erictapen has quit [Ping timeout: 255 seconds]
erictapen has joined #nixos-security
pie___ has joined #nixos-security
pie__ has quit [Ping timeout: 246 seconds]
florianjacob has quit [Remote host closed the connection]
tokudan[m] has quit [Read error: Connection reset by peer]
jpo-joyent has quit [Remote host closed the connection]
timokau[m] has quit [Remote host closed the connection]
tokudan[m] has joined #nixos-security
timokau[m] has joined #nixos-security
florianjacob has joined #nixos-security
jpo-joyent has joined #nixos-security
<pie___> i dont really understand what the difference between unikernels and processes is
<pie___> i vaguely understand implementationwise, but fundamenyally...?
<pie___> *fundamentally
<pie___> or is there fundamentally no difference, and the differences between these things come down to implementation?
<pie___> like, if i take a microkernel system + add some unikernels, how is that different from an OS with processes?
<zimbatm> you could say it's the same, but it's also very different
<pie___> (or would the latter just be a more principled variant? :P)
<zimbatm> assuming that your process is statically compiled, it still depends on syscalls to do anything
<zimbatm> every time a syscall is being made, the process context is swapped out and handed back to the kernel (simplified)
<pie___> i guess im trying to add a comparison to hypervisors in here somewhere but couldnt figure out where to fit it
<zimbatm> in a unikernel, both the program and the needed syscalls are all compiled together and running in the same space
<zimbatm> it's all a bit the same thing but different
<pie___> yeah i guess thats how i feel <zimbatm> it's all a bit the same thing but different
<pie___> like, that it comes down to a question of APIs
<pie___> (ok and performance, and ..., and ...)
<zimbatm> yeah the details are important only if you care about security or performance
<zimbatm> for example you can run a docker container, or a VM and it's not much different in terms of API
<zimbatm> but re-sizing a VM's memory is much more complicated than allocating more ram for a process
<zimbatm> similarly, a docker container is basically a linux distribution + your program. but it's possible to strip it down until it becomes just a single statically-built process.
<zimbatm> and then it's just a matter of binding the syscall code with the process to get a unikernel
<pie___> so when are these fancy new kernel types (yeah i know theyre not actually new) worth it?
<zimbatm> and similarly, when you've built a bare container, it's really annoying to debug because there are no tools available in the container, you will be experiencing the same thing with a unikernel
<pie___> the general story seems to be that distributed systems are a pain in the ass compared to monolithic ones x(
<zimbatm> (but it's good for security because there is less surface for attacks)
<zimbatm> I don't know. I think the important part is the exercise and not the end-result necessarily
<ekleog> pie___: theoretically they're worth it right now, if you listen to seL4 folks
<ekleog> but we have much more infra on linux and to a lesser measure BSDs
<ekleog> and you need to port the whole world to a new API
<pie___> ekleog, i.e. not worth it :(
<ekleog> heh
<zimbatm> well one could say the same about nixpkgs
<pie___> im evangelizing the shit out of nixos to people (badly), but..
<pie___> lol there it is
<zimbatm> is it worth re-packaging all of that stuff just for some additional properties? :)
<pie___> zimbatm, not if you just want to be a user :P
<zimbatm> yeah probably not when all you want is to install steam and spotify on your machine
<pie___> also it seems you need to be pretty deep into nixpkgs right now if you really want to be productive
<pie___> except for the simplest things
<pie___> zimbatm, or when you want to Get Dev Work Done
<pie___> as opposed to spending a week trying to package something
<pie___> id spend that week but im a lunatic :P
<zimbatm> but then one day your laptop breaks, and it takes 30min to be back up and running on a new machine and suddenly it feels like all these efforts have paid off
<ekleog> pie___: I usually ssh into $job's $distro servers when I want to get dev work done, everyone has different requirements anyway
<pie___> zimbatm, i almost had a moment like that two weeks ago, but i forgot my full disk encryption password and locked the keys in the encrypted backup so....didnt work out
<pie___> ekleog, yeah i should just set up a vm
<zimbatm> pie___: don't forget to push your code onto some hub
<zimbatm> to make the parallel; packaging stuff with nix often exposes some weird things, like files being in the wrong places, dependencies that haven't been declared, ...
<pie___> zimbatm, yeah
<zimbatm> and by making the packaging exercise, if things are reported upstream it makes everyone's life easier
<pie___> nix helps clean stuff up in a sense
<zimbatm> similarly, I think that breaking up kernels into libraries and trying to re-arrange the boundaries of processes and kernels also exposes some nice things
<pie___> i work for a medium sized security company right now, we actually have surprisingly many nix people, i.e. more than just me, but it doesnt look like its ever going to end up in production...
<zimbatm> business people don't trust nix at all
<zimbatm> that's my experience at least
<ekleog> pie___: have you already inserted a shell.nix?
<pie___> im not sure its a business people thing
<pie___> ekleog, what do you mean
<ekleog> there was a talk|blog article about “how to make your company switch to nix”
<zimbatm> if the technology hasn't been in the front page of their business journal, they won't trust it
<ekleog> it begins with “just let me commit this shell.nix, just for my own sake and other people I'm with”
<pie___> lol right
<ekleog> and slowly nix takes over the world
<ekleog> when people notice the `nix-build my-tests.nix` you've written works better than their CI stuff
<pie___> i dont actually have any repos yet, well i will have a small one next week
<zimbatm> nix has a quite big up-front cost so it's hard to sell as well
<pie___> zimbatm, definitely
<pie___> i also think there should be more explicit and easy to use escape hatches for when you just need your shit to work Right Now
<pie___> (just run a vm is an acceptable suggestion i guess)
<pie___> im a noob at everything so im still figuring it all out
<pie___> but yeah will inertia ever let this stuff take off before i get old? :/
<ekleog> pie___: there's buildFHSUserEnv but last I checked it was severely lacking documentation on how to use it and ideally how to nix-shell into such an environment
<pie___> ok i phrased that wrong, i want this stuff now so i can have nice tools now and not need to learn shitty tools :P
<pie___> so, since im in a ranting mood anyway, tables-based network management makes no sense >:V (and i have no idea what im talking about)
<pie___> the internet *is* a series of tubes!
<pie___> ok, now that i have that out of my system...
<pie___> ekleog, i doubt im able to help with that any time soon :/
<ekleog> pie___: well, if you experiment with it, get it working and write a blog post on it… :p
<pie___> maybe i'll finally set up a website after i get paid lol
ckauhaus has quit [Quit: WeeChat 2.2]
copumpkin has joined #nixos-security
<pie___> ok i just went from nothing, to compiling the mirage noop example ... that was surprisingly easy
<pie___> and i think part of that surprise is usually some nonzero amount of pain i have to go through with something not already in nixpkgs
<pie___> opam is nice i guess, people seem to think so