
add flag to disable networking in build environment #145

Open (1 commit to merge into main)

Conversation

imjasonh
Member

Intended to be used alongside #143 where dependencies are pre-fetched.

Signed-off-by: Jason Hall [email protected]

@imjasonh imjasonh requested a review from kaniini October 21, 2022 20:14
@imjasonh
Member Author

Worth noting that this will still `apk add` any of the pipeline's dependencies, which might undermine some assumptions about how the flag works.

Should `--disable-network` also skip the `apk add` steps, and assume they're present in the apk cache location? 🤔

@kaniini
Contributor

kaniini commented Oct 31, 2022

I would rather have the melange.yaml file declare the desired capabilities, rather than have a CLI option for this. We can sync on it if you want.

@imjasonh
Member Author

imjasonh commented Nov 1, 2022

> I would rather have the melange.yaml file declare the desired capabilities, rather than have a CLI option for this. We can sync on it if you want.

I like that idea too, especially as we have more capabilities than just networking.

But even if we had those we should have some way to invoke melange explicitly without those capabilities, and rely on pre-caching the things fetch steps require. fetch is sort of an odd case in that way, it "requires" networking except when it doesn't. I'd like to think of a more holistic and generalized way to express that.

In the meantime, solving this isn't a huge blocker -- there's plenty to do to improve the build system, and even without disabling networking explicitly, I think we can attest we're building hermetically if we pre-cache. We can also disable networking at the Pod/K8s layer, instead of asking melange to do it, until we figure out the best way to do that.

@kaniini
Contributor

kaniini commented Nov 2, 2022

What about something like:

pipelines/fetch.yaml:

```yaml
wants:
  packages:
    - wget
  capabilities:
    - net
```

...

package.yaml:

```yaml
package: ...

wants:
  capabilities:
    - net

pipeline:
  - wants:
      capabilities:
        - something-else
    runs: ...
```

And then having a `--deny-capabilities=net` commandline option?

@imjasonh
Member Author

imjasonh commented Nov 2, 2022

> What about something like:

That sounds good. The current direction we're going (not too late to change though) would be that `fetch` would still run without the capability, we'd just depend on its cache lookup + digest checking logic to avoid actually calling `wget`.

If that's messy we can investigate some kind of `--replace-pipeline=fetch=fetch-from-cache` flag that swaps the pipeline step definition at call-time, for one that doesn't require the capability.

@kaniini
Contributor

kaniini commented Nov 2, 2022

Of note, by reusing the `wants` struct here, we could have pipeline elements declare their package requirements at the specific pipeline element requiring it, which could be interesting.
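The `wants:` sketch from the Nov 2 comment and the per-step `wants` idea in the comment just above, worked through as an added Go example that is not melange's code or part of this thread. The struct names, the `uses:` link from a step to a pipeline definition such as fetch, and the shape of the `--deny-capabilities` check are assumptions about how the proposal might look; the point it shows is that denied capabilities can be rejected up front, before any step runs.

```go
package main

// Wants mirrors the proposed `wants:` block (hypothetical, not melange's schema).
type Wants struct {
	Packages     []string
	Capabilities []string
}

// Step is one pipeline element: an optional `uses:` of a named definition plus its own wants.
type Step struct {
	Name, Uses string
	Wants      Wants
}

// Config mirrors package.yaml: package-level wants plus the pipeline steps.
type Config struct {
	Package  string
	Wants    Wants
	Pipeline []Step
}

// effectiveCaps merges a step's own capabilities with those of the pipeline
// definition it uses (pipelines/fetch.yaml wanting net, in the sketch).
func effectiveCaps(s Step, defs map[string]Wants) []string {
	caps := append([]string{}, s.Wants.Capabilities...)
	if d, ok := defs[s.Uses]; ok {
		caps = append(caps, d.Capabilities...)
	}
	return caps
}

// CheckDenied models `--deny-capabilities=net,...`: one "<step>:<cap>" entry
// per step (package-level wants count as the step "package") that could only
// run with a denied capability, so the build refuses up front, not mid-pipeline.
func CheckDenied(cfg Config, defs map[string]Wants, denied []string) []string {
	deny := map[string]bool{}
	for _, c := range denied {
		deny[c] = true
	}
	steps := append([]Step{{Name: "package", Wants: cfg.Wants}}, cfg.Pipeline...)
	var out []string
	for _, s := range steps {
		for _, c := range effectiveCaps(s, defs) {
			if deny[c] {
				out = append(out, s.Name+":"+c)
			}
		}
	}
	return out
}
```

With the sketch's package.yaml and a fetch definition wanting `net`, `CheckDenied(cfg, defs, []string{"net"})` reports both the package-level want and the fetch step, while `something-else` passes untouched.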
