Properly dealing with ML / CUDA / Python

sirati · March 3, 2026, 4:57pm

The current state of ML on nix and nixOS is an unbearable mess. We really do need to improve on that. I would like to use this topic to discuss solutions for how we should split up ML derivations, so that build servers do not have to do as much work.

Issues

I have worked on getting ML packages to work privately for the past month, and I do think I have gained some understanding on how the build process works. I have identified the following issues:

derivation do not properly check that the build environment is valid: CUDA is picky when it comes to compiler versions, using the wrong compiler creates crashes that are sporadic, hard to debug, and usually happen after 100% CPU add RAM utilisation of up-to multiple hours. We must fail early.
nix derivations sometimes depend on specific version of a dependency, even though they would support a never version. This fails because we end up pulling in the same dependency of different versions or worse same version but different derivation inputs. We must separate the nix derivation dependency tree and the python package dependency tree, so that this can be resolved without having to recompile expensive packages.
Currently only the main Cuda version supported by pytorch is available in nixpkgs, this unfortunately means that some GPUs are too old and cannot be used with NixOS for ML development
cudaPackages is not as straight forward as assumed in nixpkgs, some CUDA toolchain parts have their own restrictions in supported compute capability and supported architectures (yes they are separate, ik…)
while there is shared code for different python version, this completely lacks for CUDA specific differences, but because CUDA dependencies exist and are messy this is really required.
Updating part of the ML packages should not easily allow for making the current nixpkgs bugged, i.e. that the supported packages are incompatible with each other, as currently frequently happens and then requires manual intervention.

What I imagine the solution looks like:

Each python package derivation is split into four derivations:
a) source-only derivation
b) build derivation (this has two flavours: build from source, or use existing wheel/bin)
c) high-level derivation
d) python-level derivation

build derivation depend only on packages that they MUST have for building. this way we can avoid having to expensively recompile these (this is especially relevant to build servers as otherwise this exploded combinatorially). This means they may depend on other source-only derivations preferably, or if need be other build derivations. build derivation always depend on their own source’s source-only derivation

high-level derivation do not depend on anything but other high-level derivation. They do not do any hard work, perform fail-early validation if possible to do in a built-in-specific manner. They also by themselves do not provide any build results (as they cannot). In other words, to create a python environment, they must be passed to a function that concretises them.

python-level derivations are created by the concretise function that resolves high-level derivation into build derivation, and makes the specific instance of the python-level derivation depend on both its high-level derivation and concrete build derivation.

the concretise function is always called by the end user. It can only be called with a set of high-level derivations, cuda version (or absense of cuda support), compiler set, required compute capability, and python version. If possible if a expression contains packages created via two calls to the concretise function this should be detected, and result is an early-fail.

Other goals

Whenever possible we should support precompiled wheels

Relevant Links

github.com/NixOS/nixpkgs

python3.pkgs.buildPythonPackage: Separate runtime & build time dependencies

master ← adisbladis:python-runtime-build-time-sep

opened 05:34AM - 02 Dec 23 UTC

adisbladis

+84 -56

## Description of changes See #272178 for more context. ### Dependency sep…aration Adds a separation between Python runtime dependencies, Python build-time dependencies & non-Python dependencies arguments to `buildPythonPackage`. It's important to have these distinctions so we can solve our long standing issues re dependency propagation in Python. With this change in place it's possible to implement a solution for https://github.com/NixOS/nixpkgs/issues/170577. It's similar to https://github.com/NixOS/nixpkgs/pull/102613 (a subset, really) but with the notable changes that: - Uses PEP-621 standard names/idioms #102613 introduces the argument `requiredPythonModules`, but with Python metadata being standardised I'd like to be more closely aligned with that. - Only implements the API that enables changing the behaviour It's probably going to take a while to refactor all of nixpkgs to use the appropriate arguments. This change is purposely minimal in the hopes that we can move forward with it more quickly. For now `dependencies` are always mapped onto `propgatedBuildInputs`, so there is no change in behaviour in the immediate term. 2 packages are migrated as a PoC, one is using `format = "pyproject"` and the other is `setuptools`. ### Interface changes This also unifies regular dependencies with optional dependencies: ``` nix { passthru.optional-dependencies.socks = [ pysocks ]; nativeBuildInputs = [ poetry-core ]; propagatedBuildInputs = [ requests ]; } ``` becomes ``` nix { optional-dependencies.socks = [ pysocks ]; build-system = [ poetry-core ]; dependencies = [ requests ]; } ``` which looks much more like what a standard `pyproject.toml` file contains. I think the interface change alone is a pretty good improvement. ## Things done - Built on platform(s) - [ ] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [ ] `sandbox = true` - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [24.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) (or backporting [23.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2305.section.md) and [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md). ### Priorities Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc

This is a merged PR that impl separating python runtime and build deps. This seems extremely useful for this here, I am yet to properly investigate tho.

