WEBVTT

00:00.000 --> 00:14.000
Okay, hi. Thanks for staying in this hot room. I'm Simon Josefsson. I will talk about Guix

00:14.000 --> 00:24.000
containers and what you can do with them. So I've maintained a couple of free software projects.

00:24.000 --> 00:30.000
I've tested them with continuous integration and I've been doing this for a very long time.

00:30.000 --> 00:38.000
I've been a bit frustrated that, oh, I'm testing this on Debian and Fedora and other operating systems,

00:38.000 --> 00:50.000
but I prefer to use Guix. So I felt stuck there. I just waited for someone to do a Guix container that works in GitLab for me.

00:50.000 --> 00:58.000
And there was some inspiration on the list, Ludovic tried to do this and just posted.

00:58.000 --> 01:09.000
And that this was triggered for me. I didn't know enough to kind of start in this space, but the commands here got me going.

01:09.000 --> 01:15.000
And then it was mostly a matter of debugging things, rather than creating things.

01:15.000 --> 01:25.000
And there essentially just some highlighted some issue that caused problems that still caused problems.

01:25.000 --> 01:40.000
And this was the post was in February, 2024 and throughout 2024 I iterated on this design, maybe more and more complicated, but it actually worked.

01:40.000 --> 01:55.000
And I declared our version one more than a year ago. During 2005 I spent a lot of time integrating this in my software projects, starting to use it,

01:55.000 --> 02:09.000
and was happy to test my software on Guix that result a couple of reproducibility problems and other problems that you would only notice when running on Guix.

02:10.000 --> 02:17.000
And once I had done that I also realized I wanted to do the release tarballs in a reproducible way.

02:17.000 --> 02:31.000
And of course I wanted to do them from the Guix images. So I integrated that to my projects to build the tarballs and verify that they are the same built on my laptop.

02:31.000 --> 02:43.000
And I made a couple of all these projects had releases with reproducible tarballs during 2025, all buildable from Guix.

02:43.000 --> 02:50.000
And then Guix was dropped from Debian, which was what I was using to build these images.

02:50.000 --> 03:07.000
And for a couple of months I kept using my old containers that were created earlier. I felt like very modern using containers that no one knows how to reproduce, but it feels very sustainable.

03:07.000 --> 03:20.000
And I kind of restarted this project. And the early project was, my design became more and more complex. I had a goal of doing reproducible container images.

03:20.000 --> 03:36.000
And inspired by GCC bootstrapping, I kind of built the first Debian container, installed Guix, built a pure Guix container and then from that pure Guix container built another final container.

03:36.000 --> 03:49.000
And my idea was that this would be the same, but confusion happened and this is not possible. The new design is just simpler.

03:49.000 --> 03:57.000
And I also realized I started to make use of those Debian containers with Guix on them. So I published them separately.

03:57.000 --> 04:09.000
And I also realized that having Guix on Ubuntu and Trisquel was also useful, to have two similar operating systems that you can do a reproducible build.

04:09.000 --> 04:21.000
You build something in both containers and compare the result. And then you kind of, you want them similar enough, but you want it different to test reproducibility.

04:21.000 --> 04:40.000
And as a side effect, you also test if something non-free from Ubuntu taints your builds by building it also in Trisquel. At the time, the Trisquel containers were, I didn't feel confident to rely on them for production use.

04:40.000 --> 04:49.000
So this also allows me to build confidence in Trisquel containers and the Guix containers.

04:50.000 --> 05:07.000
So I resumed this project just by using the guix-install.sh shell script and build this from all of this is building in not sure if I got Wi-Fi working.

05:08.000 --> 05:32.000
I'll let it load in background, but it's not. This is built not on my own laptop, but on GitLab runners. You see, amd64 and arm64 runners on GitLab, you can self-host the runners and I do that for the PowerPC and the RISC-V containers too.

05:32.000 --> 05:56.000
And of course, you can reproduce it on your own laptop, comparing the result. So going into detail, the current setup is very much like Ludovic's first post. It runs guix pack, so it's not a Guix system image, it's like guix pack, very minimal.

05:56.000 --> 06:06.000
And you can see that I dropped S, S, S etc. That was causing problems and also reducing the max layers setting.

06:06.000 --> 06:17.000
It seems that having 100 setting, 100 level setting caused problems on GitLab runners, that was one of the issues why it didn't work fully do it.

06:17.000 --> 06:42.000
And then it copies that image to some registry out there. And having done that in the first job, I set up the second job running Trisquel or Ubuntu depending on architecture and run the same commands, comparing the outputs and confirming that they are bit-by-bit identical.

06:43.000 --> 07:01.000
And then push it to the GitLab registry and even managed to do it for Docker Hub. So you can use it, just start with podman and you get a pure Guix environment, you can do.

07:01.000 --> 07:13.000
And you can also, yeah, you can do whatever you want in a Guix environment. And setting up my goal was to do this from GitHub, CI, CI, CD environment.

07:13.000 --> 07:20.000
And things got a bit more complicated, and this is how a job definition looks like.

07:20.000 --> 07:27.000
It feels like going back to old times deciphering ugly quotes in some mail.

07:27.000 --> 07:34.000
Some of these I won't go to read these still, but it's actually sets up that's et cetera in a working way.

