[Notes] [Git][BuildStream/buildstream][richardmaw/fix-chroot-sandbox-dev

Tristan Van Berkom pushed to branch richardmaw/fix-chroot-sandbox-devices at BuildStream / buildstream

Commits:

727f2faa

by Tristan Van Berkom at 2018-09-18T07:43:07Z

_project.py: Fix option resolution in element & source overrides

This ensures that option expressions are resolved in the project
level overrides before attempting to composite them on the instantiated
elements. Seems this is a regression from introducing the include
directive.

This fixes issue #658

ffa0bb36

by Tristan Van Berkom at 2018-09-18T07:47:44Z

tests/format/optionoverrides.py: Added test for options in element overrides

This is a regression test for issue #658

f2ae46f8

by Tristan Van Berkom at 2018-09-18T08:14:23Z

Merge branch 'tristan/fix-override-options' into 'master'

Fix override options

Closes #658

See merge request BuildStream/buildstream!802

7b117e40

by Daniel Silverstone at 2018-09-18T08:41:32Z

_artifactcache/artifactcache.py: Ensure no double-setup of remotes

Since ArtifactCache.setup_remotes() can be expensive and should only
happen once, this commit will assert() if it is called a second time
on an artifact cache instance.

Signed-off-by: Daniel Silverstone <daniel silverstone codethink co uk>

345f5f49

by Daniel Silverstone at 2018-09-18T08:41:32Z

tests/artifactcache/pull.py: Do not double-initialize remotes

The initialization of remotes is done by ArtifactCache.setup_remotes()
and as such it was wrong for these tests to be calling
CASCache.initialize_remotes() a second time.

Signed-off-by: Daniel Silverstone <daniel silverstone codethink co uk>

e32221b6

by Daniel Silverstone at 2018-09-18T08:45:50Z

sandbox/_sandboxremote.py: Acquire artifact cache via Platform

The SandboxRemote used to construct its own CASCache which was
considered dangerous.  This patch replaces that with acquisition of
the cache via the Platform singleton, hopefully eliminating issues
from having more than one artifact cache object in a single process.

Signed-off-by: Daniel Silverstone <daniel silverstone codethink co uk>

b587579f

by Tristan Van Berkom at 2018-09-18T09:53:26Z

Merge branch 'danielsilverstone-ct/fix-654' into 'master'

sandbox/_sandboxremote.py: Acquire cache via Platform

See merge request BuildStream/buildstream!797

30b41959

by Tristan Van Berkom at 2018-09-18T09:56:45Z

_artifactcache/artifactcache.py: Error out gracefully when push remote is mal-specified

When configuring a push remote and specifying either the client-cert
or the client-key, then both must be specified. This ensures we
get an informative error instead of a stack trace and BUG.

Fixes issue #625

41e8dc81

by Tristan Van Berkom at 2018-09-18T09:56:45Z

tests/artifactcache/config.py: Added test for invalid push remote configuration

Test that we get the expected error when configuring a client-cert
without client-key, or the inverse.

97071b6e

by Tristan Van Berkom at 2018-09-18T10:16:43Z

Merge branch 'tristan/fix-artifact-config-crash' into 'master'

Fix artifact config crash

Closes #625

See merge request BuildStream/buildstream!804

081dcafa

by Richard Maw at 2018-09-18T13:22:38Z

fuse: Report the correct device number for devices

This fixes all devices being mapped to the non-existant device 0,
which prevents being able to use even safe devices like /dev/null
through the hardlinks FUSE layer.

d0425608

by Richard Maw at 2018-09-18T13:22:38Z

FUSE: Mount with -odev in chroot sandbox

This is needed to permit access to the device nodes added to /dev
on Linux when FUSE is used as root.

The chroot sandbox only works with all privileges,
so there's no explicit check for being root
or having the appropriate capabilities.

A check for whether it's running as root isn't needed on Linux with bubblewrap
because /dev or its devices are mounted on top of the FUSE layer,
so device nodes are accessed directly rather than through the FUSE layer.

8430fdc7

by Richard Maw at 2018-09-18T13:22:38Z

tests: test that integration commands can use /dev

17 changed files:

buildstream/_artifactcache/artifactcache.py
buildstream/_fuse/hardlinks.py
buildstream/_fuse/mount.py
buildstream/_project.py
buildstream/sandbox/_mount.py
buildstream/sandbox/_sandboxchroot.py
buildstream/sandbox/_sandboxremote.py
tests/artifactcache/config.py
+ tests/artifactcache/missing-certs/certificates/client.crt
+ tests/artifactcache/missing-certs/certificates/client.key
+ tests/artifactcache/missing-certs/element.bst
tests/artifactcache/pull.py
+ tests/format/option-overrides/element.bst
+ tests/format/option-overrides/project.conf
+ tests/format/optionoverrides.py
+ tests/integration/project/elements/integration.bst
tests/integration/shell.py

Changes:

buildstream/_artifactcache/artifactcache.py

@@ -51,7 +51,7 @@ class ArtifactCacheSpec(namedtuple('ArtifactCacheSpec', 'url push server_cert cl
          url = _yaml.node_get(spec_node, str, 'url')
          push = _yaml.node_get(spec_node, bool, 'push', default_value=False)
          if not url:
 -            provenance = _yaml.node_get_provenance(spec_node)
 +            provenance = _yaml.node_get_provenance(spec_node, 'url')
              raise LoadError(LoadErrorReason.INVALID_DATA,
                              "{}: empty artifact cache URL".format(provenance))
@@ -67,6 +67,16 @@ class ArtifactCacheSpec(namedtuple('ArtifactCacheSpec', 'url push server_cert cl
          if client_cert and basedir:
              client_cert = os.path.join(basedir, client_cert)
 +        if client_key and not client_cert:
 +            provenance = _yaml.node_get_provenance(spec_node, 'client-key')
 +            raise LoadError(LoadErrorReason.INVALID_DATA,
 +                            "{}: 'client-key' was specified without 'client-cert'".format(provenance))
++
 +        if client_cert and not client_key:
 +            provenance = _yaml.node_get_provenance(spec_node, 'client-cert')
 +            raise LoadError(LoadErrorReason.INVALID_DATA,
 +                            "{}: 'client-cert' was specified without 'client-key'".format(provenance))
++
          return ArtifactCacheSpec(url, push, server_cert, client_key, client_cert)
@@ -91,6 +101,7 @@ class ArtifactCache():
          self._cache_size = None               # The current cache size, sometimes it's an estimate
          self._cache_quota = None              # The cache quota
          self._cache_lower_threshold = None    # The target cache size for a cleanup
 +        self._remotes_setup = False           # Check to prevent double-setup of remotes
          os.makedirs(self.extractdir, exist_ok=True)
          os.makedirs(self.tmpdir, exist_ok=True)
@@ -143,6 +154,10 @@ class ArtifactCache():
+     #
      def setup_remotes(self, *, use_config=False, remote_url=None):
 +        # Ensure we do not double-initialise since this can be expensive
 +        assert(not self._remotes_setup)
 +        self._remotes_setup = True
++
          # Initialize remote artifact caches. We allow the commandline to override
          # the user config in some cases (for example `bst push --remote=...`).
          has_remote_caches = False

buildstream/_fuse/hardlinks.py

@@ -42,9 +42,10 @@ from .mount import Mount
+ #
  class SafeHardlinks(Mount):
 -    def __init__(self, directory, tempdir):
 +    def __init__(self, directory, tempdir, fuse_mount_options={}):
          self.directory = directory
          self.tempdir = tempdir
 +        super().__init__(fuse_mount_options=fuse_mount_options)
      def create_operations(self):
          return SafeHardlinkOps(self.directory, self.tempdir)
@@ -121,7 +122,7 @@ class SafeHardlinkOps(Operations):
          st = os.lstat(full_path)
          return dict((key, getattr(st, key)) for key in (
              'st_atime', 'st_ctime', 'st_gid', 'st_mode',
 -            'st_mtime', 'st_nlink', 'st_size', 'st_uid'))
 +            'st_mtime', 'st_nlink', 'st_size', 'st_uid', 'st_rdev'))
      def readdir(self, path, fh):
          full_path = self._full_path(path)

buildstream/_fuse/mount.py

@@ -87,6 +87,9 @@ class Mount():
      #               User Facing API                #
      ################################################
 +    def __init__(self, fuse_mount_options={}):
 +        self._fuse_mount_options = fuse_mount_options
++
      # mount():
+     #
      # User facing API for mounting a fuse subclass implementation
@@ -184,7 +187,8 @@ class Mount():
          # Run fuse in foreground in this child process, internally libfuse
          # will handle SIGTERM and gracefully exit it's own little main loop.
+         #
 -        FUSE(self.__operations, self.__mountpoint, nothreads=True, foreground=True, nonempty=True)
 +        FUSE(self.__operations, self.__mountpoint, nothreads=True, foreground=True, nonempty=True,
 +             **self._fuse_mount_options)
          # Explicit 0 exit code, if the operations crashed for some reason, the exit
          # code will not be 0, and we want to know about it.

buildstream/_project.py

@@ -598,7 +598,10 @@ class Project():
          # any conditionals specified for project option declarations,
          # or conditionally specifying the project name; will be ignored.
+         #
 +        # Don't forget to also resolve options in the element and source overrides.
          output.options.process_node(config)
 +        output.options.process_node(output.element_overrides)
 +        output.options.process_node(output.source_overrides)
          # Load base variables
          output.base_variables = _yaml.node_get(config, Mapping, 'variables')

buildstream/sandbox/_mount.py

@@ -30,7 +30,7 @@ from .._fuse import SafeHardlinks
  # Helper data object representing a single mount point in the mount map
+ #
  class Mount():
 -    def __init__(self, sandbox, mount_point, safe_hardlinks):
 +    def __init__(self, sandbox, mount_point, safe_hardlinks, fuse_mount_options={}):
          scratch_directory = sandbox._get_scratch_directory()
          # Getting _get_underlying_directory() here is acceptable as
          # we're part of the sandbox code. This will fail if our
@@ -39,6 +39,7 @@ class Mount():
          self.mount_point = mount_point
          self.safe_hardlinks = safe_hardlinks
 +        self._fuse_mount_options = fuse_mount_options
          # FIXME: When the criteria for mounting something and it's parent
          #        mount is identical, then there is no need to mount an additional
@@ -82,7 +83,7 @@ class Mount():
      @contextmanager
      def mounted(self, sandbox):
          if self.safe_hardlinks:
 -            mount = SafeHardlinks(self.mount_origin, self.mount_tempdir)
 +            mount = SafeHardlinks(self.mount_origin, self.mount_tempdir, self._fuse_mount_options)
              with mount.mounted(self.mount_source):
                  yield
          else:
@@ -100,12 +101,12 @@ class Mount():
+ #
  class MountMap():
 -    def __init__(self, sandbox, root_readonly):
 +    def __init__(self, sandbox, root_readonly, fuse_mount_options={}):
          # We will be doing the mounts in the order in which they were declared.
          self.mounts = OrderedDict()
          # We want safe hardlinks on rootfs whenever root is not readonly
 -        self.mounts['/'] = Mount(sandbox, '/', not root_readonly)
 +        self.mounts['/'] = Mount(sandbox, '/', not root_readonly, fuse_mount_options)
          for mark in sandbox._get_marked_directories():
              directory = mark['directory']
@@ -113,7 +114,7 @@ class MountMap():
              # We want safe hardlinks for any non-root directory where
              # artifacts will be staged to
 -            self.mounts[directory] = Mount(sandbox, directory, artifact)
 +            self.mounts[directory] = Mount(sandbox, directory, artifact, fuse_mount_options)
      # get_mount_source()
+     #

buildstream/sandbox/_sandboxchroot.py

@@ -35,6 +35,9 @@ from . import Sandbox, SandboxFlags
  class SandboxChroot(Sandbox):
++
 +    _FUSE_MOUNT_OPTIONS = {'dev': True}
++
      def __init__(self, *args, **kwargs):
          super().__init__(*args, **kwargs)
@@ -67,7 +70,8 @@ class SandboxChroot(Sandbox):
          # Create the mount map, this will tell us where
          # each mount point needs to be mounted from and to
 -        self.mount_map = MountMap(self, flags & SandboxFlags.ROOT_READ_ONLY)
 +        self.mount_map = MountMap(self, flags & SandboxFlags.ROOT_READ_ONLY,
 +                                  self._FUSE_MOUNT_OPTIONS)
          root_mount_source = self.mount_map.get_mount_source('/')
          # Create a sysroot and run the command inside it

buildstream/sandbox/_sandboxremote.py

@@ -27,7 +27,7 @@ from . import Sandbox
  from ..storage._filebaseddirectory import FileBasedDirectory
  from ..storage._casbaseddirectory import CasBasedDirectory
  from .._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
 -from .._artifactcache.cascache import CASCache
 +from .._platform import Platform
  class SandboxError(Exception):
@@ -43,7 +43,6 @@ class SandboxRemote(Sandbox):
      def __init__(self, *args, **kwargs):
          super().__init__(*args, **kwargs)
 -        self.cascache = None
          url = urlparse(kwargs['server_url'])
          if not url.scheme or not url.hostname or not url.port:
@@ -56,12 +55,6 @@ class SandboxRemote(Sandbox):
          self.server_url = '{}:{}'.format(url.hostname, url.port)
 -    def _get_cascache(self):
 -        if self.cascache is None:
 -            self.cascache = CASCache(self._get_context())
 -            self.cascache.setup_remotes(use_config=True)
 -        return self.cascache
+-
      def run_remote_command(self, command, input_root_digest, working_directory, environment):
          # Sends an execution request to the remote execution server.
+         #
@@ -78,8 +71,8 @@ class SandboxRemote(Sandbox):
                                                        output_files=[],
                                                        output_directories=[self._output_directory],
                                                        platform=None)
+-
 -        cascache = self._get_cascache()
 +        platform = Platform.get_platform()
 +        cascache = platform.artifactcache
          # Upload the Command message to the remote CAS server
          command_digest = cascache.push_message(self._get_project(), remote_command)
          if not command_digest or not cascache.verify_digest_pushed(self._get_project(), command_digest):
@@ -141,7 +134,8 @@ class SandboxRemote(Sandbox):
          if tree_digest is None or not tree_digest.hash:
              raise SandboxError("Output directory structure had no digest attached.")
 -        cascache = self._get_cascache()
 +        platform = Platform.get_platform()
 +        cascache = platform.artifactcache
          # Now do a pull to ensure we have the necessary parts.
          dir_digest = cascache.pull_tree(self._get_project(), tree_digest)
          if dir_digest is None or not dir_digest.hash or not dir_digest.size_bytes:
@@ -176,7 +170,8 @@ class SandboxRemote(Sandbox):
          upload_vdir.recalculate_hash()
 -        cascache = self._get_cascache()
 +        platform = Platform.get_platform()
 +        cascache = platform.artifactcache
          # Now, push that key (without necessarily needing a ref) to the remote.
          vdir_digest = cascache.push_directory(self._get_project(), upload_vdir)
          if not vdir_digest or not cascache.verify_digest_pushed(self._get_project(), vdir_digest):

tests/artifactcache/config.py

@@ -9,8 +9,12 @@ from buildstream._context import Context
  from buildstream._project import Project
  from buildstream.utils import _deduplicate
  from buildstream import _yaml
 +from buildstream._exceptions import ErrorDomain, LoadErrorReason
 +from tests.testutils.runcli import cli
++
 +DATA_DIR = os.path.dirname(os.path.realpath(__file__))
  cache1 = ArtifactCacheSpec(url='https://example.com/cache1', push=True)
  cache2 = ArtifactCacheSpec(url='https://example.com/cache2', push=False)
  cache3 = ArtifactCacheSpec(url='https://example.com/cache3', push=False)
@@ -106,3 +110,33 @@ def test_artifact_cache_precedence(tmpdir, override_caches, project_caches, user
      # Verify that it was correctly read.
      expected_cache_specs = list(_deduplicate(itertools.chain(override_caches, project_caches, user_caches)))
      assert parsed_cache_specs == expected_cache_specs
++
++
 +# Assert that if either the client key or client cert is specified
 +# without specifying it's counterpart, we get a comprehensive LoadError
 +# instead of an unhandled exception.
 +@pytest.mark.datafiles(DATA_DIR)
 +@pytest.mark.parametrize('config_key, config_value', [
 +    ('client-cert', 'client.crt'),
 +    ('client-key', 'client.key')
 +])
 +def test_missing_certs(cli, datafiles, config_key, config_value):
 +    project = os.path.join(datafiles.dirname, datafiles.basename, 'missing-certs')
++
 +    project_conf = {
 +        'name': 'test',
++
 +        'artifacts': {
 +            'url': 'https://cache.example.com:12345',
 +            'push': 'true',
 +            config_key: config_value
 +        }
 +    }
 +    project_conf_file = os.path.join(project, 'project.conf')
 +    _yaml.dump(project_conf, project_conf_file)
++
 +    # Use `pull` here to ensure we try to initialize the remotes, triggering the error
 +    #
 +    # This does not happen for a simple `bst show`.
 +    result = cli.run(project=project, args=['pull', 'element.bst'])
 +    result.assert_main_error(ErrorDomain.LOAD, LoadErrorReason.INVALID_DATA)

tests/artifactcache/missing-certs/certificates/client.crt

tests/artifactcache/missing-certs/certificates/client.key

tests/artifactcache/missing-certs/element.bst

+kind: autotools

tests/artifactcache/pull.py

@@ -137,7 +137,6 @@ def _test_pull(user_config_file, project_dir, artifact_dir,
      # Manually setup the CAS remote
      cas.setup_remotes(use_config=True)
 -    cas.initialize_remotes()
      if cas.has_push_remotes(element=element):
          # Push the element's artifact
@@ -274,7 +273,6 @@ def _test_push_tree(user_config_file, project_dir, artifact_dir, artifact_digest
      # Manually setup the CAS remote
      cas.setup_remotes(use_config=True)
 -    cas.initialize_remotes()
      if cas.has_push_remotes():
          directory = remote_execution_pb2.Directory()
@@ -310,7 +308,6 @@ def _test_pull_tree(user_config_file, project_dir, artifact_dir, artifact_digest
      # Manually setup the CAS remote
      cas.setup_remotes(use_config=True)
 -    cas.initialize_remotes()
      if cas.has_push_remotes():
          # Pull the artifact using the Tree object

tests/format/option-overrides/element.bst

+kind: autotools

tests/format/option-overrides/project.conf

 +# Test case ensuring that we can use options
 +# in the element overrides.
 +#
 +name: test
++
 +options:
 +  arch:
 +    type: arch
 +    description: architecture
 +    values: [i686, x86_64]
++
 +elements:
 +  autotools:
 +    variables:
 +      (?):
 +      - arch == 'i686':
 +          conf-global: --host=i686-unknown-linux-gnu
 +      - arch == 'x86_64':
 +          conf-global: --host=x86_64-unknown-linux-gnu

tests/format/optionoverrides.py

 +import os
 +import pytest
 +from buildstream import _yaml
 +from tests.testutils.runcli import cli
++
 +# Project directory
 +DATA_DIR = os.path.dirname(os.path.realpath(__file__))
++
++
 +@pytest.mark.datafiles(DATA_DIR)
 +@pytest.mark.parametrize("arch", [('i686'), ('x86_64')])
 +def test_override(cli, datafiles, arch):
 +    project = os.path.join(datafiles.dirname, datafiles.basename, 'option-overrides')
++
 +    bst_args = ['--option', 'arch', arch]
 +    bst_args += [
 +        'show',
 +        '--deps', 'none',
 +        '--format', '%{vars}',
 +        'element.bst'
 +    ]
 +    result = cli.run(project=project, silent=True, args=bst_args)
 +    result.assert_success()
++
 +    # See the associated project.conf for the expected values
 +    expected_value = '--host={}-unknown-linux-gnu'.format(arch)
++
 +    loaded = _yaml.load_data(result.output)
 +    assert loaded['conf-global'] == expected_value

tests/integration/project/elements/integration.bst

 +kind: manual
 +depends:
 +- base.bst
++
 +public:
 +  bst:
 +    integration-commands:
 +    - |
 +      echo noise >/dev/null

tests/integration/shell.py

@@ -342,3 +342,13 @@ def test_sysroot_workspace_visible(cli, tmpdir, datafiles):
      ])
      assert result.exit_code == 0
      assert result.output == workspace_hello
++
++
 +# Test system integration commands can access devices in /dev
 +@pytest.mark.datafiles(DATA_DIR)
 +def test_integration_devices(cli, tmpdir, datafiles):
 +    project = os.path.join(datafiles.dirname, datafiles.basename)
 +    element_name = 'integration.bst'
++
 +    result = execute_shell(cli, project, ["true"], element=element_name)
 +    assert result.exit_code == 0

[Notes] [Git][BuildStream/buildstream][richardmaw/fix-chroot-sandbox-devices] 13 commits: _project.py: Fix option resolution in element & source overrides

Tristan Van Berkom pushed to branch richardmaw/fix-chroot-sandbox-devices at BuildStream / buildstream

Commits:

17 changed files:

Changes: