nixos-anywhere
Add support for out of bounds management
Prerequisites
- [x] I have searched existing issues to make sure this isn't a duplicate
- [x] I have checked the documentation to see if this feature already exists
Problem Description
The problem is nixos-anywhere isn't really anywhere: it supports deploying to machines via ssh. This is a problem for companies who want to deploy to hundreds of thousands of machines on a network that don't have an OS but have a BIOS.
Proposed Solution
Support for Dell's Redfish, IBM and Lenovo out of bounds management, but many use Redfish under the hood, aka Dell's DRAC.
https://en.wikipedia.org/wiki/Out-of-band_management
Alternatives Considered
- Use Terraform.
- Don't implement it and implement a fork of this.
- Don't implement it at all.
Feature Type
New command-line option
Use Case
- Helps companies deploy machines.
- Ability to not use ssh on machines
- Allows to deploy to machines that don't have an os but have a bios.
Implementation Ideas
- Implement a Rust crate, or use an existing Rust crate, to manage the out of band management, or something that interfaces with libredfish etc.
- Use that crate from nixos-anywhere.
- Make frequent updates to make sure that it's keeping up with security standards.
Additional Context
- https://en.wikipedia.org/wiki/Out-of-band_management
- https://github.com/GoogleCloudPlatform/terraform-google-out-of-band-security/tree/main
- https://github.com/DMTF/libredfish
- https://www.dmtf.org/standards/redfish
Note this request will take a long time. So anyone who is begging for this feature, please be patient; there is a chance that this feature is way too long to make work and might not even come out.
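Added example, not code from the nixos-anywhere project: the Redfish boot-override sequence such an integration would have to drive (create a session, find the managed system, set a one-shot netboot override, reset). The BMC URL, credentials, system id and the in-memory fake BMC are all constructed so it runs offline; a real transport would be an HTTPS client with certificate verification, and since whoever holds these BMC credentials can re-image the host, the BMC network needs at least the isolation the install traffic gets.

```python
class RedfishClient:
    def __init__(self, base_url, send):
        self.base_url = base_url.rstrip("/")
        self.send = send  # send(method, url, headers, body) -> (status, headers, body)
        self.token = None

    def login(self, user, password):
        # Create a session once; later calls carry X-Auth-Token, never the password.
        url = self.base_url + "/redfish/v1/SessionService/Sessions"
        status, hdrs, _ = self.send("POST", url, {}, {"UserName": user, "Password": password})
        if status != 201:
            raise RuntimeError(f"session creation failed: HTTP {status}")
        self.token = hdrs["X-Auth-Token"]

    def request(self, method, path, body=None):
        status, _, resp = self.send(method, self.base_url + path, {"X-Auth-Token": self.token}, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")
        return resp

    def netboot_once(self, system, target="Pxe"):
        # One-shot override: the host netboots for this install only and then reverts
        # to its normal boot order, so a stale override cannot re-image it later.
        boot = {"BootSourceOverrideEnabled": "Once", "BootSourceOverrideTarget": target}
        self.request("PATCH", system, {"Boot": boot})
        self.request("POST", system + "/Actions/ComputerSystem.Reset", {"ResetType": "ForceRestart"})


def provision(base_url, user, password, send):
    """Log in, take the first system this BMC manages and kick it into a one-shot netboot."""
    client = RedfishClient(base_url, send)
    client.login(user, password)
    system = client.request("GET", "/redfish/v1/Systems")["Members"][0]["@odata.id"]
    client.netboot_once(system)
    return system


def fake_bmc():
    """Constructed stand-in for a BMC so the flow runs offline; records every call."""
    calls = []
    def send(method, url, headers, body):
        calls.append((method, url, headers.get("X-Auth-Token"), body))
        if method == "POST" and url.endswith("/SessionService/Sessions"):
            return 201, {"X-Auth-Token": "constructed-token"}, {}
        if headers.get("X-Auth-Token") != "constructed-token":
            return 401, {}, {}  # unauthenticated callers never reach boot controls
        if method == "GET" and url.endswith("/redfish/v1/Systems"):
            return 200, {}, {"Members": [{"@odata.id": "/redfish/v1/Systems/1"}]}
        return 200, {}, {}
    return send, calls
```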
I have had this branch open for a while: https://github.com/nix-community/nixos-anywhere/pull/50 It technically works; I just noticed that iPXE doesn't work very well anymore, and we might need UEFI HTTP eventually.
What is the usual workflow for big companies? I thought rather than running ad-hoc commands they would rather use netboot directly... I could imagine that a netboot image could call into disko: https://github.com/nix-community/disko/blob/master/docs/disko-install.md#example-for-a-nixos-installer
Overall the workflow seems a bit different from how nixos-anywhere works: netboot is asynchronous and nixos-anywhere is synchronous.
But it's not really true out-of-band management, as nixos-anywhere has to scan the network and talk via BIOS to load the image fully. This allows network booting but not fully out of bounds management, which would be crucial to companies that would want to switch from Terraform to NixOS, for example.
> What is the usual workflow for big companies? I thought rather than running ad-hoc commands they would rather use netboot directly...
Some do, but big corporations use out of bounds management to deploy thousands of machines.
Do you have examples of what this looks like with Terraform? I wasn't aware this was a thing for out-of-band management.
Since nixos-anywhere already has Terraform integration, this might be a good fit? Also, I don't know if it scales very well, because with 1000s of machines you no longer want to evaluate all of them in Terraform the way we do it.
https://github.com/GoogleCloudPlatform/terraform-google-out-of-band-security/tree/main/examples/simple_example