use a script instead of piping to stdin in run_docker_build #337
Conversation
minrk
changed the title
|
Good stuff @minrk ! Thanks for putting this together. 😀 Have definitely been suspicious of the pipe redirection for a while. I believe part of @pelson 's motivation for that design was to be security conscious. So we will need to evaluate these changes from that standpoint. Though maybe there are other concerns that he can share. We should probably do something similar at staged-recipes. Though before we go down that road let me take a closer look at this implementation. Expect I should have some time later next week. |
|
Also do you have any links to builds, commits and/or PRs that are relevant from the petsc feedstock? |
|
This build was run with the re-render and re-enabling the problematic test: https://circleci.com/gh/minrk/petsc-feedstock/3 This build is otherwise identical, rendered with smithy-1.3.3: https://circleci.com/gh/minrk/petsc-feedstock/4 Both pass, but note how the latter doesn't show the "No BINSTAR_TOKEN present..." output of run_docker_build.sh, indicating that it stopped at conda-build. |
|
I'm not sure that writing a script in the feedstock can introduce a new security issue, because run_test.sh, etc. are mounted from the same directory and can be modified (after launching the build, even) to change what code the container runs. Although I guess now there is a file containing the BINSTAR_TOKEN, which may be what was meant to be avoided. I'm not sure how to avoid that with the script. Things I wasn't so sure about:
|
| EOF | ||
|
|
||
| docker run -i \ |
There was a problem hiding this comment.
Given we are giving up redirection, what do you think about enabling TTY? Have already had a few issues where not having a TTY has caused problems (e.g. ncurses).
Yes, this is what I meant. Sorry if that was cryptic. Not sure ATM either, but will try to think on it. |
My inclination would be to put it in |
|
We can pass environment variables to docker on the CLI with Two pipey solutions if the file is to be avoided:
Both of these would avoid the token at rest on the host filesystem, but snoops with access to the docker service would be able to reach in and retrieve it |
|
This needs a rebase. Probably broken by PR ( #285 ). Should be an easy fix. |
minrk
force-pushed
the
docker-build-script
branch
from
4a64d00
to
9a9fe6b
Compare
|
Sorry for forgetting about this one. Rebased and TTY enabled, per comment above. |
|
Thanks @minrk . I do want to take a closer look at this again, but it may not be for a couple weeks due to the other big changes with CI providers and |
|
Tentatively scheduling this for 2.1.0. I know we still have some more discussion and review to do, but am hopeful we should get this resolved soon. Please let me know if you think this is reasonable. |
|
@gqmelo , I'd be curious to hear your thoughts on this change. Would you have a chance to take a look? |
|
I like the idea, but I'm sorry for my ignorance: is there a good reason to keep only one template? I mean, couldn't we have a It is just that this would be simpler and make it easy to use Anyway this would be probably another issue. I think these changes are nice |
Exactly as it is, build.sh includes the BINSTAR_TOKEN env from circle, which we don't have at render time. I think it could be generated as a template and use an env-file to pass the token, though. |
|
Actually, I might have a better idea - if we can do the upload from the host environment instead of the build environment, this should be even simpler, and not have any issues with tokens. |
That would be nice but you would have to setup the host environment with dependencies needed by the upload script, right? |
|
@minrk @jakirkham What about running docker two times? The first one you build using a script, the second one you upload passing the token through stdin. I think this is even better, as you never expose the token to the build scripts. |
minrk
force-pushed
the
docker-build-script
branch
from
734034b
to
df12dee
Compare
|
Was thinking about the same thing, @dalcinl. |
|
@dalcinl good idea. This now runs docker twice:
|
minrk
force-pushed
the
docker-build-script
branch
2 times, most recently
from
65b93a3
to
3976569
Compare
|
Rebased on master |
Puts the script in build_artefacts/conda-forge-build.sh It would appear that some tests interact with the stdin pipe, causing run_docker_build to finish early with apparent success, skipping the upload step. They seem to be doing this by consuming or detaching stdin somehow. By using a regular script, no pipes are involved, fixing at least one known cause of tests preventing upload. Further, future similar failures should be protected against by writing a canary file in the build_artefacts dir at the end of the script. This is checked, in case other bugs reintroduce early exit with apparent success.
and ignore it in .gitignore
1. build script doesn't have access to the token 2. upload gets token via stdin, but doesn't run user code commit build container to an image, so upload can run in the same env
- build.sh goes in .circleci - preserve set -x
minrk
force-pushed
the
docker-build-script
branch
from
3976569
to
762f420
Compare
not needed now that circle uses a real build matrix
minrk
force-pushed
the
docker-build-script
branch
from
096e7dc
to
bef0f87
Compare
|
rebased. This has gotten simpler since the original PR now that the matrix env stuff is no longer needed. |
|
Ouch. Sorry @minrk another PR that we dropped the ball. |
| -v "${RECIPE_ROOT}":/home/conda/recipe_root \ | ||
| -v "${FEEDSTOCK_ROOT}":/home/conda/feedstock_root \ | ||
| --env-file ${FEEDSTOCK_ROOT}/env \ | ||
| -e HOST_USER_ID="${HOST_USER_ID}" \ |
There was a problem hiding this comment.
You've missed the CONFIG env variable here.
| # see https://github.com/conda-forge/conda-smithy/pull/337 | ||
| # for a possible fix | ||
| set +x | ||
| echo "BINSTAR_TOKEN=${BINSTAR_TOKEN}" > "${FEEDSTOCK_ROOT}/env" |
There was a problem hiding this comment.
Put this inside .circleci folder?
There was a problem hiding this comment.
Actually would it make sense to save this in a directory that is not mounted in the container? To propose an arbitrary option, what about ~/.conda-smithy/upload.token?
missed in rebase of conda-forge#337
| CONTAINER=$(docker create -t \ | ||
| -v "${RECIPE_ROOT}":/home/conda/recipe_root \ | ||
| -v "${FEEDSTOCK_ROOT}":/home/conda/feedstock_root \ | ||
| --env-file ${FEEDSTOCK_ROOT}/env \ |
There was a problem hiding this comment.
Was not aware of this option. Nice fix!
|
This doesn't work in circleci and hangs with no output after the build.sh is run. |
|
We can change back to |
|
I'm going to revert it as I can't find anyway to fix it |
|
That seems reasonable, @isuruf. FWIW I do want us to solve this issue. Just think trying to tackle it in |
|
FWIW, after the single typo fixed in #692 I can confirm that this PR results in working builds on circleci with no issues. successful build here. |
Puts the script in build_artefacts/conda-forge-build.sh for use in the image.
It would appear that some tests interact with the stdin pipe, causing run_docker_build to finish early with apparent success, skipping the upload step. They seem to be doing this by consuming or detaching stdin somehow.
By using a regular script, pipes aren't involved, fixing at least one known cause of tests preventing upload.
Further, future similar failures should be protected against by writing a canary file in the build_artefacts dir at the end of the script. This is checked after
docker run, in case other bugs reintroduce early exit with apparent success.This is confirmed to fix the failure I was seeing on the new petsc-feedstock. The problematic test involved
mpiexec, if that's relevant.Other possibly affected cases: