[Nix-dev] State database in nixops

Ben Moseley ben at borde.rs
Tue Feb 24 20:59:24 CET 2015


FWIW, we're currently deploying from VMs on developers' own machines.

We ensure that we have the same directory structures on our deployment VMs - so we're not being bitten by the problem mentioned by the OP.

After deploying we use nix-copy-closure to sync the deployments between developer machines and also `tar` up the profile so that any developer can perform a rollback.

It's not totally ideal - but it's a reasonable stop-gap until we move to a dedicated deployment machine.

--
Ben Moseley - Engineering
ben at borde.rs
www.borde.rs
M: +44 7788 138855

> On 23 Feb 2015, at 15:59, Rob Vermaas <rob.vermaas at gmail.com> wrote:
> 
> Hi,
> 
> at LogicBlox we use NixOS and NixOps extensively to deploy all sorts of clusters.
> 
> We are using dedicated deployment machines, from which different users can deploy
> the applications by sudo'ing to a shared user account. We back up all nix paths
> that nixops deployments use (using the 'nixops dump-nix-paths' command) to another
> standby machine as well as an S3-backed (private) binary cache. Also we back up the
> nixops state file every 15 minutes. This has been sufficient for our purposes until now.
> This way, in case of emergency, we can switch to standby server, or when shit hits
> the fan even more, we can have up a replacement deployment server within minutes.
> 
> We also have continuously deployed systems, however these are also deployed from the
> shared machines. These deployments pull latest builds from Hydra (our CI system),
> and deploy them automatically.
> 
> With regards to trace-ability / audit trail, NixOps logs to syslog which user (also
> via sudo) runs a nixops command, which might be helpful for that purpose.
> 
> One thing to keep in mind is that the NixOps state file contains secrets, e.g.
> encryption or generated ssh keys, so make sure you keep it safe. I would only put
> it in a git repository if only you have full control over the repository, or a way
> to encrypt it before you push, or both :-).
> 
> I think it would indeed be nice if we would have a way to choose the format for
> the NixOps state, and we would definitely welcome a PR for such a feature. Also,
> it would be good to hear from people, what kind of requirements they would have
> for such a feature.
> 
> Cheers,
> Rob
> 
> 
> On Sun, Feb 22, 2015 at 8:11 PM, Thomas Hunger <tehunger at gmail.com> wrote:
> Could you expand on this a bit? I've been using nixops for a while, but only recently set up a Hydra server to run tests automatically. I'm now considering doing automated deployments out of hydra, but not quite sure how that should work. It would be simple to have a hydra job that runs "nixops deploy" but having a build with external side-effects like that seems problematic.
> 
> We're running Jenkins for historical reasons. Jenkins allows executing arbitrary shell scripts after a successful build / test. We run the tests on Jenkins in the same nix-shell environment that we're using for development.
> Jenkins uses an exceedingly terrible XML config format but the files can be generated which allows us to set up projects via nixops. Jenkins also has some hooks and can e.g. be pinged by github to trigger a build.
> 
> We briefly looked at Hydra but could not figure out how to configure it via files (it looks like a point-and-click interface backed by a database). Also, because we have a working system switching is very low priority for us. There are some other open source CI systems like travis and drone which we know of but haven't yet investigated.
> 
> Even though it's very off-topic I'd definitely be interested in reading more about how other companies are using nixops!
> 
> ~
> 
> --
> Rob Vermaas
> 
> [email] rob.vermaas at gmail.com
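
The point in the quoted message about the state file holding secrets and needing encryption before it is pushed, as an added example that is not part of the thread or of NixOps: a check, callable from a git pre-commit hook, that flags plaintext SQLite files and recognises a NixOps state database by its tables. The table names are an assumption (recalled from NixOps 1.x, not given in the thread), the function names are hypothetical, and the sample data is constructed.

```python
import sqlite3
import sys
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
# Assumption: table names as recalled from NixOps 1.x; they are not given in the thread.
NIXOPS_TABLES = {"Deployments", "Resources", "ResourceAttrs"}

def classify(path):
    """Return 'nixops-state', 'sqlite' or 'other' for one file."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return "other"  # e.g. GPG ciphertext, which carries no SQLite header
    # Open read-only so the check can never create or modify the database.
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("select name from sqlite_master where type = 'table'")
        names = {row[0] for row in rows}
    except sqlite3.DatabaseError:
        return "sqlite"  # header matched but unreadable: still a plaintext database
    finally:
        con.close()
    return "nixops-state" if NIXOPS_TABLES <= names else "sqlite"

def plaintext_databases(paths):
    """(path, kind) for every file that should be encrypted before it is committed."""
    kinds = [(str(p), classify(p)) for p in paths]
    return [(p, k) for p, k in kinds if k != "other"]

def make_sample_state(path):
    """Constructed stand-in for a state file; the key value is a placeholder."""
    con = sqlite3.connect(str(path))
    con.executescript("""
        create table Deployments(uuid text primary key);
        create table Resources(id integer primary key, deployment text, name text);
        create table ResourceAttrs(machine integer, name text, value text);
        insert into ResourceAttrs values (1, 'privateKey', 'PLACEHOLDER-NOT-A-KEY');
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    hits = plaintext_databases(sys.argv[1:])
    for path, kind in hits:
        print(f"refusing to commit plaintext {kind}: {path}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run from a pre-commit hook with the staged file names as arguments; a non-zero exit aborts the commit.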
