this post was submitted on 19 Dec 2024
34 points (100.0% liked)

Linux

48721 readers
1074 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hey folks! After using Fedora Atomic for quite a while and really appreciating its approach, I've been eyeing one particular feature from NixOS: its congruent system management. Inspired from Graham Christensen's "Erase your darlings" post, I'd like to explore implementing something similar to NixOS' impermanence module on Fedora Atomic as one step towards better state management.

Why not just switch to NixOS? Well, while NixOS's package management and declarative approach are incredible, I specifically value Fedora's stringent package vetting and security practices. The nixpkgs repository, despite its impressive scope, operates more like a user repository in terms of security standards.

I've already made some progress with the following:

  • Fedora Atomic's shift to bootable OCI containers has helped with base system reproducibility when one creates their own images. This process has thankfully been streamlined by templates offered by either uBlue or BlueBuild
  • Using chezmoi for dotfiles (would've loved home-manager if it played nicer with SELinux)

My current (most likely naive and perhaps even wrong) approach involves tmpfs mounts and bind mounts to /persist, along with systemd-tmpfiles. I'm well aware this won't give me the declarative goodness of NixOS, nor will it make the system truly stateless - there's surely plenty of state I'm missing - but I'm hoping it might be another step in the right direction.

Particularly interested in:

  • Best practices for managing persistent vs temporary state
  • Working with rpm-ostree's (or bootc') assumptions
  • Tools or scripts that might help
  • Alternative approaches that achieve similar goals

Thanks in advance!

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 1 week ago (1 children)

I'm confused, isn't Fedora atomic immutable? Shouldn't that make it stateless automatically?

[–] [email protected] 2 points 1 week ago

You would have been right if the entire filesystem were to be immutable. However, for Fedora Atomic, /var and /etc are writable. Thankfully so, as most people wouldn't want a totally locked down operating system. Heck, no general-purpose distro (or OS otherwise) tries to achieve that level of immutability by default.

[–] [email protected] 3 points 1 week ago (1 children)

I'm a big fan of fedora atomic and derivatives, but haven't played around with nix or nixos yet. What's your goal with the impermanence module?

[–] [email protected] 6 points 6 days ago (1 children)

So, the basic premise of the impermanence module is to flush all state on (re)boot. By default, NixOS is already capable of rebuilding your entire system from the config file(s). The impermanence module simply aids in achieving the desired system workflow for no state without reinventing the wheel. In effect, It's as if you've just done a reinstall and setup everything as you like. But you get to experience this on every reboot. For someone that's perpetually disturbed by state, which has been the case since my Windows-days*, this would finally grant me a peace of mind that I've been yearning for years. So, to answer your question, it would help me get (at least one step) closer to stateless Fedora Atomic without giving up general usability.

[–] [email protected] 2 points 6 days ago (1 children)

Ohhh okay that's awesome actually

[–] [email protected] 2 points 4 days ago

I agree 😜.

[–] [email protected] 3 points 1 week ago (1 children)

Sorry, can't help you there since I've found out about that impermanence thing with this post, but I have a question, what is the problem that doesn't allow you to use Home Manager on Fedora Atomic? AFAIK you just run DeterminateSystems's Nix installer and everything is set up correctly, aside from maybe a couple of configurations, then you install Home Manager as usual, as the official documentation says

[–] [email protected] 2 points 6 days ago (1 children)

Honestly, you could be absolutely right. I haven't revisited Nix since Bazzite Buzz #12 informed us on the following:

"The Nix ujust script has also been removed due to conflicts with SELinux policies. Users can still install the Nix package manager manually if they so desire at their own risk."

However, the above could be outdated; I simply don't know. Are you aware of any developments that have changed things for the better?

[–] [email protected] 2 points 6 days ago (1 children)

I don't remember when this installer was declared stable for use on Fedora, I have installed it in May myself, so after that post.

In the issues tab there seems to be some problems still, like #1325, for me, at least, it's mostly all fine, the only issue I still have is that some things don't work due to the user's home directory being a synlink to /var/home/<username>, rare enough that I still use it

[–] [email protected] 2 points 6 days ago (1 children)

lol. I initially had a better written reply that I was about to send, but I clicked on cancel instead of reply. RIP.

First of all, thank you for sharing your own experiences!

Secondly, in short, looking at the discord servers that are related to the uBlue project, general folk seem to have moved past Nix and use flatpak and brew instead for GUI and CLI respectively. Though, some community members happily report to be content with Nix. So, perhaps I shouldn't be necessarily opposed to home-manager.

Finally, I didn't expect to find a crossover between brew and chezmoi to effectively become a quasi-home-manager.

[–] [email protected] 2 points 6 days ago (1 children)

clicked on cancel instead of reply

Aw man haha

moved past Nix and use flatpak and brew

That sounds a bit funny, when those technologies are just (despite me not liking to use this term) inferior, in terms of packaging, only flatpak really shines because of its embedded permission model, one of the reasons why I also still use it, though there are ways to use bubblewrap with Nix packages which I honestly haven't tried.

So, perhaps I shouldn't be necessarily opposed to home-manager

Yeah, I think you should at least give it a shot and see how you like it, it's not as easy right out of the box as the other 2 you mentioned, of course, so you should find out for yourself what you feel more comfortable using.

crossover between brew and chezmoi

That is kinda neat, but, to me, it really feels more like a last resort when you somehow can't access Nix, Nix is just that much more structurally sound than all the other 3rd party package managers that you can install alongside your system's, I say that mostly because of versioning that doesn't break, and package manager as well as configuration being all cohesively described with a single language, it's not exactly easy, so I won't say "what more could you want?", but look at the features of both to see what you really want first.

[–] [email protected] 2 points 4 days ago (1 children)

That sounds a bit funny, when those technologies are just (despite me not liking to use this term) inferior

Perhaps I should have worded that better 😅. It was meant as a textbook example of status quo bias; anything found by default on a 'product' that's deliberately opinionated will see its audience gravitate towards said defaults. Even if those defaults are inferior to other options.

So, in this case, uBlue initially had a script within ujust (or just) that installed the Nix package manager. It wasn't necessarily the perfect fit, but it definitely had its use cases:

  • Installation of CLI software was better handled by Nix than the alternatives (read: either Toolbx/Distrobox or layering with rpm-ostree)
  • Flatpak was even more restricted than today. So Nix offered an additional avenue for installing GUI software without layering.
  • The nixpkgs repository supersedes even Fedora's own repositories in terms of available packages, effectively making it their atomic AUR.

But then, not long after the troubling conflicts between Nix and SELinux, brew was inaugurated as the de facto alternative for CLI and the rest is history.

in terms of packaging, only flatpak really shines because of its embedded permission model

Yup, can't agree more.

Yeah, I think you should at least give it a shot and see how you like it, it’s not as easy right out of the box as the other 2 you mentioned, of course, so you should find out for yourself what you feel more comfortable using.

FWIW, I have actually used Nix sparingly in the past. IIRC, it broke on me at some point 😅. That could be on me, though. Unfortunately, I don't recall the details. It could also be related to the hardening found on secureblue.

[–] [email protected] 1 points 4 days ago

That's really insightful!

Also didn't know about secureblue, it looks really interesting, hopefully it can all work together