On 18.8.2022 13.17, Alyssa Ross wrote:
Okay. Obviously we can support booting with the filesystem mounted read-write and no dm-verity. But the problem with that is that then changes have to be manually copied back to the source tree. We could
One way to handle this is so that people git clone to the target and build small incremental changes there.
try to add some conveniences for that (e.g. a facility to diff the modified root filesystem with the orginal version). It still means making changes to the compiled system, rather than working on the source, but for the kind of changes you're talking about, maybe doing it that way and then integrating the changes into the Spectrum source at the end wouldn't be too bad?
When installation of development tools to the target is limited, remotely mounting filesystem (e.g. sshfs) from the development host works.
Ideally it would be nice to have something like nixos-rebuild switch, that can build a new system and then switch into it. But the problem is, you have to figure out how to *automatically* take the runtime state of the system (the processes and services that are running), and somehow carry that over into the new system, where anything could have changed. So I'm not sure how we'd do that. NixOS's implementation of this is massive, tightly coupled to both NixOS and systemd, and still it's not very difficult to get it into a weird state where you need to reboot anyway to get an accurate idea of what the change does (or, if you don't realise you need to do that, you just think the change hasn't worked). If a kernel module has changed, do you try to unload an > reload it? That's pretty complicated to implement, because you have to unbind the devices from it, unload the module, then rebind them, and even then the module might have had important state that's been lost.
Good examples but there's no one answer to these scenarios. Depends really much on the case and developer preferences. Often services restarting is enough, sometimes system reboot is required. Also, people doing kernel development are usually fairly seasoned and consider which makes sense to themselves. E.g. kernel modules run reset for the hardware in init() and scripts/tests can be used to handle unbind-unload-rebind in driver development. Managing state persistence over resets or SW updates is an eternity problem. It's an interesting problem - I studied dynamic software updates and state migration is one key challenge there. DSU has not taken traction, though. It's tough to update both code and the runtime state. We have legacy and culture of restarts. In critical systems it's designed and handled with hardware, even system redundancy - not at single component level.
If the developer is working on that kernel module it's probably okay, but what if they're working on something else and just pulled a bunch of changes that happened to include a kernel module change? Same with if e.g. the Weston service changes, except in that case we have no way to restore the previous state. So either we choose not to automatically restart Weston, in which case we're not really running the new system, but a weird hybrid that may have bugs not present in either the old or new system, or we do restart Weston, and risk an unsuspecting user losing their whole windowing session.
True. In these scenarios I've learned not to try to cover every possible scenario on behalf of other people. Developers are smart and they understand and learn constraints of system changes.
If there's a way we could make this work well, I'm open to it, but it's not at all obvious to me what that would look like.
Given above, I try to keep this at high level design. Two configurations: a. development - enables development, testing and debugging with caveats b. user - immutable, hardened, strong security promises Now we have b. which makes a. by design impossible *on target*, making development iterations slow. The question is if we want to generally enable a. and then say - "there it is for anyone who needs it". Best, -Ville