Linux Matters 7: Immutable Desktop Linux for Anyone

So I've had a go at making a NixOS operating system that is an unholy abomination, but I think it could be the no-compromise immutable Linux desktop for anyone.

Does this mean Ubuntu MATE has been consigned to the dustbin of history for you?

No, Ubuntu MATE is still going on here, but as you know, and maybe some of the listeners know, I now work on NixOS as my day job. And so I've been experimenting with lots of the NixOS technologies in order to see what might be possible. And sort of in friendly competition with Jorge Castro and what he's doing with Ublue, and also borrowing some ideas from him, and he's borrowed some ideas from me. So this is kind of in reply to episode five, where Alan sort of made a case for maybe an immutable Linux is actually the distribution model we should be looking for for non-technical users to have a safe and protected environment. So I thought, well, let's try and make something like that that you could actually give to your friends and family, and you're not handing them a footgun when you provide them with this distribution. So this is not a distribution, because that's not the way NixOS lines, but it could be. So think of this as a prototype. And I was just going to talk through sort of some of the ideas I've had and how I've glued this together and how they interact with one another. So obviously NixOS is at the base of this. I'm not going to go into a deep dive of NixOS, but one of NixOS's capabilities is that it is an immutable distribution. But it's many of the other Nix and NixOS features that I think round off the important capabilities that make this viable, because I don't think the argument starts and stops with "I have an immutable distribution, therefore all things are safe." So what I've done here is take a look at NixOS itself and use Nix to compose an operating system, but also used a tool called Home Manager. So not only is this a distribution and operating system, it's also fully composed and configured.
So the configuration file for the operating system takes care of everything to do with the boot, the kernel, the desktop environment, your applications and how all of those things are configured. So you don't need to go grubbing around in random places. You can't anyway, because it's immutable, but this configuration file is where all of those things are managed. And this is where I think there is some frustration from some people about what immutable Linux can be, because they feel that immutable means inflexible, and with NixOS it's actually extremely flexible to create anything you want. And this is one of the things I've been surprised by: it's actually possible to do very complicated things with NixOS, or at least things that are more complicated in Debian and Ubuntu are way easier with Nix.

It feels like whenever the subject of immutable desktops comes up, and this being a new shiny thing that people have been called to do, there's this kind of background hum of NixOS people going, "I've been there, we've been doing this for ages." I'm not decrying it, they may well be right, but is that fair, that this has been around for a while with Nix and we're just new to the game?

Yeah, so Nix has been around for 20 years and was designed to solve the problems that we're encountering today, like 15 years ago. So it's very interesting in that respect that it had the foresight to think about where the software problems were headed and how to solve those problems. So when we've arrived at this point, I think that's why there's a lot of interest in Nix and NixOS now, because it's solving very real problems that we're facing.
Yeah, I actually remember, I think at FOSDEM, it must have been something like 10 years ago now, Nix had a stand and I got chatting to them. I think they were talking about something to do with voting systems at the time, but just talking to them about how it all fitted together at that point, it seemed like this amazing forward-thinking thing, which no one else had even thought of. But now, yeah, like you say, it comes along, it's like, oh, yeah, they have actually been doing this for a long time.

Indeed. The worry I have is my eyes glaze over at the point when you talk about a configuration file. We came a long way with Ubuntu: USB key in and you get a graphical installer, and what you get on the disk is the same no matter what machine you put it in, and it just works, kind of thing. And I worry that you're going to scare people off with the talk of configuration. Or are we just early on in this process and that will come, the automated easy installer will be something in the future?

So the automated easy installer does exist, and in fact the system I've put together has that baked into it. So my system produces an ISO image that boots to a desktop environment and automatically launches the installer, which is a next, next, choose your desktop, where are you, what language do you want affair, and that will install NixOS without dealing with configuration files. But what I have done is integrated the whole configuration piece in here as well. And the reason I've done this is because I wanted an operating system I could deploy, because I can deploy it to my friends' and family's machines that I look after. And what I wanted to do is create the Ubuntu-like experience, you know, it just works: have something that users boot into, feel comfortable there, in command of their own destiny, but they haven't been handed a time bomb which they can break. So here are the raw ingredients.
And as I say, I have deviated from the pure Nix path here, because I feel like blending some technologies together gives us some interesting approaches.

You'll be ostracized from the pure Nix club, won't you?

Yes, there is this notion of impurity in Nix, and this is absolutely an impure solution.

I don't love it. Give it to me.

So it's NixOS. I've chosen to use the Pantheon desktop as the desktop environment, which is the desktop environment from elementary OS. And that is presented pretty much as elementary OS presents its desktop environment. So if you've seen elementary, you know what to expect. It's basically that. And then I've cooked in some extra bits and pieces, like browsers already configured with the appropriate security settings already enabled, because that's one of the things you can do with Nix: actually configure the software as well as make it available. So I know all of these machines have all got secure settings by default. And all of the convenience tools that you would have on a desktop operating system. But as you pointed out, Alan, what you don't want to do is then say, by the way, here is this big collection of Nix files that you now have to edit if you want to add GIMP to your desktop configuration.

Exactly. Yeah.

So what I have also done is I've integrated Flatpak and Flathub into this installation. So when the session logs in, it makes sure that Flathub and the elementary AppCenter are both enabled and the elementary AppCenter graphical application is installed. And both of those app stores are configured to be in the user session rather than on the system itself.

Right.

So each user's own home directory is where all of those applications get installed. And what that meant is when I gave my father-in-law his refreshed laptop, he was able to go into the AppCenter and install, for example, the Behringer application, because they've got an 18-channel digital mixer in their little home studio.
And that's in Flathub. And he just hit install and it is an app store-like experience. So they can go and get Spotify and Google Chrome and any other applications that they might want that are not pre-installed. That happens outside of this Nix management, but in a way that you can still ensure there's some isolation and that these applications are not treading on one another or disrupting the underlying system.

Nice. That sounds pretty neat. Have you enabled automatic updates for Flatpak and all that, or not?

No, I just let elementary, the elementary notification system, tell the user when updates are available and they go in and hit the update button.

Right. And how are updates to the immutable part handled, or if there's a security update or if there's a new release of a major part of this system? You phone Martin.

You do. In fact, phone Martin, that is currently the solution. Now I'm working on something better than that, but quite literally the solution is have a telephone conversation with me, and I have integrated into this thing the ability to use a Tailscale-like system. So I can SSH into their machines and I can run the updates as and when.

Right. So you would edit the config file for them.

If that config file needs editing, which actually it shouldn't ever need updating, because each configuration is specific to the machine it's been deployed on, with some generic desktop and default applications, but then all of the other applications that they want, they install via AppCenter.

Right. That does feel like a little bit of a step backwards. You have to have your man with a beard on hand in order to update your system. Yes, but I appreciate this is possibly early days. I know the Fedora Silverblue people will say, we've had this for ages, but you know, it's early days in some places for these new read-only or immutable or whatever you want to call them systems.

Yeah. So there are mechanisms to do this with Nix and NixOS.
It's just I haven't figured out exactly how I want to tackle this just yet. And we work on interesting problems like this at work, and this is one of the things we've been discussing. So you know, maybe we'll cook up something of our own as well at some point.

So what about a user like me who wants to take this system and then start running Docker containers and doing web development?

That is a very good question. And this is where I say this is for anyone, because what I've described so far is an effort to solve Alan's "let's give typical users a robust system"; now onto the rest of us who want to do development. So what I've integrated into this is a tool called Distrobox, and Distrobox in this case, on my implementation, sits on top of Podman, which is a Docker-compatible runtime. And with Distrobox, you can get any version of any popular distribution. And so what I do is I grab the current Ubuntu that I'm working on, the current Debian that I'm working on, maybe Alpine from time to time, a bit of Fedora. But the way Distrobox works is it automatically hooks up all of the sockets and services and home directory with your current user. So when you enter the container for, say, the Ubuntu that I've just created with Distrobox, my home directory, all of my settings, all of my Nix configuration, anything that's managed within the container or out of the container is all integrated. So it's a completely seamless environment. So I stand up my various development environments for, let's call them foreign distributions, using Distrobox. And sometimes I use my own wrapper for QEMU, Quickemu, for doing the same in virtual machines. So from that, you can do anything.

Are there any limitations to what you can run? I mean, it has to be able to run inside Docker slash Podman, but are there limitations? I'm not a big Docker/Podman user.

Not really. No. I mean, if you want to test kernels, then yes, you want a virtual machine rather than a container.
I've chosen Podman because it has init support. So it integrates with systemd. So if you actually want to boot the container, you know, with a PID one, you can do that. And you can actually run like proper distributions inside it. But using that, I've been able to move all of my Ubuntu and Debian development workflows into these containers. But it seamlessly just connects to my home directory and all of my tooling is available. But you can even do things like install, I mean, you wouldn't want to do this, but you can, you could install Spotify inside one of those containers, and the X socket and the pulse socket and everything are all hooked up. So when you run Spotify, it's running in that Ubuntu container, but it's just a graphical application on the desktop at that point.

Neat. I guess Spotify is probably a bad example, but like if there was anything that only had a specific way to be distributed, like MATLAB or some piece of software that wasn't available in the Nix repositories, isn't a Flatpak, you know, has a weird thing that you have to download and install, yeah, then you could do that inside Distrobox, right?

You could. Yes.

Nice.

And you could, you know, choose to run that application from whichever distribution happens to have the version with the features that you require available. So I was doing some testing with VMAF, which is the Netflix video quality profiling tool. And there's a static binary available of FFmpeg that's got all of this built in, and that works fine on Ubuntu, but because of Nix and the unusual way that it's built, it didn't execute on Nix. So I just ran that in the Ubuntu container, because I can still access all of the files I want to process, because they're all sat in my home directory and all just readily available. So, you know, I've just been able to mix and match where I found little gaps like that.

So are you drinking your own champagne right now?

I am. Right now. Right now, I am doing that very thing. Yes.
So if this episode comes out, then that was probably successful.

It was. And I'll put a link in the show notes to my Nix configuration that makes all of this possible. And that's a developing project. And if anyone's interested in learning, then stop by. If you want to help improve things, then do that too.

Linux Matters is part of the Late Night Linux family. If you enjoy the show, please consider supporting us and the rest of the Late Night Linux team using the PayPal or Patreon links at linuxmatters.sh/support. For $5 a month on Patreon, you can enjoy an ad-free feed of our show, or for $10 get access to all the Late Night Linux shows ad-free. You can get in touch with us via email, show@linuxmatters.sh, or chat with other listeners in our Telegram group. All the details are at linuxmatters.sh/contact.

I have been flying Steam Deck Airlines. That doesn't mean I've been playing airplane games on my Steam Deck. It means I've been in an airplane with my Steam Deck, supposedly two airplanes. I went to America for a conference last week and I thought, ah, this is my first conference that I've been to since I bought a Steam Deck. I should probably take it with me and I'll be able to use it on the plane, because it was a nine or ten hour flight. I thought I'm going to get bored, and planes are notoriously small for getting laptops out, and I'm notoriously big for not having enough room near me in order to get the laptop out. So I need something else I can play with, so I thought I'll take my Steam Deck. So I asked on Mastodon if anyone had any recommendations, like I don't already have tons of games on my Steam Deck. I asked for additional recommendations of games that I could play offline specifically, and I got a load of recommendations and I ended up buying four different games, because there was the Steam summer sale on, and so I got four games for about 12, 15 pounds, something like that, which was a pretty good deal I thought.
And then I made sure my Steam Deck was fully charged and I had all the updates downloaded, and then jumped on the plane and played some games.

So which games did you play, and how did it go after playing for, let's say, about two hours and possibly getting a bit low on battery?

