-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for building with Nix #797
Conversation
I think the CI is failing because dream is using the wrong version of
Pinning |
lib/dune
Outdated
; Not specifying dependencies on main.css on purpose so we can skip the generation | ||
; of the CSS file if we only want to run the server. | ||
; Uncomment in development | ||
../asset/main.css |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was removed to allow the build to succeed. See #796.
See #795 for the mirage-crypto-rng 0.11.0 change (and requirements to get this through, i.e. a release of mirage). I'm sceptical of adding 360 lines to this project (adding to the complexity of it), even more since this code is not covered by CI, and there's no obvious path how to upgrade the lock file (esp. without "nix" tooling - I would be sad if "contributing to mirage-www means you have to have nix tooling and some expertise in that). This won't fix #792 (for me), since the underlying issue that tailwindcss is distributed as binary for some platforms (not including FreeBSD). So, thanks for your contribution. I'm happy to enable people to build MirageOS unikernels with NixOS, but I don't think spreading lock files around is a viable path (e.g. we have this in albatross (https://github.com/roburio/albatross) - even with a CI job that attempts to build it - but there's lack of automation on updating the lock file). I personally like to build (and see failures and fix them) with the latest HEAD of opam-repository, instead of pointing to specific commits and find out weeks, months, years later that there's a huge amount of technical debt accumulated. But that's of course a debatable development methodology. |
That is a valid concern. The nice thing about opam-nix is that it continues to work with the existing opam tooling, so it allows those using opam to collaborate with those using nix.
I believe 434508c should remedy this. It builds tailwindcss from source, and Nix is available for FreeBSD (although I've never used it myself). Nix really shines in handling these kind of multi-language environments.
Regarding the lack of support for automatic upgrading of lockfiles, this is perhaps an intentional feature of Nix providing reproducibility. I imagine it would be possible to set up CI to automatically upgrade this, but any breaking changes would need to be dealt with manually (but this is also the case outside of Nix).
One can in fact do this with opam-nix too. Removing |
Thanks for your reply @RyanGibb, still I've a couple of questions unanswered:
I understand that nix uses lock files for reproducible builds and binaries, but as I tried to emphasize in the OCaml & opam ecosystem there are rolling releases of sources, and I find it crucial to stay on top of the releases. I've worked on a thin extension for opam to feature reproducible builds (https://github.com/roburio/orb -- https://builds.robur.coop), which uses the HEAD of opam-repository (and indeed there are lots of updates to opam-repository that don't result in different hashes of the resulting unikernel binaries) -- so there's no requirement to update every now and then commit hashes -- but instead failures can be seen early (and then fixed). So, I wonder how to join forces or document/explain more clearly what the development model of the mirage-www unikernel (and other unikernels) is -- and from what I read there is a divergence between "let's stick to a certain opam-repository commit" and "let's try and fail the latest, observe CI and fix the code". On a more technical level, in your lock file, there is twice |
And to be clear, I'm open to have this merged if others in the @mirage/core team think this is a good path to have. I'm curious what others think in terms of development model for MirageOS unikernels. I'm just hesitant since several years ago it was "let's add a debian subdirectory with changelog, dependencies, ...", then some years ago it was "let's add Dockerfile into each repository", and now it is lock files for various systems (nix, npm, esy, ...). |
I would like to extend the @hannesm's point of view by the current state of Adding support for NixOS implies not only a responsibility on your part to maintain that support but also a collective responsibility to those involved in the MirageOS project to keep an eye on that support. This is, I think, where things become problematic and can be misinterpreted. Like @hannesm, I am not against NixOS support and we have repeatedly shown good signals to the NixOS community to improve MirageOS libraries and software (like Solo5). However, we are not yet in a position to systematically (and for obvious reasons of time) integrate NixOS issues into all our projects. What would be interesting in this context is to be able to support NixOS semi-automatically from a well-defined tool or workflow - note that MirageOS has already experimented with this kind of transition in the past (notably in the support of AFL). If such a thing exists and can be easily appropriated collectively, I would personally be happy to experiment/test and go further in this direction. |
Hi @hannesm and @dinosaure. First of all, thanks for taking the time and the energy to respond. To respond to @hannesm first:
I should preface this by saying that while I find it to be very useful, I'm not trying to convince you yourself to use Nix if you don't have the time or energy to learn this new tool. I suppose the simplest answer would be that it addresses your issue of building tailwindcss from source. I would also argue that instead of adding another layer on top of all these tools it instead replaces a lot of functionality of Opam with a philosophy I find easier to work with. Rather than creating and maintaining mutable Opam switches, you can instead use Nix to deterministically build and provide sources for development and builds. You can transparent share these dependencies between projects, garbage collect them, and recreate them trivially. I would say it remove a lot of the complexity of Opam; the only part of Opam that is used for in While I find it to be very useful, people like tools they are used to, and it is unarguably additional work to gain familiarity with Nix. I would argue not because it's necessarily more complex but rather because it's unfamiliar.
I don't have any experience with
It seems like a CI action or GitHub action that runs
I am afraid I'm unfamiliar with how other unikernels are developed in general. I can certainly see the advantage to the former though.
This is the result of different projects lockfiles composing. By default it's conservative and duplicates them, but it's possible to deduplicate them. I'll push an update doing this now. And to respond to @dinosaure:
I understand your problem, and empathise with it.
My motivation in this PR is not to add support for NixOS (or else I would have also added a NixOS module for deployment on a NixOS system), but rather simply support to build the project with Nix for the benefits in reproducible builds and development environments. Nix, for our purposes here, is a build system and package manager. And NixOS is a Linux distribution built on top of Nix. I've written a bit about the differences between Nix and NixOS. However, I would be happy to help to maintain this Nix support. I hope this clarifies that I do not aim to support an additional operating system with this, but rather integrate a useful tool.
Regarding semi-automatic support, I'm not entirely sure how this would work. I think the closest existing project is https://github.com/RyanGibb/hillingar which aims to be an interface to simplify adding support for building Mirage unikernels with Nix. This In summary, I think the benefits of this PR is support for reproducible development environments and deployments. |
Reading leanprover/lake#15 (comment) made me realise that an alternative might be just to omit committing the lockfile. |
However I can see there isn't much interest in this so I'm going to close the issue |
This PR adds support for building the project with Nix.
It supports building a binary program as well as a unikernel with https://github.com/tweag/opam-nix and https://github.com/RyanGibb/hillingar respectively.
To build a binary, one can use
$ nix build .
or$ nix build .#scope.mirageio-bin
.To build a unikernel
$ nix build .#unikernel.<target>
, e.g.$ nix build .#unikernel.unix
.One can also create a development environment from these derivations. So instead of a new user having to go through the manual process of creating an opam switch and installing all the dependencies (along with debugging steps that might arise with the pinned packages, vendored dependencies, and external system packages) they can just run
nix develop .#<derivation> -c <command>
, e.g.nix develop . -c codium `pwd`
ornix develop .#unikernel.unix -c dune build
.I hope this will enable reproducible builds to help alleviate issues such as:
make build
#757