Investigate Nix on CloudABI / WASI #2759
Comments
Ericson2314
changed the title
|
Looking at the CloudABI introduction, it seems to have a different notion of running a program compared to, say POSIX (structured environment instead of command-line arguments, and capability token passing). I am not sure when, and if, a C compiler that would itself work under such rules will appear. |
|
@7c6f434c Actually it's very much designed to be conservative enough that existing software can be shoehorned to work. See https://github.com/NuxiNL/cloudabi-ports; the first step is getting cross compilation to Cloud ABI in Nixpkgs working, cribbing from those bsd-style ports as necessary (should make another issue in Nixpkgs for that). Nix would be a more interesting port, but that's kind of the point :). https://lwn.net/Articles/674770/ goes into more detail of how things work in the Linux version. Also compare the earlier Capsicum from Academia. (Still not sure to what degree the implementation is shared, but the article sort of hints at it.) |
|
@7c6f434c Actually it's very much designed to be conservative enough that existing software can be shoehorned to work. See https://github.com/NuxiNL/cloudabi-ports; the first step is getting cross compilation to Cloud ABI in Nixpkgs working, cribbing from those bsd-style ports as necessary (should make another issue in Nixpkgs for that). Nix would be a more interesting port, but that's kind of the point :).
Ah indeed, as a cross-compilation target it is interesting.
For Nix itself — I guess it is telling that they have cmake but not gnumake?
|
|
@7c6f434c Yeah it would probably be easiest to cross compile Nix, and that Nix wouldn't be able to build most packages in Nixpkgs. But it would be really cool for experimental incremental software using the Nix daemon as an incremental cache. (e.g. compiler that forks off fine grained tasks as derivations. It would take a more radically redesigned Nix to make that "fork" maximally performant, but a basic demo of the concept can be made with today's Nix.) |
|
CC @cleverca22, I feel like all this is vaguely up your alley. |
|
Opened NixOS/nixpkgs#59285 for the Nix side of things. |
|
I think we would get more hype/interest if we worked towards using WebAssembly/WASI. It’s got more people behind it, but also incorporates lots of the ideas behind CloudABI: https://github.com/CraneStation/wasi-sysroot I need to figure out how to bootstrap libc++ with LLVM before we can do that many interesting things with WebAssembly though. |
|
Thanks for this! https://github.com/CraneStation/wasmtime/blob/master/docs/WASI-overview.md mentions CloudABI a lot, so it makes sense to see this on a spectrum (WASM supports safer models than OS-sandboxed Cish). |
Ericson2314
changed the title
|
I'm not sure I see the point of this one. At the end of the day most of the work needs to happen with access to global namespaces, because at the end of the day everything still sucks and we're stuck with the build systems as they actually are. |
|
@shlevy Everything indeed still sucks but:
|
|
I marked this as stale due to inactivity. → More info |
|
I closed this issue due to inactivity. → More info |
|
Still interested. |
|
Bump. |
|
Don't worry it won't be closed by stale bot again :) |
https://cloudabi.org/ is an interesting idea for bolting cap-safety onto legacy kernels. It would be very interesting to see a port of Nix to this syscall interface. In particular, I'd hope this would allow for very low-overhead sandboxed derivations, as much of the cost in the past has been manipulating the ambient namespaces which this avoids entirely.
CC @shlevy
Edit: Added WASI, which basically CloudABI + Web Assembly
The text was updated successfully, but these errors were encountered: