Don't expand RUN heredocs ourselves, let the shell do it #5473
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
kind/bug
|
Ephemeral COPR build failed. @containers/packit-build please check. |
nalind
force-pushed
the
heredoc-quoting
branch
5 times, most recently
from
6ad8b5f
to
f06f82d
Compare
go.mod
Outdated
| go 1.20 | ||
| go 1.21 | ||
|
|
||
| toolchain go1.21.9 |
There was a problem hiding this comment.
@nalind I am not sure but I think this directive is a blocking thing because of podman, I created a thread here. #5472 (comment)
There was a problem hiding this comment.
Okay, I'm going to try some things in the vendor Makefile target.
nalind
force-pushed
the
heredoc-quoting
branch
2 times, most recently
from
b25d215
to
c3c0536
Compare
There was a problem hiding this comment.
I suggest you wait with updating go until we have formal understanding on how to do it consistently across all our repos.
I would suggest to focus on containers/skopeo#2297 first and then we apply the changes from there in the other repos.
Makefile
Outdated
| GO111MODULE=on $(GO) mod tidy | ||
| GO111MODULE=on $(GO) mod vendor | ||
| GO111MODULE=on $(GO) mod verify | ||
| if go env | grep -q GOTOOLCHAIN ; then go mod edit -toolchain=none ; fi |
There was a problem hiding this comment.
this will break all renovate PRs as it doesn't use our makefile
There was a problem hiding this comment.
Going to try adding the variable to our local configuration for renovate.
Makefile
Outdated
| GO111MODULE=on $(GO) mod vendor | ||
| GO111MODULE=on $(GO) mod verify | ||
| if go env | grep -q GOTOOLCHAIN ; then go mod edit -toolchain=none ; fi | ||
| GOTOOLCHAIN=local GO111MODULE=on $(GO) mod tidy |
There was a problem hiding this comment.
not sure why you force GOTOOLCHAIN=local here only in the vendor target.
If anything it must be set for every go command.
There was a problem hiding this comment.
Okay, trying again with "export" this time.
nalind
changed the title
tests/bud/no-history/Dockerfile
Outdated
| @@ -1,7 +1,8 @@ | |||
| # The important thing about that first base image is that it has no history | |||
| # entries, but it does have at least one layer. | |||
|
|
|||
| FROM nixery.dev/shell AS first-stage | |||
| FROM example.com/shell AS first-stage | |||
There was a problem hiding this comment.
I was thinking anything on quay.io, or basically anything that does not introduce a new failure pain point.
There was a problem hiding this comment.
Hmm, using example.com has the advantage of producing an image reference that can't be confused with something that exists (or might once have existed, if we come back to this in the future) in an actual registry somewhere. How strongly are you in favor of a quay.io name?
There was a problem hiding this comment.
IMO, something like fakeregistry.podman.io/notreal makes the intend clear that this is not a real image. And in cases where we ever try to pull by accident we at least hit a domain under our control and name lookup should fail for that.
And ideally you add a comment in the Dockerfile that this image is being created in the test and should not be pulled.
There was a problem hiding this comment.
I think my question was: instead of on-demand building each time, can this image be built once (with saved-committed-tracked script and instructions), say onto quay.io/libpod/nohistory:20240422, and then fetched on demand. This is a very difficult test to review. If any step ever breaks in a CI run, it will cost a lot of energy to investigate.
There was a problem hiding this comment.
I don't believe I'm authorized to push to that repository, so that's not a thing I can do in this PR, or set up for this PR to use. The rest I can do.
There was a problem hiding this comment.
(Just in case it is of interest, https://datatracker.ietf.org/doc/html/rfc6761#section-6.4 specifies that the .invalid TLD should never resolve; that might be useful for similar situations.)
tests/bud.bats
Outdated
| # image) with the name the Dockerfile will specify as its base image. | ||
| run_buildah tag ${configdigest%% *} example.com/shell | ||
| # Build images using our image-with-no-history as a base, to check that we | ||
| # don't trip over ourselves when doing so. |
There was a problem hiding this comment.
Whether you go the build-each-time or build-once-and-pull-when-testing approach, I would really appreciate a step such as run_buildah inspect History and confirm that it is empty.
nalind
force-pushed
the
heredoc-quoting
branch
2 times, most recently
from
58903c2
to
11f190a
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: edsantiago, nalind The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Makefile
Outdated
| $(GO) mod tidy | ||
| $(GO) mod vendor | ||
| $(GO) mod verify | ||
| if test -n "$(strip $(shell go env GOTOOLCHAIN))"; then go mod edit -toolchain none ; fi |
There was a problem hiding this comment.
I rather not remove the toolchain line and have behave consistently across all our projects (containers/skopeo#2297, containers/common#1963 and others ...)
I don't think this is wrong, the end result is the same as far as I can tell but consistency is key IMO
cc @mtrmac
There was a problem hiding this comment.
Whatever changes we do here impact the vendoring validation tests. I'm not averse to splitting it out, but it has effects on things that come after it.
There was a problem hiding this comment.
For reproducibility, the go command writes its own toolchain name in a toolchain line any time it is updating the go version in the go.mod file
and IIRC that’s the only time that happens. So, in c/image and Skopeo we have a toolchain 1.21.0 line; then go get does not trigger any updates to 1.21.x as long as we stay on Go 1.21.
A possible unanticipated downside of the toolchain 1.21.0 approach is that Renovate files PRs just to update the toolchain, as in containers/image#2382 .
I don’t think we know for sure what Renovate does with Go ≥ 1.21 if there is no toolchain directive at all, AFAIK all updates to 1.21 were using the toolchain 1.21.0 approach so far.
There was a problem hiding this comment.
… I think what I’m saying here is that IIRC we haven’t considered the approach of just editing out the toolchain dependency.
And it might actually be a pretty good solution; if nothing else, reflects our intent more precisely than a 1.21.0 value.
… but also, I… don’t personally want to be spending much more time on toolchain. If this approach is better, I’ll happily help switch other repos, but I’d rather not invest much time evaluating it myself.
tests/bud.bats
Outdated
| @@ -333,7 +333,7 @@ _EOF | |||
| } | |||
|
|
|||
| @test "bud build with heredoc content" { | |||
| _prefetch fedora | |||
| _prefetch quay.io/fedora/python-311 | |||
There was a problem hiding this comment.
please only ever use images from quay.io/libpod/...
Second to we actually have to pull a large python image for this? I don't see the relevance of python specific code in herdoc. Can just as well test a simple shell script IMO.
There was a problem hiding this comment.
There's probably some value in checking that the right thing happens when the designated consumer of the heredoc is something other than the shell. I don't think anything the quay.io/libpod organization includes a python interpreter, but if there is one, I wouldn't mind using it instead.
tests/bud.bats
Outdated
| @@ -4547,17 +4547,17 @@ EOM | |||
| } | |||
|
|
|||
| @test "bud arg and env var with same name" { | |||
| _prefetch centos:8 | |||
| _prefetch busybox | |||
There was a problem hiding this comment.
same for the other image please make sure to use quay.io/libpod images if we already change them.
There was a problem hiding this comment.
For historical reasons there's some super complicated bizarre logic in the tests such that "busybox" and "alpine" translate to quay.io/libpod. See https://github.com/containers/buildah/blob/3763681506611b476cdd3377ee669ecaa7014b8b/tests/registries.conf
There was a problem hiding this comment.
I also have the impression that this is a collection of quite unrelated changes; although most are individually desirable, it’s harder to understand and discuss.
In particular, it took me quite a long time to understand that the stated topic of the PR is being achieved by an update of github.com/openshift/imagebuilder.
Makefile
Outdated
| @@ -1,4 +1,6 @@ | |||
| export GOPROXY=https://proxy.golang.org | |||
| export GOTOOLCHAIN=local | |||
| export GO111MODULE=on | |||
There was a problem hiding this comment.
(Maybe not in this PR?) I think with current Go versions (the go 1.21 directive in go.mod is being enforced, so we can assume a recent version), it should be possible to never refer to this variable, and to assume modules throughout.
There was a problem hiding this comment.
“this variable” being GO111MODULE, to be explicit.
Makefile
Outdated
| $(GO) mod tidy | ||
| $(GO) mod vendor | ||
| $(GO) mod verify | ||
| if test -n "$(strip $(shell go env GOTOOLCHAIN))"; then go mod edit -toolchain none ; fi |
There was a problem hiding this comment.
What is this go env condition checking for? It’s not absolutely obvious to me, my best guess is “is this a new enough Go to understand GOTOOLCHAIN?”
And if that’s the question, the go 1.21 directive in go.mod ensures the answer is “yes” (or, alternatively, if building with a much older Go which does not enforce the go 1.21 directive, the build is going to fail on a missing library feature anyway).
digester.go
Outdated
| if err == nil { | ||
| err = err1 | ||
| } | ||
| pipeReader.CloseWithError(err) |
There was a problem hiding this comment.
I always worry excessively that a failing goroutine will leave the consumer hanging.
Consider something like
func someOperationGoroutine() {
err := errors.New("Internal error: unexpected panic in someOperationGoroutine")
defer func() { // Ensure we _always_ wake up the caller
_ = pipeReader.CloseWithError(err) // CloseWithError(nil) is equivalent to Close(), always returns nil
wg.Done()
}()
err = someOperation()
}
func someOperation() {
// straight-line worry-free Go code with liberally sprinkled early `return`s and any other control flow
}
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
nalind
force-pushed
the
heredoc-quoting
branch
5 times, most recently
from
0823914
to
c84b0f6
Compare
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
nalind
force-pushed
the
heredoc-quoting
branch
3 times, most recently
from
fdcc7a6
to
f837728
Compare
When handling RUN instructions that use heredoc syntax, don't bother interpolating environment variables and argument values, and let the command that's running handle it. Signed-off-by: Nalin Dahyabhai <[email protected]>
When we get a tried-to-write-to-closed-pipe error while encoding something for a coprocess, try to capture error output from the coprocess and add it to the error message, to hopefully catch a flake we're seeing in CI. Signed-off-by: Nalin Dahyabhai <[email protected]>
|
LGTM |
openshift-merge-bot
bot
merged commit 7f0a322
into
containers:main
What type of PR is this?
/kind bug
What this PR does / why we need it:
When handling RUN instructions that use heredoc syntax, don't bother interpolating environment variables and argument values, and let the command that's running handle it.
Try to improve error reporting when we're committing an image, so that we don't lose out-of-space errors through layers of compression and editing of file headers in the layer diffs.
How to verify it
New conformance test!
Which issue(s) this PR fixes:
Special notes for your reviewer:
We fail to build e.g. https://github.com/devfile/developer-images/tree/main/universal/ubi8 when the heredoc references environment variables which are set in the heredoc itself, since we currently expand them before passing the heredoc as an argument to the command being invoked.
Does this PR introduce a user-facing change?