Some folks on the internet were interested in how I had managed to ditch Docker for local development. This is a slightly overdue write up on how I typically do things now with Nix, Overmind and Just.

  • CodeBlooded@programming.dev
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    Docker builds are not reproducible

    What makes you say that?

    My team relies on Docker because it is reproducible…

    • uthredii@programming.dev
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      You might be interested in this article that compares nix and docker. It explains why docker builds are not considered reproducible:

      For example, a Dockerfile will run something like apt-get-update as one of the first steps. Resources are accessible over the network at build time, and these resources can change between docker build commands. There is no notion of immutability when it comes to source.

      and why nix builds are reproducible a lot of the time:

      Builds can be fully reproducible. Resources are only available over the network if a checksum is provided to identify what the resource is. All of a package’s build time dependencies can be captured through a Nix expression, so the same steps and inputs (down to libc, gcc, etc.) can be repeated.

      Containerization has other advantages though (security) and you can actually use nix’s reproducible builds in combination with (docker) containers.

      • nickwitha_k (he/him)@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        That seems like an argument for maintaining a frozen repo of packages, not against containers. You can only have a truly fully-reproducible build environment if you setup your toolchain to keep copies of every piece of external software so that you can do hermetic builds.

        I think this is a misguided way to workaround proper toolchain setup. Nix is pretty cool though.

        • uthredii@programming.dev
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          1 year ago

          That seems like an argument for maintaining a frozen repo of packages, not against containers.

          I am not arguing against containers, I am arguing that nix is more reproducible. Containers can be used with nix and are useful in other ways.

          an argument for maintaining a frozen repo of packages

          This is essentially what nix does. In addition it verifies that the packages are identical to the packages specified in your flake.nix file.

          You can only have a truly fully-reproducible build environment if you setup your toolchain to keep copies of every piece of external software so that you can do hermetic builds.

          This is essentially what Nix does, except Nix verifies the external software is the same with checksums. It also does hermetic builds.

          • nickwitha_k (he/him)@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            Nix is indeed cool. I just see it as less practical than maintaining a toolchain for devs to use. Seems like reinventing the wheel, instead of airing-up the tires. I could well be absolutely wrong there - my experience is mainly enterprise software and not every process or tool there is used because it is the best one.

            • uthredii@programming.dev
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I just see it as less practical than maintaining a toolchain for devs to use.

              There are definately some things preventing Nix adoption. What are the reasons you see it as less practical than the alternatives?

              What are alternative ways of maintaining a toolchain that achieves the same thing?

              • nickwitha_k (he/him)@lemmy.sdf.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                I see it as less practical mainly due to the extant tooling and age/maturity of the project.

                The ways that I’m most familiar with are use of software like Artifactory - basically a multi-repo. Using such a tool, any package or artifact can be readily retained for future use. Then, for builds, one only needs to ensure that it is used as the package source, regardless of type (PyPy, Docker image, binary, RPM, etc).

                Alternatively, one can use individual repos for any relevant package type but that’s a bit more overhead to manage.

      • CodeBlooded@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I’ll certainly give this a read!

        Are you saying that nix will cache all the dependencies within itself/its “container,” or whatever its container replacement would be called?

        • uthredii@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Are you saying that nix will cache all the dependencies within itself/its “container,” or whatever its container replacement would be called?

          Yep, sort of.

          It saves each version of your dependencies to the /nix/store folder with a checksum prefixing the program name. For example you might have the following Firefox programs

          /nix/store/l7ih0zcw2csi880kfcq37lnl295r44pj-firefox-100.0.2
          /nix/store/cm1bdi4hp8g8ic5jxqjhzmm7gl3a6c46-firefox-108.0.1
          /nix/store/rfr0n62z21ymi0ljj04qw2d7fgy2ckrq-firefox-114.0.1
          

          Because of this you can largely avoid dependency conflicts. For example a program A could depend on /nix/store/cm1bdi4hp8g8ic5jxqjhzmm7gl3a6c46-firefox-108.0.1 and a program B could depend on /nix/store/rfr0n62z21ymi0ljj04qw2d7fgy2ckrq-firefox-114.0.1 and both programs would work as both have dependencies satisfied. AFAIK using other build systems you would have to break program A or program B (or find versions of program A and program B where both dependencies are satisfied).