-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Official" production setup / Nix usage / Migration Plan #2303
Comments
With poetry, we get This is even more relevant for the webserver stack: Having a fixed version of python/postgres/redis/apache is nice, but on production, I'd want security fixes to be easily deployable. On Ubuntu Server, such updates happen automatically for apt-installed packages through unattended-upgrades. We even stuff like backported security fixes by the ubuntu team. From my understanding, the philosophy of nix is contrary to that: I want a compatible environment with all security patches, not an identical environment. @niklasmohrin are you aware of anything that could get us the unattended-upgrades (and possibly even: auto-upgrade python dependencies within compatible versions, if security updates are released) experience with nix? A cheap and close solution could be a cronjob that rebuilds the environment regularly, but I don't want anything to happen if no security updates are available. Patch updates that fix bugs that we're not affected by shouldn't cause downtime. I can see this working out if we keep a native installation, adapt the upgrade/restore scripts to work that way, and put a disclamer in the wiki that says "lock files are for dev environments, we don't release frequently enough to cover security updates in all dependencies". For CI-testability, the scripts would probably get a few more lines that would be non-nix-exclusive. |
I don't know what we could do with nix in production, so here's my 2 cents about python and poetry. We could install the |
Sounds reasonable. I would, intuitively, prefer an approach where we run with a changed lockfile over one where it is completely uncoupled from the running environment. It of course depends on the actual solutions we come up with though.
I believe that EvaP should (within reason) work independent of the running database and not using nix for this is definitely in scope. This would also mean that for the production setup, we don't need to include process-compose-flake and services-flake in the "trusted software" list, only leaving nixpkgs, poetry2nix, and poetry. To facilitate this, we could make the scripts behind the Additionally, nixpkgs historically is rather bad at pushing out security updates in a quick fashion because a change to a package might trigger hash changes to a lot of child-packages, and those should be completed before an update can be published (this was astronomically bad with the xz incident, as it is included in the standard build environment). So yeah, sticking with Ubuntu with unattended upgrades for postgres etc. seems like a good move. For Python, using the system installation with nix is not possible. A Python update in nixpkgs would also take some time to propagate, because it's used in a lot of packages. Not sure how long it takes through the fastest channel though.
Not really, one can periodically update and reload, but afaik there is no builtin way. I am not even sure whether PyPI has information on which versions of a package are secure. For example Django 4.0.0 seems to be insecure, but the version is not yanked on PyPI. If we would get reliable information about insecure versions, I suppose one could also run a periodic check to see if any of the installed packages are affected and update them. One thing that is sometimes done in Rust projects is building and testing with the minimally allowed version of every package. I was wondering whether this would also make sense for us, but given that we are not a library that others depend on and are therefore able to only allow dependency versions to vary in the "patch" category, this probably makes little sense for us.
I think that would be very cool, if it works reliably and without too many hacks.
Shouldn't pip also not care about our use of poetry, because we have specified it in the I think that the unavoidability of writing down what versions of dependencies are installed is nice and would much rather have it explicit like this than hidden away. In that sense, I think that running poetry to update the lockfile, then reloading the nix environment would also be an okay workflow. I am not the one who has to use it though :D |
Follow-Up to #2274: Do we also want production instances to be set-up using nix? It might simplify stuff. We may be able to test on a dev server.
update_production.sh
andload_production_backup.sh
scripts match the envisioned setup.The text was updated successfully, but these errors were encountered: