Add dynamic option for vault #7238
Conversation
|
Is there also a reason to prefer the static build? Should we always build it one way instead of offering an option? |
|
HashiCorp distributes the static build as their downloadable binary, so I feel we should respect that as a default, but I could be convinced otherwise. |
|
I'd love to get a comment from one of the developers on that. |
|
Perhaps you'd like to weigh in, @jefferai? |
|
I'm not opposed to this per se but want to mention a few things:
|
|
@jefferai Out of band, I'll follow up with you separately or on the referenced tickets, but quickly to point (3): CGO_ENABLED=1 does indeed help with this, and to (2): I have more context on this now and there are also some non-VPN cases in which it is an issue as well. Like I said, I'll follow up elsewhere. Thanks for opining here. Very helpful. @mistydemeo Looks like the option (non-default) approach in my PR is the right one. Let me augment this PR with a new commit which adds a warning message as per (1). |
|
@consultantRR I am aware of non-VPN cases where this helps. I just know that the VPN case is dependent on specifics. |
|
Indeed, I should have said "some VPN users on Mac OS X" and not "VPN users on Mac OS X" in the commit message. |
Given these two things I'm 👎 on adding this option until we have more information here. I don't want us to add options unsupported by upstream (because then we implicitly support them instead) and I don't want to add options that aren't going to be widely used to definitely fix a specific problem. Don't need to close this, can leave it open for now. |
|
@MikeMcQuaid @consultantRR is one of the people we never heard from so here is saying it did help, just didn't say anything on the previous ticket Also let me just clarify "unsupported" in this context: our unit tests run on static builds but we also run the race detector which requires dynamic builds. We don't know of any breakages; it's really in the context of platform-specific cgo things (default DNS resolver, possibly cert handling depending on how that has shaken out, which syscalls are available) where if the user experiences an issue with dynamic builds we will try to help but may fall back on "Go issue" and report upstream if the issue is not something we can replicate with the static build. So it's not like we abandon those users. As I said before I'm fine with it, I just think a warning is a good idea, for instance notifying the user that using the dynamic option changes DNS resolution so if the user experiences issues they may want to try the official/static build. I should note that this isn't really Vault specific behavior anyways; any Go program will behave this way. So I'm just being overly cautious here rather than aware of specific problems. |
|
@jefferai Thanks, I agree with everything you wrote. (By the way, the cert handling issues you mention are, in my experience, no longer a problem. I believe it's only DNS resolution that remains a potential problem in some use cases with static binaries on OS X.) @MikeMcQuaid As @jefferai correctly notes, this is essentially a longstanding Go issue. Users who want to use a tool like Vault on OS X in certain situations (split DNS over OpenVPN & Bonjour/mdns, for example) do sometimes need to build the tool dynamically. It would be nice, in my opinion, if they could easily do so with Homebrew. (Not as a default, but as an option, as I have proposed.) How's this for a proposed warning message? Previously, I proposed:
How about:
Let me know if that works ok, and settles the prior concerns. If so, I'll commit the new warning, and hopefully we can move ahead with merging this and #7246. |
|
If it's easy to turn into a reusable message I'd remove the HC/Vault mention and just make it generic so other Go packages could reuse it (maybe with some simplification first). |
|
Cool, how about:
|
|
Homebrew doesn't really want to be printing out such large warnings. It sounds to me like the dynamic build makes more sense for macOS but only if we decide to do so without warnings. If we add warnings we should just go for an option where we have |
| target = "dev-dynamic" | ||
| else | ||
| target = "dev" | ||
| end |
There was a problem hiding this comment.
target = build.with?("dynamic) ? "dev-dynamic" : "dev" and stick it immediately above system "make", target
|
Do you build from source regardless of dynamic flag or not? |
|
If no build options are specified, then a prebuilt bottle is installed, I believe. |
|
I'd really prefer if it's not marked as unsupported. Don't really want to scare off users. |
|
Does HB provide any information (env flags, build flags, whatevs) to compilers about what's being built and/or version? Or is it relatively easy to do so? |
Indeed.
Yes but are there more specific things you're looking for? |
|
I mainly would like a way to know when a user reports an issue whether the build is static or dynamic. I can get values at compile time (that's how we get the git rev for instance) but I'm not sure other than keying on CGO_ENABLED whether I can easily discover this at compile time. This would actually be useful beyond HB, so maybe the best thing here is to defer this for the moment. I can look at getting something in for 0.6.3 to either detect it on my side or so that HB can pass in some identifying value at compile time. |
|
This PR is simply making the Could be handled there, I suppose. |
|
Sure, like I said I will try to solve it generally. :-) |
|
For 0.6.3 I've added output that will indicate whether cgo is enabled when the binary is run. My preference would be to wait until then (a couple of weeks) and then add this option in with the 0.6.3 formula. |
|
Sounds good to me too 👍 |
|
Vault 0.6.3 is released, and I have updated this PR accordingly. I think the Do Not Merge tag can now be removed, no? |
| sha256 "2dc0195cf0aaae3a9508fa2e8312ad9211a2f7b0880ed939b81473714dba1757" => :yosemite | ||
| sha256 "a0e956cad79a349755610aa3b2fd9c84abbd2fa7c3f0a6faef496880b04d07bf" => :sierra | ||
| sha256 "ef2c6c35dd6d2765b099a5f46b7c815ad48c7f8e5a92875c0254b0063f6ef098" => :el_capitan | ||
| sha256 "af8867dfa593c61bf441fccb3e30611364a13fcd5bfed4c297860f109ad4e560" => :yosemite |
There was a problem hiding this comment.
Please leave this as-is, they'll be updated when we pull.
|
@BrewTestBot test this please |
|
Having trouble applying the patch; could you squash this down to one commit? Thanks! |
- Add option “with-dynamic” to vault, in order to optionally build with CGO_ENABLED - This is a common use case for VPN users on Mac OS X - See: hashicorp/vault#1159 hashicorp/vault#712
|
Done. Thanks! |
|
Thanks! Merged as 3a9a2ab. |
|
Crap, sorry about the typo in the commit message. |
Add option “with-dynamic” to nomad, in order to optionally build with CGO_ENABLED. This is a common use case for some VPN users on macOS: #7238
brew install --build-from-source <formula>, where<formula>is the name of the formula you're submitting?brew audit --strict <formula>(after doingbrew install <formula>)?DNS resolution issues when using vault hashicorp/vault#1159
hashicorp/vault#712