-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add nix package manager to base install #60
Comments
@espg can you clarify if you think it would be worth pursuing this for the "persistent on a per user level" rather than "persistent and things built are shared between all users basis"? I ask because I think there can be very significant difference in complexity between these, and the former could be accomplished without that much trouble while the latter probably requires significant efforts and may not turn out to work. Currently, anything stored in /home/jovyan after the Dockerfile is built will be persistent, but anything written there during the Dockerfile builds will be overwritten by the mounted persistent storage when the container starts. The complexity I'm worried about by having a shared directory for all users is that it isn't like sharing a directory on one computer between different users on that computer. If all users are on the same computer, you can have a master process doing things for all users and hence just write to the shared folder via one process. But, if you have multiple separate computers or containers, there is no easy way to have a shared process that make sure that write operations won't cause conflicts etc. For these situations, one typically end up needing some central service that others communicate with, but now that must be external to the users computer/container and I'd guess that will require us to make use of some additional service that may not have been developed at all yet. |
@consideRatio I'm less worried about the shared directory, because it's generally considered 'read only'... and by that, I mean that the objects that are there are write once and not mutable. You can add a new file path with a new build, but once a file is created, it's not ever going to be 'modified'. So things like 'locking' don't really matter. Each build is stored like this: /nix/store/{hash}-mylib/ , i.e., That's why I'm caviler about having it shared; it's unlikely to break because it isn't changing. The only time it should get modified is if it's grown large from old versions...like you might delete it once a year to keep the filesizes low. That's also why sudo is usually needed to set up-- to make sure that no user had write access to mess things up by changing the state of any directories. |
On that point, it probably doesn't need the multi-user setup... the only thing that the daemon is doing is spawning build processes per user, but if each user is in their own container, then the daemon is pretty redundant. There's a (vanishingly small) chance that you could run into issues with incomplete builds; i.e., someone tries to read from a directory that only has part of the files copied over, but I think that's only going to be a temporary error. Even if two people start building the same requirement/library, if they're writing to the same location, it means that they're writing the same byte-by-byte files...so if they overwrite something, they're overwriting the same file with itself |
@espg ah okay! Then I would say we want:
About sudo permissionsIt is easy and without risk to provide sudo permissions during Dockerfile build, but whenever we leave the Dockerfile build and let users start running code - that is when I'd hope to avoid introducing the need to use |
@consideRatio We shouldn't need sudo at all once nix is installed. I think the sudo call during installation is mostly to set the correct permissions on the /nix directory, and to create the nix build user that's called whenever nix-shell is invoked (the build user have write permission on the /nix directory) For item one, I think we can modify this which is modified from this code (I think):
Where the For item 2, I think it is possible but a hassle... to change the root directory of the store, you'd need to recompile from source (i.e., see here). |
Not entirely comfortable with docker builds, hence the issue rather than a pull request...
The nix package manger has a 'hard' promise of reproduciblity, especially between linux systems. If I write a
default.nix
derivation on my system and run nix on that file within the jupyterhub, I will get the same working environment--same versions of packages, with same compile time options, and same environmental variables (similar to a yarn.lock file as best I can tell). So it enables a user to either prototype a build on the jupyterhub and reproduce on another system, or, bring a working/functional environment into the jupyterhub.It would be nice to do this in a way that is persistent for users and between sessions. i.e., if someone else on the hub uses
nix-shell default.nix
, is shouldn't require a new build, because the previous build would be cached under a shared /nix. This is normally done with a multiuser install that runs a daemon to intercept nix calls and farm out the build to the nix user.Why is this hard?
Nix has a single line install using
curl -L https://nixos.org/nix/install | sh
that does a 'single user' install.The problems:
You could do it the correct way and do a multi user install with nixbuild users and a persistent daemon to build things... but then you need to mount a directory outside of the docker container. If you don't builds will:
@consideRatio leaving this here for now, will update if I find more workable solutions...
The text was updated successfully, but these errors were encountered: