build: add ability to interactively run guix builds, use container that has unprivileged user #5449

kwvg · 2023-06-21T06:58:52Z

Additional Notes

Not everything can be retained on volumes, /gnu/store and /var/guix are pre-populated when extracting the Guix archive, which is done during the image building process.
- Guix also highly cautions against modifying the contents of the store by any means outside manipulating it through the Guix daemon (see https://guix.gnu.org/en/manual/en/guix.html#The-Store)
- This is enforced by means of bind-mounting /gnu/store as read-only for anything that isn't the daemon
This container also has the Xcode SDK archive hardcoded in (see guix-start) and will need to be updated if the SDK version is updated
~~The container runs as privileged process and all operations are being done as the root user (no unprivileged user exists within the container due to its barebones nature)~~ No longer true, as we're not inheriting the Alpine container. An unprivileged user is used for git-specific operations with a configurable UID/GID pair which should be matched with the host user.
This container implicitly trusts https://bordeaux.guix.gnu.org and https://ci.guix.gnu.org (see entrypoint) as it fetches substitutions from it to avoid re-building unpatched/unmodified packages by fetching them from a remote server.
- This can be disabled at the expense of significantly longer build times (to note, a lot of build outputs are discarded in between instances of this container as not everything is or can be cached, so this is recommended against)

Motivation

@PastaPastaPasta was interested in the possibility of being able to run Guix builds as it is run by CI interactively with the fewest commands possible. Since my personal devenv is entirely defined using Docker, I had some experience with interactive containers.

We initially tried using the Alpine container (and earlier versions of this PR built upon this container) already available in develop but two problems arose:

build-push-action@v2 is not particularly cooperative with edrevo/dockerfile-plus (which is how we get the INCLUDE+ macro).
- All Docker builds are context-dependent (when building a container, you need to define a "base" context from which all relative paths are interpreted), dockerfile-plus doubly so. Your context directory is loaded into the builder and therefore, it is imperative to keep the context as minimal as possible, at the risk of increased resource consumption and longer build times.
- build-push-action would not cooperate despite efforts accepting the tradeoff and passing the repository root as the context
Simultaneously, we realized permissions issues were starting to arise with backport: merge bitcoin#25643, #23583, #23618, #23603, #23817, #24520, #24508, #25639, #26018, #25437, #25484, #23585, #24549, #24733, #21991, #22526, #25633, #24597, #24955, #25099, #24552, #21851, #25389, #25357, partial #22318 (guix backports: part 3) #5426, after backporting guix: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681 bitcoin/bitcoin#25099, which is an important pre-requisite for subsequent backports that introduce Apple Silicon target support.
- The Alpine container proved too barebones and introducing support for it would require changes to it that would future backports. Hence, it was decided to leave it as a vestigial entry while we use our own Docker container.
- The container here intentionally does not inherit anything from our base containers to avoid using dockerfile-plus

The context problem still persisted after moving to the Ubuntu-based container (which matches the rest of our CI) but Docker implements something called "additional contexts" that allow you to do things like COPY operations with a different directory as the base.

kwvg · 2023-06-25T18:43:29Z

I rebased #5426 on top of this PR and it resolved the safe.directory problem (see build for more information)

PastaPastaPasta · 2023-06-26T04:53:01Z

Makes me sad this had to get moved over to ubuntu, instead of alpine, but probably fine. Started my build, let's make sure it works, seems good so far

PastaPastaPasta · 2023-06-27T14:42:18Z

For some reason my arm dash-qt binary doesn't match... everything else matches

b94461d685321ea0d6add4f2b07ae3e9da434f69ef4f5be66fecce819cb32d86  guix-build-01c022e6e244/distsrc-01c022e6e244-arm-linux-gnueabihf/src/qt/dash-qt

…copy

PastaPastaPasta · 2023-06-27T15:33:11Z

arm-linux-gnueabihf dash-qt is non-deterministic...

CI had

b94461d685321ea0d6add4f2b07ae3e9da434f69ef4f5be66fecce819cb32d86  guix-build-01c022e6e244/distsrc-01c022e6e244-arm-linux-gnueabihf/src/qt/dash-qt

I have (twice)

ca34664ebdcaec0915dc26900131eb2a1581f3e7fef7e116e7e9cc22bdd40b9c  guix-build-01c022e6e244/distsrc-01c022e6e244-arm-linux-gnueabihf/src/qt/dash-qt

knst · 2023-06-27T17:17:29Z

I got 2 binaries: b94461d685321ea0d6add4f2b07ae3e9da434f69ef4f5be66fecce819cb32d86 from my build and ca34664ebdcaec0915dc26900131eb2a1581f3e7fef7e116e7e9cc22bdd40b9c from pasta.

There's difference in disassembled code of function double_conversion::FastFixedDtoa(double, int, double_conversion::Vector<char>, int*, int*)

@kittywhiskers need to backport this one: https://github.com/bitcoin/bitcoin/pull/25643/files
Otherwise builds are non-deterministic now. @PastaPastaPasta be informed

note for myself (and for further cases): need to install gcc-arm-none-eabi to make disassembler arm-none-eabi-objdump available under amd64's linux.

PastaPastaPasta · 2023-06-27T17:21:00Z

We can probably move forward with this PR then and backport that in the next set of guix backports

PastaPastaPasta

utACK for squash merge

UdjinM6

utACK

knst · 2023-06-27T17:23:59Z

I still have couple extra comments that I accidentally put to wrong PR.

can you avoid code duplication between contrib/containers/guix/scripts/guix-check and .github/workflows/guix-build.yml?
instead hard-coded 32 jobs better to get environment variable: -e ADDITIONAL_GUIX_COMMON_FLAGS='--max-jobs=32' \ by one of the ways: you can use $(nproc --all)" or "$(grep -c ^processor /proc/cpuinfo)" or "$(getconf _NPROCESSORS_ONLN)"

PastaPastaPasta · 2023-06-27T17:30:32Z

Good thoughts, but I'm gonna merge this so we can move forward with guix part 3; feel free to do a PR with those changes

kwvg · 2023-06-27T19:12:00Z

The reason why we cannot de-duplicate is because both guix-check and guix-build are "run-anywhere" and so they cd to the workspace mount in the script, if not rely on absolute paths altogether. I feel like for an interactive instance which is supposed to be as-few-steps-as-possible (it's why I made those scripts and had a pseudo-motd printed out), we have to account for operator error and think one step ahead.

We could de-duplicate it but that would require the scripts to be modified to be relative, which defeats the point of embedding them into PATH since they won't "run-anywhere", which makes the interactive prompt harder to use.

As for binding ADDITIONAL_GUIX_COMMON_FLAGS, to nproc --all, I'm fine with it.

@knst

…#5464) ## Additional Information * Based on suggestions by @knst made [here](#5449 (comment)) and [here](#5426 (comment))

…in#26257, bump to Python 3.10, mypy 0.981, fix Docker group assignment, minor housekeeping (misc. changes: part 2) 82723dc fix: don't forget to assign user to group if group exists (Kittywhiskers Van Gogh) 066d409 chore: remove outdated `boot2docker` comment (Kittywhiskers Van Gogh) 29e98e3 chore: document `USER_ID` and `GROUP_ID` in `docker-compose.yml` (Kittywhiskers Van Gogh) 6ea897a chore: drop unmaintained Guix container (Kittywhiskers Van Gogh) 6a1786c fix: resolve `test: =: unary operator expected` error (Kittywhiskers Van Gogh) d6489f0 fix: make copy of `skip` in `GetStackFrames` to avoid clobbering (Kittywhiskers Van Gogh) 4110ff3 lint: mypy 0.981 (Kittywhiskers Van Gogh) 80a44e9 partial bitcoin#26257: python linter flake8 E275 fixup, update dependencies (Kittywhiskers Van Gogh) 7b80dfb merge bitcoin#28347: replace deprecated pkg_resources with importlib.metadata (Kittywhiskers Van Gogh) 04ac20a partial bitcoin#30527: Bump python minimum supported version to 3.10 (Kittywhiskers Van Gogh) Pull request description: ## Additional Information * Dependency for #6988 * Python 3.9's security support elapsed on 31st Oct '25 ([source](https://endoflife.date/python)), in response to that we are switching over to Python 3.10. * Due to [python/mypy#13627](python/mypy#13627) arising as a result of this bump, we also had to upgrade `mypy` to 0.981. Note that this is a divergence from upstream as they opted to upgrade to `mypy` 1.x (see [bitcoin#28009](bitcoin#28009)) but the changes needed to do so are too disruptive given this PR's larger context. Future backports should feel free to overwrite the mypy version and realign with upstream. * CI identified potential clobbering ([build](https://github.com/kwvg/dash/actions/runs/19434684086/job/55606106842#step:8:1804)) in Windows stacktraces code that started to build after [dash#6966](#6966) (see below). Additionally, C++20 has deprecated certain operators like {in,de}crementation courtesy of [P1152](https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1152r3.html), which required additional adaptation. <details> <summary>Build error:</summary> ``` stacktraces.cpp: In function ‘std::vector<long long unsigned int> GetStackFrames(size_t, size_t, const CONTEXT*)’: stacktraces.cpp:167:56: error: variable ‘skip’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Werror=clobbered] 167 | static __attribute__((noinline)) std::vector<uint64_t> GetStackFrames(size_t skip, size_t max_frames, const CONTEXT* pContext = nullptr) | ^~~~~~~~~~~~~~ cc1plus: all warnings being treated as errors ``` </details> * The `AM_CONDITIONAL` for `CRASH_HOOKS_WRAPPED_CXX_ABI` wasn't evaluated due to missing quotations (see below), this has been resolved. <details> <summary>Configure:</summary> ``` checking whether the linker accepts -Wl,-export-dynamic... no checking whether the linker accepts -rdynamic... yes checking whether C++ compiler accepts -gdwarf-4... yes checking whether C++ compiler accepts -fno-standalone-debug... yes checking whether the linker accepts -Wl,-wrap=__cxa_allocate_exception... no ./configure: line 30603: test: =: unary operator expected checking for Linux getrandom syscall... no checking for getentropy via random.h... yes checking for sysctl... yes checking for sysctl KERN_ARND... no checking for fdatasync... no ``` </details> * Currently we offer two containers for Guix builds meant for developers who aren't on Linux, one was introduced by [dash#5285](#5285) (based on [fanquake/core-review](https://github.com/fanquake/core-review)'s container, [source](https://github.com/fanquake/core-review/blob/d8cf188214879ea1b095e2ba34ca5c23dbc3ebd2/guix/imagefile)) and the other introduced by [dash#5449](#5449), the former does not seem to get much use and has been out of sync with its upstream source for a while. As the second container is used by some developers and is updated and maintained to fit Dash's specific needs, the first container has been dropped and documentation has been updated to reflect the same. * As Docker has matured with the WSL2 backend on Windows and the Apple Virtualization framework on macOS, boot2docker has been deprecated (see [boot2docker/boot2docker#1408](boot2docker/boot2docker#1408)) and the comment referencing it has been dropped. * To avoid permissions issues with mounting directories, containers come with `USER_ID` and `GROUP_ID` args ([source](https://github.com/dashpay/dash/blob/23de96916a8b8f97a2c408bb76da1d2149d7227c/contrib/containers/ci/ci-slim.Dockerfile#L123-L131)) that need to be specified at build time if the mount needs different permissions (as is often the case on macOS). To make that option more explicitly clear, it has been specified in `docker-compose.yml` with default values filled in. * [dash#6929](#6929) introduced a fix to prevent unexpected container build failure due to conflicting groups (most commonly GID 20 that on macOS is `staff` but on Linux is `dialout`) but the fix did _not_ assign the default user to that group, that has been resolved here. ## Breaking Changes None expected. ## Checklist - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas - [x] I have added or updated relevant unit/integration/functional/e2e tests - [x] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ ACKs for top commit: UdjinM6: utACK 82723dc ~with one nit~ Tree-SHA512: 0e906d1a7fea9edc52a40a6a6971fa6b2599674e97e99c65a220f99cc44be78f4290be8fb9af7782cac416bcdd2338b7f17a5c50b5fdcf727b1cf84fe44c8686

kwvg added the guix-build label Jun 21, 2023

kwvg changed the title ~~contrib: add ability to interactively run guix builds based on Alpine CI image~~ build: add ability to interactively run guix builds based on Alpine CI image Jun 21, 2023

kwvg force-pushed the alpine_guix branch from eef7c04 to 28aa3f2 Compare June 21, 2023 07:06

kwvg added guix-build and removed guix-build labels Jun 21, 2023

kwvg marked this pull request as draft June 21, 2023 07:09

kwvg force-pushed the alpine_guix branch from 28aa3f2 to 15b4259 Compare June 24, 2023 21:13