Comment by otabdeveloper4
4 months ago
> I also know these are more fragile than the deeply self-contained nature of containers and their images
Not really. People only use Nix because it doesn't randomly break, bitrot or require arcane system setup.
Unlike containers. You really need k8s or something like it to mould Docker containers into something manageable.
> People only use Nix because it doesn't randomly break, bitrot or require arcane system setup.
I'll stipulate this, despite knowing and appreciating the much greater value Nix has.
Then, the problem that Nix solves isn't something container users care about. At scale, the bare metal OS hosting containers is among the least of one's problems: typically a host image is some actively maintained, rigorously tested artifact provided by one of a couple different reliable sources. Ideally container users are indifferent to it, and they experience few if any surprises using them, including taking frequent updates to close vulnerabilities.
> Unlike containers.
Containers randomly break or bitrot? I've never encountered that view. They don't do this as far as I'm aware. Container images incorporate layer hashing that ensures integrity: they do not "bitrot." Image immutability delivers highly consistent behavior, as opposed to "randomly break." The self-contained nature of containers delivers high portability, despite differences in "system setup." I fail to find any agreement with these claims. Today, people think nothing of developing images using one set of tools (Docker or what have you) and running these images using entirely distinct runtimes (containerd, cloud service runtimes, etc.). This is taken entirely for granted, and it works well.
> Arcane system setup.
I don't know what is meant by "system setup" here, and "arcane" is subjective. What I do know is that the popular container systems are successfully and routinely used by neophytes, and that this doesn't happen when the "system setup" is too demanding and arcane. The other certainty I have is that whatever cost there is in acquiring the rather minimal knowledge needed to operate containers is vastly smaller than achieving the same ends without containers: the moment a system involves more than 2-3 runtime components, containers start paying off versus running the same components natively.
> Containers randomly break or bitrot?
All the fucking time. Maybe it's possible to control your supply chain properly with containers, but nobody actually does that. 99% of the time they're pulling in some random "latest image" and applying bespoke shell commands on top.
> I don't know what is meant by "system setup" here, and "arcane" is subjective.
Clearly you've never debugged container network problems before.
> but nobody actually does that
They do. I assure you.
> they're pulling in some random "latest image"
Hardly random. Vendoring validated images from designated publishers into secured private repos is the first step on the supply chain road.
> Clearly you've never debugged container network problems before.
Configuring Traefik ingress to forward TCP connections to pods was literally the last thing I did yesterday. At one time or another I've debugged all the container network problems for every widely used protocol in existence, and a number of not so common ones.
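The two positions above ("pulling in some random 'latest image'" versus "vendoring validated images ... is the first step on the supply chain road") come down to one mechanical question: is every base image pinned to a content digest, or only to a floating tag? The script below is an added example, not code from any commenter or from Docker; it scans a constructed Dockerfile and flags `FROM` lines that lack an `@sha256:` digest or default to `latest`. Image names, the `registry.example.internal` host and the all-`a` digest are constructed placeholders.

```python
"""Flag base images in a Dockerfile that are not pinned by content digest.

Added example for this thread (not any commenter's or project's code).
A tag such as ':1.22' or ':latest' can point at different bytes on
different days; an '@sha256:<digest>' reference cannot, which is what
makes a vendored image reproducible and auditable.
"""
import re
from dataclasses import dataclass

# Matches: FROM [--platform=...] <image-ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE
)
ALIAS_RE = re.compile(r"\sAS\s+(\S+)\s*$", re.IGNORECASE)
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line: int
    image: str
    problem: str


def split_image_ref(ref):
    """Split 'registry[:port]/repo[:tag][@digest]' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    # A ':' after the last '/' separates the tag; before it, it is a registry port.
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def check_dockerfile(text):
    """Return a list of Finding objects for unpinned or floating base images."""
    findings = []
    stages = set()  # names of build stages defined earlier in the file
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        alias = ALIAS_RE.search(line)
        if alias:
            stages.add(alias.group(1))
        if ref in stages or ref == "scratch":
            continue  # refers to an earlier stage or the empty image; nothing is pulled
        name, tag, digest = split_image_ref(ref)
        if digest is None:
            findings.append(Finding(lineno, ref, "no @sha256 digest; bytes can change between pulls"))
        elif not SHA256_RE.match(digest):
            findings.append(Finding(lineno, ref, "malformed digest"))
        if tag is None and digest is None:
            findings.append(Finding(lineno, ref, "no tag; defaults to floating 'latest'"))
        elif tag == "latest":
            findings.append(Finding(lineno, ref, "floating 'latest' tag"))
    return findings


# Constructed sample Dockerfile; the registry host and digest are placeholders.
PINNED_DIGEST = "sha256:" + "a" * 64
SAMPLE_DOCKERFILE = (
    "# constructed sample, not from any real project\n"
    "FROM golang:1.22 AS builder\n"
    "RUN go build -o /app ./cmd/app\n"
    "FROM ubuntu\n"
    "RUN apt-get update && apt-get install -y ca-certificates\n"
    "FROM --platform=linux/amd64 registry.example.internal:5000/base/python:3.12@" + PINNED_DIGEST + "\n"
    "COPY --from=builder /app /app\n"
    "FROM builder AS final\n"
)

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.image}: {f.problem}")
```

The only `FROM` line that passes is the one pinned to a digest in the private registry; the `golang:1.22` tag is reproducible-looking but still mutable, and bare `ubuntu` is the "random latest image" case. Stage references (`FROM builder`) are skipped because nothing is pulled for them.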
Containers don't break in any of those ways, but rebuilding the images with updates does and the same is entirely true of nix.
No, because Nix configuration is declarative and statically checked.
Containers are "run these random shell commands I copy pasted from the internet on top of this random OS image I pulled from the internet, #yolo".
Did you inspect the build code of all the nixpkgs you imported? Did you inspect the code of the tarballs they depend on? Sure, the SHA256 is right there... did you look at it?
People copy and paste nix code all the damn time because it's downright unparseable and inscrutable to the majority of users. Just import <module>, set some attrs and hit build. #yolo
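The exchange above turns on what a declared SHA256 in a Nix expression actually buys: it does not prove anyone read the tarball, but it does make the fetched bytes fail closed if they differ from what the author pinned. The script below is an added example, not code from any commenter or from Nix itself; it recomputes the `sha256-<base64>` SRI form that Nix fetchers accept over an in-memory, constructed tarball, and shows that a modified tarball is rejected. The file names and contents are constructed.

```python
"""Verify fetched source bytes against a declared SRI sha256 hash.

Added example for this thread (not any commenter's or Nix's own code).
Nix pins fetched sources with strings like hash = "sha256-<base64>";
this reimplements that comparison so the effect of the pin is visible:
the declared value is checked, not merely displayed.
"""
import base64
import hashlib
import hmac
import io
import tarfile


def sri_sha256(data):
    """Return the SRI-style 'sha256-<base64 digest>' string for data."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def verify_sri(data, declared):
    """True only if declared is a well-formed sha256 SRI string matching data."""
    prefix = "sha256-"
    if not declared.startswith(prefix):
        return False  # other algorithms are not accepted here
    try:
        raw = base64.b64decode(declared[len(prefix):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 32:
        return False
    return hmac.compare_digest(raw, hashlib.sha256(data).digest())


def build_tarball(files):
    """Build a plain (uncompressed) tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = 0  # fixed metadata so the archive is reproducible
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def list_members(data):
    """Names of the files inside a tarball, for the 'did you look at it' step."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


# Constructed sample source tree; contents are placeholders.
GOOD_SOURCE = {
    "configure": b"#!/bin/sh\necho configuring\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
TAMPERED_SOURCE = dict(GOOD_SOURCE, **{"src/main.c": b"int main(void) { return 1; }\n"})

if __name__ == "__main__":
    good = build_tarball(GOOD_SOURCE)
    declared = sri_sha256(good)  # what the package author would pin
    print("members:", list_members(good))
    print("declared:", declared)
    print("good tarball verifies:", verify_sri(good, declared))
    print("tampered tarball verifies:", verify_sri(build_tarball(TAMPERED_SOURCE), declared))
```

The pinned string is derived from the same bytes at build time here only because the example runs offline; in real use the value is authored once and every later fetch is compared against it. The constant-time comparison and the strict base64 parse are the two places a naive `==` on a hex string tends to go wrong.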