#+TITLE: Solving the Deployment Crisis with GNU\nobreak{ }Guix
#+AUTHOR: Christopher Allan Webber & David Thompson
#+EMAIL: cwebber@creativecommons.org, davet@gnu.org
#+DATE: Saturday, March 19th, 2016
#+LANGUAGE: en
#+OPTIONS: H:2 num:t toc:nil \n:nil @:t ::t |:t ^:nil -:nil f:t *:t <:t
#+OPTIONS: TeX:t LaTeX:t skip:nil d:nil todo:t pri:nil tags:not-in-toc
#+startup: beamer
#+LaTeX_CLASS: beamer
#+LaTeX_CLASS_OPTIONS: [presentation]
#+BEAMER_THEME: metropolis
#+BEAMER_FRAME_LEVEL: 2
#+LATEX_HEADER: \beamertemplatenavigationsymbolsempty
#+BEGIN_LATEX
\newcommand{\wideimage}[1] {
  \begin{center}
    \includegraphics[width=\textwidth]{#1}
  \end{center}
}
#+END_LATEX
#+BEGIN_LATEX
\newcommand{\heightimage}[2] {
  \begin{center}
    \includegraphics[height=#2]{#1}
  \end{center}
}
#+END_LATEX

* Setting the stage
** Who are we?
# TODO: Fun image of Dave here? Or maybe replace with mascot images :)
# Ascii art portraits of us both? :)
- Who is David Thompson?
- Who is Christopher Webber?
# \heightimage{../../network_freedom/static/libreplanet_toon_chris.png}{5cm}
** The web we want
\wideimage{../static/gmg_campaign_healthy_internet.png}
** The sad reality (centralization)
\wideimage{../static/gmg_campaign_fragile_internet.png}
** The sad reality (censorship)
\wideimage{../../mediagoblin/static/censor_scan.png}
** The sad reality (surveillance)
\wideimage{../static/gmg_campaign_infected_node.png}
** The sad reality (fragility)
\wideimage{../static/gmg_campaign_fragile_internet.png}
** The sad reality (fragility)
\wideimage{../static/gmg_campaign_fragile_internet_breaking.png}
** The sad reality (fragility)
\wideimage{../static/gmg_campaign_fragile_internet_broken.png}
** The sad reality (fragility)
\wideimage{../static/gmg_campaign_fragile_internet_gone.png}
** Sounds great! But???
\wideimage{../../network_freedom/static/mediagoblin_revolution.png}
** Stuff is complex to run
\wideimage{../static/upgrade_softwares.png}
** Dependent on phase of the moon
\heightimage{../static/Le_Voyage_dans_la_lune.jpg}{7cm}
** One Language Package Manager Per Child
\heightimage{../static/universal_install_script.png}{7cm}
# - Almost nothing is packaged for distros anymore
# - Each language has its own package manager
# - None of them work together
# - If it breaks, I hope you’re an expert!
** Have fun managing configuration
\wideimage{../static/ray_bouknight-tar_pit_exhibit-scaled.jpg}
** So... docker??? (Or something like it?)
:                               __
:                            __|II|             ,.
:                         __|II|II|__        (  \_,/\
:       -.-'-.-'-.-'-  __|II|II|II|II|___/  __/  -'-.-'-.-'-
:       ------------  |          [Docker]        /   --------------
:       ------------  :                         /   ---------------
:       -------------  \____, o               ,'   ----------------
:       --------------  '--,___________,'   -----------------
:

Easy for users! “I already built this for you, just pull it down and use it!”
** Maybe not :(
\heightimage{../static/nzdefenceforce_containers.jpg}{7cm}
** Distro-sized static compiling considered hazardous
- Extremely heavy: throws away dynamic linking
- Hard to introspect, rebuild
- Analysis of Docker Hub: over 70% have medium vulnerabilities, 30-40% high (shellshock, heartbleed) vulnerabilities [fn:3]
- Reproducible? Not in the sense of https://reproducible-builds.org/
- Docker’s DSL is not expressive
- Still dependent on “phase of the moon” of distributions!
** Unfortunately, it’s not just Docker
- CoreOS
- xdg-app
- Qubes
- Snappy
- egads!

We are losing the ability to reason about free software!

A policy issue disguised as a technical issue? If it’s too hard to build, run and modify software, what does this mean for user freedom?
** And so here we are
\heightimage{../static/nonfree/docker_failwhale-cropped.png}{7cm}
* Enter Guix & GuixSD!
** Enter Guix & GuixSD!
\heightimage{../static/guixsd_logo.png}{6.75cm}
** Functional package management
\heightimage{../../guix/chicagolug_2015/static/function.png}{3.5cm}
- Precisely specified dependencies
- Reproducible builds (same input, same output)
- Built packages are immutable
- Unprivileged package management
- Atomic upgrades and rollbacks
** Packages capture the *full* dependency graph
\heightimage{../../guix/chicagolug_2015/static/graphs/coreutils-dag.png}{7cm}
** Your profile, my profile
- Unprivileged package management (no root privileges needed!)
- Each user may install software *without conflicting* with other users or the system
- Each user may have *many* profiles

Guix gives users *practical freedom* to use different sets of packages for different tasks.
** Transactional upgrades and rollbacks
Bad upgrade? No problem!

: guix package --roll-back

Congratulations, you are now a time wizard!
\heightimage{../static/nonfree/dr_sussman.png}{5cm}
** Like Git, for your operating system!
\heightimage{../static/profiles-and-stores.png}{6.8cm}
** Keep the history until you don’t need it
\heightimage{../static/generations-with-diff.png}{6.8cm}
** Development environments
The =guix environment= tool can be used to quickly create development environments.

Like Python’s =virtualenv=, but for *anything*.
** Development environments
#+BEGIN_SRC sh
$ which irb
which: no irb in (/run/current-system/profile/bin)
$ guix environment --ad-hoc ruby ruby-nokogiri
$ which irb
/gnu/store/q2ldaivsnfdmvlxnc7hlw5skc9f9xw5g-profile/bin/irb
$ irb
irb(main):001:0> require 'nokogiri'
=> true
irb(main):002:0> Nokogiri
=> Nokogiri
#+END_SRC
** Guix is written in Scheme
\heightimage{../static/guix-scheme.png}{6.8cm}
** Guix is a library
All data structures, procedures, etc. are exposed as Guile APIs.

Using these APIs, we’ve implemented:
- Declarative config management (Puppet, Chef, Salt, Ansible, etc.)
- Universal language packaging (PyPI, RubyGems, ELPA, CRAN, etc.)
- Local dev environments (virtualenv, rvm, rbenv, nvm, etc.)
- Local VM creation (Vagrant)
- Linux containers (Docker, rkt, lxc, etc.)

The world is yours to hack!
** Full system configuration management
\wideimage{../static/os-config.png}
** Package importers
# NOTE: why does this render with bad indentation?
#+latex: \scriptsize{
#+BEGIN_SRC scheme
$ guix import pypi pyglet
(package
  (name "python-pyglet")
  (version "1.2.4")
  (source
    (origin
      (method url-fetch)
      (uri (pypi-uri "pyglet" version))
      (sha256
        (base32
          "0i9la03pm51swv2z8f17bx7qz2yjfxg6hn7i9c42s81bryxzyqlz"))))
  (build-system python-build-system)
  (inputs `(("python-setuptools" ,python-setuptools)))
  (home-page "http://pyglet.readthedocs.org/en/pyglet-1.2-maintenance/")
  (synopsis "Cross-platform windowing and multimedia library")
  (description "Cross-platform windowing and multimedia library")
  (license bsd-3))
#+END_SRC
#+latex: }
* What’s in =(/gnu/)store=?
** =guix deploy=
- Remote cluster management tool
- Provision bare metal, VMs, containers
- Complete replacement for Chef, Puppet, Ansible, Salt, etc.
** Recipe based deployments? With a GUI?
- Select pre-built recipes for MediaGoblin, Wordpress, etc.
- “Don’t repeat yourself” configuration
- Could we make a simple web interface for this?
** Sandboxed applications
- Why should Solitaire have access to your GPG/SSH keys?
- Limit web browser’s access to your home directory
** Easy installs?
- Graphical distro installer
- Graphical interface for:
  - system configuration
  - user-specific packaging
  - easy roll-backs
** Support for difficult languages that web developers use
NodeJS, we’re looking at you! [fn:1]

Also, Java. [fn:2]

Send help.
* Wrapping up
** State of Guix
- “It’s still beta!”
- But probably more stable than most devops stuff
- A delight to run (we use it!)
- Easy to develop and get involved in
- \approx3350 packages
- \approx20-30 contributors per month and increasing
** There’s more to do (and you can help!)
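Added illustration, not Guix’s own code: a toy model of the functional store from the “Functional package management”, “Packages capture the full dependency graph” and “Transactional upgrades and rollbacks” slides. The hashing scheme, the =Store=/=Profile= classes and the sample packages (zlib, openssl, curl, ruby with made-up versions and recipes) are all constructed for the example. It shows why those properties answer the Docker Hub problem from the earlier slide: when a library turns out to be vulnerable, a recorded dependency graph says exactly which outputs transitively include it, the fixed build lands at a new store path instead of overwriting the old one, and a roll-back is a pointer move to an older, unchanged generation.

```python
"""Toy model of a functional, content-addressed package store with profile
generations.  Illustration only: not Guix code; hashing scheme, class names
and sample packages are constructed for this example."""
import hashlib
import json
from dataclasses import dataclass, asdict

STORE_PREFIX = "/gnu/store"   # same prefix Guix uses; the hash scheme below is invented


@dataclass(frozen=True)
class Derivation:
    """Everything that determines a build output: name, version, the exact
    store paths of the inputs, and the build recipe.  Nothing else (clock,
    network, distro state, 'phase of the moon') may influence the result."""
    name: str
    version: str
    inputs: tuple    # store paths of dependencies, sorted for stable hashing
    recipe: str      # build script text


class Store:
    """Append-only store: an item's path is a hash of its whole derivation."""

    def __init__(self):
        self.items = {}   # store path -> Derivation that produced it

    def build(self, name, version, recipe, inputs=()):
        drv = Derivation(name, version, tuple(sorted(inputs)), recipe)
        for dep in drv.inputs:
            if dep not in self.items:
                raise KeyError(f"input {dep} is not in the store")
        digest = hashlib.sha256(
            json.dumps(asdict(drv), sort_keys=True).encode()).hexdigest()[:12]
        path = f"{STORE_PREFIX}/{digest}-{name}-{version}"
        # Same derivation, same path: a rebuild is a no-op and never mutates an item.
        self.items.setdefault(path, drv)
        return path

    def affected_by(self, bad_path):
        """Every store item whose *transitive* inputs include bad_path.  Because
        the full graph is recorded, 'what must be rebuilt or rolled back after a
        vulnerable library is found?' is an exact query, not an image scan."""
        affected = set()
        changed = True
        while changed:   # propagate to a fixed point; the graph is a DAG, so it ends
            changed = False
            for path, drv in self.items.items():
                if path in affected:
                    continue
                if bad_path in drv.inputs or affected.intersection(drv.inputs):
                    affected.add(path)
                    changed = True
        return affected


class Profile:
    """A user's profile: a numbered list of immutable generations.  Installing
    creates a new generation; rolling back only points at an older one."""

    def __init__(self):
        self.generations = [{}]   # generation 0 is empty; each maps name -> store path
        self.current = 0

    def install(self, store, *paths):
        new = dict(self.generations[self.current])
        for path in paths:
            new[store.items[path].name] = path   # a newer build replaces the old entry
        self.generations.append(new)
        self.current = len(self.generations) - 1
        return self.current

    def roll_back(self):
        if self.current > 0:
            self.current -= 1
        return self.current

    def packages(self):
        return dict(self.generations[self.current])


def demo():
    """Build a small graph, find what a vulnerable library taints, fix it, then
    roll back.  Package names, versions and recipes are constructed sample data."""
    store = Store()
    zlib = store.build("zlib", "1.2.8", "./configure && make install")
    openssl = store.build("openssl", "1.0.1f", "./config && make install", [zlib])
    curl = store.build("curl", "7.47.1", "./configure --with-ssl && make install", [openssl, zlib])
    ruby = store.build("ruby", "2.3.0", "./configure && make install", [zlib])
    # Reproducibility: identical inputs and recipe yield the identical path.
    assert store.build("zlib", "1.2.8", "./configure && make install") == zlib

    profile = Profile()
    profile.install(store, curl, ruby)                  # generation 1

    tainted = store.affected_by(openssl)                # only curl links against it
    # Fix: a new openssl derivation gets a new path, and so does everything built on it.
    openssl_fixed = store.build("openssl", "1.0.1g", "./config && make install", [zlib])
    curl_fixed = store.build("curl", "7.47.1", "./configure --with-ssl && make install",
                             [openssl_fixed, zlib])
    profile.install(store, curl_fixed)                  # generation 2
    still_tainted = tainted & set(profile.packages().values())

    profile.roll_back()                                 # back to generation 1, unchanged
    return {
        "tainted": tainted,
        "clean_after_fix": not still_tainted,
        "old_path_kept": curl in store.items,          # the store never deletes or overwrites
        "generation_after_rollback": profile.current,
        "rollback_restores_vulnerable_curl": profile.packages()["curl"] == curl,
    }
```

The =affected_by= query is the defender’s check the slides imply: once the graph is recorded, “does anything in this profile still depend on the bad openssl?” is a lookup rather than a guess, which is exactly what an opaque container image cannot answer. The last result is also worth noticing: a roll-back restores the vulnerable curl bit for bit, so a generation that was rolled back for other reasons still needs the same query run against it.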
- Test drive Guix or GuixSD and send feedback
- Write GuixSD system services
- Improve documentation
- Improve containers, add packages, add importers, …

Talk with the developers via IRC at =#guix= on Freenode or via email at =guix-devel@gnu.org= or =help-guix@gnu.org=
** A short story
# Notes to Dave:
# This is the story I tell about the warehouse full of black
# box containers, and then the foreman comes in warning about a
#
# Maybe this image instead? https://pixabay.com/en/container-cargo-freight-harbor-489933/
\heightimage{../static/warehouse-pixabay.jpg}{7cm}
** Credits (p.1)
#+latex: \small{
- Moon image from /Le Voyage dans la lune/ (A Trip to the Moon), public domain. Retrieved from: https://en.wikipedia.org/wiki/A_Trip_to_the_Moon#/media/File:Le_Voyage_dans_la_lune.jpg
- Tar pit image by Ray Bouknight, CC BY 2.0: https://www.flickr.com/photos/raybouk/8341369957
- Rena runs aground (container fail image), CC BY 2.0: https://www.flickr.com/photos/nzdefenceforce/6386334175/
#+latex: }
** Credits (p.2)
#+latex: \small{
- Caminandes video screenshot by Blender Institute, CC BY 4.0: http://www.caminandes.com/
- Chemical warehouse image from Pixabay, CC0: https://pixabay.com/en/warehouse-chemistry-industry-629641/
- GuixSD logos by Luis Felipe López Acevedo, CC BY-SA 4.0: http://www.gnu.org/software/guix/graphics/
- Docker + Twitter image by Karen Rustad
- Slight snippet from Guix (grep package), GPLv3 or later
#+latex: }
** Thanks! Questions?
# Shameless self-promotion?
\heightimage{../static/mediagoblin_mesh.png}{4cm}

© 2016 Christopher Allan Webber == © 2016 David Thompson ==

This presentation is licensed under the [[https://creativecommons.org/licenses/by-sa/4.0/][Creative Commons Attribution Share-Alike 4.0 International]] license.
More on Guix: https://gnu.org/software/guix
* Footnotes

[fn:1] http://dustycloud.org/blog/javascript-packaging-dystopia/

[fn:2] http://lists.gnu.org/archive/html/guix-devel/2016-02/msg01396.html

[fn:3] [[http://www.banyanops.com/blog/analyzing-docker-hub/]]