Compile Garage with Nix #117
No reviewers
Labels
No labels
AdminAPI
Bug
Check AWS
CI
Correctness
Critical
Documentation
Ideas
Improvement
Low priority
Newcomer
Performance
S3 Compatibility
Testing
Usability
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: Deuxfleurs/garage#117
Loading…
Reference in a new issue
No description provided.
Delete branch "feature/static"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR provides 2 things:
nix-shell
nix-build
It also implies some modifications to Drone:
To release a binary, pick a commit on Drone and promote it.
To release an extra binary, publish a tag and promote the Drone build.
To release a stable binary, publish a tag matching this regex
v[0-9]+\.[0-9]+\.[0-9]+
, and promote the Drone build.Dev notes
Nix could be an elegant way to track our dependencies and cross-compile Garage. This PR tracks my tests and must not be merged yet.Goals
Features
Working:
armv7l
)shell.nix
Remaining to do for this PR:
Ideally:
Not tested yet:
Targets
I also add to the command line
--max-jobs auto --cores $(nproc)
.[OK] Linux, x86_64, Static:
[OK] Linux, aarch64, Static:
[OK] Linux, i686, Static
[OK] Linux, armv7l, Dynamic
[OK] Linux, armv6lhf, Static
[KO] Windows, x86_64 -
x86_64-pc-windows-gnu
not considered but could be easy:
powerpc64le-unknown-linux-musl
OR linux power pc 64bits (ppc64-musl)powerpc64-unknown-linux-musl
x86_64-unknown-netbsd
From the nix documentation:
So I suggest we compile for:
Build, Sign and Cache
Signing keys are generated with:
We copy the secret key in our nix folder:
Manually sign
We can sign the whole store with:
Or simply the current package and its dependencies with:
Setting a key in
nix.conf
will do the signature at build time automatically without additional commands, edit thenix.conf
of your builder:Now you are ready to build your packages:
More example of nix-copy
Clear the cache:
A desirable
nix.conf
for a consumer:And now, whenever you run a command like:
Our cache will be checked.
Legacy, if you do not want to modify
nix.conf
Now, to fetch, running the following command as root worked:
We have many problems:
nix.conf
withrequire-sigs = false
nix.conf
eg.trustedUsers = ["quentin", "root"]
Test strategy
Goals:
Pseudo script for testing:
Pseudo script for promotion:
Drawbacks
cargo2nix -f
each time we add/change a dependency to generateCargo.nix
. Dependencies in this output file are not sorted and thusdiff
is not exploitable yet (there is an issue on the upstream project)--max-jobs
(build multiple derivations at once) and--cores
(use multiple core to build a derivation).auto
set the value to the number of cores you have.crdt
andreplication
ingarage_table
), you must list them indefault.nix
x86_64-pc-windows-gnu
but mingw needx86_64-w64-mingw32
git_version
does not workDrone's Drawbacks
Ref
https://doc.rust-lang.org/nightly/rustc/platform-support.html
https://nix.dev/tutorials/cross-compilation
https://nixos.org/manual/nix/unstable/package-management/s3-substituter.html
https://fzakaria.com/2020/09/28/nix-copy-closure-your-nix-shell.html
http://www.lpenz.org/articles/nixchannel/index.html
95e5036bc3
toe1747b96d2
27e1997530
tod31dd7987f
WIP: Compile Garage with Nixto Compile Garage with Nixd31dd7987f
to46ad81ddc0
I'm very happy with this PR!
I agree we should merge this ASAP, as long as it is not in a broken state (I trust Quentin for this). Most (all?) of the remarks here can be kept for other PRs we will open later.
Question: do we really need
Cargo.nix
to be in the repository? If it is deterministcally generated fromCargo.lock
, can't we generate it dynamically when it is needed?About the patched
cargo2nix
, my worry is that we will have to maintain the patched version forever. We should therefore try to either 1/ upstream our patch, OR 2/ find a workaround to do the same thing with the non-patched version.Why exactly does
git_version!
