Deuxfleurs
/
garage
43
37
Fork 55
Code Issues 69 Pull Requests 4 Releases 29 Wiki Activity

Upgrade CI pipeline, fix static builds #345

Merged
lx merged 7 commits from ci/bump-nix-img into main 2022-07-29 10:23:52 +00:00
Conversation 0 Commits 7 Files Changed 7 +397 -461
quentin commented 2022-07-26 16:26:34 +00:00
Owner
Copy Link

Changelog:

  • Add a check when a release binary is built to ensure it is static
  • Fix building logic of linux/arm and linux/arm64 that were wrongly built as dynamic
  • Upgrade building containers to nix 22.05
  • Change runner requirements, we don't need specific runners anymore for Nix (you can drop the Nix tag, the volume mount and do not need to perform manual warmup anymore)
  • Make default.nix easier and more idiomatic to use. For example, you can build a release binary with nix-build -A pkgs.amd64.release now. This is closer to how Nix Flakes work.
  • Integrate Clippy in nix-build (nix-build -A clippy.amd64). It has 2 benefits compared to running clippy from a nix shell: 1. it leverages Nix caching 2. it builds a working binary that can be directly used in test-smoke.sh.
  • Use a patched version of cargo2nix that fixes this bug: https://github.com/cargo2nix/cargo2nix/issues/238 - When we have a complex project + a crate (eg. openssl) that has some "propagated build inputs", cargo2nix tends to duplicate similar values. In the end, the openssl propagated build inputs was repeated thousand of times. My patch to fix the bug: 486675c672. Later, I plan to bump cargo2nix on Garage, port this patch, and at the same time open a PR to upstream it.
  • Introduce a new type of Nix runner named nix-daemon. They have many benefits over the prior builder:
    • A nix maintenance step is not needed anymore in Drone
    • Mounting volumes on each step is not needed anymore, volumes are directly injected by the runner in each step. Theoretically, it could work even on non trusted builds (this is a Drone config parameter on some repo, required to mount host volumes for example).
    • Concurrent builds are correctly supported, even across different projects
    • nix-build are now sandboxed, so builds are even more reproducible
    • (bonus) the nix-daemon can be configured to distribute a single build on many other runners thanks to distributed builds
    • (bonus) currently, the runner can directly write in the nix store which breaks isolation. But the docker daemon can be configured to prevent this. Also, the drone-docker-runner can be patched to support mounting as read only /nix/store. One of this change would make our nix operations 100% sandboxed and isolated from one another.

Instructions to setup a new runner can be found here: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/src/branch/main/app/drone-ci/integration#install-the-runner

Changelog: - [X] Add a check when a release binary is built to ensure it is static - [X] Fix building logic of linux/arm and linux/arm64 that were wrongly built as dynamic - [X] Upgrade building containers to nix 22.05 - <del>[X] Change runner requirements, we don't need specific runners anymore for Nix (you can drop the Nix tag, the volume mount and do not need to perform manual warmup anymore)</del> - [X] Make default.nix easier and more idiomatic to use. For example, you can build a release binary with `nix-build -A pkgs.amd64.release` now. This is closer to how Nix Flakes work. - [X] Integrate Clippy in `nix-build` (`nix-build -A clippy.amd64`). It has 2 benefits compared to running clippy from a nix shell: 1. it leverages Nix caching 2. it builds a working binary that can be directly used in `test-smoke.sh`. - [X] Use a patched version of `cargo2nix` that fixes this bug: https://github.com/cargo2nix/cargo2nix/issues/238 - When we have a complex project + a crate (eg. openssl) that has some "propagated build inputs", cargo2nix tends to duplicate similar values. In the end, the openssl propagated build inputs was repeated thousand of times. My patch to fix the bug: https://github.com/superboum/cargo2nix/commit/486675c67249e735dd7eb68e1b9feac9db102be7. Later, I plan to bump cargo2nix on Garage, port this patch, and at the same time open a PR to upstream it. - [X] Introduce a new type of Nix runner named `nix-daemon`. They have many benefits over the prior builder: - A `nix maintenance` step is not needed anymore in Drone - Mounting volumes on each step is not needed anymore, volumes are directly injected by the runner in each step. Theoretically, it could work even on non trusted builds (this is a Drone config parameter on some repo, required to mount host volumes for example). - Concurrent builds are correctly supported, even across different projects - `nix-build` are now sandboxed, so builds are even more reproducible - (bonus) the nix-daemon can be configured to distribute a single build on many other runners thanks to [distributed builds](https://nixos.wiki/wiki/Distributed_build) - (bonus) currently, the runner can directly write in the nix store which breaks isolation. But the docker daemon can be configured to prevent this. Also, the drone-docker-runner can be patched to support mounting as read only `/nix/store`. One of this change would make our nix operations 100% sandboxed and isolated from one another. Instructions to setup a new runner can be found here: https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/src/branch/main/app/drone-ci/integration#install-the-runner
quentin force-pushed ci/bump-nix-img from 684019c7fa to fcb04843f7 2022-07-26 16:27:58 +00:00 Compare
lx reviewed 2022-07-28 08:35:40 +00:00
.drone.yml Outdated
@ -26,3 +26,2 @@
commands:
- cp nix/nix.conf /etc/nix/nix.conf
- nix-build --no-build-output --no-out-link shell.nix --arg release false -A inputDerivation
- "[ -d /mnt/store/3vpyn2qz5ay057nq9x68sh0r328d77ng-nix-2.8.1/ ] || (mkdir -p /mnt/store && cp -r /nix/store/* /mnt/store/)"
lx commented 2022-07-28 08:23:23 +00:00
Owner
Copy Link

