[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thoughts on stateful services in Guix

From: Giovanni Biscuolo
Subject: Re: Thoughts on stateful services in Guix
Date: Wed, 05 Feb 2020 14:03:08 +0100

Hi Alex,

I'm very interested in deploying "as stateless as possible" services
with Guix, thank you for sharing your thougts on this!

I'm still non able to contribute code fot this task... I'm working on it

Alex Sassmannshausen <address@hidden> writes:

> As a result of FOSDEM conversations today I felt inspired to put some
> thoughts on paper about an area where I think we currently run into
> complications.

I also think that deploying services in a functional way (ala Guix
packages to be clear) is _complicated_ and... it's a problem

to be clear: this complication it's *absolutely not* Guix specific, but
it's something that becomes very clear when you want to use the
declarative approach to "everithing" once you've got Guix :-O

(and after you were deluded by the promises from tools like Puppet and

> Not sure if it is appropriate to write this blog-post-ish contribution
> here, but as I don't have a blog, and it's about Guix development, I
> figured it might be OK.

maybe with a little help by someone more qualified than me this should
become a Guix blog post... or better be generalized ("how to write
staletess services") and included in the cookbook

anyway, I think your analisys is very helpful in discussing how Guix can
help fighting the "state dragon"

I've some comment and questions

> Best wishes,
> Alex
> 1 Introduction
> ══════════════


>   Disciplined developers can implement many services in such a way that
>   their statefulness is delegated to other dedicated services.  In this
>   way the problem of statefulness can be isolated.  However, many
>   existing useful services /have not/ been implemented in such a way.

do you mean upstream?


from now on you used Drupal as an example: I do not know how Drupal
works, but I know other problematic web services :-)

> 2.3.1 Enter the state dragon
> ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌
>   But hang-on… if Mysql service is a dependency, and we store state in a
>   Mysql DB,

in this regard some time ago I found (see
"Lumps of impurity") a good explanation on what should be state and what
not; this is the relevant part:

--8<---------------cut here---------------start------------->8---
NixOS keeps the “OS” parts of the machine stateless, meaning that the
only state you need to manage is that which you create yourself. From
the top of my head (not an exhaustive list):

- /var, /tmp, /run: stateful, unmanaged

- each user’s $HOME directory: stateful, unmanaged (rarely used on a server, 

- Users & Groups: stateless

- Installed software: stateless

- Installed services (using systemd): stateless

- All program configuration (i.e all of /etc): stateless

- Kernel & kernel modules, grub configuration: stateless (but requires a reboot 
to activate)

- Disk mounts: stateless

By “stateless”, I mean that the given item is generated entirely from
the pure nix expression of the system, and isn’t affected by any
previous state.
--8<---------------cut here---------------end--------------->8---

I was not able to find a similar description in some Guix
document... but it's OT now :-)

(...and software config stored in $HOME should be stateless, also;
guix-home-manager [1] is a _very_ interesting work on this topic)

storing state it's obviously the job of many services, what's bad it's
some software (Drupal?  Discourse for sure, Wordpress for sure) store
(part of?) configuration as status; some software provides a CLI tool
(usually as a afterthougt, e.g. wp-cli) to imperatively configure it,
but it's always treated as status

in other words: some (usually web) services "embeds" config with status
and provide one or more interface to configure, others clearly separates
config from status leaving the "burden" of writing configuration
(usually in /etc) to sysadmins... and that software is "easy" to
integrate as a stateless (and functional) Guix service

my question is: can we work around this very bad design choiche?  can we
patch the package and have stateless config for, e.g., Drupal?

I see this someway similar to "de-blobbing" our packages: how hard it's
to do depends on upstream... unfortunately not all developers agrees
that stateful config is a problem (in a similar way not all agrees that
distributing binary-blobs it's a problem)

>   what happens when we upgrade to a newer version of Drupal,
>   with a different schema?  Would this service instantiation change the
>   state of our system?  Could we still roll-back?

oh yes, schema migration of status is also a problem to manage when we
upgrade software... and usually we do it "by hand" (making backups of
status, ecc.)

schema migration is usual when status is stored in a database,
theoretically schema migration could be applyed also when storing state
in XML (YAML?) in files, but I've never seen this use case

your proposal (below) is interesting!

