Upgrade CI pipeline, fix static builds #345

quentin · 2022-07-26T16:26:34Z

quentin commented

2022-07-26 16:26:34 +00:00

Changelog:

Add a check when a release binary is built to ensure it is static
Fix building logic of linux/arm and linux/arm64 that were wrongly built as dynamic
Upgrade building containers to nix 22.05
~~[X] Change runner requirements, we don't need specific runners anymore for Nix (you can drop the Nix tag, the volume mount and do not need to perform manual warmup anymore)~~
Make default.nix easier and more idiomatic to use. For example, you can build a release binary with nix-build -A pkgs.amd64.release now. This is closer to how Nix Flakes work.
Integrate Clippy in nix-build (nix-build -A clippy.amd64). It has 2 benefits compared to running clippy from a nix shell: 1. it leverages Nix caching 2. it builds a working binary that can be directly used in test-smoke.sh.
Use a patched version of cargo2nix that fixes this bug: https://github.com/cargo2nix/cargo2nix/issues/238 - When we have a complex project + a crate (eg. openssl) that has some "propagated build inputs", cargo2nix tends to duplicate similar values. In the end, the openssl propagated build inputs was repeated thousand of times. My patch to fix the bug: 486675c672. Later, I plan to bump cargo2nix on Garage, port this patch, and at the same time open a PR to upstream it.
Introduce a new type of Nix runner named nix-daemon. They have many benefits over the prior builder:
- A nix maintenance step is not needed anymore in Drone
- Mounting volumes on each step is not needed anymore, volumes are directly injected by the runner in each step. Theoretically, it could work even on non trusted builds (this is a Drone config parameter on some repo, required to mount host volumes for example).
- Concurrent builds are correctly supported, even across different projects
- nix-build are now sandboxed, so builds are even more reproducible
- (bonus) the nix-daemon can be configured to distribute a single build on many other runners thanks to distributed builds
- (bonus) currently, the runner can directly write in the nix store which breaks isolation. But the docker daemon can be configured to prevent this. Also, the drone-docker-runner can be patched to support mounting as read only /nix/store. One of this change would make our nix operations 100% sandboxed and isolated from one another.

Instructions to setup a new runner can be found here: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/src/branch/main/app/drone-ci/integration#install-the-runner

Changelog: - [X] Add a check when a release binary is built to ensure it is static - [X] Fix building logic of linux/arm and linux/arm64 that were wrongly built as dynamic - [X] Upgrade building containers to nix 22.05 - <del>[X] Change runner requirements, we don't need specific runners anymore for Nix (you can drop the Nix tag, the volume mount and do not need to perform manual warmup anymore)</del> - [X] Make default.nix easier and more idiomatic to use. For example, you can build a release binary with `nix-build -A pkgs.amd64.release` now. This is closer to how Nix Flakes work. - [X] Integrate Clippy in `nix-build` (`nix-build -A clippy.amd64`). It has 2 benefits compared to running clippy from a nix shell: 1. it leverages Nix caching 2. it builds a working binary that can be directly used in `test-smoke.sh`. - [X] Use a patched version of `cargo2nix` that fixes this bug: https://github.com/cargo2nix/cargo2nix/issues/238 - When we have a complex project + a crate (eg. openssl) that has some "propagated build inputs", cargo2nix tends to duplicate similar values. In the end, the openssl propagated build inputs was repeated thousand of times. My patch to fix the bug: https://github.com/superboum/cargo2nix/commit/486675c67249e735dd7eb68e1b9feac9db102be7. Later, I plan to bump cargo2nix on Garage, port this patch, and at the same time open a PR to upstream it. - [X] Introduce a new type of Nix runner named `nix-daemon`. They have many benefits over the prior builder: - A `nix maintenance` step is not needed anymore in Drone - Mounting volumes on each step is not needed anymore, volumes are directly injected by the runner in each step. Theoretically, it could work even on non trusted builds (this is a Drone config parameter on some repo, required to mount host volumes for example). - Concurrent builds are correctly supported, even across different projects - `nix-build` are now sandboxed, so builds are even more reproducible - (bonus) the nix-daemon can be configured to distribute a single build on many other runners thanks to [distributed builds](https://nixos.wiki/wiki/Distributed_build) - (bonus) currently, the runner can directly write in the nix store which breaks isolation. But the docker daemon can be configured to prevent this. Also, the drone-docker-runner can be patched to support mounting as read only `/nix/store`. One of this change would make our nix operations 100% sandboxed and isolated from one another. Instructions to setup a new runner can be found here: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/src/branch/main/app/drone-ci/integration#install-the-runner

quentin referenced this pull request

2022-07-26 16:27:04 +00:00

Check that compiled binaries are static + fix static compilation #344

quentin force-pushed ci/bump-nix-img from 684019c7fa to fcb04843f7

2022-07-26 16:27:58 +00:00

Compare

lx reviewed 2022-07-28 08:35:40 +00:00

.drone.yml Outdated

					
				@ -26,3 +26,2 @@

				    commands:

				      - cp nix/nix.conf /etc/nix/nix.conf

				      - nix-build --no-build-output --no-out-link shell.nix --arg release false  -A inputDerivation

				    - "[ -d /mnt/store/3vpyn2qz5ay057nq9x68sh0r328d77ng-nix-2.8.1/ ] || (mkdir -p /mnt/store && cp -r /nix/store/* /mnt/store/)"

lx commented

2022-07-28 08:23:23 +00:00

What if the image nixos-22.05 is updated and the hash 3vpyn2qz5ay057nq9x68sh0r328d77ng-nix-2.8.1 changes? We don't want to copy files uselessly every time. Could we find another solution to detect whether the copy needs to be made? For instance we could have a custom file name and just touch it after copying files.

What if the image `nixos-22.05` is updated and the hash `3vpyn2qz5ay057nq9x68sh0r328d77ng-nix-2.8.1` changes? We don't want to copy files uselessly every time. Could we find another solution to detect whether the copy needs to be made? For instance we could have a custom file name and just `touch` it after copying files.

lx commented

2022-07-28 08:48:45 +00:00

OR: freeze the docker image using a hash and not a tag

quentin commented

2022-07-29 06:48:17 +00:00

Solved by changing how we handle Nix runners

quentin force-pushed ci/bump-nix-img from 1b79852e64 to a20a55efa9

2022-07-28 10:13:30 +00:00

Compare

quentin changed title from ~~Upgrade CI pipeline, fix static builds~~ to WIP: Upgrade CI pipeline, fix static builds

2022-07-28 10:31:53 +00:00

quentin force-pushed ci/bump-nix-img from 19cd8ae752 to 3ef9b3a650

2022-07-29 06:36:17 +00:00

Compare

quentin force-pushed ci/bump-nix-img from 3ef9b3a650 to a184f0d0b5

2022-07-29 06:37:46 +00:00

Compare

quentin changed title from ~~WIP: Upgrade CI pipeline, fix static builds~~ to Upgrade CI pipeline, fix static builds

2022-07-29 06:46:52 +00:00

lx merged commit a184f0d0b5 into main

2022-07-29 10:23:52 +00:00

Sign in to join this conversation.

No reviewers

No milestone

No project

No assignees

2 participants

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#345

Rows
Columns