What if the image nixos-22.05 is updated and the hash 3vpyn2qz5ay057nq9x68sh0r328d77ng-nix-2.8.1 changes? We don't want to copy files uselessly every time. Could we find another solution to detect whether the copy needs to be made? For instance we could have a custom file name and just touch it after copying files.

What if the image `nixos-22.05` is updated and the hash `3vpyn2qz5ay057nq9x68sh0r328d77ng-nix-2.8.1` changes? We don't want to copy files uselessly every time. Could we find another solution to detect whether the copy needs to be made? For instance we could have a custom file name and just `touch` it after copying files.
lx commented 2022-07-28 08:48:45 +00:00
Owner
Copy Link

OR: freeze the docker image using a hash and not a tag

OR: freeze the docker image using a hash and not a tag
quentin commented 2022-07-29 06:48:17 +00:00
Author
Owner
Copy Link

Solved by changing how we handle Nix runners

Solved by changing how we handle Nix runners
quentin force-pushed ci/bump-nix-img from 1b79852e64 to a20a55efa9 2022-07-28 10:13:30 +00:00 Compare
quentin changed title from Upgrade CI pipeline, fix static builds to WIP: Upgrade CI pipeline, fix static builds 2022-07-28 10:31:53 +00:00
quentin force-pushed ci/bump-nix-img from 19cd8ae752 to 3ef9b3a650 2022-07-29 06:36:17 +00:00 Compare
quentin force-pushed ci/bump-nix-img from 3ef9b3a650 to a184f0d0b5 2022-07-29 06:37:46 +00:00 Compare
quentin changed title from WIP: Upgrade CI pipeline, fix static builds to Upgrade CI pipeline, fix static builds 2022-07-29 06:46:52 +00:00
lx merged commit a184f0d0b5 into main 2022-07-29 10:23:52 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
AdminAPI

Issues concerning the administration API

  
Bug

   
Check AWS

The behaviour should be checked against AWS S3

  
CI

Issues with Nix, Drone, Rust Compiler, etc.

  
Correctness

Issues of theoretical correctness that may impact edge-case scenarios

  
Critical

   
Documentation

   
Ideas

For abstract ideas/proposal to make Garage better, to better communicate our not yet achieved aims

  
Improvement

   
Low priority

For issues that we don't want to spend time on until made absolutely necessary

  
Newcomer

A bug that should be newcomer friendly.

  
Performance

   
S3 Compatibility

   
Testing

   
Usability

Propositions to make Garage easier to operate, by improving error reporting, CLI, etc.

No Label
AdminAPI
Bug
Check AWS
CI
Correctness
Critical
Documentation
Ideas
Improvement
Low priority
Newcomer
Performance
S3 Compatibility
Testing
Usability
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#345
No description provided.
Delete Branch "ci/bump-nix-img"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?