or on the
=guix-devel@gnu.org= and =help-guix@gnu.org= mailing lists.
* Thank you!
Visit https://gnu.org/software/guix for source code, documentation,
past talks, etc.
\begin{center}
\huge{Questions?}
\end{center}
* Legal
© 2016 David Thompson =<davet@gnu.org>=
This presentation is licensed under the Creative Common Attribute
Share-Alike 4.0 International license.
* Footnotes
[fn:1] “How to be a good host: miniKanren as a case study”
https://www.youtube.com/watch?v=b9C3r3dQnNY
[fn:2] http://curlpipesh.tumblr.com/
[fn:3] “Your big data toolchain is a big security risk!”
http://www.vitavonni.de/blog/201504/2015042601-big-data-toolchains-are-a-security-risk.html
[fn:4] “The sad state of sysadmin in the age of containers”
http://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-the-age-of-containers.html
[fn:5] “Over 30% of Official Images in Docker Hub Contain High
Priority Security Vulnerabilities”
http://www.banyanops.com/blog/analyzing-docker-hub/
[fn:6] “Let’s Package jQuery: A Javascript Packaging Dystopian Novella” http://dustycloud.org/blog/javascript-packaging-dystopia/
[fn:7] “ownCloud and distribution packaging” http://lwn.net/Articles/670566/
[fn:8] http://nixos.org/nix/
|