>   And remember that broken symlink we introduced in the package?  That
>   files/ subdirectory contains /at least/ a stateful configuration
>   file

and that's the main problem: configuration as status

>   — but also Drupal modules, themes,

modules and themes should be packaged separately, IMHO (and yes, they
sometimes can be installed via the web interface... and that's a problem)

the general problem is that some services have become a software blob
providing all sort of features: package installation, configuration
editing, what else?

> uploaded files and caches.

uploaded files are status and generally not a problem, no?

caches are status and sometimes a problem and they need to be wiped
since not all software is "obsolete-cache-resilient"; however it's not
still clear how to manage this kind of problem Guix-wide, I've read
several problems was resolved in the past wiping cache (e.g. with gnome)
but AFAIU there is no general consensus on a general automated method

anyway I think it's not a good idea to backup caches as part of the
state-dump/state-load procedure you propose below

> What
>   happens when we upgrade Drupal?  Can we guarantee they won't be
>   irrevocably changed as part of the upgrade?  What happens when we
>   roll-back?

disaster :-O (even with state, in case of schema migrations)


> 2.3.2 Fakin' it til we're makin' it
> ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌
>   Can we get those guarantees back?  I fear not.

AFAIU there is no point in defining services in Guix if we have no
guarantees on the main promise of Guix: no?

...or put in another way: is there any defined Guix service with a
stateful (non declarative) configuration file?

what I mean is: we still do not have services like Drupal, or Discourse
or VTiger _because_ they have a stateful configuration system ad it is
not easy to "workaround" this foundamental pitfall (in some case it's
also not easy to package the software)


>   Working backwards, to ensure we can roll-back we need to make sure
>   that we have access to the state at that point in history that we want
>   to roll-back to.  When we roll-back from version 2 of Drupal to
>   version 1, we must make sure we still have the state of version 1.

this approach is *very* interesting to allow rolling-back in the event
of a failed (usually automated) migration of the state (e.g. for a
schema change): thanks!

but using this approach also for config would mean we lose the
declarative approach for (some of) our services, and I'm not sure it's a
viable long term solution; please consider that declarative
configuration means that one day (it's not an "if") Guix users will be
able to configure an entire infrastructure via one (we have Emacs today)
or more UI, one of them will be GUI and/or HTML5


> 2.4 The stateful service shimmy
> ───────────────────────────────
>   Here's the proposed general shim then:
>   1) We define a new type of shepherd service, a /stateful service/,
>      which has additional actions: state-dump-shim and
>   state-load-shim.

state-dump and state-load could be useful for stateless services, too


>   What does this give us?
>   When a migration to a new service revision causes a deployed bit of
>   software to stop working as expected, we can do a `guix system
>   –roll-back`.  This will then also restore the service's state to the
>   previous version and thus *should* restore operations.

this would be a *great* piece of automation for all of us, since it's
good practice to "manually" back up state before migrations, so
rolling-back to a previous schema is possible in case of failures (I've
had some of that in my experience); as I said, this approach is _very_
useful even for stateless Guix services


> 3 A generalisation: the Stateful-Service Service
> ════════════════════════════════════════════════
>   State dumping and restoration *should* be generalisable.
>   It should normally consist of one or more operations of:
>   • running a special program to dump data, encrypting the dump, and
>     storing it, together with the service revision hash, in a known
>     location.
>   • tarring up a directory tree, encrypting the archive and storing it,
>     together wtih the service revision hash, in a known location.
>   These operations should be able to be provided by a daemon, managed by
>   shepherd, which can be configured with a gpg key for encryption, a
>   mechanism for decryption (interactive or programmatic), a location for
>   storing/retrieving dumps (local or remote?), and a DSL for mapping
>   data dump / data restoration program invocations or file-system
>   locations to data dumps it already knows of.

very interesting, I'd wish I'd be able to provide a POC! :-S

thanks a lot! Giovanni


Giovanni Biscuolo

Xelera IT Infrastructures

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]