not work when building using Nix? Is there a solution to this? Has anyone else had this problem when building with Nix, and what solution have they found?For the CI it's good we have a pipeline that is as fast as possible for all commits, and that does the minimum. This means for example that we want to parallelize steps as much as possible, we don't want to lose time rebuilding caches (we can do this asynchronously with a cron), etc. I think we're already gaining a lot of speed with the Nix docker volume, can we go further and split the pipeline that does build+test from the one that does fmt+clippy? (so that they can run in parallel)
@ -12,1 +15,4 @@
environment:
HOME: /drone/garage
steps:
To speed up the CI, I was thinking we could do these steps in parallel pipelines:
I think we should study that in a separate PR
@ -106,0 +107,4 @@
- |
nix copy --to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage&secret-key=/etc/nix/signing-key.sec' \
$(nix-store -qR --include-outputs \
$(nix-instantiate --argstr target x86_64-unknown-linux-musl --arg release false))
Do we really want to update the cache with all intermediary builds? Its taking time in the CI and it will make the bucket grow uncontrolably. Maybe we can do this not at all commits but on a nightly trigger, OR rely on the nix docker volume exclusively for these artifacts.
it should be done only through a cron now.
@ -140,0 +175,4 @@
temp: {}
environment:
TARGET: x86_64-unknown-linux-musl
Can't we factorize these many pipelines into only one? In application of "don't repeat yourself", it limits the number of changes to make when we want to make a change, and it limits the chance of making a mistake.
If the only reason is performance (with many pipelines builds run in parllel), maybe we can say for now it is not important, and we will have it again when we template the .yml file?
I think we should put that in another PR, where we use a different CI or we use jsonnet or starlark
@ -140,0 +207,4 @@
- name: nix_config
path: /etc/nix
commands:
- nix-shell --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
Do we really want to run this here? It was already ran for this commit in the non-promoted pipelines.
I am convinced we want to run our tests on the release binary we will publish and not suppose that the same source code built earlier in debug will generate this time a working release build.
(Let's suppose we have 2 runners and 1 is buggy in a very strange way. We build on debug on the 1st one and we release on the 2nd one a non-tested binary that is broken)
@ -4,4 +0,0 @@
clear; cargo build
doc:
cd doc/book; mdbook build
Can we please keep at least the
all
anddoc
targets?A makefile acts like a kind of documentation: many devs will just try typing "make" to see what happens, and it can bootstrap them quickly if they don't know the cargo or mdbook commands.
Done
@ -18,0 +50,4 @@
```
nix-build
```
Mention here the following variants:
nix-build -j <n>
for faster buildnix-build --arg release true
for optimized buildIf you copied our nix.conf file, you should already have
-j xx
preconfigured. Will try to explain that betterModified with many examples
@ -18,0 +60,4 @@
cargo2nix -f
```
Many tools like rclone, mc (minio-client), or awscli will be available in your environment and will be useful to test Garage.
the mention of
awscli
is misleading, the tool is actually calledaws
on the command line (aws s3 cp ...
)aws
is the name of the command,awscli
is the name of the package.Some references:
But I think I will put the command first and the package name between parenthesis.
@ -0,0 +163,4 @@
drone info
```
The CLI tool is very self-discoverable, just happen `--help` to each subcommands.
append*
Forgot this comment:
.drone.yml
is long and I don't like the fact that we are repeating the same thing three or four times. If we could merge these four sections into only one (at the cost of not running them in parallel) that would be nice for this PR.The output .nix file is not deterministic (the tool has some unsorted arrays that are not always output in the same order) but the generated derivation should be deterministic.
Integrating in our Nix build may not be that simple as currently this file is a dependency of our build.
We can still keep in mind this for a future PR.
I have already opened a PR here: https://github.com/cargo2nix/cargo2nix/pull/201.
There is no possible workaround, the only option would be to drop cargo2nix.
Because git_version calls git and expect a
.git
folder. In Nix, we copy only the files of each crate in a clean environment, we do not have access to the.git
folder. In many cases, it is even considered an undesirable side effect, here we have a sub-crate (src/garage) that is dependant of the main project (.git) and this information is not shipped when the program is installed viacargo bin
or through a tarball.I do not have a precise example but, when programs have undesired side effects at compile time, often nix packagers just patch them. A similar example is when a program try to put its build date in the final binary.
I think having an environment variable at build time is the most packaging friendly way to track fron which source the program has been compiled, and it can be adapted to many packaging approaches.
We might do that but we could also improve cargo2nix to cache clippy intermediate steps. But it is blocked by this issue: https://github.com/cargo2nix/cargo2nix/issues/107
46ad81ddc0
todc017a0cab