Linux

48889 readers

932 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

Emulating NixOS' impermanence module on Fedora Atomic (discuss.online)

submitted 2 weeks ago by [email protected] to c/[email protected]

15 comments fedilink hide all child comments

Hey folks! After using Fedora Atomic for quite a while and really appreciating its approach, I've been eyeing one particular feature from NixOS: its congruent system management. Inspired from Graham Christensen's "Erase your darlings" post, I'd like to explore implementing something similar to NixOS' impermanence module on Fedora Atomic as one step towards better state management.

Why not just switch to NixOS? Well, while NixOS's package management and declarative approach are incredible, I specifically value Fedora's stringent package vetting and security practices. The nixpkgs repository, despite its impressive scope, operates more like a user repository in terms of security standards.

I've already made some progress with the following:

Fedora Atomic's shift to bootable OCI containers has helped with base system reproducibility when one creates their own images. This process has thankfully been streamlined by templates offered by either uBlue or BlueBuild
Using chezmoi for dotfiles (would've loved home-manager if it played nicer with SELinux)

My current (most likely naive and perhaps even wrong) approach involves tmpfs mounts and bind mounts to /persist, along with systemd-tmpfiles. I'm well aware this won't give me the declarative goodness of NixOS, nor will it make the system truly stateless - there's surely plenty of state I'm missing - but I'm hoping it might be another step in the right direction.

Particularly interested in:

Best practices for managing persistent vs temporary state
Working with rpm-ostree's (or bootc') assumptions
Tools or scripts that might help
Alternative approaches that achieve similar goals

Thanks in advance!

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 2 weeks ago (1 children)

That sounds a bit funny, when those technologies are just (despite me not liking to use this term) inferior

Perhaps I should have worded that better 😅. It was meant as a textbook example of status quo bias; anything found by default on a 'product' that's deliberately opinionated will see its audience gravitate towards said defaults. Even if those defaults are inferior to other options.

So, in this case, uBlue initially had a script within ujust (or just) that installed the Nix package manager. It wasn't necessarily the perfect fit, but it definitely had its use cases:

Installation of CLI software was better handled by Nix than the alternatives (read: either Toolbx/Distrobox or layering with rpm-ostree)
Flatpak was even more restricted than today. So Nix offered an additional avenue for installing GUI software without layering.
The nixpkgs repository supersedes even Fedora's own repositories in terms of available packages, effectively making it their atomic AUR.

But then, not long after the troubling conflicts between Nix and SELinux, brew was inaugurated as the de facto alternative for CLI and the rest is history.

in terms of packaging, only flatpak really shines because of its embedded permission model

Yup, can't agree more.

Yeah, I think you should at least give it a shot and see how you like it, it’s not as easy right out of the box as the other 2 you mentioned, of course, so you should find out for yourself what you feel more comfortable using.

FWIW, I have actually used Nix sparingly in the past. IIRC, it broke on me at some point 😅. That could be on me, though. Unfortunately, I don't recall the details. It could also be related to the hardening found on secureblue.

[–] [email protected] 1 points 2 weeks ago (1 children)

That's really insightful!

Also didn't know about secureblue, it looks really interesting, hopefully it can all work together

[–] [email protected] 2 points 1 week ago (1 children)

Sorry for late response.

Also didn’t know about secureblue

Yup. It's a relatively new project and doesn't try to be very newbie-friendly. Hence, will not be talked about commonly in threads. Rightfully so, as I'd argue exquisitely hardened systems simply have to prefer security over convenience.

But it's definitely neat and had its fair share of users. As the folks over at GrapheneOS and Privacy Guides seem to be enthusiastic on it, I wouldn't be surprised if it receives a new influx/stream of users once community members of GOS have launched a dedicated website on it (which is already in the works) and the peeps responsible for PG's recommendations have finally included secureblue as their de facto Linux recommendation.

hopefully it can all work together

So do I 😊!

Thank you for the chitchat! I wish you the best!

[–] [email protected] 2 points 1 week ago

Neat, it's all in the right places, I've Aldo recently moved over to Graphene so I'm excited for that!

Thank you for the chitchat! I wish you the best!

Ahh same to you, happy holidays!