Hello,
Ludovic Courtès <
address@hidden> ezt írta (időpont: 2020. márc. 8., Vas 21:54):
Hi,
"Raghav Gururajan" <address@hidden> skribis:
> The guix system transactions are NON-MODULAR. That is, you cannot selectively reconfigure certain parts of the system. For example, you either reconfigure the system as a whole (or) you do not reconfigure the system at all.
>
> IMPLICATIONS:
>
> Lets assume we have 5 packages in profile. Package 1, 3 and 5 has non-critical updates. Package 4 has non-critical update but it breaks. Package 2 has critical update (CVE). We can either upgrade all packages except package 4 (or) we can upgrade only package 2.
>
> Lets assume we have 5 services/packages in system. Package/Service 1, 3 and 5 has non-critical updates. Package/Service 4 has non-critical update but it breaks. Package/Service 2 has critical update (CVE). Now, when we reconfigure the system, all packages/services will upgrade, package/service 4 will break the system. We can of course do '--roll-back' and take the system to previous working state. But that will leave the system with critical vulnerability. Therefore, we cannot reconfigure package/service 2 or any other parts of the system, until the package/service 4 is fixed. This window/gap puts guix system at great risk and instability.
On one hand, I agree that it’d be nice to be able to update just parts
of the system, like you explain.
On the other hand, that would lead to an unknown and possibly
unreproducible system state, which defeats what declarative
(“non-modular”) system upgrades bring.
Besides, I don’t see how one could introduce this “imperative” approach
at the system level, technically.
All in all, it would be best if the situations that make “modular system
upgrades” appear necessary didn’t occur in the first place.
Thoughts?
I believe that there are two points where it would be possible to improve the situation.
1. Improve tooling to modularize the configurations: like allowing an inferior like feature for services, and adding tests to this (this is a way of service versioning), or even setting up a convention to include scheme files from a location, like ./services.d files get included, and the _expression_ they evaluated to are added to the services field if something like this makes sense.
Make it possible for services to specify upgrade actions to run when the version changes, or to fail when manual intervention is needed for a correct upgrade.
2. Allow post install action configuration, for example stating that this list of services should be restarted. Also allow to guess the right post install action if none specified, and allow the services to add features to this guessing mechanism, like which configuration changes require restart. Make it possible to reload services by arranging their configs in a way that reloads work.
In both of these cases it might be needed to inspect the previous system, but the system provision information should be enough for that. Wdyt?
Best regards,
g_bor