Purpose of this thread

please help me scrutinise these ideas, link other relevant discussion related to this, and provide the insides you have.

randomizedcoder · March 3, 2026, 5:12pm

G’day,

Will you be at SCALE this week? Happy to chat about your challenges.

nix derivations sometimes depend on specific version of a dependency, even though they would support a never version. This fails because we end up pulling in the same dependency of different versions or worse same version but different derivation inputs

Nix is designed to pin everything to make it 100% reproducible. This is a feature, not a bug.

Nix PhD thesis 
https://edolstra.github.io/pubs/phd-thesis.pdf

Nix original paper
https://edolstra.github.io/pubs/nspfssd-lisa2004-final.pdf

NixOS paper
https://edolstra.github.io/pubs/nixos-jfp-final.pdf

However, if you do want to use newer version of libraries, you absolutely can. In your flake you can do something like this:

{ pkgs ? import <nixpkgs> {} }:

pkgs.stdenv.mkDerivation {
  pname = "my-project";
  version = "1.0.0";

  src = pkgs.fetchFromGitHub {
    owner = "owner";
    repo = "repo";
    rev = "v1.0.0";  # tag, branch, or commit
    sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  };

  buildPhase = "true";
  installPhase = ''
    mkdir -p $out
    cp -r * $out/
  '';
}

And of course if you do find an older package in nixpkgs, once you have your flake version working, it would be awesome if you can submit the pull request for nixpkgs

sirati · March 3, 2026, 5:20pm

I am not aware of this event. I am located in Munich/Germany though. Where is it?

I am aware, and that is fine. What I am saying is often we do not need to recompile, as we actually do not depend on variables, but as it is currently we indirectly do, but by splitting this up, we can be reproducible while reusing some compilation derivations, as in this context they depend only on the exact same.

Just depending on a specific git commit is fine, and I know this can work. However, for nearly all common ML libraries wheels are already provided.
Just saying I know how Nix works, and I do read the nixpkgs source. I am doing the same as is done there, to use pre-build wheels and that works. But that is not the issue that I am talking about. The issue is that there are so many cases where stuff doesnt work, and I end up having to fix most packages, in the same way. i.e. repetitive work, that can be generalised

NobbZ · March 3, 2026, 5:34pm

It’s an US event, I think California.

randomizedcoder · March 3, 2026, 6:00pm

The issue is that there are so many cases where stuff doesnt work, and I end up having to fix most packages, in the same way. i.e. repetitive work, that can be generalised

yeah, i mean, nixpkgs is hard. There are tones of broken packages. Would be great with unlimited resources and time, to constantly scan the repo, mark broken ones, and use some automation to create pull requests to fix them. Similarly, some LLM help on nixpkgs pull request reviews would be great also.

But it’s all a matter of priorities and resources. For example, is fixing broken packages more important than fixing broken runners? e.g. This PR stuck waiting for runners for >24 hours

github.com/NixOS/nixpkgs

pcp: init at 7.1.1-unstable-2026-03-01, nixos/pcp: init module, nixos…

master ← randomizedcoder:pcp

opened 11:31PM - 01 Mar 26 UTC

randomizedcoder

+1180 -1

pcp: init at 7.1.1-unstable-2026-03-01, nixos/pcp: init module, nixosTests.pcp: …init Adds [Performance Co-Pilot (PCP)](https://pcp.io), a system performance monitoring toolkit from the Linux Foundation. PCP provides a framework for collecting, archiving, and analyzing system-level performance metrics. To create this pull request, flake.nix and extensive ./nix/ has been added via https://github.com/performancecopilot/pcp/pull/2501 YouTube video: https://youtu.be/u3iUcqkcpNY This is the nixpkgs version, to allow people on NixOS to easily use Performance Co Pilot (pcp) **Package** (`pkgs/by-name/pc/pcp/package.nix`): - Builds from upstream main branch (pinned commit); upstream does not tag releases consistently - Feature flags: `withSystemd`, `withPfm`, `withBpf` (default off to avoid LLVM closure), `withSnmp` - Three outputs: `out`, `man`, `doc` - Five patches for Nix/NixOS compatibility (GNUmakefile ownership flags, Perl install paths, Python ctypes library discovery, shell pwd portability, pmapi reconnect fix) - Replaces a previously removed/archived `pcp` alias (different project) **NixOS module** (`nixos/modules/services/monitoring/pcp.nix`): - `services.pcp.enable` with presets: `standalone` (full suite), `minimal` (pmcd only), `custom` - Four services: pmcd (collector daemon), pmlogger (archive logger), pmie (inference engine), pmproxy (REST API gateway) - Daily maintenance timers for pmlogger and pmie - Configurable PMDA registration, firewall rules, IP filtering, and systemd hardening - BCC PMDA support with appropriate capability grants **NixOS test** (`nixos/tests/pcp.nix`): - Starts pmcd and pmproxy, verifies ports 44321/44322, queries kernel metrics via `pminfo` ## Things done - Built on platform: - [x] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - Tested, as applicable: - [x] [NixOS tests] in [nixos/tests]. - [x] [Package tests] at `passthru.tests`. - [ ] Tests in [lib/tests] or [pkgs/test] for functions and "core" functionality. - [ ] Ran `nixpkgs-review` on this PR. See [nixpkgs-review usage]. - [x] Tested basic functionality of all binary files, usually in `./result/bin/`. - Nixpkgs Release Notes - [ ] Package update: when the change is major or breaking. - NixOS Release Notes - [x] Module addition: when adding a new NixOS module. - [ ] Module update: when the change is significant. - [x] Fits [CONTRIBUTING.md], [pkgs/README.md], [maintainers/README.md] and other READMEs. [NixOS tests]: https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests [Package tests]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests [nixpkgs-review usage]: https://github.com/Mic92/nixpkgs-review#usage [CONTRIBUTING.md]: https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md [lib/tests]: https://github.com/NixOS/nixpkgs/blob/master/lib/tests [maintainers/README.md]: https://github.com/NixOS/nixpkgs/blob/master/maintainers/README.md [nixos/tests]: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests [pkgs/README.md]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md [pkgs/test]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/test

