Add support for reading and writing lockfiles #553
Conversation
src/cmd-build
Outdated
| @@ -153,9 +158,13 @@ prepare_git_artifacts "${configdir_gitrepo}" "${PWD}/coreos-assembler-config.tar | |||
|
|
|||
| # These need to be absolute paths right now for rpm-ostree | |||
| composejson=${PWD}/tmp/compose.json | |||
| # Put this under tmprepo so it gets automatically chown'ed if needed | |||
| lockfile_out=${tmprepo}/tmp/lockfile.json | |||
There was a problem hiding this comment.
How about manifest-lock.json?
There was a problem hiding this comment.
It would be nice to have the output lockfile name indicate it is the output of the compose.. Something like manifest-lockfile-out.json. In practice we can then use manifest-lockfile-in.json as the input to the compose that we store in our fedora-coreos-configs git repo
There was a problem hiding this comment.
Not strongly against, though isn't where the lockfile located enough context already? E.g. if it's in the build dir, it's clearly an output from cosa, and if it's in the source config, it's clearly meant to be an input, right? And the commands will respect that by default (unless you explicitly pass e.g. --update-lockfile as suggested below).
There was a problem hiding this comment.
directory context does give you a lot, but if you copy things to different locations, discuss them in bug reports or on IRC, etc, you will lose that context. What if I want to copy two lockfiles to the same directory and then vimdiff them? All of these things can be done with them being the same filename and their directory setting the context, but I think It's way easier if we have explicit naming.
There was a problem hiding this comment.
Why would you copy them to the same directory?
There was a problem hiding this comment.
It sounds like you just want them named differently, but not necessarily explicitly labeled "input" and "output", which I don't particularly like since the format of the file is the exact same in either case. And e.g. a lockfile output can itself be used as an input.
How about manifest-lock.json for the one in the source config, and ostree-lock.json for the output one? That way the former is close to manifest.yaml, and the latter is close to the other ostree- objects.
There was a problem hiding this comment.
It sounds like you just want them named differently
yes
but not necessarily explicitly labeled "input" and "output"
i'd prefer it over arbitrary names. Of course the format is similar and one could use an output lockfile as input, but would be nice if the filename indicated where it came from or what it was used for. Looks like i'm not being very convincing. One final attempt 😄 lockfile.out.json and lockfile.in.json
There was a problem hiding this comment.
another option.. the lockfile in the configs repo can just be lockfile.json but the generated output lockfile is lockfile-out.json or lockfile-generated.json or something that indicates it was an output artifact.
There was a problem hiding this comment.
I went with manifest-lock.json for input to follow the convention of using the same name as the manifest itself (could also match cargo/glide and do manifest.lock though the .json is helpful for e.g. web viewing), and manifest-lock.generated.json for the output so it's obvious that it's the same file format as the input one, but that it was generated from scratch.
|
Hmm. Wouldn't we want a semantic more like where we auto-find the lockfile in the config git repo? |
Yeah, make sense to me. I mean, ideally the lockfile is stored in the same git repo as the config (and that'll be the case for FCOS) so it makes sense to codify that.
I think we need both ways. E.g. in FCOS, the mechanical pipelines will always be fetching the latest, so we don't need a lockfile input to Higher-level though, it doesn't seem like just bumping the lockfile (without doing a build & basic test) would be a common workflow, right? Let's make it a switch instead? So e.g.
|
seems reasonable to me, though I will note that we probably will need some other instrumentation around the lockfile. For example, I just hit an issue because the I have a few other questions:
|
along that same vein, if we have something like this then it would be cool to have an output artifact that represents the difference between the input and output lockfiles |
Right, I think we need to maintain an rpm-md repo that has multiple versions of the base fedora content too. |
do we have that today with coreos-pool? In the latest we have multiple versions of the kernel: |
So now that we have OSTree layer capabilities in rpm-ostree (coreos/rpm-ostree#1830), I think it makes more sense overall to make the overlay an OSTree layer. The fact that it *is* an RPM, but differs from all the other RPMs in various ways will (and already has) come up multiple times when we talk about signing, changelogs, lockfiles, overrides, etc... (See [1] and [2] for some already filed issues). Switching to an OSTree layer sidesteps many of those issues. Of course, we do lose some things from moving away from RPM: 1. it's harder to determine from where the overlay files come from on a host system (see [3] related to this) 2. invisible to `rpm-ostree db diff` (but then again, the diff we currently get isn't helpful) 3. not possible to issue an advisory for it to be consumed like the rest of the advisories (though with the current approach, making use of this without going through Bodhi would've required some non-trivial amount of work too) Overall though, I think those are things we could (and should strive to) fix in rpm-ostree rather than avoiding layers entirely. [1] coreos#544 [2] coreos#553 (comment) [3] coreos/rpm-ostree#1789
Yup, that's the correct behaviour. That's the "lock" part in the name. :)
Right, we should probably write up some docs around the exact semantics. The TL;DR is: the lockfile merely constrains the pool of NEVRAs from which to pick, it doesn't dictate what goes into the compose itself.
Could just be separate lockfiles in the same branch though, right? This is a tricky topic, but yeah, we definitely need to figure out the lockfile + multi-arch + overrides strategy, though not necessarily here. We can rework the format to accommodate whatever we decide.
Right, exactly. Then all the prod & devel streams will source from there, using the lockfile to narrow down versions.
So this comment prompted me to think more deeply about what we're doing with |
hmm. that's not exactly what I am seeing. In #553 (comment) I mention hitting an issue with the
cool, will discuss over there. |
Ahh apologies, totally misread your original question. So, this is mostly answered in the second bit of #553 (comment), but to be more explicit: right now, a package name that isn't in the lockfile can still get pulled into the compose. This means one can e.g. add a package to the manifest while keeping everything else frozen, or manually bump a locked package that brings in a new dependency. You're right though that there could be a "strict" mode in which the lockfile is the canonical source of packages (e.g. something like The downside of this approach is that it makes manipulating lockfiles (e.g. bumping/adding/removing packages) manually trickier since we'd have to always provide the full dependency tree... which we'd probably use rpm-ostree in "non-strict mode" to do as well, so it doesn't really get us out of sanity-checking the diff anyway. So overall, I'm leaning more towards rolling with the current approach for now and see how it pans out in practice? |
jlebon
changed the title
|
OK, updated! ⬆️ You'll want to test this with #555 though. |
First, add `manifest-lock.json` to the list of magical files in the source config which we check for. Then, teach `fetch` and `build` to respect the lockfile by default, but add an `--update-lockfile` option to the former allow bumping the lockfile. Finally, always generate an output lockfile from the compose and put in the build dir as `manifest-lock.generated.json`. This is the first step towards actually being able to make use of lockfiles in the FCOS pipeline.
So now that we have OSTree layer capabilities in rpm-ostree (coreos/rpm-ostree#1830), I think it makes more sense overall to make the overlay an OSTree layer. The fact that it *is* an RPM, but differs from all the other RPMs in various ways will (and already has) come up multiple times when we talk about signing, changelogs, lockfiles, overrides, etc... (See [1] and [2] for some already filed issues). Switching to an OSTree layer sidesteps many of those issues. Of course, we do lose some things from moving away from RPM: 1. it's harder to determine from where the overlay files come from on a host system (see [3] related to this) 2. invisible to `rpm-ostree db diff` (but then again, the diff we currently get isn't helpful) 3. not possible to issue an advisory for it to be consumed like the rest of the advisories (though with the current approach, making use of this without going through Bodhi would've required some non-trivial amount of work too) Overall though, I think those are things we could (and should strive to) fix in rpm-ostree rather than avoiding layers entirely. [1] coreos#544 [2] coreos#553 (comment) [3] coreos/rpm-ostree#1789
See discussions in coreos/coreos-assembler#553, especially coreos/coreos-assembler#553 (comment). Essentially, there is a use case for making the lockfile *the* canonical source of packages to install. And in fact, it seems like that should be the default mode in which `--ex-lockfile` operates. This patch then adds a `--ex-lockfile-relaxed` mode which allows packages to be added or removed (current behaviour). Just whipped this up while I still had the context in my head. Haven't thouroughly thought it through or tested it out yet.
|
Strict mode: coreos/rpm-ostree#1858 |
So now that we have OSTree layer capabilities in rpm-ostree (coreos/rpm-ostree#1830), I think it makes more sense overall to make the overlay an OSTree layer. The fact that it *is* an RPM, but differs from all the other RPMs in various ways will (and already has) come up multiple times when we talk about signing, changelogs, lockfiles, overrides, etc... (See [1] and [2] for some already filed issues). Switching to an OSTree layer sidesteps many of those issues. Of course, we do lose some things from moving away from RPM: 1. it's harder to determine from where the overlay files come from on a host system (see [3] related to this) 2. invisible to `rpm-ostree db diff` (but then again, the diff we currently get isn't helpful) 3. not possible to issue an advisory for it to be consumed like the rest of the advisories (though with the current approach, making use of this without going through Bodhi would've required some non-trivial amount of work too) Overall though, I think those are things we could (and should strive to) fix in rpm-ostree rather than avoiding layers entirely. [1] #544 [2] #553 (comment) [3] coreos/rpm-ostree#1789
First, add
manifest-lock.jsonto the list of magical files in thesource config which we check for.
Then, teach
fetchandbuildto respect the lockfile by default, butadd an
--update-lockfileoption to the former allow bumping thelockfile.
Finally, always generate an output lockfile from the compose and put in
the build dir as
manifest-lock.generated.json.This is the first step towards actually being able to make use of
lockfiles in the FCOS pipeline.