software deployment with nix - github pages · tool support i deployment was (is) often done in an...

Software deployment with NixNLUUG meeting, 31/03/2006

Eelco [email protected]

Universiteit Utrecht, Faculty of Science,Department of Information and Computing Sciences

March 31, 2006

Overview

Nix

I Motivation: Existing package managers (like RPM, apt, ...)have lots of problems

I We set out to improve this

I Result: Nix — basically a package manager (but more!)

Deployment Problems

I Software deployment: the art of transferring software(packages) from one machine to another (and managing it).

I The hard part: packages should work the same on the targetmachine.

I “DLL hell”I “Dependency hell”

So why is this hard?

I Difficult to have multiple versions; but we want this toI Test upgradesI Deal with conflicting dependenciesI Support different user / service requirements

gtk+

wxGTK zapping

wxPython

BitTorrent



gtk+

wxGTK zapping

wxPython

BitTorrent

Requires gtk+-2.4



gtk+

wxGTK zapping

wxPython

BitTorrent

Fails with gtk+-2.4 Requires gtk+-2.4


I Unreliable dependency informationI What components are needed?I What versions?

gtk+

wxGTK

wxPython

BitTorrent

python


I Unreliable dependency informationI What components are needed?I What versions?

gtk+

wxGTK

wxPython

BitTorrent

python

Missing!


python-2.3.4

bittorrent-3.4.2

wxPython-2.4.2.4

zapping-0.7

coreutils-5.2.1

perl-5.8.5

glibc-2.3.3

gcc-3.4.2 zlib-1.2.1

wxGTK-2.4.2

libjpeg-6b

libpng-1.2.7 atk-1.2.4

gtk+-2.2.4

glib-2.2.3

libtiff-3.6.1 pango-1.2.5

libX11-6.2.1

libXft-2.1.6

fontconfig-2.2.3libXrender-0.8.4

expat-1.95.8freetype-2.1.5

libXext-6.4.3

libXau-0.1.1

libXt-0.1.4-cvs

libICE-6.3.3

libSM-6.0.3

libgnomecanvas-2.4.0

glib-2.4.7

libgnomeui-2.4.0.1

popt-1.7

libbonoboui-2.4.1

libXv-2.2.2

libxml2-2.6.13gtk+-2.4.13

libart_lgpl-2.3.16

ORBit2-2.8.3

libbonobo-2.4.2

gnome-vfs-2.4.2

esound-0.2.32

libgnome-2.0.6

GConf-2.4.0.1

pango-1.4.1

zvbi-0.2.8

rte-0.5.2

atk-1.6.1

libglade-2.0.1

libIDL-0.8.2audiofile-0.2.3

xlib-1.0

libXtrans-0.1 xproto-6.6.1xextensions-1.0.1

renderext-0.8

Zapping

BitTorrent

Tool Support

I Deployment was (is) often done in an ad hoc, undisciplinedfashion.

I Files installed in global locations (/usr/bin,C:/Windows/System32).

I “DLL Hell” — overwriting of shared components witholder/newer versions.

I “Dependency Hell” — components may have gazillions ofdependencies.

I Each application has its own (un)installer (so no unified viewon the system).

I Interactive installers ⇒ considered harmful (hard to automate).I Packaging = lots of work.

I Package managers manage software installations in a unifiedway: RPM, FreeBSD Ports/Packages, Depot, Debianapt-get/dpkg, ..., Nix.

Requirements on a Deployment System

I Support multiple versions, variants.

I Handle dependencies.

I Ensure safe upgrades / uninstalls.

I Atomic upgrades/downgrades (e.g., important in serverenvironments).

I Allow different “views” for multiple users.I Configuration management aspects:

I IdentificationI Reproducibility

The Nix Deployment System

I Central idea: store all components in isolation.

I Unique paths:

/nix/store/jjp9pirx8b3nqs9k...-firefox

which is an 160-bit cryptographic hash of all inputs used tobuild the component:

I SourcesI LibrariesI CompilersI Build scriptsI Build parametersI System typeI . . .

I Prevent undeclared build time dependencies.

I Scan for runtime dependencies.

I Deploy only closures under the depends-on relation.

Nix store

/nix/store

bd6593219f8dcb63...-gtk+-2.2.4

lib

libgtk-x11-2.0.so.0

ce2d7d2a41456bab...-wxGTK-2.4.2

libwx_gtk2-2.4.so

e889db0595672287...-wxPython-2.4.2.4

lib

9ed8c4231bfde4af...-bittorrent-3.4.2

btdownloadgui.py

bin

(lots of Python bindings)

300ccc1a41af3abc...-gtk+-2.4.13

lib

libgtk-x11-2.0.so.0

f51ec7d5663c735e-zapping-0.7.3

zapping

bin

Nix store

/nix/store

bd6593219f8dcb63...-gtk+-2.2.4

lib

libgtk-x11-2.0.so.0


libwx_gtk2-2.4.so

e889db0595672287...-wxPython-2.4.2.4

lib


btdownloadgui.py

bin


300ccc1a41af3abc...-gtk+-2.4.13

lib

libgtk-x11-2.0.so.0


zapping

bin

Unique paths fordifferent versions

Nix expressions

hello/default.nix

Packages are built using Nix expressions:

{stdenv, fetchurl, perl}:

stdenv.mkDerivation {name = "hello-2.1.1";builder = ./builder.sh;src = fetchurl {url =ftp://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz;

md5 = "70c9ccf9fac07f762c24f2df2290784d";};inherit perl;

}

Nix expressions

hello/default.nix





}

Function arguments

Nix expressions

hello/default.nix





}

Build attributes

Function arguments

Nix expressions

hello/builder.sh

source $stdenv/setup

PATH=$perl/bin:$PATH

tar xvfz $srccd hello-*./configure --prefix=$outmakemake install

Nix expressions

hello/builder.sh

source $stdenv/setup

PATH=$perl/bin:$PATH

tar xvfz $srccd hello-*./configure --prefix=$outmakemake install

Environment initially empty; pre-vents undeclared dependencies

Nix expressions

system/all-packages.nix

hello = (import ../applications/misc/hello/ex-1) {inherit fetchurl stdenv perl;

};

perl = (import ../development/interpreters/perl) {inherit fetchurl stdenv;

};

fetchurl = (import ../build-support/fetchurl) {inherit stdenv; ...

};

stdenv = ...;

Variability

bittorrent = (import ../tools/networking/bittorrent) {inherit fetchurl stdenv wxGTK;

};

wxGTK = (import ../development/libraries/wxGTK) {inherit fetchurl stdenv pkgconfig;gtk = gtkLibs22.gtk;

};

firefox = (import ../applications/browsers/firefox) {inherit fetchurl stdenv pkgconfig perl zip libIDL libXi;gtk = gtkLibs24.gtk;

};

Finding runtime dependencies

/nix/store

bd6593219f8dcb63...-gtk+-2.2.4

lib

libgtk-x11-2.0.so.0


libwx_gtk2-2.4.so

e889db0595672287...-wxPython-2.4.2.4

lib


btdownloadgui.py

bin


300ccc1a41af3abc...-gtk+-2.4.13

lib

libgtk-x11-2.0.so.0


zapping

bin


/nix/store

bd6593219f8dcb63...-gtk+-2.2.4

lib

libgtk-x11-2.0.so.0


libwx_gtk2-2.4.so

e889db0595672287...-wxPython-2.4.2.4

lib


btdownloadgui.py

bin


300ccc1a41af3abc...-gtk+-2.4.13

lib

libgtk-x11-2.0.so.0


zapping

bin

Contents of libwx gtk2-2.4.so

...

2e 36 00 6c 69 62 73 74 64 63 2b 2b 2e 73 6f 2e |.6.libstdc++.so.|

36 00 6c 69 62 67 63 63 5f 73 2e 73 6f 2e 31 00 |6.libgcc_s.so.1.|

6c 69 62 70 74 68 72 65 61 64 2e 73 6f 2e 30 00 |libpthread.so.0.|

6c 69 62 63 2e 73 6f 2e 36 00 5f 5f 63 78 61 5f |libc.so.6.__cxa_|

61 74 65 78 69 74 00 5f 65 64 61 74 61 00 5f 5f |atexit._edata.__|

62 73 73 5f 73 74 61 72 74 00 2f 6e 69 78 2f 73 |bss_start./nix/s|

74 6f 72 65 2f 62 64 36 35 39 33 32 31 39 66 38 |tore/bd6593219f8|

64 63 62 36 33 30 61 34 35 35 62 31 61 35 37 66 |dcb630a455b1a57f|

36 34 36 33 33 2d 67 74 6b 2b 2d 32 2e 32 2e 34 |64633-gtk+-2.2.4|

2f 6c 69 62 3a 2f 6e 69 78 2f 73 74 6f 72 65 2f |/lib:/nix/store/|

62 37 65 62 34 37 36 64 36 32 62 61 65 38 62 63 |b7eb476d62bae8bc|

...


/nix/store

bd6593219f8dcb63...-gtk+-2.2.4

lib

libgtk-x11-2.0.so.0


libwx_gtk2-2.4.so

e889db0595672287...-wxPython-2.4.2.4

lib


btdownloadgui.py

bin


300ccc1a41af3abc...-gtk+-2.4.13

lib

libgtk-x11-2.0.so.0


zapping

bin

User operations

I To build and install Hello:

$ nix-env -if .../all-packages.nix hello

I When a new version comes along:

$ nix-env -uf .../all-packages.nix hello

I If it doesn’t work:

$ nix-env --rollback

I Delete unused components:

$ nix-collect-garbage

User environments

I Users can havedifferent sets ofinstalled applications.

I nix-env operationscreate new userenvironments in thestore.

I We can atomicallyswitch between them.

I These are roots of thegarbage collector.

PATH

/nix/links

current

42

/nix/store

eb3266df5c1a...-user-envbin

firefoxhello

90d0d25ee157...-hello-2.1.1bin

helloe7cb4be9e7c4...-firefox-1.0

binfirefox

User environments





PATH

/nix/links

current

42

/nix/store


firefoxhello



binfirefox

d0b3495e5c73...-hello-2.1.2bin

hello

(nix-env -u hello)

User environments





PATH

/nix/links

current

42

/nix/store


firefoxhello



binfirefox


hello83ca061e32cd...-user-env

binhellofirefox

(nix-env -u hello)

User environments





PATH

/nix/links

current

42

43

/nix/store


firefoxhello



binfirefox



binhellofirefox

(nix-env -u hello)

User environments





PATH

/nix/links

current

43

/nix/store


firefoxhello



binfirefox



binhellofirefox

(nix-env –remove-generations old)

User environments





PATH

/nix/links

current

43

/nix/store

e7cb4be9e7c4...-firefox-1.0bin

firefoxd0b3495e5c73...-hello-2.1.2

binhello

83ca061e32cd...-user-envbin

hellofirefox

(nix-collect-garbage)

Deployment using Nix

I This is conceptually a source deployment model.

I We get binary deployment by sharing pre-built components.

I On the producer side:

$ nix-push $(nix-instantiate .../all-packages.nix) \http://server/cache

I On the client side:

$ nix-pull http://server/cache$ nix-env -if .../all-packages.nix hello

I Installation will now reuse pre-built components, iff they areexactly the same.

An example deployment policy: channels

I Channels allow Nix expressions to be updated automatically.

I Subscribe to a channel:

$ nix-channel --add http://.../channels/nixpkgs-stable

I Fetch latest channel instance:

$ nix-channel --update

I Update all installed packages:

$ nix-env -u ’*’

Nix Packages collection

Nixpkgs

I Contains Nix expressions for 716 existing Unix packages.I Development tools: GCC, Perl, Mono, ...I Libraries: Glibc, GTK, Qt, X11, ...I Applications: Firefox, Xine, Quake 3, ...I Servers: httpd, PostgreSQL, ...

I On Linux/x86, fully bootstrapped (no external dependencies).

Service deployment

Services: sets of running programs that provide some usefulfacility on a system or network.

Example: Subversion service

Example: Issue tracking service

Service deployment is hard

Service deployment involves a number of steps:

I Deploy software components (e.g., Apache, PostgreSQL,Subversion)

I Edit configuration files (e.g., httpd.conf, viewcvs.conf)

I Initialise state (e.g., logging directories, database tables)

I Start/stop processes

I ... and all of this possibly on multiple machines / platforms

Problems

I Poor reproducibility (bad CM)

I Hard to support parallel configurations

I Cross-cutting configuration choices

Problem 1: Poor reproducibility

I Goal: it should be possible to realise a service by running asingle command.

I E.g., to move it to another machineI So no manual installing of missing software components,

tweaking of configuration files, creating missing directories, etc.

I Why is reproducibility hard?I Admins often manually edit configuration files and initialise

stateI Service configuration doesn’t express software component

dependencies

Example

software

dataconfiguration

subversion

openssl db4

perl

expat

apache

perlBerkeleyDB

viewcvs

/data/subversion/

httpd.conf

control

Gap between package management and serviceconfiguration

I Software components are typically deployed through packagemanagers such as RPM

I Service configuration is typically kept under versionmanagement

I However, there is no good way to express the dependencies ofthe service on the software components

Problem 2: Parallel configurations

I It should be easy to create different instances of a serviceI Test vs. production servers (running on different ports, using

different databases, etc.)I Instantiations for different usersI Evolution through time (rollbacks)

I This is hard to support because there are typically lots ofconfiguration files and control scripts that refer to lots ofpaths for components, state, static data files, etc.

I /etc/apache/httpd.conf,/etc/init.d/apache,/etc/apache/viewcvs.conf, ...

Example

/etc/apache/httpd.conf for Subversion service (fragment)

ServerRoot "/var/httpd"ServerName svn.cs.uu.nl:8080LoadModule dav_svn_module /usr/lib/modules/mod_dav_svn.so<Location /repos>

AuthType BasicAuthDBMUserFile /data/subversion/db/svn-users...SVNParentPath /data/subversion/repos

</Location>ScriptAlias /viewcvs /usr/viewcvs/www/cgi/viewcvs.cgi

Example

/etc/init.d/httpd for Subversion service (fragment)

/usr/sbin/apachectl -k start -f /etc/apache/httpd.conf

Use cases

I Try out with a different set of repositories.

I Try out a different Apache.

I Try out a different Subversion module.

Problem 3: Cross-cutting configuration choices

I Many configuration choices are cross-cutting, i.e., impactmany different (parts of) configuration files, scripts, etc.

I Examples:I Port numbersI Host namesI Paths (major source of problems!)

I So a change to the configuration choices must be realised inmany different places

I Lots of work

I Danger of inconsistency

Example: port number

In /etc/init.d/httpd.conf

ServerName www.example.org:12443Listen 12443<VirtualHost _default_:12443>

In repoman.pl

my $url = "https://www.example.org:12443/"print "... <a href=’$url/repos/$repoName’> ...";

Solution

Treat all the static parts of configurations as Nix components:

I Software

I Configuration files

I Control scripts

I Static data files (e.g., static web pages)

But not mutable state, e.g. databases

Advantages

I Support multiple configurations side-by-side

I Nix’s functional language: can easily support multipleconfigurations

I Atomic upgrades / rollbacksI SCM support:

I Full knowledge of dependenciesI Reproducibility (easy to move to another machine)

Example

Nix expression for svn.cs.uu.nl

{productionServer ? true}:let {webServer = import ../../apache-httpd {hostName = "svn.cs.uu.nl";httpPort = if productionServer then 80 else 12080;httpsPort = if productionServer then 443 else 12443;adminAddr = "[email protected]";subServices = [ subversionService ];...

};

subversionService = import ../../subversion {reposDir = rootDir + "/repos"; ...

}

Use

Building the test instance

$ upgrade-server.sh svn ./default.nix test

I Produces (say) /nix/store/98wl...-apache-httpd-service.

I Generated configuration files (e.g.,/nix/store/98wl...-apache-httpd-service/conf/httpd.conftell server to run on port 12080/12443.

I Old test server is stopped, new server is started.

Building the production instance

$ upgrade-server.sh svn ./default.nix production

I Produces (say) /nix/store/6sc6...-apache-httpd-service.

I Generated configuration files (e.g.,/nix/store/6sc6...-apache-httpd-service/conf/httpd.conftell server to run on port 80/443.

I Old production server is stopped, new server is started.

NixOS

I Nix usually used on existing Unix systems (e.g., SuSE Linux,Fedora Core, Mac OS X, FreeBSD)

I Taking it all the way: NixOS (Armijn Hemel)

I All packages installed through NixI Also hope to improve system configuration

I Stuff in /etc become Nix service components, so we getrollbacks etc.

Conclusions

I Contributions:I Safe, automatic coexistance of versions/variants.I Reliable dependencies.I Multiple concurrent configurations.I Atomic upgrades/rollbacks.I Safe garbage collection.I Binary deployment is automatic.I Can accomodate many deployment policies.I Useful for service deployment.I Integrated continuous integration / release management.

I Available at http://www.cs.uu.nl/groups/ST/Trace/Nix.

http://www.cs.uu.nl/groups/ST/Trace/Nix

Further reading

ICSE’04 E. Dolstra, E. Visser, and M. de Jonge, Imposing aMemory Management Discipline on SoftwareDeployment

LISA’04 E. Dolstra, M. de Jonge, and E. Visser, Nix: A Safeand Policy-Free System for Software Deployment

CBSE’05 E. Dolstra, Efficient Upgrading in a Purely FunctionalComponent Deployment Model

ASE’05 E. Dolstra, Secure Sharing Between Untrusted Usersin a Transparent Source/Binary Deployment Model

PhD thesis E. Dolstra, The Purely Functional SoftwareDeployment Model

software deployment with nix - github pages · tool support i deployment was (is) often done in an...

Documents