From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?Q?G=C3=A1bor_Boskovits?= Subject: Re: Thoughts on making Guix even better Date: Mon, 9 Mar 2020 07:18:31 +0100 Message-ID: References: <87o8t68t4o.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="0000000000009750ea05a065f985" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:56950) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jBBkW-0005ap-CA for guix-devel@gnu.org; Mon, 09 Mar 2020 02:18:49 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jBBkU-0000AK-QO for guix-devel@gnu.org; Mon, 09 Mar 2020 02:18:48 -0400 In-Reply-To: <87o8t68t4o.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org Sender: "Guix-devel" To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= Cc: Guix-devel , Raghav Gururajan --0000000000009750ea05a065f985 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello, Ludovic Court=C3=A8s ezt =C3=ADrta (id=C5=91pont: 2020. m=C3= =A1rc. 8., Vas 21:54): > Hi, > > "Raghav Gururajan" skribis: > > > The guix system transactions are NON-MODULAR. That is, you cannot > selectively reconfigure certain parts of the system. For example, you > either reconfigure the system as a whole (or) you do not reconfigure the > system at all. > > > > IMPLICATIONS: > > > > Lets assume we have 5 packages in profile. Package 1, 3 and 5 has > non-critical updates. Package 4 has non-critical update but it breaks. > Package 2 has critical update (CVE). We can either upgrade all packages > except package 4 (or) we can upgrade only package 2. > > > > Lets assume we have 5 services/packages in system. Package/Service 1, 3 > and 5 has non-critical updates. Package/Service 4 has non-critical update > but it breaks. Package/Service 2 has critical update (CVE). Now, when we > reconfigure the system, all packages/services will upgrade, package/servi= ce > 4 will break the system. We can of course do '--roll-back' and take the > system to previous working state. But that will leave the system with > critical vulnerability. Therefore, we cannot reconfigure package/service = 2 > or any other parts of the system, until the package/service 4 is fixed. > This window/gap puts guix system at great risk and instability. > > On one hand, I agree that it=E2=80=99d be nice to be able to update just = parts > of the system, like you explain. > > On the other hand, that would lead to an unknown and possibly > unreproducible system state, which defeats what declarative > (=E2=80=9Cnon-modular=E2=80=9D) system upgrades bring. > > Besides, I don=E2=80=99t see how one could introduce this =E2=80=9Cimpera= tive=E2=80=9D approach > at the system level, technically. > > All in all, it would be best if the situations that make =E2=80=9Cmodular= system > upgrades=E2=80=9D appear necessary didn=E2=80=99t occur in the first plac= e. > > Thoughts? > I believe that there are two points where it would be possible to improve the situation. 1. Improve tooling to modularize the configurations: like allowing an inferior like feature for services, and adding tests to this (this is a way of service versioning), or even setting up a convention to include scheme files from a location, like ./services.d files get included, and the expression they evaluated to are added to the services field if something like this makes sense. Make it possible for services to specify upgrade actions to run when the version changes, or to fail when manual intervention is needed for a correct upgrade. 2. Allow post install action configuration, for example stating that this list of services should be restarted. Also allow to guess the right post install action if none specified, and allow the services to add features to this guessing mechanism, like which configuration changes require restart. Make it possible to reload services by arranging their configs in a way that reloads work. In both of these cases it might be needed to inspect the previous system, but the system provision information should be enough for that. Wdyt? > > Ludo=E2=80=99. > Best regards, g_bor > > --0000000000009750ea05a065f985 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hello,

Ludovic Court=C3=A8s <ludo@gnu.org> ezt =C3=ADrta (id=C5=91pont: 2020. m=C3=A1rc.= 8., Vas 21:54):
Hi,

"Raghav Gururajan" <raghavgururajan@disroot.org&g= t; skribis:

> The guix system transactions are NON-MODULAR. That is, you cannot sele= ctively reconfigure certain parts of the system. For example, you either re= configure the system as a whole (or) you do not reconfigure the system at a= ll.
>
> IMPLICATIONS:
>
> Lets assume we have 5 packages in profile. Package 1, 3 and 5 has non-= critical updates. Package 4 has non-critical update but it breaks. Package = 2 has critical update (CVE). We can either upgrade all packages except pack= age 4 (or) we can upgrade only package 2.
>
> Lets assume we have 5 services/packages in system. Package/Service 1, = 3 and 5 has non-critical updates. Package/Service 4 has non-critical update= but it breaks. Package/Service 2 has critical update (CVE). Now, when we r= econfigure the system, all packages/services will upgrade, package/service = 4 will break the system. We can of course do '--roll-back' and take= the system to previous working state. But that will leave the system with = critical vulnerability. Therefore, we cannot reconfigure package/service 2 = or any other parts of the system, until the package/service 4 is fixed. Thi= s window/gap puts guix system at great risk and instability.

On one hand, I agree that it=E2=80=99d be nice to be able to update just pa= rts
of the system, like you explain.

On the other hand, that would lead to an unknown and possibly
unreproducible system state, which defeats what declarative
(=E2=80=9Cnon-modular=E2=80=9D) system upgrades bring.

Besides, I don=E2=80=99t see how one could introduce this =E2=80=9Cimperati= ve=E2=80=9D approach
at the system level, technically.

All in all, it would be best if the situations that make =E2=80=9Cmodular s= ystem
upgrades=E2=80=9D appear necessary didn=E2=80=99t occur in the first place.=

Thoughts?

I believe that there are two points where it would be possible to= improve the situation.
1. Improve tooling to modula= rize the=C2=A0 configurations: like allowing an inferior like feature for s= ervices, and adding tests to this (this is a way of service versioning), or= even setting up a convention to include scheme files from a location, like= ./services.d files get included, and the expression they evaluated to are = added to the services field if something like this makes sense.
Make it possible for services to specify upgrade actions to run= when the version changes, or to fail when manual intervention is needed fo= r a correct upgrade.
2. Allow post install action co= nfiguration, for example stating that this list of services should be resta= rted. Also allow to guess the right post install action if none specified, = and allow the services to add features to this guessing mechanism, like whi= ch configuration changes require restart. Make it possible to reload servic= es by arranging their configs in a way that reloads work.

In both of these cases it might be needed= to inspect the previous system, but the system provision information shoul= d be enough for that. Wdyt?

Ludo=E2=80=99.
Best regards,<= /div>
g_bor

--0000000000009750ea05a065f985--