SCALE has the sub-event PlanetNix, so there will be a lot of “nix” people there

sirati · March 3, 2026, 6:04pm

this is exactly what I am suggesting, create infrastructure that makes maintaining LLM stuff easier, and catches broken derivation asap

anyway, what i described above is the endgoal. I have been working on this for my own use, and will share what I have once it works for the packages I use.

it may even make sense to maintain LLM outside of the nixpkgs tree, as for LLM dev is important that I can use the packages that I need and work together, not the latest packages. and it should not matter what recent version of nix/nixOS one is on

randomizedcoder · March 3, 2026, 6:29pm

Awesome. I’ve been thinking the same thing. I’d love to help.

I don’t know much about the nixpkgs CI systems. I feel like it would be great of have llama.cpp running with a local GPU that would use a open model for the analysis to keep the costs low. ( Speaking of which, what to review a pull request nixos/llama-cpp: add multi-instance support by randomizedcoder · Pull Request #488117 · NixOS/nixpkgs · GitHub )

sirati · March 3, 2026, 6:35pm

rn I am focussing exclusively at the interplay of cuda, torch, python, and torch dependent packages

but I do plan in the future to make sure that local llm runners also work, because i will need that in about 2 months time

neither do I, but this mostly would become relevant once stuff is upstreamed into nixpkgs. before that it would essentially just building the nix derivations locally. I have some root servers with alotta ram, so my own builds will probably be build there. then there is cachix and as far as I understand they provide a nix cache for free for open source nix derivations, so the build artefacts would be pushed there and available for the general public to use

SergeK · March 3, 2026, 7:40pm

Do we though? Who are “we”? I can tell you who pays - virtually every single Nixpkgs team -, but who’s to gain?

This has already been implemented in WIP: Python: wrap and patch using `requiredPythonModules` instead of `propagatedBuildInputs` by FRidh · Pull Request #102613 · NixOS/nixpkgs · GitHub and in Introduction - Pyproject.nix, and there have been preliminary attempts at preparing python3XPackages for migration to such a “late-binding” approach. This indeed “needs” to be done and is a blocker for a lot of other work, and this will require a lot of coordination. This can be done. I’m not sure how big of a priority this is outside the ML ecosystem though.

…Yes, is five years of non-stop merging of technical debt, after half a decade of dormant zombie-like existence.

There’s nothing there to be supported, you already can use them as is, e.g. with nix-ld, as well as with python3XPackages and with autoPatchelf. They are no more broken on nixos than on an ubuntu.

sirati · March 4, 2026, 11:42am

absolutely amazing! i will take a look at this, and hope I didnt reimpl half of what is done there, because I did not find this preexisting work!

What I meant to say is, that pulling in the wheels i.e. have a -bin variant of a pypkg should be standard and the infrastructure should make it easy to maintain such derivations. of course you can always write your own derivation and add it.
What I have done so far, is to write a python script that based on github release tags, parses all wheels and their hashes, and generates a binary-hashes.nix that encodes all the parsed information and easily allows resolving the wheels to then be used with autoPatchelf, similar how its done in nixpkgs for torch-bin

sirati · March 5, 2026, 7:48pm

I have now impl quite a lot of the above goal (yes i use LLMs, but I do read the code afterwards, still rn this is WIP so this is only on a best-effort bases)

i am now able to build from bin or source a compatible set of torch, flash-attn, mamba-ssm, and causal-conv1d, while being able to specify the python, cuda, torch, and a special cuda-packages version for pascal gpus.

github.com/sirati/nix-torch-bin-pascal

example/default.nix

5789b6d37


      
          # result.env already contains them without an extra extendEnv call.
          result = torchPackages.concretise {
            inherit pkgs;
          
            mlPackages = with torchPackages; [
              torch
              flash-attn
              causal-conv1d
            ];
          
            python                  = "3.13";
            cuda                    = "12.8";
            torch                   = "2.10";
            pascal                  = false;
            allowBuildingFromSource = true;
          
            extraPythonPackages = ps: with ps; [
              pandas
              numpy
            ];
          };

(comment says otherwise but cuda 13.0 is supported technically, just missing cuda-packages v13 to be provided)

for now I will just have this so stuff works for myself, meaning the packages that I use.