07:34.000 --> 07:41.000
And starts the guix-daemon and adding substitutions.

07:41.000 --> 07:50.000
And I felt this could be hidden, but I didn't want to do that because I didn't feel confident how to do it.

07:50.000 --> 08:00.000
And then realized that I had this feeling or impression a lot of time when I started to do something I realized everyone has been.

08:00.000 --> 08:09.000
Someone did whatever I wanted to do a long time ago, and running into this MetaCall Guix project.

08:09.000 --> 08:17.000
And they have been doing content gig containers since 2019. So it's designed in a very different way.

08:17.000 --> 08:26.000
But they use entry point script that hides these details. And it could be a good inspiration.

08:26.000 --> 08:33.000
So I mentioned what to use it for. You define two jobs.

08:33.000 --> 08:40.000
To run build your projects, I'm using this for software testing mostly.

08:40.000 --> 08:46.000
So I'm setting up two different Guix jobs, build my software and then compare their results.

08:46.000 --> 08:56.000
And that has been quite effective at isolating reproducible build issues and working to fix those.

08:56.000 --> 09:04.000
There's a fight against all the tools adding time stamps and other artifacts.

09:04.000 --> 09:13.000
But not only reproducible tarballs you want to, let's say you do this in a pipeline when you make a release.

09:13.000 --> 09:25.000
There's no guarantee that even if the tarball is reproducible at that time, that it will stay reproducible, you kind of thought it would be.

09:25.000 --> 09:32.000
But I run into many examples by stopping reproducible after a month.

09:32.000 --> 09:45.000
And you want to fix those issues too. So you want to set up a project that continuously build your older releases to confirm that they are still reproducible.

09:45.000 --> 09:59.000
And the Guix container image is very useful for doing this. And also with the time machine to go back and use the Guix environment that we used before.

10:00.000 --> 10:09.000
And also security issues with that guix-daemon added rootless mode.

10:09.000 --> 10:16.000
And that actually caused problems on the GitLab runners because they don't support user namespaces.

10:16.000 --> 10:27.000
So not only could I not run it in non-root mode, it stopped working without permissions in root mode.

10:27.000 --> 10:42.000
Because guix-daemon didn't like to be started in this environment. So you had to kind of fight all these security mitigations or security improvements by disabling them.

10:42.000 --> 10:48.000
And it's a cat and mouse game. And it depends on our architecture.

10:49.000 --> 11:04.000
And I think more research is needed on what the proper solution here because we don't want to downgrade security for people that you also want things possible to work.

11:04.000 --> 11:12.000
It seems if you're root you are supposed to be able to run this, I think.

11:12.000 --> 11:26.000
Even better it would be nice to get non-root guix-daemon working on GitLab runners too, but depends on your runner setup.

11:26.000 --> 11:30.000
So that was it. Time for questions.

11:35.000 --> 11:41.000
Do we have any questions yet?

11:41.000 --> 12:03.000
I think there are about 300 megs, 300 megs, depending on our architecture.

12:03.000 --> 12:07.000
And in the container world, I don't think that's very big.

12:07.000 --> 12:19.000
And it also depends on a couple of different variants, like a slim, like a latest and extra variant with more tools.

12:19.000 --> 12:28.000
The following year, geeks installed geeks to see on every CI run is really painful too.

12:28.000 --> 12:33.000
I hope I don't punish the substitution servers by doing this too much.

12:33.000 --> 12:41.000
And I'm sorry, it's kind of how long does it take to actually come from to take and start to do anything I could use it.

12:41.000 --> 12:51.000
Yeah, yeah, the build time, I thought that this was not feasible to do on a runner setup because it's so time consuming,

12:51.000 --> 13:03.000
but the big part is actually the Guix installing, first guix pull, that are doing the Debian or Trisquel, but that takes maybe 20-25 minutes in a GitLab runner.

13:03.000 --> 13:10.000
On my PowerPC it takes maybe an hour, on a RISC machine it takes to our four hours.

13:10.000 --> 13:16.000
Depending on substitution, availability, that's the limiting factor.

13:16.000 --> 13:20.000
And then running the guix pack is just five minutes.

13:20.000 --> 13:32.000
And running the jobs, guix install, that depends on what you install, but I kind of had an impression that this will be a deal breaker and not make it work.

13:32.000 --> 13:41.000
But yeah, computers are good at doing repetitive things, so I'll let them do that.

13:41.000 --> 13:45.000
Yeah.

13:45.000 --> 13:59.000
Yeah, they are here, so if I manage to divide files very, and these are really kind of 20-30 lines of code scripts,

13:59.000 --> 14:06.000
it's a build bit script and not short.

14:06.000 --> 14:20.000
So it's really just updating environment, not sure if what's going on here can do an e-mux instead.

14:20.000 --> 14:24.000
I don't have it installed here, so I'll let it up.

14:24.000 --> 14:29.000
But it's very thin, there's very little code here.

14:29.000 --> 14:33.000
So it's mostly about wrapping it up.

14:33.000 --> 14:36.000
Yeah?

14:36.000 --> 14:37.000
Right.

14:37.000 --> 14:38.000
Thank you.

14:50.000 --> 14:52.000
Thank you.

