Half a presentation I had in my company about NixOS

We have a nice thing called ‘Day of Learning’ here in Red Hat where we learn new stuff on our own and/or present neat things to our colleagues. I’ve taken NixOS as one of the two topics to popularize among the fellow builders of what might be a solid contender for the un-NixOS-iest distro:

Link 1, Link 2, suggestions for a video hosting service are welcome.

These are cozy internal events that are not shared outside at all, yet I tried to make that one as shareable as possible.

Unfortunately there was bound to be some indiscriminate, yet heavy distro-building-practices bashing to happen, so I’ve made a hard decision to record neither the second part of the presentation nor the ensuing drawn-out debates so that we could speak our minds freely. I’ll just say I’m happy that I’ve ignited their mixed interest and that the alien new NixOS ways have been treated with about the same respect as our established practices.

As for the first part, y’all probably know the Nix world even better than me, yet you might still be interested in my story of diving into it, who knows.

31 Likes

‘how Nixos does distro-building right’ .

You’re certainly not pulling any punches with that title. LMAO.

2 Likes

I really enjoyed it. :slight_smile:

I really liked the ending where you had “$DISTRO has X feature, NixOS has…”, and then proceeded to describe how NixOS just avoids the need to have “these cool” features that work around FHS.

I would have really liked to hear the discussion afterwards.

4 Likes

I’d like to hear this discussion too. Great to pique engineers’ interests in the market leader for business linux solutions.

Maybe next year there will be more red hat linux + blue flake linux :slight_smile:

One thing Red Hat doesn’t lack is $$$$; we need more $$$$ here, so hardworking, dedicated nixers (maintainers, developers, testers, contributors etc etc etc) outside of the umbrella of Tweag can get some of the $$$$ too. I think that’s a fair, reasonable and positive thing to address. (This is definitely easier said than done.)

As someone who is new to Nix, I’d like to compliment you on how engaging your presentation was. Time certainly not wasted!

1 Like

I got around to watching… brilliant!

Never in all my history have I ever seen slides that are null/empty/nothing nix! … that is a first LMAO

Incredibly well thought out presentation, no chaff or waffle, with great real world examples.

This really needs pinning to the nixos.org home page @garbas

all hail the new red-flake linux (maybe next year).

home page

Heh, no, as much as I am flattered, it certainly lacks the home-page grade polish. Though if anyone gets to making a video introduction course marketing NixOS to newcomers, I could help with the writing part.

all hail the new red-flake linux (maybe next year)

Pff, you wish. But if 30 more people know NixOS exists that can’t be bad.

“A shiny transparent mineral with the highest hardness in the world”. Diamonds are hard, describing them isn’t.

And NixOS is a Linux distro. Neither describing nor even scientifically defining diamonds should be hard, explaining what’s the deal with them is.

1 Like

“Diamonds are minerals” (correct, but not enough)

Here’s how I would elevator-pitch NixOS:

“A Linux distro with reproducible package builds and easy rollbacks”.

(There’s other features, but you don’t want to obscure what’s important)

1 Like

You can watch the recording to find out why I wouldn’t take either of these properties as an explanation of NixOS. This or take Debian and install that apt hook that creates btrfs snapshots of / on every transaction. =)

1 Like

Sometimes I put Nix talks on for background noise or to settle down at the end of the day, as a way of keeping an eye on how and where Nix is received in the wider tech community. I’ve seen a lot of intro-to-Nix talks. This is one of my absolute favorites. :smiley:

I’ve been daydreaming lately about how if NixOS could sustain LTS releases, it would allow for a nice workstation OS with escape hatches, kind of similar to Fedora Silverblue. You could link each LTS release into a location like /lts/1.0, or into a bunch of directories like /usr/1.0, /lib/1.0, etc. The versions of libraries in an LTS are supposed to be ABI compatible and have identical behavior across updates, so users could link against and refer to paths in those locations ‘from outside the Nix world’ without running into trouble. Silverblue has Flatpak as an escape hatch, but a similar system built around Nix would also naturally have Nixpkgs (which is nice because Flatpak is a little heavyweight, Flathub doesn’t contain many (any?) CLI utilities, and sandboxing is unnatural for a lot of common CLI utilities).

This would be really nice for allowing Nix-at-your-own-pace, like users get on macOS and non-NixOS Linux, on top of a base system built and managed like NixOS. It would confer the additional advantage of allowing multiple versions of the stable base system to be installed side-by-side, which might be interesting to companies like Red Hat and their customers as a way of easing transitions between major releases.

There’s also another possibility with such a system, probably of little interest to Acolytes of The Nix Way™ like us, of ports systems that target individual stable releases as their base systems. For people who just want a stable OS that works (and may or may not be interested in functional-style package management) and enjoy a clear separation between the base system and user software, like you get on macOS or *BSD, this could be a real benefit. What some people like about Homebrew or MacPorts or Pkgsrc is that they’re ‘simple’ to use (in a familiar, imperative way), and packages are not isolated, but those systems don’t (or try not to) affect the base OS, and if they misbehave you can easily blast them away entirely. One of the pains users of such ports systems go through is that they can break and/or require lots of rebuilding when the base system is upgraded. With a base system based on stabilized/long-lived releases of Nixpkgs, much of that breakage could be ameliorated. At the same time, the isolation that Nix packages have would help immunize the base system against meddling by those kinds of ports systems, even when the base OS relies on a runtime (say, Python) that users of ports systems might want to manage via those ports systems. Immutable root filesystems that still rely on the FHS, like current applications of OSTree, are cool, but they don’t share that virtue.

The missing piece for all this, of course, is a (probably smaller) fork of Nixpkgs with long-lived branches where stable releases of software get backported security patches.

Maybe it’ll never happen, but imo applying Nix or a deeply Nix-like approach to distros with long-lived releases like RHEL would allow for some really cool downstream possibilities.

4 Likes

This doesn’t make Debian reproducible. And isn’t btrfs still a bit unstable?

Agreed, that doesn’t make Debian reproducible in the NixOS meaning of it (not even close) and btrfs could have better data recovery and raid stability. Yet my point was that you’ve specifically picked “reproducible builds” and “easy rollbacks”, two qualities of NixOS that just don’t add up to NixOS. So you can’t just give these two to my audience of that day and expect them to arrive at NixOS and not Debian with snapshots. =(

4 Likes

I like that Nix leaves rollbacks open no matter what filesystem you use.

I think btrfs is pretty good these days, though, with the only remaining stability concern being the RAID 5 write hole. On NixOS, OS files (the contents of /nix/store) are protected from partial writes in two ways:

  1. Switching to a new config is an atomic filesystem operation, since it’s a symlink change; even if there is a partial write due to a power outage, the partial write wil
  2. Nix provides good tools for verifying and repairing the contents of the Nix store

I’ve actually lost power during a nixos-rebuild switch. My Nix DB was corrupted (I just rm'd it and then everything was fine), but every single program on the system was in working order. And you get this on a system that, unlike OSTree, doesn’t strictly require a reboot for any update to take effect.

So there is a way forward from that conversation about how NixOS brings you different benefits and even protects you from some kinds of filesystem corruption no matter what filesystem you use (my power loss during upgrade was on ext4). But the way forward is a rabbithole, and layer after layer of ‘but it’s more than that! here’s an example’ still doesn’t necessarily provide a compelling overview in the end.

Looks like there’s already some awareness of/interest in NixOS on the OSTree side. Do you have any idea how many Nixers there are at Red Hat, or how many people there are interested in experimenting with NixOS or a functional package management approach?
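The first point in the post above (switching to a new config is a symlink change) can be modelled as follows. This is an added example, not part of the thread and not Nix's own code: the directory layout, file names and function names are constructed for illustration, and the switch is assumed to be "create the link under a temporary name, then rename it over the old one".

```python
import os
import tempfile

def make_generation(root, n):
    """Create a constructed 'store path' and a system-N-link pointing at it."""
    store = os.path.join(root, "store", f"gen{n}-system")
    os.makedirs(store)
    with open(os.path.join(store, "version"), "w") as f:
        f.write(str(n))
    os.symlink(store, os.path.join(root, f"system-{n}-link"))

def switch(root, n, crash_before_rename=False):
    """Point root/system at generation n via temp symlink + rename."""
    current = os.path.join(root, "system")
    tmp = current + ".tmp"
    if os.path.lexists(tmp):
        os.unlink(tmp)                   # leftover from an interrupted switch
    os.symlink(f"system-{n}-link", tmp)  # relative target, resolved inside root
    if crash_before_rename:
        return                           # simulated power loss before the commit point
    os.replace(tmp, current)             # rename(2): readers see old or new, never half

def active_version(root):
    """Read the version file through the 'system' symlink chain."""
    with open(os.path.join(root, "system", "version")) as f:
        return int(f.read())

def demo():
    """Return the active generation after each step of the scenario."""
    with tempfile.TemporaryDirectory() as root:
        make_generation(root, 1)
        make_generation(root, 2)
        seen = []
        switch(root, 1)
        seen.append(active_version(root))
        switch(root, 2, crash_before_rename=True)  # interrupted upgrade
        seen.append(active_version(root))          # old generation still intact
        switch(root, 2)                            # retry completes
        seen.append(active_version(root))
        switch(root, 1)                            # rollback is the same operation
        seen.append(active_version(root))
        return seen

if __name__ == "__main__":
    print(demo())
```

The interrupted switch leaves only a stray temporary link behind; the active link is never observed pointing at a partially written target, and rollback is just another rename.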

how many Nixers there are at Red Hat

A handful, which is less than I’d love to see.

how many people there are interested in experimenting with NixOS or a functional package management approach?

IDK, that’s pretty general. Hopefully more now than last week? I was presenting mostly to my peers from the Linux Security crowd though.

1 Like

How would Debian with snapshots achieve reproducible builds?

Debian’s effort to achieve reproducible builds is orthogonal.

1 Like

4chan’s /g/ is arguing about NixOS all the time (If you don’t know what it is, don’t google and click on it willy-nilly – it’s pretty NSFW)
