livellosegreto.it is one of the many independent Mastodon servers you can use to participate in the fediverse.
Livello Segreto is the ethical social network that respects you and your time.


#sysadmin


Spending a chunk of my weekend wrangling servers and once again frustrated with Guix in particular for how heavyweight the package manager is. There's this one VM that only needs like 5-10G of disk space* and 1G of RAM to do its actual _job_ but if I don't provision it with twice as much RAM and four times as much disk, `guix pull` and `guix system reconfigure` are liable to run the thing completely out of storage and crash.

I have a concrete idea for what to do about this, I call it a "drone" deployment of a declaratively configured OS. In Guix terms, this would be a type of system image, in which the guix-daemon and the `guix` command are *not* included. The store would include only the packages required at runtime by the operating-system spec, not any of the packages required to rebuild them.

The idea is that you have a separate beefier machine that rebuilds the image periodically, and then you push that image to the drone somehow, ideally in a way that mimics `nixos-rebuild --boot` (i.e. the running system is not affected until you reboot it).

In addition to making it possible to use a smaller machine or VM instance with this kind of OS, this should also be good for server hardening. The store could be kept read-only, you wouldn't have to consider the package manager as part of the attack surface, etc.

Has anyone done anything even vaguely like this already? For any base OS, not just declarative distributions of Linux?

* the part of me that grew up in the days of 1.44MB floppy disks is horrified that this is a *small* amount of disk space, but that's a me issue
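As an added illustration of the "drone" workflow the post sketches (not code from the post, from Guix, or from NixOS), here is a minimal drone-side receiver in POSIX shell. It models the `nixos-rebuild --boot` semantics: a freshly built image is verified against the digest the builder ships with it, staged into the slot that is *not* currently booted, and only a next-boot marker is flipped; the running slot is never touched until reboot. The A/B slot layout under a root directory, the `active` and `next-boot` marker files, and the function names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post): a drone-side image receiver with A/B slots.
# Layout assumed for illustration: $root/slots/{a,b}/system.img, $root/active,
# and $root/next-boot (the marker the bootloader promotes on the next boot).
set -eu

# Pick a SHA-256 tool (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the slot that is NOT currently booted.
inactive_slot() {
    root=$1
    active=$(cat "$root/active")
    if [ "$active" = "a" ]; then echo b; else echo a; fi
}

# Stage an image into the inactive slot after checking its digest against the
# one the builder shipped alongside it. Returns non-zero (and stages nothing)
# on mismatch, so a corrupted or tampered transfer never becomes bootable.
stage_image() {
    root=$1; image=$2; expected=$3
    actual=$(sha256_of "$image")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: refusing to stage $image" >&2
        return 1
    fi
    slot=$(inactive_slot "$root")
    mkdir -p "$root/slots/$slot"
    cp "$image" "$root/slots/$slot/system.img"
    # Record the verified digest and flag the slot for the next boot only;
    # $root/active (the running system) is deliberately left alone.
    echo "$actual" > "$root/slots/$slot/system.img.sha256"
    echo "$slot" > "$root/next-boot"
    echo "$slot"
}

# What the bootloader (or an early-boot hook) would do: promote next-boot to
# active. Prints the slot that is active afterwards.
apply_on_reboot() {
    root=$1
    if [ -f "$root/next-boot" ]; then
        mv "$root/next-boot" "$root/active"
    fi
    cat "$root/active"
}

# Constructed layout under a temp directory so the example runs offline.
demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/slots/a"
    echo a > "$root/active"
    echo "$root"
}
```

Because the drone only ever copies into the inactive slot and verifies the digest before doing so, a failed or interrupted push leaves the booted system intact, which is the property the post wants from a `--boot`-style deployment; the builder is the only machine that needs the package manager and its build-time closure.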