So I got recommended four games, like I said, but I really only played one of them to death, and that was Vampire Survivors.

I knew you were going to say that, because I also own Vampire Survivors.

Someone, I'll come back to that, but someone else suggested, they looked at my Steam profile and saw what games were in it and said, no, you haven't clocked up much time in Phase, you should probably play that, which I thought was, you know, a bit weird but also excellent. And I also got A Short Hike, Go To Roboto, GoTo Roboto I think, and I got a couple of others which I didn't play much of. One was Pony Island. Those are the four that I picked up, and I pretty much played Vampire Survivors most of the flight, and the battery life wasn't a problem, because even though it was like a nine hour flight, I get a little bit fatigued playing games for a long period, and so I didn't try and play for the whole flight. It wouldn't have worked anyway, I don't know how long the battery lasts, but Vampire Survivors is not a particularly power-hungry game, you know, it's a 2D pixel art style, horde, romp, whatever you call it. And I also took a spare battery with me. It was a recommendation that Martin sent about a year ago when he was buying a ThinkPad. He said, oh, get this battery, you can power your laptop off of it, and I've never powered my laptop off of that battery, but I have powered my Steam Deck off of it.
We're not talking about a double-A battery, this is like a power bank kind of battery.

It is a monster power bank, yes, 100 watt monster power bank that has a little display that tells you how much, you know, capacity and time it's got left. Anyway, I played that game on and off all the way there, and I permanently had the Steam Deck attached to the battery, and I had on my Bluetooth headphones, and that was great, because it blotted out some of the airline noise while I was playing the games, and the thumping soundtrack in Vampire Survivors is a very good distraction from the fact that you're sat on a plane.

And how did you sort of position yourself while you were playing? Did you have it rested on something, or were you holding it up in front of your face? And how do you find it as an actual sort of handheld device?

So a couple of things worth noting. I managed to get an empty seat next to me on both the flight out there and on the flight back, which meant I could have the battery and the case and the Steam Deck on the seat next to me when I wasn't playing with it, which meant I could just pick it up and use it. For some of the time I just had it in my hands, like looking down, but I've got a bit of a crick in my neck, so the table on the planes that I was on is one of those half tables that you flip down and then fold out again, and so I just had it half out, and it also meant that having an empty chair next to me meant I could put my in-flight red wine on the chair at the table next to me and use the table in front of me for holding my hands. I think that's what I did most of the time, was just have my fists rested on the table in front of me playing the Steam Deck, and it was glorious, it was great.
It really helped pass the time quite a bit, but I didn't use it for the whole flight, obviously. I watched a film, went and ate and snoozed a bit and had some drink and chatted to people, but yeah, it was great. I highly recommend it. If you do a lot of flying and you like a bit of PC gaming, get a Steam Deck.

So I know you've got smaller handheld games devices. Were you not tempted to use any of those in preference to the Steam Deck?

I'm glad you asked. I did actually take my Miyoo Mini with me and did not get it out once.

Oh really?

Yep. I tend to do all my emulation on the smaller handheld devices like the Miyoo and the ClockworkPi, and I don't do any emulation on the Steam Deck. I only do native PC stuff on the Steam Deck, but I didn't play with the Miyoo at all. I just played with the Steam Deck and I was quite happy.

Interesting. So knowing what you know now, would you buy another smaller retro-orientated handheld?

Yeah, because I don't take my Steam Deck everywhere, and sometimes if I'm on a train, for example, I might pull out the Miyoo, or if I'm waiting for one of the kids or something I might pull it out and have a play with that. But I'm not going to cart my Steam Deck around everywhere, because it's just a bit of a hassle, because it's quite big and cumbersome, but for flights it's perfect. Yeah, I might buy another mini computing device, because the Miyoo Mini has a tiny screen and my eyes are getting bad, and I'm like, it won't hurt, the slightly bigger screen. But yeah, I'm well happy with it and I'll continue to take it on planes.
I usually take mine with me when I go on visits to the office for work. So I go down to Brighton for a few days at a time, so it's excellent to take on the train and also to have in my hotel room. Like, I don't want to take another laptop for gaming, I just have the Steam Deck and then whip that out and sit at the desk in the hotel and play with it in the evenings. It's really good for that.

