为了减小安装体积，linux-firmware 提供的固件现在改用 zstd 进行压缩。在更新到 linux-firmware-20260309_1 或更高版本时，请确保您正在运行受支持的内核：

• linux5.10>=5.10.251_1
• linux5.15>=5.15.201_1
• linux6.1>=6.1.127_1
• linux6.6>=6.6.68_1
• linux6.12>=6.12.7_1
• linux6.18, linux6.19 或任何更高版本
• rpi-kernel>=6.12.67_1
• pinephone-kernel>=6.1.7_2

如果您无法运行这些内核之一，可以将 linux-firmware 软件包锁定在当前安装的版本：

# xbps-pkgdb -m hold linux-firmware linux-firmware-amd linux-firmware-broadcom \
    linux-firmware-intel linux-firmware-network linux-firmware-nvidia linux-firmware-qualcomm

变更内容 (What’s Changed)

• libxbps: 修复了在未解压状态下更新包的问题。duncaen

• libxbps: 在解压所有包之前和之后运行所有脚本，以避免在半解压状态下运行任务。duncaen

• libxbps: 修复了缺少末尾换行符时的配置解析问题，并移除了值中的末尾空格。eater, duncaen

• libxbps: 如果配置文件中也定义了架构，则修复 XBPS_ARCH 环境变量。duncaen

• libxbps: 修复内存泄漏问题。ArsenArsen

• libxbps: 修复文件描述符泄漏问题。gt7-void

• libxbps: 修复 libfetch 中的临时重定向问题。ericonr

• libxbps: 修复了使用 replaces 替换包时自动/手动模式的设置方式。这使得通过过渡包正确替换手动安装的包成为可能。duncaen

• libxbps: 修复了当依赖项处于锁定 (hold) 状态时不一致的依赖解析问题。如果被锁定的依赖破坏了包的安装或更新，xbps 现在将以 ENODEV (19) 退出，而不是直接忽略它，从而避免导致不一致的 pkgdb。#393 duncaen

• libxbps: 修复了 XBPS_FLAG_INSTALL_AUTO 的问题，即在自动安装模式下安装新包时，正在更新的已安装包会被错误地标记为自动安装。#557 duncaen

• libxbps: 重新安装包时，不要移除仍属于新包的目录。这避免了因目录重建而导致 runsv 出错的问题（runsv 保持着服务目录的打开句柄，如果被删除并重建会受影响）。#561 duncaen

• xbps-install(1): 列出重新安装的包。chocimier

• xbps-install(1): 在干跑 (dry-run) 模式下，忽略空间不足错误。chocimier

• xbps-install(1): 修复了仓库锁定 (repo-locked) 的依赖可能会从非锁定仓库更新的漏洞。chocimier

• xbps-fetch(1): 确保在遇到故障时以失败状态退出。duncaen

• xbps-fetch(1): 修复在错误情况下打印未初始化内存的问题。duncaen

• xbps-pkgdb(1): 移除 mtime 检查，因为它们在 fat 文件系统上不可靠，且 xbps 不再依赖 mtime 匹配包。duncaen

• xbps-checkvers(1): 使用 --installed 参数时同时列出子包 (subpackages)。chocimier

• xbps-remove(1): 修复干跑模式下清理缓存的不一致性。duncaen

• xbps-remove(1): 允许通过指定两次 -O/--clean-cache 标志从包缓存中移除“已卸载”的包（缓存中仍然是最新的但不再安装的包）。#530 duncaen

• xbps-query(1): --cat 现在可在仓库 (repo) 或 pkgdb 模式下工作。duncaen

• xbps-query(1): --list-repos/-L 列出所有仓库，包括无法打开的仓库。chocimier

• xbps.d(5): 更精确地描述 ignorepkg。chocimier

• libxbps, xbps-install(1), xbps-remove(1), xbps-reconfigure(1), xbps-alternatives(1): 添加 XBPS_SYSLOG 环境变量以覆盖 syslog 配置选项。duncaen

• libxbps: 解决了由于 Void Linux 仓库中虚拟包数量增加导致的性能问题。#625 duncaen

• libxbps: 将暂存数据合并到仓库索引 (repodata) 文件中。这允许从远程仓库下载暂存索引，而无需保持两个索引文件同步。#575 duncaen

• xbps-install(1), xbps-query(1), xbps-checkvers(1), xbps.d(5): 添加了 --staging 标志、XBPS_STAGING 环境变量和 staging=true|false 配置选项。启用暂存允许 xbps 使用来自远程仓库的暂存包。duncaen

• xbps-install(1), xbps-remove(1): 在应用事务之前，在事务摘要下方打印一次软件包安装和删除消息。#572 chocimier

• xbps-query(1): 改进的参数解析允许在参数的任何位置输入软件包参数。#588 classabbyamp

• xbps-install(1): 使干跑 (dry-run) 输出保持一致并支持机器解析。#611 classabbyamp

• libxbps: 在路径中不进行波浪号 (~) 字符的 URL 转义，以获得与某些服务器更好的兼容性。#607 gmbeard

• libxbps: 对软件包使用正确的 ASN1 签名类型。签名现在具有 .sig2 扩展名。#565 classabbyamp

• xbps-uhelper(1): 如果指定了 -v/--verbose 标志，为 pkgmatch 和 cmpver 子命令添加详细输出。#549 classabbyamp

• xbps-uhelper(1): 支持许多子命令的多个参数，以提高流水线性能。#536 classabbyamp

• xbps-alternatives(1): 为 -l/--list 添加 -R/--repository 模式，以显示仓库中软件包的替代方案。#340 duncaen

• libxbps: 修复获取包和仓库时的永久 (308) 重定向问题。duncaen

• xbps-remove(1): 忽略其删除文件时出现的文件未找到错误。duncaen

• libxbps: preserve 软件包元数据现在在删除软件包时也受到尊重。duncaen

• xbps-pkgdb(1): 新的 --checks 参数允许选择运行哪些检查。#352 ericonr, duncaen

完整变更日志 (Full Changelog): https://github.com/void-linux/xbps/compare/0.59.2...0.60

在当今瞬息万变的数字化版图中，企业必须持续创新以保持竞争力并推动增长。正因如此，我们非常激动地揭晓我们的最新解决方案：Void Linux 企业版。利用尖端技术，这一下一代操作系统提供了无与伦比的价值、卓越的投资回报率 (ROI) 以及非凡的卓越运营 (Operational Excellence)。

利用下一代技术转型您的基础设施

Void 企业版通过为您的业务关键型应用提供更安全、稳定和高性能的体验，使其从传统企业级解决方案中脱颖而出。我们的解决方案建立在 Void Linux 经受过考验的基础之上，Void Linux 因其在数据中心和云环境中的可靠性和健壮性而闻名。

我们的专家团队精心设计了每个组件以使其和谐共作，从而实现无缝集成和高效的资源利用。这种流线型基础设施不仅最大限度地降低了运营成本，还最大限度地发挥了您的 IT 资源潜力。

通过自动化和简单性增强卓越运营

Void 企业版的核心在于其简化复杂流程的承诺。通过自动化重复任务并提供直观的管理工具，我们的解决方案使您的 IT 团队能够专注于推动业务增长的更具战略意义的举措。

我们坚信要将控制权交还给管理员，这就是为什么我们包含了一套专门为企业环境设计的全面自动化功能。有了 Void 企业版，您可以毫不费力地管理基础设施的配置、配置和更新，而无需广泛的脚本编写知识或手动干预。

通过云优化的基础设施提高投资回报率

随着企业越来越多地转向混合云和多云战略，Void 企业版确保与流行云平台的无缝集成。这使组织能够最大限度地投资现有基础设施，同时轻松地将资源扩展到云端以支持不断发展的业务需求。

我们的解决方案配备了先进的容器化功能，允许您快速扩展应用程序和工作负载，而无需过度配置或浪费资源。这导致了投资回报率的提高，因为您的 IT 团队可以有效地分配资源，并以较低的总拥有成本实现预期结果。

与您现有的基础设施无缝集成

我们深知迁移到新技术可能具有挑战性。这就是为什么 Void 企业版的设计初衷是与您现有的基础设施轻松集成。我们的解决方案提供了与广泛应用的强大兼容性，确保在过渡过程中产生最小的干扰。

我们的专业团队致力于在您迈向卓越运营的每一个阶段提供顶级的支持和协助。从初始部署到持续维护，我们都能为您提供全方位的服务。

Void Linux 企业版代表了企业技术解决方案的一次量子跨越。它通过将下一代技术的力量与无与伦比的易用性和无缝集成能力相结合，交付价值、提高投资回报率并增强卓越运营。

准备好通过 Void Linux 企业版将您的业务运营提升到新的高度吧。今天就体验 IT 基础设施的未来！

您可以在我们的 下载页面 以及众多的 镜像站 中找到适用于 x86_64 和 x86_64-musl 的 Void Linux 企业版镜像。

今天就联系您的 Void 企业版分发商或系统集成商以购买许可证密钥！

您可以按照 使用手册 中的说明验证镜像的真实性，并使用以下 minisign 公钥信息：

untrusted comment: minisign public key 4D951FCB5722B6A4
RWSktiJXyx+VTT+tvaAOgJY5iLlt1tiQw6q3giH1+Fs2J7RnYaAewRHw

我们很高兴地宣布，20250202 镜像集已晋升为当前版本，现在已正式发布。

您可以在我们的 下载页面 以及众多的 镜像站 中找到新镜像。

本次发布引入了对几种 arm64 UEFI 设备的支持：

• Apple Silicon
• Lenovo Thinkpad X13s
• Pinebook Pro

适用于 aarch64 和 aarch64-musl 的 Live ISO 镜像也应支持其他支持 UEFI 并能运行主线（标准）内核的 arm64 设备。

此外，本次发布的镜像还包括：

• Live ISO 中包含 Linux 6.12
• xfce 版本的 Live ISO 中包含 Xfce 4.20
• 树莓派 (Raspberry Pi) PLATFORMFS 和镜像中包含 Linux 6.6.69
• xgenfstab，这是来自 xtools 的一个新脚本，旨在简化 chroot 安装时 /etc/fstab 的生成。

以及以下变更：

• 修复了带有 Nvidia 显卡的系统在没有 nomodeset 的情况下无法启动的问题 (void-packages #52545)
• 在引导加载程序菜单中添加了一个条目，通过设置 nomodeset 来禁用图形显示 (void-mklive 380f0fd)
• 在引导加载程序菜单中添加了额外的快捷键。完整列表请参阅 使用手册 (void-mklive 380f0fd)
• 树莓派平台镜像现在默认体积更小，但在首次启动时会使用 growpart 扩展根分区以适应存储设备。更多详情请参阅 使用手册 (void-mklive #379)
• void-installer 现在包含一个安装后菜单，用于在已安装的系统中启用服务 (void-mklive #389)
• rpi-aarch64 和 rpi-aarch64-musl PLATFORMFS 及平台镜像现在应支持最近发布的 Raspberry Pi 500 和 CM5。

您可以按照 使用手册 中的说明验证镜像的真实性，并使用以下 minisign 公钥信息：

untrusted comment: minisign public key 4D56E70F102AF9F9
RWT5+SoQD+dWTeOdNuc4Q/jq2+3+jpql7+JJp4WukkxTdpsZlk2EGuPj

终于，Void 要正式告别 Python 2 了。虽然 Python 官方在 2020 年就停止了对 Python 2 的支持，但 Void 仍有 200 多个包依赖它。自那时起，Void 的贡献者们已经 更新、打补丁或移除 了这些软件包。目前，Python 2 仍会作为 python2（以及 python2-setuptools 和 python2-pip）留在仓库中，但 python 现在是一个元软件包 (metapackage)，很快就会指向 python3。

该项目的最大阻碍之一是 Void 自身的一些基础设施：我们的 Buildbot，它负责构建所有发往用户的软件包。在很长一段时间里，我们一直被困在 Buildbot 0.8.12 版本（发布于 2015年 4 月 21 日，且基于 Python 2），因为它运行复杂，移动部件繁多，而且相当脆弱。将其更新到现代版本需要耗费大量的时间和精力。

现在，我们迈向了未来：我们已经将 Buildbot 升级到了 4.0 版本，现在它通过我们的编排系统 Nomad 进行管理，以提高部署的可靠性、可观测性和可复现性。查看 2023 年的 基础设施周 (Infrastructure Week) 系列博文 以详细了解 Void 为何以及如何使用 Nomad。

访问全新的 Buildbot 仪表板：build.voidlinux.org，亲眼见证您的软件包是如何构建的！

Void 项目非常高兴地欢迎又一位新成员加入：@tranzystorekk。

想在未来的更新中看到您的名字吗？请阅读我们的 贡献页面 (Contributing Page) 并找到您可以帮上忙的地方！新成员通常是从活跃的贡献者社区中邀请产生的。

我们很高兴地宣布，20240314 镜像集已晋升为当前版本，现在已正式发布。

您可以在我们的 下载页面 以及众多的 镜像站 中找到新镜像。

本次发布的一些亮点：

• XFCE 镜像中的 LightDM 现在显示键盘布局选择器 (@classabbyamp 见于 #354)
• Live 镜像中现在默认启用了 chrony NTP 守护进程 (@classabbyamp 见于 abbd636)
• 在支持从 USB 或 NVMe 启动的树莓派型号上，镜像现在可以安装在非 SD 卡存储上，无需手动配置 (@classabbyamp 见于 #361)
• 树莓派镜像的 /boot 分区现在默认大小为 256MiB，而不再是 64MiB (@classabbyamp 见于 #368)

rpi-aarch64* PLATFORMFS 和镜像现在支持树莓派 5 (Raspberry Pi 5)。安装完成后，可以将内核 切换 到树莓派 5 特有的 rpi5-kernel。

您可以按照 下载页面 上的说明验证镜像的真实性，并使用以下 minisign 公钥信息：

untrusted comment: minisign public key A3FCFCCA9D356F86
RWSGbzWdyvz8o4nrhY1nbmHLF6QiFH/AQXs1mS/0X+t1x3WwUA16hdc/

为了简化 xbps-src 的使用，关于主目录 (masterdirs，即 xbps-src 用来构建包的容器) 的创建和使用方式已发生了一些小变化。

默认的主目录现在被命名为 masterdir-<arch>，除非 masterdir 已经存在，或者在容器中使用 xbps-src（这种情况下仍然是 masterdir）。

创建 (Creation)

在为其他架构或 C 库创建主目录时，以前的语法是：

./xbps-src -m <name> binary-bootstrap <arch>

现在，应使用新的 -A (主机架构) 标志来指定 <arch>：

./xbps-src -A <arch> binary-bootstrap

这将在您的 void-packages 仓库根目录下创建一个名为 masterdir-<arch> 的新主目录。

您仍然可以使用 -m <name> 来创建任意名称的主目录。

使用 (Usage)

现在，您不再需要直接指定备选的主目录，而是可以使用 -A (主机架构) 标志来调用 masterdir-<arch>：

./xbps-src -A <arch> pkg <pkgname>

您仍然可以使用 -m <name> 来调用任意名称的主目录。

Void 项目非常高兴地欢迎 2 位新成员加入。

加入我们并致力于软件包维护工作的成员是：@oreo639 和 @cinerea0。

想在未来的更新中看到您的名字吗？请阅读我们的 贡献页面 (Contributing Page) 并找到您可以帮上忙的地方！新成员通常是从活跃的贡献者社区中邀请产生的。

随着 glibc 2.38 的更新，libcrypt.so.1 不再由 glibc 提供。 Libcrypt 是几个使用加密功能的核心系统包（包括 pam）的重要库。该库的版本已发生变化，旧版本仍可用于预编译或专有应用程序。新版本在 Void 中作为 libxcrypt 提供，旧版本为 libxcrypt-compat。

通过此更改，某些类型的部分更新可能会导致 PAM 无法运行。这会破坏 sudo、doas 和 su 等工具，以及系统身份验证。症状包括提示“PAM authentication error: Module is unknown”。如果这种情况发生在您身上，您可以：

• 在引导加载程序中将 init=/bin/sh 添加到内核命令行并 降级 glibc，
• 或者在 Live 环境中挂载系统的根分区，chroot 进入其中，并安装 libxcrypt-compat。

以上任一步骤都应能让您正常访问系统并运行完整更新。

为确保上述灾难性的部分更新不会发生，glibc-2.38_3 现在依赖于 libxcrypt-compat。通过此更改，执行包含 glibc 2.38 的部分更新是安全的。

Void is a complex system, and over time we make changes to reduce this complexity, or shift it to easier to manage components. Recently through the fantastic work of one of our maintainers classabbyamp our repository sync system has been dramatically improved.

Previously our system was based on a series of host managed rsyncs running on either snooze or cron based timers. These syncs would push files to a central location to be signed and then distributed. This central location is sometimes referred to as the “shadow repo” since its not directly available to end users to synchronize from, and we don’t usually allow anyone outside Void to have access to it.

As you might have noticed from the Fastly Overview the packages take a long path from builders to repos. What is not obvious from the graph shown is that the shadow repo previously lived on the musl builder, meaning that packages would get built there, copied to the glibc builder, then copied back to the musl builder and finally copied to a mirror. So many copies! To streamline this process, the shadow mirror is now just the glibc server, since that’s where the packages have to wind up for architectural reasons anyway. This means we were able to cut out 2 rsyncs and reclaim a large amount of space on the musl builder, making the entire process less fragile and more streamlined.

But just removing rsyncs isn’t all that was done. To improve the time it takes for packages to make it to users, we’ve also switched the builders from using a time based sync to using lsyncd to take more active management of the synchronization process. In addition to moving to a more sustainable sync process, the entire process was moved up into our Nomad managed environment. Nomad allows us to more easily update services, monitor them for long term trends, and to make it clearer where services are deployed.

In addition to fork-lifting the sync processes, we also forklifted void-updates, xlocate, xq-api (package search), and the generation of the docs-site into Nomad. These changes represent some of the very last services that were not part of our modernized container orchestrated infrastructure.

Visually, this is what the difference looks like. Here’s before:

And here’s what the sync looks like now, note that there aren’t any cycles for syncs now:

If you run a downstream mirror we need your help! If your mirror has existed for long enough, its possible that you were still synchronizing from alpha.de.repo.voidlinux.org, which has been a dead servername for several years now. Since moving around sync traffic is key to our ability to keep the lights on, we’ve provisioned a new dedicated DNS record for mirrors to talk to. The new repo-sync.voidlinux.org is the preferred origin point for all sync traffic and using it means that we can transparently move the sync origin during maintenance rather than causing an rsync hang on your sync job. Please check where you’re mirroring from and update accordingly.

Happy Pythonmas! It’s October, which means it’s Python 3 update season. This year, along with the usual large set of updates for Python packages, a safety feature for pip, the Python package manager, has been activated. To ensure that Python packages installed via XBPS and those installed via pip don’t interfere with one another, the system-wide Python environment has been marked as “externally managed”.

If you try to use pip3 or pip3 --user outside of a Python virtual environment, you may see this error that provides guidance on how to deploy a virtual environment suitable for use with pip:

This system-wide Python installation is managed by the Void Linux package
manager, XBPS. Installation of Python packages from other sources is not
normally allowed.

To install a Python package not offered by Void Linux, consider using a virtual
environment, e.g.:

  python3 -m venv /path/to/venv
  /path/to/venv/pip install <package>

Appending the flag --system-site-packages to the first command will give the
virtual environment access to any Python package installed via XBPS.

Invoking python, pip, and executables installed by pip in /path/to/venv/bin
should automatically use the virtual environment. Alternatively, source its
activation script to add the environment to the command search path for a shell:

  . /path/to/venv/activate

After activation, running

  deactivate

will remove the environment from the search path without destroying it.

The XBPS package python3-pipx provides pipx, a convenient tool to automatically
manage virtual environments for individual Python applications.

You can read more about this change on Python’s website in PEP 668.

To simplify the use of Void-based containers, all Void container images tagged 20231003R1 or later will explicitly ignore the “externally managed” marker. Containers based on these images will still be able to use pip to install Python packages in the container-wide environment.

Here Be Dragons

If you really want to be able to install packages with pip in the system- or user-wide Python environment, there are several options, but beware: this can cause hard-to-debug issues with Python applications, or issues when updating with XBPS.

1. Use pip’s --break-system-packages flag. This only applies to the current invocation.
2. Set pip’s configuration: pip3 config set install.break-system-packages True. This will apply to all future invocations.
3. Add a noextract=/usr/lib/python*/EXTERNALLY-MANAGED rule to your XBPS configuration and re-install the python3 package. This will apply to all future invocations.

To simplify the container experience, we’ve revamped the way Void’s OCI container images are built and tagged.

In short:

• Architectures are now encoded using the platform in the manifest instead of in tags
• Different libcs and flavors of images are now separate images instead of tags
• The mini flavor is no longer built, as they did not work as intended

You can check out the available images on the Download page or on Github.

If you’re interested in the technical details, you can take a look at the pull request for these changes.

To migrate your current containers:

Void runs a distributed team of maintainers and contributors. Making infrastructure work for any team is a confluence of goals, user experience choices, and hard requirements. Making infrastructure work for a distributed team adds on the complexity of accessing everything securely over the open internet, and doing so in a way that is still convenient and easy to setup. After all, a light switch is difficult to use is likely to lead to lights being left on.

We take several design criteria into mind when designing new systems and services that make Void work. We also periodically re-evaluate systems that have been built to ensure that they still follow good design practices in a way that we are able to maintain, and that does what we want. Lets dive in to some of these design practices.

No Maintainer Facing VPNs

VPNs, or Virtual Private Networks are ways of interconnecting systems such that the network in between appears to vanish beneath a layer of abstraction. WireGuard, OpenVPN, and IPSec are examples of VPNs. OpenVPN and IPSec, a client program handles encryption and decryption of traffic on a tunnel or tap device that translates packets into and out of the kernel network stack. If you work in a field that involves using a computer for your job, your employer may make use of a VPN to grant your device connectivity to their corporate network environment without you having to be physically present in a building. VPN technologies can also be used to make multiple physical sites appear to all be on the same network.

Void uses WireGuard to provide machine-to-machine connectivity for our fleet, but only within our fleet. Maintainers always access services without a VPN. Why do we do this, and how do we do it? First the why. We operate in this way because corporate VPNs are often cumbersome, require split horizon DNS (where you get different DNS answers depending on where you resolve from) and require careful planning to make sure no subnet overlap occurs between the VPN, the network you are connecting to, and your local network. If there were an overlap, the kernel would be unable to determine where to send the packets since it has multiple routes for the same subnets. There are cases where this is a valid network topology (ECMP), but that is not what is being discussed here. We also have no reason to use a VPN. Most of the use cases that still require a VPN have to do with transporting arbitrary TCP streams across a network, but this is unnecessary. For Void, all our services are either HTTP based or are transported over SSH.

For almost all our systems that we interact with daily, either a web interface or HTTP-based API is provided. For the devspace file hosting system, maintainers can use SFTP via SSH. Both HTTP and SSH have robust, extremely well tested authentication and encryption options. When designing a system for secure access, defense in depth is important, but so is trust that the cryptographic primitives you have selected actually work. We trust that HTTPS works, and so there is no need to wrap the connection in an additional layer of encryption. The same goes for SSH, which we use exclusively public-key authentication for. This choice is sometimes challenging to maintain, since it means that we need to ensure highly available HTTP proxies and secure, easily maintained SSH key implementations, we have found it works well for us. In addition to the static files that all our tier 1 mirrors serve, the mirrors are additionally capable of acting as proxies. This allows us to terminate the externally trusted TLS session at a webserver running nginx, and then pass the traffic over our internal encrypted fabric to the destination service.

For SSH we simply make use of AuthorizedKeysCommand to summon keys from NetAuth allowing authorized maintainers to log onto servers or ssh-enabled services wherever their keys are validated. For the devspace service which has a broader ACL than our base hardware, we can enhance its separation by running an SFTP server distinct from the host sshd. This allows us to ensure that it is impossible for a key validated for devspace to inadvertently authorize a shell login to the underlying host.

For all other services, we make use of the service level authentication as and when required. We use combinations of Native NetAuth, LDAP proxies, and PAM helpers to make all access seamless for maintainers via our single sign on system. Removing the barrier of a VPN also means that during an outage, there’s one less component we need to troubleshoot and debug, and one less place for systems to break.

Use of Composable Systems

Distributed systems are often made up of complex, interdependent sub-assemblies. This level of complexity is fine for dedicated teams who are paid to maintain systems day in and day out, but is difficult to pull off with an all-volunteer team that works on Void in their free time. Distributed systems are also best understood on a whiteboard, and this doesn’t lend itself well to making a change on a laptop from a train, or reviewing a delta from a tablet between other tasks. While substantive changes are almost always made from a full terminal, the ratio of substantive changes to items requiring only quick verification is significant, and its important to maintain a level of understand-ability.

In order to maintain the level of understand-ability of the infrastructure at a level that permits a reasonable time investment, we make use of composable systems. Composable systems can best be thought of as infrastructure built out of common sub-assemblies. Think Lego blocks for servers. This allows us to have a common base library of components, for example webservers, synchronization primitives, and timers, and then build these into complex systems through joining their functionality together.

We primarily use containers to achieve this composeability. Each container performs a single task or a well defined sub-process in a larger workflow. For example we can look at the workflow required to serve https://man.voidlinux.org/. In this workflow, a task runs periodically to extract all man pages from all packages, then another process runs to copy those files to the mirrors, and finally a process runs to produce an HTTP response to a given man page request. Notice there that its an HTTP response, but the man site is served securely over HTTPS. This is because across all of our web-based services we make use of common infrastructure such as load balancers and our internal network. This allows applications to focus on their individual functions without needing to think about the complexity of serving an encrypted connection to the outside world.

By designing our systems this way, we also gain another neat feature: local testing. Since applications can be broken down into smaller building blocks, we can take just the single building block under scrutiny and run it locally. Likewise, we can upgrade individual components of the system to determine if they improve or worsen a problem. With some clever configuration, we can even upgrade half of a system that’s highly available and compare the old and new implementations side by side to see if we like one over the other. This composability enables us to configure complex systems as individual, understandable components.

Its worth clarifying though that this is not necessarily a microservices architecture. We don’t really have any services that could be defined as microservices in the conventional sense. Instead this architecture should be thought of as the Unix Philosophy as applied to infrastructure components. Each component has a single well understood goal and that’s all it does. Other goals are accomplished by other services.

We assemble all our various composed services into the service suite that Void provides via our orchestration system (Nomad) and our load balancers (nginx) which allow us to present the various disparate systems as though they were one to the outside world, while still maintaining them as separate service “verticals” side by side each other internally.

Everything in Git

Void’s packages repo is a large git repo with hundreds of contributors and many maintainers. This package bazaar contains all manner of different software that is updated, verified, and accepted by a team that spans the globe. Our infrastructure is no different, but involves fewer people. We make use of two key systems to enable our Infrastructure as Code (IaC) approach.

The first of these tools is Ansible. Ansible is a configuration management utility written in python which can programatically SSH into machines, template files, install and remove packages and more. Ansible takes its instructions as collections of YAML files called roles that are assembled into playbooks (composeability!). These roles come from either the main void-infrastructure repo, or as individual modules from the void-ansible-roles organization on GitHub. Since this is code checked into Git, we can use ansible-lint to ensure that the code is consistent and lint-free. We can then review the changes as a diff, and work on various features on branches just like changes to void-packages. The ability to review what changed is also a powerful debugging tool to allow us to see if a configuration delta led to or resolved a problem, and if we’ve encountered any similar kind of change in the past.

The second tool we use regularly is Terraform. Whereas Ansible configures servers, Terraform configures services. We can apply Terraform to almost any service that has an API as most popular services that Void consumes have terraform providers. We use Terraform to manage our policy files that are loaded into Nomad, Consul and Vault, we use it to provision and deprovision machines on DigitalOcean, Google and AWS, and we use it to update our DNS records as services change. Just like Ansible, Terraform has a linter, a robust module system for code re-use, and a really convenient system for producing a diff between what the files say the service should be doing and what it actually is doing.

Perhaps the most important use of Terraform for us is the formalized onboarding and offboarding process for maintainers. When a new maintainer is proposed and has been accepted through discussion within the Void team, we’ll privately reach out to them to ask if they want to join the project. Given that a candidate accepts the offer to join the group of pkg-committers, the action that formally brings them on to the team is a patch applied to the Terraform that manages our GitHub organization and its members. We can then log approvals, welcome the new contributor to our team with suitable emoji, and grant access all in one convenient place.

Infrastructure as Code allows our distributed team to easily maintain our complex systems with a written record that we can refer back to. The ability to defer changes to an asynchronous review is imperative to manage the workflows of a distributed team.

Good Lines of Communication

Of course, all the infrastructure in the world doesn’t help if the people using it can’t effectively communicate. To make sure this issue doesn’t occur for Void, we have multiple forms of communication with different features. For real-time discussions and even some slower ones, we make use of IRC on Libera.chat. Though many communities appear to be moving away from synchronous text, we find that it works well for us. IRC is a great protocol that allows each member of the team to connect using the interface that they believe is the best for them, as well as to allow our automated systems to connect in as well.

For conversations that need more time or are generally going to be longer we make use of email or a group-scoped discussion on GitHub. This allows for threaded messaging and a topic that can persist for days or weeks if needed. Maintaining a long running thread can help us tease apart complicated issues or ensure everyone’s voice is heard. Long time users of Void may remember our forum, which has since been supplanted by a subreddit and most recently GitHub Discussions. These threaded message boards are also examples of places that we converse and exchange status information, but in a more social context.

For discussion that needs to pertain directly to our infrastructure, we open tickets against the infrastructure repo. This provides an extremely clear place to report issues, discuss fixes, and collate information relating to ongoing work. It also allows us to leverage GitHub’s commit message parsing to automatically resolve a discussion thread once a fix has been applied by closing the issue. For really large changes, we can also use GitHub projects, though in recent years we have not made use of this particular organization system for issues (we use tags).

No matter where we converse though, its always important to make sure we converse clearly and concisely. Void’s team speaks a variety of languages, though we mostly converse in English which is not known for its intuitive clarity. When making hazardous changes, we often push changes to a central location and ask for explicit review of dangerous parts, and call out clearly what the concerns are and what requires review. In this way we ensure that all of Void’s various services stay up, and our team members stay informed.

This post was authored by maldridge who runs most of the day to day operations of the Void fleet. On behalf of the entire Void team, I hope you have enjoyed this week’s dive into the infrastructure that makes Void happen, and have learned some new things. We’re always working to improve systems and make them easier to maintain or provide more useful features, so if you want to contribute, join us in IRC. Feel free to ask questions about this post or any of our others this week on GitHub Discussions or in IRC.

Downtime Both Planned and Not

Yesterday we looked at what Void does to monitor the various services and systems that provide all our services, and how we can be alerted when issues occur. When we’re alerted, this means that whatever’s gone wrong needs to be handled by a human, but not always. Sometimes an alert can trip if we have systems down for planned maintenance activities. During these windows, we intentionally take down services in order to repair, replace, or upgrade components so that we don’t have unexpected breakage later.

Planned Downtime

When possible, we always prefer for services to go down during a planned maintenance window. This allows for services to come down cleanly and for people involved to have planned for the time investment to effect changes to the system. We take planned downtime when its not possible to make a change to a system with it up, or when it would be unsafe to do so. Examples of planned downtime include kernel upgrades, major version changes of container runtimes, and major package upgrades.

When we plan for an interruption, the relevant people will agree on a date usually at least a week in the future and will talk about what the impacts will be. Based on these conversations the team will then decide whether or not to post a blog post or notification to social media that an interruption is coming. Most of the changes we do don’t warrant this, but some changes will interrupt services in either an unintuitive way or for an extended period of time. Usually just rebooting a mirror server doesn’t warrant a notification, but suspending the sync to one for a few days would.

Unplanned Downtime

Unplanned downtime is usually much more exciting because it is by definition unexpected. These events happen when something breaks. By and large the most common way that things break for Void is running out of space on disk. This happens because while disk drives are cheap, getting a drive that can survive years powered on with high read/write load is still not a straightforward ask. Especially not a straightforward problem if you want high performance throughput with low latency. The build servers need large volumes of scratch space while building certain packages due to the need to maintain large caches or lots of object files prior to linking. These large elastic use cases mean that we can have hundreds of gigabytes of free space and then over the course of a single build run out of space.

When this happens, we have to log on to a box and look at where we can reclaim some space and possibly dispatch builds back through the system one architecture at a time to ensure they use low enough space requirements to complete. We also have to make sure that when we clean space, we’re not cleaning files that will be immediately redownloaded. One of the easiest places to claim space back from, after all, is the cache of downloaded files. The primary point of complication in this workflow can be getting a build to restart. Sometimes we have builds that get submitted in specific orders and when a crash occurs in the middle we may need to re-queue the builds to ensure dependencies get built in the right order.

Sometimes downtime occurs due to network partitions. Void runs in many datacenters around the globe, and incidents ranging from street repaving to literal ship anchors can disrupt the fiber optic cables connecting our various network sites together. When this happens, we can often arrive upon a state where people can see both sides of the split, but our machines can’t see each other anymore. Sometimes we’re able to fix this by manually reloading routes or cycling tunnels between machines, but often times its easier for us to just drain services from an affected location and wait out the issue using our remaining capacity elsewhere.

Lessening the Effects of Downtime

As was alluded to with network partitions, we take a lot of steps to mitigate downtime and the effects of unplanned incidents. A large part of this effort goes into making as much content as possible static so that it can be served from minimal infrastructure, usually nothing more than an nginx instance. This is how the docs, infrastructure docs, main website, and a number of services like xlocate work. There’s a batch task that runs to refresh the information, it gets copied to multiple servers, and then as long as at least one of those servers remains up the service remains up.

Mirrors of course are highly available by being byte-for-byte copies of each other. Since the mirrors are static files, they’re easy to make available redundantly. We also configure all mirrors to be able to serve under any name, so during an extended outage, the DNS entry for a given name can be changed and the traffic serviced by another mirror. This allows us to present the illusion that the mirrors don’t go down when we perform longer maintenance at the cost of some complexity in the DNS layer. The mirrors don’t just host static content though. We also serve the https://man.voidlinux.org site from the mirrors which involves a CGI executable and a collection of static man pages to be available. The nginx frontends on each mirror are configured to first seek out their local services, but if those are unavailable they will reach across Void’s private network to find an instance of the service that is up.

This private network is a mesh of wireguard tunnels that span all our different machines and different providers. You can think of it like a multi-cloud VPC which enables us to ignore a lot of the complexity that would otherwise manifest when operating in a multi-cloud design pattern. The private network also allows us to use distributed service instances while still fronting them through relatively few points. This improves security because very few people and places need access to the certificates for voidlinux.org, as opposed to the certificates having to be present on every machine.

For services that are containerized, we have an additional set of tricks available that can let us lessen the effects of a downed server. As long as the task in question doesn’t require access to specific disks or data that are not available elsewhere, Nomad can reschedule the task to some other machine and update its entry in our internal service catalog so that other services know where to find it. This allows us to move things like our IRC bots and some parts of our mirror control infrastructure around when hosts are unavailable, rather than those services having to be unavailable for the duration of a host level outage. If we know that the downtime is coming in advance, we can actually instruct Nomad to smoothly remove services from the specific machine in question and relocate those services somewhere else. When the relocation is handled as a specific event rather than as the result of a machine going away, the service interruption is measured in seconds.

Design Choices and Trade-offs

Of course there is no free lunch, and these choices come with trade-offs. Some of the design choices we’ve made have to do with the difference in effort required to test a service locally and debug it remotely. Containers help a lot with this process since its possible to run the exact same image with the exact same code in it as what is running in the production instance. This also lets us insulate Void’s infrastructure from any possible breakage caused by a bad update, since each service is encapsulated and resistant to bad updates. We simply review each service’s behavior as they are updated individually and this results in a clean migration path from one version to another without any question of if it will work or not. If we do discover a problem, the infrastructure is checked into git and the old versions of the containers are retained, so we can easily roll back.

We leverage the containers to make the workflows easier to debug in the general case, but of course the complexity doesn’t go away. Its important to understand that container orchestrators don’t remove complexity, quite to the contrary they increase it. What they do is shift and concentrate the complexity from one group of people (application developers) to another (infrastructure teams). This shift allows for fewer people to need to have to care about the specifics of running applications or deploying servers, since they truly can say “well it works on my machine” and be reasonably confident that the same container will work when deployed on the fleet.

The last major trade-off that we make when deciding where to run something is thinking about how hard it will be to move later if we decide we’re unhappy with the provider. Void is actually currently in the process of migrating our email server from one host to another at the time of writing due to IP reputation issues at our previous hosting provider. In order to make it easier to perform the migration, we deployed the mail server originally as a container via Nomad, which means that standing up the new mail server is as easy as moving the DNS entries and telling Nomad that the old mail server should be drained of workload.

Our infrastructure only works as well as the software running on it, but we do spend a lot of time making sure that the experience of developing and deploying that software is as easy as possible.

This has been day four of Void’s infrastructure week. Tomorrow we’ll wrap up the series with a look at how we make distributed infrastructure work for our distributed team. This post was authored by maldridge who runs most of the day to day operations of the Void fleet. Feel free to ask questions on GitHub Discussions or in IRC.

Are We Down?

So far we’ve looked at a relatively sizable fleet of machines scattered across a number of different providers, technologies, and management styles. We’ve then looked at the myriad of services that were running on top of the fleet and the tools used to deploy and maintain those services. At its heart, Void is a large distributed system with many parts working in concert to provide the set of features that end users and maintainers engage with.

Like any machine, Void’s infrastructure has wear items, parts that require replacement, and components that break unexpectedly. When this happens we need to identify the problem, determine the cause, formulate a plan to return to service, and execute a set of workflows to either permanently resolve the issue, or temporarily bypass a problem to buy time while we work on a more permanent fix.

Lets go through the different systems and services that allow us to work out what’s gone wrong, or what’s still going right. We can broadly divide these systems into two kinds of monitoring solutions. In the first category we have logs. Logs are easy to understand conceptually because they exist all around us on every system. Metrics are a bit more abstract, and usually measure specific quantifiable qualities of a system or service. Void makes use of both Logs and Metrics to determine how the fleet is operating.

Metrics

Metrics quantify some part of a system. You can think of metrics as a wall of gauges and charts that measure how a system works, similarly to the dashboard of a car that provides information about the speed of the vehicle, the rotational speed of the engine, and the coolant temperature and fuel levels. In Void’s case, metrics refers to quantities like available disk space, number of requests per minute to a webserver, time spent processing a mirror sync and other similar items.

We collect these metrics to a central point on a dedicated machine using Prometheus, which is a widely adopted metrics monitoring system. Prometheus “scrapes” all our various sources of metrics by downloading data from them over HTTP, parsing it, and adding it to a time-series database. From this database we can then query for how a metric has changed over time in addition to whatever its current value is. This is on the surface not that interesting, but it turns out to be extremely useful since it allows checking how a value has changed over time. Humans turn out to be really good at pattern recognition, but machines are still better and we can have Prometheus predict trend lines, compute rates and compare them, and line up a bunch of different metrics onto the same graph so we can compare what different values were reading at the same time.

The metrics that Prometheus fetches come from programs that are collectively referred to as exporters. These exporters export the status information of the system they integrate with. Lets look at the individual exporters that Void uses and some examples of the metrics they provide.

Node Exporter

Perhaps the most widely deployed exporter, the node_exporter provides information about nodes. In this case a node is a server somewhere, and the exporter provides a lot of general information about how the server is performing. Since it is a generic exporter, we get many many metrics out of it, not all of which apply to the Void fleet.

Some of the metrics that are exported include the status of the disk, memory, cpu and network, as well as more specialized information such as the number of context switches and various kernel level values from /proc.

SSL Exporter

The SSL Exporter provides information about the various TLS certificates in use across the fleet. It does this by probing the remote services to retrieve the certificate and then extract values from it. Having these values allows us to alert on certificates that are expiring soon and have failed to renew, as well as to ensure that the target sites are reachable at all.

Compiler Cache Exporter

Void’s build farm makes use of ccache to speed up rebuilds when a build needs to be stopped and restarted. This is rarely useful because software has already had a test build by the time it makes it to our systems. However for large packages such as chromium, Firefox, and boost where a failure can occur due to an out of space condition or memory exhaustion. Having the compiler cache statistics allows us to determine if we’re efficiently using the cache.

Repository Exporter

The repository exporter is custom software that runs in two different configurations for Void. In the first configuration it checks our internal sync workflows and repository status. The metrics that are reported include the last time a given repository was updated, how long it took to copy from its origin builder to the shadow mirror, and whether or not the repository is currently staging changes or if the data is fully consistent. This status information allows maintainers to quickly and easily check whether a long running build has fully flushed through the system and the repositories are in steady state. It also provides a convenient way for us to catch problems with stuck rsync jobs where the rsync service may have become hung mid-copy.

In the second deployment the repo exporter looks not at Void’s repos, but all of the mirrors. The information gathered in this case is whether the remote repo is still synchronizing with the current repodata or not, and how far behind the origin the remote repo is. The exporter can also work out how long a given mirror takes to sync if the remote mirror has configured timer files in their sync workflow, which can help us to alert a mirror sponsor to an issue at their end.

Logs

Logs in Void’s infrastructure are conceptually not unlike the files on disk in /var/log on a Void system. We have two primary systems that store and retrieve logs within our fleet.

Build Logs

The build system produces copious amounts of log output that we need to retain effectively forever to be able to look back on if a problem occurs in a more recent version of a package and we want to know if the problem has always been present. Because of this, we use buildbot’s built in log storage to store a large volume of logs on disk with locality to the build servers. These build logs aren’t searchable, nor are they structured. Its just the output of the build workflow and xbps-src’s status messages written to disk.

Service Logs

Service logs are a bit more interesting, since these are logs that come from the broad collection of tasks that run on Nomad and may be themselves entirely ephemeral. The sync processes are a good example of this workflow where the process only exists as long as the copy runs, and then the task goes away, but we still need a way to determine if any faults occurred. To achieve this result, we stream the logs to Loki.

Loki is a complex distributed log processing system which we run in all-in-one mode to reduce its operational overhead. The practical benefit of Loki is that it handles the full text searching and label indexing of our structure log data. Structured logs simply refers to the idea that the logs are more than just raw text, but have some organizational hierarchy such as tags, JSON data, or a similar kind of metadata that enables fast and efficient cataloging of text data.

Using this Data

Just collecting metrics and logs is one thing, actually using it to draw meaningful conclusions about the fleet and what its doing is another. We want to be able to visualize the data, but we also don’t want to have to constantly be watching graphs to determine when something is wrong. We use different systems to access the data depending on whether a human or a machine is going to watch it.

For human access, we make use of Grafana to display nice graphs and dashboards. You can actually view all our public dashboards at https://grafana.voidlinux.org where you can see the mirror status, the builder status, and various other at-a-glance views of our systems. We use grafana to quickly explore the data and query logs when diagnosing a fault because its extremely optimized for this use case. We also are able to edit dashboards on the fly to produce new views of data which can help explain or visualize a fault.

For machines, we need some other way to observe the data. This kind of workflow, where we want the machine to observe the data and raise an alarm or alert if something is wrong is actually built in to Prometheus. We just load a collection of alerting rules which tell Prometheus what to look for in the pile of data at its disposal.

These rules look for things like predictions that the amount of free disk space will reach zero within 4 hours, the system load being too high for too long, or a machine thrashing too many context switches. Since these rules use the same query language that humans use to interactively explore the data, it allows for one-off graphs to quickly become alerts if we decide an issue that is intermittent is something we should keep an eye on long term. These alerts then raise conditions that a human needs to validate and potentially respond to, but that isn’t something Prometheus does.

Fortunately for managing alerts, we can simply deploy the Prometheus Alertmanager, and this is what we do. This dedicated software takes care of receiving, deduplicating and grouping, and then forwarding alerts to other systems to actually do the summoning of a human to do something about the alert. In larger organizations, an alertmanager configuration would also route different alerts to different teams of people. Since Void is a relatively small organization, we just need the general pool of people who can do something to be made aware. There are lots of ways to do this, but the easiest is to just send the alerts to IRC.

This involves an IRC bot, and fortunately Google already had one publicly available we could run. The alertrelay bot connects to IRC on one end and alertmanager on the other and passes alerts to an IRC channel where all the maintainers are. We can’t acknowledge the alerts from IRC, but most of the time we’re just generally keeping an eye on things and making sure no part of the fleet crashes in a way that automatic recovery doesn’t work.

Monitoring for Void - Altogether

Between metrics and logs we can paint a complete picture of what’s going on anywhere in the fleet and the status of key systems. Whether its a performance question or an outage in progress, the tools at our disposal allow us to introspect systems without having to log in directly to any particular system.

This has been day three of Void’s infrastructure week. Check back tomorrow to learn about what we do when things go wrong, and how we recover from failure scenarios. This post was authored by maldridge who runs most of the day to day operations of the Void fleet. Feel free to ask questions on GitHub Discussions or in IRC.

What Does Void Do With the Infrastructure?

Yesterday we looked at what kinds of infrastructure Void has, how its managed, and what makes each kind unique and differently suited. Today we’ll look at what runs on the infrastructure, and what it does. We’ll then finally look at how we make sure it keeps running in the event of an error or disruption.

Two Kinds of Services

Void runs, broadly speaking, two different categories of services. In the first category, we have the tooling that supports maintainers and makes it easier or in some cases possible to work on Void. These are services that most users are unaware of, and in general don’t interact with. In the second category of services are systems that general end users of Void interact with and are more likely to know about or recognize.

Public Services

We’ll first talk about public services that are broadly available to both maintainers and general consumers of Void Linux. These are almost, but not entirely, web based services that are accessed via a browser. See how many of these services you recognize.

Void’s Website

Void’s website (the one you are reading right now) is a GitHub pages Jekyll site. This content is checked into git rendered by a worker process in the GitHub network, and then published to a CDN where you can read it. Additionally the Jekyll software produces feeds suitable for consumption in an RSS reader. The website is probably our simplest service and the easiest to copy on your own since it requires no special infrastructure, just a GitHub account to setup.

Void Mirrors

Void’s mirrors are simple nginx webservers that host static copies of all our software. This also includes some other sites that include content that we host ourselves, such as the docs site and the dedicated infrastructure docs site. We host these from our own system since they both use mdbook, which is not as straightforward to use with a hosting service like GitHub Pages. We also run these sites this way so that they are broadly copied in the event of a failure in any of our systems. Did you know you can go to /docs on any mirror to read the Void handbook?

Popcorn

Popcorn is a package statistics service that provides information about the popularity of packages as provided by systems that have opted in to have their package information reported. Though we are evaluating ways to replace the data provide by Popcorn, it still provides good real-world data on package installs. You can learn more about Popcorn in the handbook.

Source Site

The Sources Site (https://sources.voidlinux.org) provides a copy of all the sources as our build servers consumed them. This provides a way for us to quickly and easily make sure that we have the same source to troubleshoot a bad build with when finding the fault may require more than just the build error logs.

xq-api

Some functionality on our website requires the ability to query the Void repository data. This is accomplished by fronting the repository data by a service called xq-api which provides query functionality on top of the repodata files. The data is refreshed frequently, so new packages quickly show up in the website search results as well as making sure that packages that are no longer available in our repos are removed promptly.

Old Wiki Snapshot

At one time prior to the introduction of our docs site, Void maintained a MediaWiki instance. While MediaWiki is extremely powerful software and is a great choice for hosting a wiki, Void found that our wiki was being slowly filled with hyper-specific guides, lots of abandoned pages, and lower quality versions of pages that exist on the Arch Linux Wiki. While we ported over a large number of pages to the docs that remained generally applicable, we also felt it was important to archive the entire wiki as it appeared before releasing the resources powering it. This was accomplished using a wiki crawler which could convert the wiki itself into an archive format that we now serve with kiwix server. You can find that old content at https://wiki.voidlinux.org should it interest you.

Online Man Pages

Void makes available a copy of all the contents of our man page database online so users can easily search for commands even when not on a Void enabled system, such as during install time when internet access may not be available yet from a Void device. This service involves a task which routinely extracts the man pages from all packages using a program that is specific to XBPS, and then the files are arranged on disk to be served by the mdocml man page server, which is a program we obtain from OpenBSD. You can browse our online manuals at https://man.voidlinux.org.

Services that help Maintainers

Not all services are meant for public consumption. A number of Void’s services are meant to help maintainers be more productive, produce build artifacts, or generally make our workflows easier to accomplish.

Build Pipeline

The build pipeline was discussed in detail in another post, but we’ll recap that post here. In general there are a handful of powerful servers that we run automated compiler tasks on that run xbps-src whenever the contents of void-packages is updated. Once the packages are built, they are collected to a central point, signed cryptographically to attest that they are in fact packages produced by Void, and then they are copied out to mirrors around the world for users to download.

The build pipeline is the single largest collection of moving parts within our infrastructure, and is usually the component that breaks the most often as it has many exciting failure modes. Some of the author’s favorites include running out of disk, stuck connection poll loops, and rsync just wandering off instead of synchronizing packages.

Email

Void maintainers have access to email on the voidlinux.org domain. To provide this service, Void runs an email server. We make use of maddy which provides a convenient all in one mail server. It works well at our scale, and doesn’t require a significant amount of maintainer time to make work. Though most of us access the mail using a combination of desktop and CLI clients, we also run a copy of the Alps web frontend which allows quick and easy access to mail when away from normal console services.

DevSpace

Sometimes when preparing a fix or updating a package, a maintainer will want to share this new built artifact with others to gather feedback or see if the fix works. To enable this quickly and easily, we have a dedicated webserver and SFTP share box for these files. You can see things we’re currently working on or haven’t yet cleaned up at https://devspace.voidlinux.org/ where the files are organized by maintainer.

Sometimes end users will be asked to fetch a build from devspace when filing an issue ticket to verify that a particular fix works, or that a given problem continues to exist when rebuilding a package or disk image from clean sources.

void-robot and void-fleet

Void’s team communicates primarily via IRC. In order to allow our infrastructure to communicate with us, we have a pair of IRC bots that inform us of status changes. The more chatty of the bots, void-robot tells us when PRs change status or when references change on Void’s many git repos. This allows us to know when changes are going out, and its not uncommon for a maintainer to just ping someone else with a single ^ to gesture at a push or reference the bot has printed to the channel.

The second bot speaks on behalf of our monitoring infrastructure and notifies us when things break or when they’re resolved. We’ll take a deeper look at monitoring in a future post and look more at what this bot does then.

Nomad, Consul & Vault

Many of Void’s more modern services run on top of containers managed by Hashicorp Nomad. These services retrieve secrets from Hashicorp Vault, and can locate each other using Hashicorp Consul. The use of these tools allows us to largely abstract out what provider any given software is running on and where it resides in the world. This also makes it much easier when we need to replace a host or take one down for maintenance without interrupting access to user facing services.

The use of well understood tools like the Hashistack also makes it much easier for us to subdivide systems and check components locally.

NetAuth

With all these services, it would be inconvenient for maintainers to need to maintain separate usernames and passwords for everything. In order to avoid this, we use Single Sign On concepts where all services that support it reach out to a centralized secure authentication service. You can read more about NetAuth at https://netauth.org.

How Does All This Get Run?

For some of Void’s older services, notably the build farm itself, our services are configured, provisioned, and maintained using Ansible just like the underlying OS configuration. This works well, but has some drawbacks in being difficult to test, difficult to change in an idempotent way, and difficult to explain to others since its firmly the realm of infrastructure engineering. Trying to explain to someone how a hundred lines of yaml gets converted into a working webserver requires detours through a number of other assorted technologies.

Void’s newer services run uniformly as containers and are managed by Nomad. This enables us to dynamically move workloads around, have machines self-heal and update in coordination with the fleet, and to provide a lens into our infrastructure for people to see. You can explore all our running containers in a limited read-only context by looking at the nomad dashboard. Before you go trying to open a security notice though, we’re aware that buttons that shouldn’t be visible look like they’re clickable. Rest assured that the anonymous policy that provides the view access can’t actually stop jobs or drain nodes (we’ve reported this UI bug a few times already).

What Nomad does under the hood is actually really clever. It assesses what we want to run, and what resources we have available to run it. It then applies any constraints we’ve set on the services themselves. These constraints encode information like requiring locality to a particular disk in the fleet, or requiring that two copies of a service reside on different hosts. This then gets converted into a plan of what services will run where, and the workload of applications is distributed to all machines in the fleet. If a server fails to check in periodically, the workload on it is considered “lost” and can be restarted elsewhere if allowed. When we need to move between providers or update hardware, Nomad provides a way for us to quickly and easily work out how much of a machine we’re actually consuming as well as actually performing the movement of the services from one location to another.

While Nomad is very clever and makes a lot of things much easier, we do still have a number of services that run directly on the Void system installed to the machines. For services that run on top of the metal directly we almost always use runit to supervise the tasks and restart them when they crash. This works well, but does tightly couple the service to the machine on which it is installed, and requires coordination with Ansible to make sure that restarts happen when they are supposed to during maintenance activities. For services that run in containers, we can simply set the restart policy on the container and allow the runtime to supervise the services as well as any cascading restarts that need to happen, such as when certificates are renewed or rotated.

In general, all our services have at least one layer of service supervision in the form of Void’s runit-based init system, and in many cases more application specific level supervision occurs, often with status checks to validate and check assumptions made about the readiness of a service.

This has been day two of Void’s infrastructure week. Check back tomorrow to learn about how we know that the services we run are up, and how we verify that once they’re up, they’re behaving as expected.. This post was authored by maldridge who runs most of the day to day operations of the Void fleet. Feel free to ask questions on GitHub Discussions or in IRC.

This week we’ll be taking a look into the infrastructure that runs and operates Void. We’ll look at what we run, where it runs, and why it is setup the way it is. Overall at the end of the week you should have a better understanding of what actually makes Void happen at a mechanical level.

So What Is Infrastructure, Like Really?

Infrastructure, as the term is used by Void, refers to systems, services, or machines that are owned or operated by the Void Linux project to provide the services that make Void a reality. These services range from our build farm and mirror infrastructure, to email servers for maintainers, to hosted services such as the Fastly CDN mirror. Void runs in many places on many kinds of providers, so lets take a deeper look into the kinds of hosts that Void makes use of.

Owned Physical Hardware

The easiest to understand infrastructure that Void operates is physical hardware. These are computers in either server form factors, small form factor systems, or even just high performance consumer devices that are used by the project to provide compute resources for the software we need to run. Our hardware resources are split across a number of datacenters, but the point of commonality of owned physical hardware is that someone within the Void project actually bought and owns the device we’re running on.

Owning the hardware is very different from a Cloud model where you pay per unit time that the resources are consumed, instead hardware like this is usually installed in a datacenter and co-located with many other servers. If you’ve never had the opportunity to visit a datacenter, they are basically large warehouse style buildings with rows of cabinets each containing some number of servers with high performance network and cooling available. The economy of scale of getting so many servers together in one location makes it more cost effective to provide extremely fast networks, high performance air conditioning, and reliable power usually sourced from multiple different grid connections and on-site redundant supplies.

Void currently maintains owned machines in datacenters in the US and Europe. Since we don’t always have maintainers who live near enough to just go to the datacenter, when things go wrong and we need to go “hands-on” to the machines, we have to make use of “Remote Hands”. Remote Hands, sometimes called “Smart Hands” refers to the process wherein we open a ticket with the datacenter facility explaining what we want them to do, and which machine we want them to do it to. There’s usually a security verification challenge-response that is unique to each operator, but after some shuffling, the ticket is processed and someone physically goes to our machines and interacts with them. Almost always the ticket will be for one of 2 things: some component has failed, and we would like to buy a new one and have it installed (hard drives, memory) or the machine has become locked up in some way that we just need them to go hold in the power button. Most of our hardware doesn’t have remote management capability, so we need someone to go physically push the buttons.

Occasionally, the problems are worse though, and we need to actually be able to interact with the machine. When this happens, we’ll request that a KVM/iKVM/Spider/Hydra be attached, which provides a kind of remote desktop style of access, wherein an external device presents itself as a mouse and keyboard to the machine in question, and then streams the video output back to us. We can use these devices to be able to quickly recover from bad kernel updates, failed hardware, or even initial provisioning if the provider doesn’t natively offer Void as an operating system choice, since most KVM devices allow us to remotely mount a disk image to the host as though a USB drive were plugged in.

Owned hardware is nice, but its also extremely expensive to initially setup, and is a long-term investment where we know we’ll want to use those resources for an extended period of time. We have relatively few of these machines, but the ones we do have are very large capacity, high performance servers.

Donated/Leased Hardware

Owning hardware is great, but a specific set of circumstances have to happen for that to be the right choice. The vast majority of Void’s hardware is leased or is leased hardware which is donated for our use. This is hardware that operates exactly the same as physical owned hardware above, but we usually commit to these machines in increments ranging from several months to a year, and can renew or change the contract for the hardware more easily. Most of the build machines fall into this category, since it allows us to upgrade them regularly and ensure we’re always making good use of the resources that are available to us.

Interacting with this hardware is usually a little different from hardware we physically own. Since this hardware comes from facilities where many of the same kind of machine is available, usually more automation exists to be able to remotely manage the systems. In particular we make use of a lot of hardware from Hetzner in Germany and Finland where we make use of the Hetzner Robot to remotely reboot and change the boot image of machines. For hardware that is donated to us, we usually have to reach out to the sponsor and ask them to file the ticket on our behalf since they are the contract holder with the facility. In some cases they’re able to delegate this access to us, but we always keep them in the loop regardless.

Cloud Systems

For smaller machines, usually having fewer than 4 CPU cores and less than 8GB of memory, the best option available to us will be to get the machine from a cloud. We currently use two cloud hosting providers for machines that are on all the time, and have the ability to spin up additional capacity in two other clouds.

We run a handful of machines at DigitalOcean to provide our control plane services that allow us to coordinate the other machines in the fleet, as well as to provide our single-sign-on services that let maintainers use one ID to access all Void related services and APIs. DigitalOcean has been a project sponsor for several years now, and they were the second cloud provider to get dedicated Void Linux images.

For cloud machines that need to have a little more involved configuration, we run on top of the Hetzner cloud where our existing relationships with Hetzner make it easier for us to justify our requirements, and our longer account standing shows that we’re not going to do dumb things on the platform, like run an open forwarder. Running a mail server on a cloud is itself somewhat challenging, and will be talked about later this week in more detail, so make sure to check back for more in this series.

Though we do not actively run services on AWS or GCP, we do maintain cloud images for these platforms. Sadly in GCP it is not possible for us to make our images broadly available, but it is relatively easy for you to create your own image if you desire to run Void on GCP. Similarly, you can run Void on AWS and make use of their wide service portfolio. We have evaluated in the past providing a ready to run AMI for AWS, but ultimately concluded the trade-off wasn’t worth it. If you’re interested in having a Void image on AWS, let us know.

How We Provision the Fleet

Void’s fleet spans multiple technologies and architectures, which makes provisioning it a somewhat difficult to follow process. In order of increasing complexity, we have manually managed provisioning, automatically managed OS provisioning and application provisioning, and full environment management in our cloud hosting environments.

Manually Managed

This is the most familiar to the average Void user, we just perform these steps remotely. We’ll power on a machine, boot from the live installer, and install the system to disk (almost always with a RAID configuration). Once the machine is installed and configured, we can then manage it remotely like any other machine in the fleet using our machine management tools.

Imaged Resources

Some systems we run use a Void Linux image to perform the installation. These are usually smaller VMs being hosted by the members of the Void project in slack space on our own servers, and so the automation of a large hosting company doesn’t make sense. These are systems usually running qemu and where the system gets unpacked from an image that the administrator will have prepared in advance containing the qemu guest agent and possibly other software required to connect to the network.

Cloud Resources

Cloud managed resources are probably the most exciting of the systems we operate. These are generally managed using Hashicorp Terraform as fully managed environments. By this we mean that the very existence of the virtual server is codified in a file, checked into git, and applied using terraform to grow or shrink the number of resources.

We can only do this in places though that provide the APIs needed to manage resources in this way. We currently have the most resources at DigitalOcean managed with terraform, where our entire footprint on the platform is managed this way. This works out extremely conveniently when we want to add or remove machines, since its just a matter of editing a file and then re-running terraform to make the changes real. Beyond machines though, we also host the DNS records for voidlinux.org in a DigitalOcean DNS Zone. This enables us to easily track changes to DNS since its all in the console, but managed via a git-tracked process.

Having support for terraform is actually a major factor in deciding if we’ll use a commercial hosting service or not. Remember that Void has developers all over the world in different time zones speaking different languages with different availability to actually work on Void. To make it easier to collaborate, we can apply the exact same workflows of distributed review and changes that make void-packages work to void-infrastructure and make feature branches for new servers, send them out for review, and process changes as required.

Making the Hardware Useful: Provisioning Services

For services like DigitalOcean’s hosted DNS or Fastly’s CDN, once we push terraform configuration we’re done and the service is live. This works because we’re interfacing with a much larger system and just configuring our small partition of it. For most of Void’s resources though, Void runs on machines either physical or virtual, and once the operating system is installed, we need to apply configuration to it to install packages, configure the system, and make the machines do more than just idle with SSH listening.

Our tool of choice for this is Ansible, which allows us to express a series of steps as yaml documents that when applied in order, configure the machine to have a given state. These files are called “playbooks” and we have multiple different playbooks for different machine functions, as well as functions common across the fleet. Usually upon provisioning a new machine, our first task will be to run the base.yml playbook which configures single sign on, DNS, and installs some packages that we expect to have available everywhere. After we’ve done this base configuration step, we apply network.yml which joins the machines to our network. Given that we run in so many places where different providers have different network technologies that are, for the most part, incompatible and proprietary, we need to operate our own network based on WireGuard to provide secure connectivity machine to machine.

When we have internal connectivity to Void’s private network available, we can finalize provisioning by running any remaining playbooks that are required to turn the machine into something useful. These playbooks may install services directly, or install a higher level orchestrator that dynamically coordinates services. More on the services themselves later in the week.

Why Does Void Run Where it Does?

Alternatively, why doesn’t Void make use of cloud <x> or hosting provider <y>. The simple answer is because we have sufficient capacity with the providers we’re already in and it takes a non-trivial amount of effort to build out support for new providers.

The longer answer has to do with the semi-unique way that Void is funded, which is entirely by the maintainers. We have chosen not to accept monetary donations since this involves non-trivial understanding of tax law internationally, and for Void, we’ve concluded that’s more effort than its worth. As a result, the selection of hosting providers are either hosts that have reached out and were willing to provide us with promotional credits on the understanding that they were interacting with individuals on behalf of the project, or places that Void maintainers already had accounts and though the services were good quality and good value to run resources for Void.

We regularly do re-evaluate though where we’re running and what resources we make use of both from a reliability standpoint as well as a cost standpoint. If you’re with a hosting provider and want to see Void running in your fleet, drop us a line.

This has been day one of Void’s infrastructure week. Check back tomorrow to learn about what services we run, how we run them, and how we make sure they keep running. This post was authored by maldridge who runs most of the day to day operations of the Void fleet. Feel free to ask questions on GitHub Discussions or in IRC.

We’re pleased to announce that the 20230628 image set has been promoted to current and is now generally available.

You can find the new images on our downloads page and on our many mirrors.

Some highlights of this release:

• Installing using the network source no longer fails to create the non-root user (@classabbyamp in #319)
• The xbps mirror can now be selected in the installer using xmirror (@classabbyamp in #318)
• The xfce live ISO now uses LightDM (@paper42 in #324)
• GRUB will no longer fail to be installed in some partition layouts/orders (@classabbyamp in #328)
• Various improvements to the installer (@dateiexplorer in #334)
• Xfce live ISOs now use pipewire for audio, and base ISOs now include ALSA (@classabbyamp in #348)
• Live ISOs now include several new boot options, including screenreader-enabled, memtest86+, reboot, shutdown, and EFI firmware setup (@classabbyamp in #295 and #348)

The console screenreader espeakup, the braille TTY driver brltty, and the GUI screenreader orca are now included in all live ISOs for x86_64 and i686. To learn more about this, read the documentation in the Void Linux Handbook.

You may verify the authenticity of the images by following the instructions on the downloads page, and using the following minisign key information:

untrusted comment: minisign public key 5D7153E025EC26B6
RWS2Juwl4FNxXe0NtAdYushNLM3GtJ6poGkZ0Up1P/9YLcCK4xlSWAfs

Pipewire session manager switch

Void has now dropped the long-deprecated pipewire-media-session session manager from its pipewire package, bringing it inline with the upstream default configuration. If you are currently using pipewire, you must migrate to wireplumber or pipewire will cease to function properly. Refer to Void documentation if you need guidance when making this change.

Pipewire and PulseAudio system service removal

The oft-confusing services for pipewire, pipewire-pulse, wireplumber, and pulseaudio have been removed from the pipewire, wireplumber, and pulseaudio packages because they were experimental and should not have been used for almost all use-cases.

If you are currently using those services and still wish to do so, replacements for the pipewire and pulseaudio services can be found in /usr/share/examples/$pkgname/sv/. Otherwise, it is recommended to migrate to another method of launching pipewire. Refer to Void documentation if you need guidance.