Well, I find myself needing to update systems. I've written before about my (possibly) strange way of thinking about systems, and one would think using such techniques would make life simpler. And to a point it does. But GuixSD is still beta and does work well on managed VPS systems[1] or inside VirtualBox.

Configuration management

System upgrades are really just an artifact of configuration management. If I need to upgrade from wheezy to stretch, it should be just a matter of updating /etc/apt/sources.list and running the normal apt-get update && apt-get upgrade && apt-get dist-upgrade. Of course, enabling such magic requires that everything be properly packaged. GuixSD is similar: one just has to run guix pull && guix package -u, but again everything has to be packaged or have a package recipe. Guix packages are somewhat easier to create than Debian packages, I think mainly because the entire package description is a single function definition[2], but that may just be my perception. So things that are properly packaged should just work. Oh wait, what about configuration files, executables that need unusual setuid or setgid permissions, data files that need special permissions to be secure, or any of the above that need to adhere to PCI, SOX, or other regulatory requirements? Regulatory requirements are outside the scope of this post, as I don't have to worry about such things at the house or on my VPS systems.
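As an added example (not the post author's own script), here is the wheezy-to-stretch procedure above with the two checks a practitioner would want before the apt-get run: the release rewrite is done on a copy and only touches the release field of active deb/deb-src lines, and the result is refused if any active line still names a different release. The backup path /etc/apt/sources.list.wheezy.bak is an assumption.

```shell
#!/bin/sh
# Staged Debian release upgrade, wheezy -> stretch. Added example, not the
# post author's script; the backup path is an assumption.
set -eu

# Rewrite the release field ($from) of every active deb/deb-src line in $src
# to $to, writing the result to $dst. Comments and other releases are left
# untouched so a mixed file is noticed by the check below rather than mangled.
bump_sources() {
    from="$1"; to="$2"; src="$3"; dst="$4"
    sed -E "s#^(deb(-src)?[[:space:]]+[^[:space:]]+[[:space:]]+)${from}([[:space:]/-])#\1${to}\3#" \
        "$src" > "$dst"
}

# Return 1 (and print the offenders) if any active line names a release other
# than $want; "stretch/updates" and "stretch-backports" count as stretch.
check_single_release() {
    want="$1"; file="$2"
    grep -E '^deb' "$file" | awk '{print $3}' | sed 's#[/-].*##' | grep -vx "$want" && return 1
    return 0
}

# The actual upgrade: back up, rewrite, verify, then the usual apt-get sequence
# (a plain upgrade before dist-upgrade, as the release notes recommend).
upgrade() {
    cp /etc/apt/sources.list /etc/apt/sources.list.wheezy.bak
    bump_sources wheezy stretch /etc/apt/sources.list.wheezy.bak /etc/apt/sources.list
    check_single_release stretch /etc/apt/sources.list
    apt-get update
    apt-get upgrade -y
    apt-get dist-upgrade -y
}

if [ "${1:-}" = run ]; then upgrade; fi
```

Run with `sh upgrade.sh run` as root; without the argument it only defines the functions, so the rewrite can be tried on a copy first. The check is deliberately naive about `deb [arch=...]` option fields, which shift the release into the fourth column.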

My current thinking is if the packaging is done properly, configuration management largely takes care of itself. So the key then is to package things appropriately.


I largely use Debian with Guix on top. I have a few systems running GuixSD. Packaging applications that don't have configuration files is relatively straightforward in Debian and Guix and well documented, so I won't speak to those here, other than to say Debian has more things already packaged than Guix. ;) I'll start blogging about Debian packaging with the tag deb. Briefly, I am using pbuilder and git-buildpackage, amongst other tools.

To help handle configuration, I've found config-package-dev, which handles packaging configuration files sanely by hooking into dpkg-divert so upgrades work out right.
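As an added example (not the post author's packaging), the following generates the skeleton of a config package that replaces /etc/ssh/sshd_config via config-package-dev's displace mechanism. The package name site-sshd-config, the sshd_config contents and the maintainer address are assumptions for illustration, as is .divert being config-package-dev's default DEB_DIVERT_EXTENSION.

```shell
#!/bin/sh
# Skeleton for a config-package-dev package. Added example, not the post
# author's code; package name, config contents and maintainer are assumptions.
set -eu

make_config_pkg() {
    dir="$1"; pkg="site-sshd-config"
    mkdir -p "$dir/debian" "$dir/etc/ssh"

    # The replacement config ships under the divert extension (.divert is
    # assumed to be the default; DEB_DIVERT_EXTENSION in debian/rules overrides it).
    cat > "$dir/etc/ssh/sshd_config.divert" <<'EOF'
# managed by site-sshd-config; do not edit by hand
PermitRootLogin no
PasswordAuthentication no
EOF

    cat > "$dir/debian/control" <<EOF
Source: $pkg
Section: admin
Priority: optional
Maintainer: Example Admin <admin@example.invalid>
Build-Depends: debhelper (>= 9), config-package-dev (>= 5.0)
Standards-Version: 3.9.8

Package: $pkg
Architecture: all
Depends: \${misc:Depends}, openssh-server
Description: site sshd configuration
 Diverts /etc/ssh/sshd_config to a hardened, package-managed copy.
EOF

    # dh sequence with the config-package addon enabled.
    printf '%%:\n\tdh $@ --with config-package\n' > "$dir/debian/rules"
    printf '9\n' > "$dir/debian/compat"
    printf '%s (0.1) unstable; urgency=medium\n\n  * Initial packaging.\n\n -- Example Admin <admin@example.invalid>  Thu, 01 Jan 2015 00:00:00 +0000\n' \
        "$pkg" > "$dir/debian/changelog"

    # Files to displace: on install the stock sshd_config is moved aside with
    # dpkg-divert (to sshd_config.divert-orig) and sshd_config becomes a symlink
    # to our .divert copy; on purge the original is restored.
    echo "/etc/ssh/sshd_config.divert" > "$dir/debian/$pkg.displace"
    echo "etc/ssh/sshd_config.divert etc/ssh" > "$dir/debian/$pkg.install"
}
```

After `make_config_pkg site-sshd-config`, a `git-buildpackage` or `pbuilder` run in that directory produces the .deb; the point of the displace file is that the diversion, not a plain conffile overwrite, is what survives an openssh-server upgrade.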

To manage distribution of these custom packages I've built a debian package repository with reprepro.

That leaves things such as file permissions and drift. I suspect tools such as CFengine, Puppet, Chef and their cousins are still the proper tool for such a job. Although none of them work with Guix.
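For the one class of permissions the post singles out, setuid and setgid files, here is an added example (not the post author's tooling and not a replacement for CFengine or Puppet) of the minimal drift check a practitioner would run between package upgrades: snapshot a baseline once, then diff the current state against it. It assumes a Linux host with GNU find and stat; the baseline path is whatever the caller passes.

```shell
#!/bin/sh
# setuid/setgid drift check. Added example, not the post author's script.
# Assumes GNU find/stat (Linux).
set -eu

# List setuid/setgid regular files under $1 as "mode owner group path", sorted
# so two snapshots can be compared with comm.
snapshot_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + | sort
}

# Save a baseline of $1 into $2 (do this right after a clean install).
save_baseline() { snapshot_suid "$1" > "$2"; }

# Compare $1 against baseline $2. Prints new or changed entries as "+ ..." and
# missing ones as "- ...", returning 1 if anything drifted and 0 otherwise.
check_drift() {
    root="$1"; base="$2"; cur=$(mktemp); tab=$(printf '\t')
    snapshot_suid "$root" > "$cur"
    # comm -3: lines only in the baseline unindented, only in current prefixed
    # with a tab; a mode or owner change shows up as one of each.
    drift=$(comm -3 "$base" "$cur" | sed "s/^${tab}/+ /; t; s/^/- /")
    rm -f "$cur"
    if [ -n "$drift" ]; then printf '%s\n' "$drift"; return 1; fi
    return 0
}
```

Typical use is `save_baseline / /var/lib/suid.baseline` once, then `check_drift / /var/lib/suid.baseline` from cron after each apt-get run; a non-zero exit is the signal that a package (or an intruder) added or re-moded a privileged binary.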

  [1] At least on Linode and presumably on other KVM providers.

  [2] By extension, then, I would have to say creating RPMs is easier than creating debs, as the definition is in a single spec file. Scriptlets are still external.