Yeah, absolutely. I would have the phone playing podcasts, listening to that while playing games in the hotel room. Absolutely works perfectly.

You may remember on a previous episode I spoke about developing a GNOME extension. Well, I have now published a GNOME extension.

Oh, get you.

So at the time of recording you can go to extensions.gnome.org and you can search for Advanced Sound Recorder, and if you're running GNOME and you have the relevant browser extension and the other bit of software that you need running, you can then just click the switch to turn it on on the website, which is quite clever, and then it actually installs it and runs it. And I just want to talk a bit about what the experience of publishing an extension to the website was like.
Before we get into the publishing, can I ask you, did you change your application tool? Because when we last spoke you were using pactl to dump JSON and parse JSON. Did you stick with that solution, or did you find an, in air quotes, official way to get that stuff?

As it stands, the version that's published is almost exactly as it was last time we spoke, with a few minor modifications that I'll make mention of towards the end.

All right.

So publishing a GNOME extension was a much nicer experience than developing it, I'd love to say. There is quite extensive documentation that covers the review process, which starts with just some sort of general guidelines of things to think about, plus some really specific examples of things you should do and not do. Like there's an initialization routine, there's an enable and a disable routine that you get as part of every extension, and it tells you what you should and shouldn't be doing in those quite clearly. So, you know, you don't want to be loading your entire extension when it just runs the init routine, you only want it to do that once you enable it, things like that. They also provide some notes on the coding style you should follow and an ESLint file to automatically apply that coding style and tell you anywhere you violated it, which were all really helpful stuff to do. Another thing that I wanted to do was, when you create your metadata file in your extension, you tell it which versions of GNOME Shell it supports, and I'm running Ubuntu Jammy Jellyfish, which doesn't run the latest version of GNOME, it runs a couple of versions back. So I wanted to also know if it ran okay on the latest versions of GNOME. So I went trying to work out a good way of doing this, and there is a distribution called GNOME OS, which if you go to os.gnome.org you can get like a nightly build of GNOME OS which has the latest version of GNOME on. But I didn't just want to test on the latest version, I also wanted the version in between, so I did a bit of hunting around and found
that if you go to download.gnome.org/gnomeos you can actually find an archive of ISO files to run previous versions, and it literally just boots into GNOME Shell, no frills, that's all it does. It's not designed to be a distribution that you use, it's just for testing things on GNOME. So I managed to run that in a VM and then download my extension. I basically cloned it off GitHub while I was still developing and ran it. That threw up some interesting edge cases, because bear in mind that the audio devices that you get in a VM aren't necessarily the same as the ones that you get on an actual desktop. So for example, I control the volume by looking for the left channel, and it was a mono output in the VM, so I had to account for that. Also the latest version of GNOME OS is now running PipeWire, so things are a little bit different than stuff that's just running PulseAudio. I think it's running PulseAudio as well as PipeWire, so I could still use the pactl commands to actually do what I needed to do, but I had to take into account the fact that it was running PipeWire.

Are the pactl commands pre-installed everywhere that you might install this extension?

Yes, they were all, well, they were already on GNOME OS at least, so I didn't have any trouble there. I suppose maybe I should have some sort of detection there just to flag if they, I mean, basically it will, I think if you try to do it, then in the Extension Manager in GNOME it would show you an error when it tries to initialize and enumerate the interfaces that you've got. So yes, maybe it would be nice if there was a user-friendly warning if that happened. So with all this tested, basically you package everything up as a zip file and you upload it to GNOME Extensions. There's a page there called Add Yours and you upload a zip file and tick a thing to say yes, it's GPL-2 licensed and whatever. I had a really weird issue with this where I couldn't get it to work in a confined browser. It kept on basically not submitting the form,
and I actually got some help. I raised an issue on the GNOME GitLab and someone there was trying to help me debug it and had no idea what was going on, because I had no idea what was going on, and then I tried it in Edge, which was installed from a deb package, and everything just worked. So I haven't had that happen on any other websites, but it was just a very bizarre experience.

It's worth noting that GNOME actually has an Extensions application now, so you can install the Extensions application and you get a window in which there's a button. It looks like a cut-down version of an app store, where it shows you a list of all the extensions that are currently installed, and there's a browse button where you can search and install additional extensions. So you don't necessarily have to go to extensions.gnome.org and get it that way in a browser, you can just install it. And I don't know which version of GNOME that came with, but the one I'm running on 23.04 has it.

Yeah, I haven't actually had a problem installing them through the browser, it was just uploading them, but once I used an unconfined browser it was fine. So once you have successfully uploaded, it gets reviewed and approved, hopefully, by a human who reviews it, and then it's there for people to install, which is quite neat.

How many people have installed it so far?

When I wrote my notes, 928 people.

Wow, that's not too shabby. Nice, nice. You've made a popular thing.

Yeah, yeah. And then subsequent reviews are quite neat, so you just upload another zip file with all of your stuff in and it creates a new version for you. I think if you just change metadata rather than changing any code, it just gets published. If you do change code, it then needs another review, but what it'll do is look at what was in the last zip file that was approved and look at what was in the one you uploaded, and it'll actually create a diff on the website which you and the reviewer can both see. So it makes it easy to see what was changed, to make sure you're not trying to sneak
in anything nasty.

Nice. So you've talked there about testing on multiple different versions of GNOME. Does this imply that it's wedged to known published versions? Your extension won't automatically roll over to whatever the next version of GNOME is and work there unless you specifically say it's supported on that version, or is that problem solved now?

I think when the next version of GNOME comes out, I will have to update my metadata file to say it supports it for you to be able to install it through the installation mechanisms. You could, I believe, still download the zip file from the website and just plonk it in the right directory and it'll run, I think, but yeah, your metadata has to specify which versions of GNOME Shell are supported.

Right.

I don't actually foresee any, you know, from the experience I've had, I don't foresee any actual compatibility issues, because I mean my extension is quite basic. I can't see what they would do that would break it horribly in just, you know, an incremental release of GNOME, but we shall see.

Watch this space in a future episode where Mark explains how he has to update his extension because it broke in GNOME 50.

Yes. And I have done a little bit of further development. So particularly something that I came across when I was testing in the VMs was the way that it formats the list of interfaces was basically based on the length of the name of the device at the interfaces, and if you had no device name or a short name for the interface, then you ended up with a really, really tiny slider to control the volume. It was basically whatever space was left afterwards, which could be basically no space at all. So I did want to make it so they were all the same size and then whatever space was left was sort of filled in between sort of short names and long names and so on. I didn't quite manage to do that. I did manage to make it so that they will be at least 200 pixels wide, but they might be wider than that. It turns out, as I found before, developing
GNOME extensions isn't terribly easy, and even as, you know, I approached this from the mindset of, well, it's JavaScript and CSS, I'm a web developer for a living, this should be easy, right? But actually working out how all of the elements next to each other sit and how they're styled isn't easy. There is a thing called Looking Glass which lets you sort of inspect elements, but doing that on elements within a menu isn't easy either. I had to install another GNOME extension, and even then I found it difficult to get the information I needed. So I basically got it working well enough and left it.

Ship it.

Yes. So with that, where it is for my purposes, I'm now going to call it feature complete and say I'm done with developing GNOME extensions for the time being, and so people can file issues. Where dev now, you are welcome to file issues on my GitHub. If you can submit a patch that actually shows me how you're supposed to do things, then even better.

I like how I submitted a patch and you didn't know until I mentioned it, and you were like, oh, did you? And it was a very simple patch that was inconsequential.

Yes. Thank you for that.

No worries. No, well, congratulations on publishing your extension. No, well done you.

Yeah, well done.

Thank you.