How do you manage separate development environments on your computer?
Hello Tildes!
There's an open-source app I would like to work on and contribute code to, but it uses a toolchain that I'm not terribly familiar with (Deno), and I'm not a huge fan of letting tools like this have full access to my system and files.
Do any of you use a system to containerize different development environments for software development? I could definitely use a standard Docker/Podman container to run the app, but I'm not aware of a good system where you can edit a program's source in an IDE, make changes, build the app, open a local port, and save your new code, all within a sandboxed environment.
If anyone uses a system like this or something related, I would love to hear about it and share ideas.
I guess I'll be the "use Nix" guy in this thread. Nix is built for this, and if you want to spin up a development shell with specific packages for development that is relatively trivial to do. It certainly has a high learning curve, but I can't go back at this point.
Edit: I didn’t make this clear originally in this comment, but Nix builds are sandboxed. You can run your builds as a Nix flake target, taking advantage of this. This would not provide protection while running the application, but you can take advantage of systemd or other container solutions if you are particularly worried. Containers are not as isolated as full virtual machines though, and if you are doing something that might involve malware then you should be running everything in a fully isolated virtual machine. Honestly, if you are just doing bog standard, normal development work you don’t need to worry about this.
Agreed, but I'll extend this and say devenv specifically takes the really great parts of Nix and makes them much more accessible. It also makes use of flakes and direnv to get really dead-simple per-directory development environments. I think I've tried every other suggestion in this thread (extensively!), and devenv meets my needs working across different codebases every day the best by a significant margin.
I guess this will be my final push to start going through the Nix documentation. Are you fully using NixOS or just the nix tool on another OS?
I don't know if it really is what you're looking for per se. Nix isn't isolated in the same sense as Docker.
But it's definitely perfect for setting up development environments, especially with flakes, which you can use with just the nix tool. Beware though, as mentioned earlier, Nix's learning curve is kinda brutal.
Seconding this. I'm a Nix user, and I don't believe Nix is equivalent to a container solution.
In my naive understanding, Nix essentially lets you install tools to your system in a way that (a) lets you verify a bunch of things about the installation (e.g., versions of all the tool’s dependencies) and (b) makes that installation declarative. Nix makes it easy to have identical installations on different machines or equivalent installations on different OSs, but not in quite the same way as a containerization tool like Docker does.
Like other comments have mentioned, none of these tools differ that much in terms of security though. I’m not sure what the truly isolated option would be aside from having a VM, but I’m not a cybersecurity researcher.
NixOS can actually do containers via systemd-nspawn, and the builds Nix runs are sandboxed. Technically, you could execute all your builds via a Nix flake target rather than create a development shell if you wanted the isolation the Nix sandbox provides. This would not be good enough for doing something like malware research, but it definitely satisfies the original goal.
Sorry, I didn't clarify. I use nix-darwin on macOS. I'm not familiar with the capabilities of NixOS. Re. flake targets, that makes sense, but development environments are not sandboxed as far as I understand. Am I wrong?
You are correct! I just wanted to clarify my original “use Nix” as it didn’t explain anything about sandboxed builds or containerization possibilities. I agree that if there is any worry about malware then everything should be fully isolated in a virtual machine - which is an even harder discussion.
There is a project, nixos-shell, that does what you ask though. But regarding containers, the warning at the top of that chapter is relevant. Anything that is not running in a virtual machine is just on your host machine as far as I am concerned.
I see it as: Nix is compartmentalizing. You're just sorting things into rooms, as opposed to jail cells.
I use NixOS on all of my machines at this point, I like how easy it is to configure my systems.
Docker with Docker compose is how we do exactly this. It is pretty painless, and you can probably do live reloading. The Deno Docs even have references for setting it up specifically for using Deno.
Very interesting, I appreciate how they even included a setup for running as a non-root user. Thanks for sharing!
Docker would do the job in multiple ways. You can either have it set up to watch for file changes or commits and build then run the container on changes, or just run the container and bind the virtual directories to real directories.
But FYI, Docker by default runs with root access, so, uh, not exactly enhancing security much. It's mainly for build reproducibility rather than security.
I know I've heard Podman mentioned in the same space. Not sure if it's more security focused or not, but I believe that's a selling point I've heard.
It is, at least as far as this is concerned, as it runs rootless by default.
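One concrete way to do what the Docker/Podman suggestions above describe (bind-mount the source from the host, build and run inside the container, publish a local port) while keeping the root-vs-rootless point in mind. This is an added example for the thread, not code from any of the posts, from Deno, or from podman; it assumes podman is installed in rootless mode, and the image name (docker.io/denoland/deno), the port, the volume name and the mount paths are placeholders chosen here.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts, Deno, or podman.
# Runs a project's toolchain in a rootless podman container while the source stays
# on the host, so you edit in your usual IDE and build/run inside the sandbox.
# IMAGE, APP_PORT and CACHE_VOL are placeholders chosen for this example.
set -eu

IMAGE="${IMAGE:-docker.io/denoland/deno:latest}"   # assumed toolchain image
APP_PORT="${APP_PORT:-8000}"                        # port the app listens on inside the container
CACHE_VOL="${CACHE_VOL:-deno-cache}"                # named volume so the dependency cache survives --rm

# Run "$@" inside a container whose only writable paths are the bind-mounted
# project, the dependency cache volume and /tmp. RUNNER is the command that
# receives the arguments (podman normally; print_args below for inspection).
#   --userns=keep-id                  your host uid is the container uid: files you
#                                     write into the bind mount stay yours, and the
#                                     toolchain is never root, even inside the namespace
#   --security-opt=no-new-privileges  setuid/setcap binaries cannot raise privileges
#   --cap-drop=ALL                    no Linux capabilities at all
#   --read-only / --tmpfs /tmp        image filesystem is immutable
#   -p 127.0.0.1:...                  dev port is reachable from the host only, not the LAN
#   :Z                                SELinux relabel for the bind mount (ignored elsewhere)
dev_container() {
    runner="$1"
    src_dir="$2"
    shift 2
    "$runner" run --rm -it \
        --userns=keep-id \
        --security-opt=no-new-privileges \
        --cap-drop=ALL \
        --read-only \
        --tmpfs /tmp \
        -e "DENO_DIR=/deno-dir" \
        -e "HOME=/tmp" \
        -p "127.0.0.1:${APP_PORT}:${APP_PORT}" \
        -v "${src_dir}:/workspace:Z" \
        -v "${CACHE_VOL}:/deno-dir" \
        -w /workspace \
        "$IMAGE" "$@"
}

# Runner that just lists the arguments one per line, for review or for tests.
print_args() {
    printf '%s\n' "$@"
}

# Refuse to start if podman is not running rootless: a container escape from a
# rootful engine lands you as root on the host, which defeats the purpose.
require_rootless() {
    command -v podman >/dev/null 2>&1 || { echo "podman not found" >&2; return 2; }
    [ "$(podman info --format '{{.Host.Security.Rootless}}')" = "true" ] \
        || { echo "refusing to run: podman is not rootless" >&2; return 1; }
}

# Usage: dev_shell ~/src/project deno task dev
dev_shell() {
    require_rootless
    src_dir=$(cd "$1" && pwd -P)   # bind mounts need an absolute host path
    shift
    dev_container podman "$src_dir" "$@"
}
```

Source the file and run `dev_shell ~/src/project deno task dev`; `dev_container print_args ~/src/project deno task dev` shows the exact flags before anything is started. The same flags work with Docker, but the Docker daemon itself runs as root unless you set up its rootless mode, and `--userns=keep-id` has no Docker equivalent; the closest substitute there is `--user "$(id -u):$(id -g)"`.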
Yea, I work with older Android toolchains that need to run on specific host machines so I use docker for everything. I keep the full Android root in a docker volume along with the host's /dev and some other nice to haves so I can use e.g. the built adb binary inside the container to debug the device.
I'm unsure if I'm not understanding the request, but to me that sounded like you were describing devcontainers. In VS Code, stuff like automatic port forwarding is built into the IDE. The only cases I've found this setup to be problematic are with graphical applications, but it's more of just a pain than an actual blocker.
I personally use podman devcontainers for almost everything I can. I don't like piling my host machine full of random packages, so I isolate where I can.
As an amateur (at best) developer, I've also found podman devcontainers in vscode (on windows) to be not too difficult to set up.
Granted, I have a little bit of experience with wrangling podman containers for my selfhosted stuff, but that doesn't require a lot of software development knowledge.
I was going to say the same thing. For a devcontainer, you can start with a dockerfile and a devcontainer.json in your .devcontainer folder.
You can even use docker-in-docker to run docker containers in the Devcontainer environment.
We have a Kubernetes-deployed SaaS app at work that can run locally on k3d inside the docker container. So from a cold start, you install docker and task, run task devcontainer-build then task devcontainer-start-with-cluster. The latter kicks off the docker container and opens a vscode instance running inside the docker container. The devcontainer config specifies a bunch of plugins and standard config settings (like linting and file formatting) so that everyone's configuration is the same. There's a script hook for post-launch that initializes the k3d cluster, installs dependency charts, etc.
There's a different task that starts the container without the cluster for when people are doing dev on a single module.
What's really great about having the devcontainer cluster is that I can run more than one devcontainer on different versions of the code. So if I am doing dev on a branch and I need to do a code review on someone else's PR, I can check their branch out to a different folder, launch the second devcontainer, and do whatever tests I need to do as part of the review, including trying out features in the local cluster without interrupting my work on my branch, tearing down my cluster, or anything. The two are fully independent.
By "tools like this" you mean the project itself? Because Deno as a runtime should be fine; in fact one of the selling points of Deno is that dependencies are shared in a single cache as opposed to each project having a huge node_modules dir like with Node.js.
Anyway, you could use a docker/podman container. Mount the source from your local drive so you can edit within your IDE and then execute in the container. You can set this up manually, or assuming VSCode you can try dev containers, though I haven't tried them myself.
Dev Containers are great, especially if there are other services required to properly run the application locally (eg: an in-memory cache running alongside an application).
If your IDE doesn't have built in support, you could use something like Dev Pod that is IDE agnostic (though I've not really used it myself)
If you want to go all the way down to installing and running an IDE in a sandboxed environment, I think you're most likely looking at full virtual machines as your only option (aside from dual-booting or completely different machines).
At my company I develop the "full stack", including what is usually covered by sysadmin & devops, which means jumping between languages and language versions constantly.
My general rule is to not even have the runtime, let alone the tool chain and dev environment, for any language installed on my workstation and do everything in docker.
I've got various editors installed and chrome/Firefox/etc but with everything else being in docker switching project is very fast as is switching desktop to laptop and similar.
I've been running this way for well over 5 years and I've yet to find a significant drawback to the approach, for my way of working at least.
Can you elaborate on why you’re uncomfortable with installing deno? Is this a security or privacy concern?
For my admittedly highly pedestrian needs, the version manager asdf has proven sufficient, though it doesn’t keep everything fully contained. If full containment were a requirement, depending on the project and tools in question I’d probably just use a VM, as that makes the whole mess dead simple and painless. Still have yet to get on the Docker train and don’t feel like learning nix.
I use Deno on a Mac, but as a hobbyist working on my own projects, all I do is create a separate project directory for each project. I just have one version of Deno installed, so when I upgrade it, it affects everything, but for me, that seems fine.
I haven't used it, but I wonder if GitHub Codespaces would work for getting better isolation?
If you're willing to share a link to the project you want to contribute to, I could tell you if there's anything that looks weird.
TIL what Deno is.