bundler: Support prefetching binary dependencies #673
Conversation
a-ovchinnikov
force-pushed
the
issue672
branch
from
ba631f6
to
5eaf37d
Compare
|
/retest |
a-ovchinnikov
force-pushed
the
issue672
branch
from
5eaf37d
to
ca5d99c
Compare
a-ovchinnikov
force-pushed
the
issue672
branch
from
ca5d99c
to
f2e0880
Compare
|
/retest |
tests/integration/test_data/bundler_everything_present/container/Containerfile
Outdated
Show resolved
Hide resolved
tests/integration/test_data/bundler_everything_present/container/Containerfile
Outdated
Show resolved
Hide resolved
cachi2/core/package_managers/bundler/scripts/lockfile_parser.rb
Outdated
Show resolved
Hide resolved
a-ovchinnikov
force-pushed
the
issue672
branch
from
f2e0880
to
4ab175e
Compare
|
I am not sure if overall that's what we want. When I was testing it locally, it looked like our parser script always adds platform = "ruby" if the source gem exists. So if users set allow binary to true, we download source gems anyway. When I had (sorbet)[https://rubygems.org/gems/sorbet-static/versions] in Gemfile.lock. JSON output had 3 gems for 3 different platforms. Then, we would not download all pre-compiled gems available as we do in Everything kind of depends on the parser. |
a-ovchinnikov
force-pushed
the
issue672
branch
from
4ab175e
to
8c8c437
Compare
My understanding is that we want to download whatever is specified in a Gemfile.lock. Technically we do not even need to ask a user if they want precompiled binaries or not, but for consistency with pip we do this. I think it is also good to be explicit about binary blobs and make user acknowledge that this is indeed what they want: there is always a chance that this was never noticed before and made its way into a stricter environment by accident. |
a-ovchinnikov
force-pushed
the
issue672
branch
from
8c8c437
to
bfad1cd
Compare
a-ovchinnikov
force-pushed
the
issue672
branch
3 times, most recently
from
847d10f
to
3c9eef6
Compare
cachi2/core/package_managers/bundler/scripts/lockfile_parser.rb
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Mostly minor comments on top of @slimreaper35's . The default bundler version downgrade behaviour raised a red flag for me and so I believe we need to set BUNDLE_VERSION.
tests/integration/test_data/bundler_everything_present/container/Containerfile
Outdated
Show resolved
Hide resolved
a-ovchinnikov
force-pushed
the
issue672
branch
from
3c9eef6
to
5fedd82
Compare
This class represents binary dependencies which some gems have. Signed-off-by: Alexey Ovchinnikov <[email protected]>
a-ovchinnikov
force-pushed
the
issue672
branch
from
5fedd82
to
4cd4a0f
Compare
eskultety
changed the title
Some dependencies contain architecture-specific components. Their name and location differ from standard Ruby-only dependencies. As a result prior to this commit such dependencies would be skipped during prefetch. This, in turn, failed hermetic builds because a dependency would end up missing. Resolves: containerbuildsystem#672 Signed-off-by: Alexey Ovchinnikov <[email protected]>
a-ovchinnikov
force-pushed
the
issue672
branch
from
4cd4a0f
to
69cf2e6
Compare
|
One more thing, that I probably mentioned somewhere, if we want to add platform qualifier in the PURLs: |
Some gems have hard dependencies on binary-only gems (at the moment of writing sorbet was one such gem). This commit introduces a way to allow downloading binary gems by adding an allow_binary flag along the lines of pip's allow_binary flag. Signed-off-by: Alexey Ovchinnikov <[email protected]>
When there is a version mismatch between a lockfile and bundler used to build a package, bundler might try to install a version specified in the lockfile. This will result in a build failure in a hermetic environment. This change forces bundler to always use whichever version is present in the system by overriding BUNDLE_VERSION variable and setting it to 'system'. See https://bundler.io/v2.5/man/bundle-config.1.html#LIST-OF-AVAILABLE-KEYS for details. Signed-off-by: Alexey Ovchinnikov <[email protected]>
This commit adds e2e to bundler. The tests verify that gems pre-fetched with cachi2 could be built in isolation. Signed-off-by: Alexey Ovchinnikov <[email protected]>
a-ovchinnikov
force-pushed
the
issue672
branch
from
69cf2e6
to
c6c1d49
Compare
Good point. |
If I read the link correctly this is a different platform: not a platform a gem is compiled to, but a Ruby implementation. The given example explicitly mentions JRuby. |
Okay. So we can probably leave it. We are not handling this for |
Do we need it? The logic of SBOM generation is pretty static and well-tested with UTs (97+% coverage is no joke). The tests check that bundler can build a package after it was prepared by cachi2 and that there are no failures there, they do catch quite a lot of interesting behaviours as we have learned. I think adding more data is excessive and will not bring any more confidence. |
|
We have it for all e2e tests for all package managers, so at least for consistency, I would add it. We can discuss it when we put all integration tests into a single repo. That should be a good starting point for improving the integration tests overall. |
a-ovchinnikov
force-pushed
the
issue672
branch
from
1474d3d
to
e373854
Compare
A snapshot of e2e data for e2e tests. Signed-off-by: Alexey Ovchinnikov <[email protected]>
a-ovchinnikov
force-pushed
the
issue672
branch
from
e373854
to
0927391
Compare
Done! |
ad353e5
Some dependencies contain architecture-specific components. Their name and location differ from standard Ruby-only dependencies. As a result prior to this commit such dependencies would be skipped during prefetch. This, in turn, failed hermetic builds because a dependency would end up missing.
Resolves: #672
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test(as is the standard for Pipelines as Code)