-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI/CD to build and sanity check docker container and release executables #231
Comments
Remember Gitlab provides many CI/CD runners. But I suspect this will require running a separate runner on the last stage. I'm not sure if the configuration allows this. But we must investigate this. Also consider what additional costs there is, and whether it is free for Open Source, and we have replicated this to the Open Source group. |
Should also do a hash check to ensure that the expected hashes of the released executables are in fact what we expect. That means during the release stage, we should be calculating the hashes from |
This maybe relevant too https://nixos.org/manual/nix/unstable/command-ref/new-cli/nix3-store-make-content-addressable.html Checking the hash of the release is just about ensuring integrity but it doesn't ensure authenticity. A signature would ensure authenticity. However combining the hash with an "authentic" trusted source is sufficient to ensure authenticity and integrity. Of course end-to-end authenticity is enhanced with a proper signature applied. To dog-food Polykey, it would make sense to do a code-sign from the Polykey organisation gestalt rather than GPG since we stopped using GPG. |
The CI/CD check here should actually be done on the container image build. We should also do a check against the release executable builds while we're at it. Note that the If however we are going to join all of the testnet nodes as part of the Matrix AI gestalt and mainnet could be in a different gestalt, it may in fact be required. We can keep the dependency in just for now. |
Make sure to check that bundled files JSON and protobuf files are being put into the See: MatrixAI/TypeScript-Demo-Lib#34 (comment) for discussion and fix in TypeScript-Demo-Lib. If there are future files that need to be copied over, it's also important to consider the |
Checking the build executables can be done in a number of ways automatically. Application EmulationThe idea here is to directly execute the built artifacts in the same CI/CD container environment which currently is a "nix" container running on Linux. The advantage here is probably less resources being used, and all of this could be tested on our local development machines which are NixOS (or linux with Nix). Disadvantage is that it's not a full test, we don't know for sure what might happen on the other platforms.
Example: https://jake-shadle.github.io/xwin/#2-specify-runner This guy uses WINE to test a cross-compiled Rust executable. System Emulation/VirtualisationThis relies on virtualisation, such as using QEMU to run a full system. This is closer to the real deal, but more complex and expensive. Atm, I don't believe the containers inside Gitlab CI/CD are allowed to execute QEMU so we don't automate it that way. Instead this will rely on the CI/CD system itself to provide these extra environments. Gitlab has MacOSX and Windows guests available to be used, and these can then run tests against our built executables. Note that this means the tests are not running inside the Nix container anymore. Which leads us to our next problem. What kind of tests?These tests that run against the final built executable are not like the tests we have currently inside our Jest testing. Jest itself is just a test runner, it uses Node executes JS at the end of the day. The JS itself right now is importing code directly from So for testing the final executables, the tests have to shell out out and execute the commands and then testing what is the expected side-effects. This can be done in jest by using child process exec, and all we are doing is using the JS to run child processes. If we use a library like https://github.com/raingerber/jest-shell-matchers, this allows us to create expectations and matchers that can execute external executables. However there are 2 challenges with this:
If abandon jest entirely, then we would need a new test harness, and then platform-specificity is an issue. For example if we were to write tests in a shell language like bash, this may work easily on Linux and MacOS, but not as easily in Windows which doesn't have bash. We could create platform specific ways for every platform, Linux and Mac can use bash, while Windows uses powershell, but this just ends up duplicating our We know that node and jest can work on Windows, Mac and Linux. But we won't be able to use Nix in most of these extra environments, since these are meant to be non-Nix platforms. So it's just a matter of installing Also Gitlab docs may have some suggested ways of doing things too. Portability of
|
I've done a little research into gitlabs CI/CD. It might be possible to test the built executables in native shell enviroments using a combination of tags, artefacts and dependencies. We can us tags to specify a type of runner to run the job in. It seems like we can specify a runner that is a Linux bash shell or a windows Powershell this way. Using job artefacts and dependencies we can ensure that the required built executable is copied between jobs. I need to do some more research and testing for this but my impression is that it might be possible. |
It would be best to first try it in the TS-Demo-Lib. You can create new branches and run the CI/CD manually there. Also beware of Mac:
First thing would be non-NixOS executables and Windows which will the easiest to test. |
The most recent CI/CD pipeline (after merging #284) has shown that the
This also relates to #200, where we hope to provide an explicit argument list on the |
Changed from starting on 8th Nov to 12th Nov, based on arising complexity from async-init and CLI MR on Gitlab !213. |
We can add a report from jest in the CI/CD. Might be usefull. |
Other things we can add to improve the speed of the pipeline is caching the |
The `/nix/store` is actually cached. Just in S3 so it's downloaded from
S3 to here. As for node modules, I believe that is actually cached as
well, since it is in the `/nix/store`. At least for the commands doing
`nix-build`.
The `nix-shell` ones is indeed doing `node_modules` stuff. However the
CI/CD is a bit complicated right now, best not to change the CI/CD
infrastructure just yet until we worked out all the requirements.
…On 11/12/21 1:49 PM, Brian Botha wrote:
Other things we can add to improve the speed of the pipeline is
caching the |nix/store| and |node_modules| so they don't need to be
downloaded for each job.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#231 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAE4OHMSFTSTZQ37EII2XP3ULR6EJANCNFSM5DADQM5Q>.
|
I have most of the ci/cd config worked out now.
We've seen this problem before and AFAIK it should be fixed. so I don't know why it's happening with fd-lock. I dont remember how it was fixed however. I've tried including fd-lock inside of the Typescript-demo-lib and added a test for it. there it seems to build and run just fine. I've compared the nix build process between the two repos and I can't find any differences. Do you have any ideas @CMCDragonkai |
I had a look through and couldn't find any issues where we ever talked about this. But it does seem familiar. Is it workable inside a |
Running pkg inside the shell seems to work. trying to do a nix-build of just the application gives the same error. I think this has something to do with the installation process trying to build the prebuilds instead of downloading them. |
In fact wasn't this fixed by preventing node-gyp-build from building anything in the first place? |
It is definitely possible for |
If I fix it to |
But for now it seems nix-build runs fine in the CI/CD environments so I'm looking at what progress I can make there. |
|
js-polykey is now building in ci/cd |
That's awesome news |
It is building and copying over the artifacts but the tests are failing now. It's just missing some of the required files so that's an easy fix. Right now its relating to this issue MatrixAI/TypeScript-Demo-Lib#34 where the .json files are missing. |
Nice!!! |
What was the problem? |
The problem just seems to be when running nix-build locally. it just seems to work in the runners. I don't know why yet. |
Try cleaning your Nix cache and see what happens. Details here: https://nixos.org/manual/nix/unstable/package-management/garbage-collection.html Note it will have to reinstall when you do nix-shell. You should do it when you're not in any nix-shells. |
Good news, the |
Nope, that doesn't fix it. |
Docker test is working now. |
Macos test is working now. just need to work out a small fix for it. |
All of the CI/CD tests are passing now! |
I added a flag to |
Ok, right now the ground work has been laid out an we have basic tests running for the following enviroments.
The tests so far just run a quick test I made in The docker test is just running the docker image with no flags for now so it's just printing out the help page. I also expanded the test jobs out into multiple runners, so testing should complete quicker now. |
Note: It's possible to take the output from the build stage and use it in the publish stage. this should be addressed at some point. |
Also note, There are comments above where I am troubleshooting it. |
Adjusting end date to Wednesday December 1 (from November 19 - delayed from refactoring work in #283), to give time for review and merge. |
Should incorporate the cached compiler path: #296 (comment) |
The networking tests has been changed since async start was integrated. I'm removing these changes so that I can see what the original code was meant to do and fix these problems. This is why it's not a good idea to use be using |
@tegefaulkes all other tests which has this behaviour needs to be reverted back to the way it was before with the unit under test actually being in each test function. |
I remember there was incorrect usage of getters in |
This is now all working. Successful build and QA sanity check here: https://gitlab.com/MatrixAI/open-source/js-polykey/-/pipelines/444133744 Note that due to staging, and expected test failures from nodes and related functionality, right now master is expected to have a failed pipeline. However in qa-testing when skipping testing, all of this worked. Furthermore, QA sanity check is very basic. All it is checking is whether the program itself can run. By running the help command. That's it. This is a good first step. Subsequently we can reuse our test-suite that we are using in |
In the process of working on this, we discovered issues regarding licenses and |
The final built executables coming out of vercel/pkg are not tested when uploaded as pre-release executables.
We should run a final test on those, maybe a simplified test that runs just the
--version
or--help
page to ensure that the executable actually runs on the target environment. This can help us know whether the final packaged executables are actually working mostly.This requires our CI/CD to expand to include all environments:
We have these stages:
This might work as an extra stage:
qa
to mean "quality assurance". And it needs to use raw environments (not based on our Nix image that we use to build things).Tasks
qa
that enables Linux, Windows, and Mac environment runners, that means this stage runs on an entirely different runner compared to check, build and release.--help
and--version
to get the help page and the version page respectively.Regarding docker:
nix-build ./release.nix -A docker
docker run -it name-version:hash
.docker run -it matrixai_typescript-demo-lib-1.0.0:f3wf1wxvkdbbmrhxx9rhr5qw2skbrah6
testnet.polykey.io
The text was updated successfully, but these errors were encountered: