Prefetch source tarballs for OpenSSL and curl outside the docker build context in Travis #174
…tainer using https Co-authored-by: Nate Coraor <[email protected]>
| check_var ${git_sha256} | ||
| check_var ${GIT_DOWNLOAD_URL} | ||
| curl -sSLO ${GIT_DOWNLOAD_URL}/v${git_fname}.tar.gz | ||
| fetch_source v${git_fname}.tar.gz ${GIT_DOWNLOAD_URL} |
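Review bot: The visible lines only check that ${git_sha256} is set; nothing here shows the file returned by fetch_source v${git_fname}.tar.gz ${GIT_DOWNLOAD_URL} being compared against it. Since the tarball may now come from a prefetch directory instead of a direct download, confirm the digest check still runs on whatever file fetch_source produces, and quote both arguments while touching this line.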
Looks like curl needs to be specified
There are 2 functions, this calls fetch_source, which just calls _fetch_source curl "$@". The idea is that fetching with wget is not something that should be done unless explicitly requested, the default is curl.
I just realized, there is _fetch_source and fetch_source
Gotcha. If CI is green that works for me.
| check_var ${autoconf_sha256} | ||
| check_var ${AUTOCONF_DOWNLOAD_URL} | ||
| curl -sSLO ${AUTOCONF_DOWNLOAD_URL}/${autoconf_fname}.tar.gz | ||
| fetch_source ${autoconf_fname}.tar.gz ${AUTOCONF_DOWNLOAD_URL} |
Looks like curl needs to be specified
| check_var ${automake_sha256} | ||
| check_var ${AUTOMAKE_DOWNLOAD_URL} | ||
| curl -sSLO ${AUTOMAKE_DOWNLOAD_URL}/${automake_fname}.tar.gz | ||
| fetch_source ${automake_fname}.tar.gz ${AUTOMAKE_DOWNLOAD_URL} |
Looks like curl needs to be specified
docker/build_scripts/prefetch.sh
| ext=${name}_EXTENSION | ||
| url=${name}_DOWNLOAD_URL | ||
| file=${!root}${!ext:-.tar.gz} | ||
| fetch_source $file ${!url} $dir |
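Review bot: In fetch_source $file ${!url} $dir the indirect expansion ${!url} is unquoted and unchecked, so if ${name}_DOWNLOAD_URL is unset it expands to nothing and $dir silently moves into the URL position. Quote all three arguments and fail early when ${!root} or ${!url} is empty.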
Same thing here, looks like the with argument is not specified
docker/build_scripts/build_utils.sh
| } | ||
|
|
||
|
|
||
| function _fetch_source { |
May be worth documenting the method. Also what about the following signature:
_fetch_source <url> <dest> [--method (curl|get)]
The file would be obtained from the url using file=$(basename ${url})
with default method being curl
Yeah, I might make another pass at this to pretty things up and reduce duplication after we get the immediate issue fixed.
@njsmith Would be awesome if you could review and integrate 👍
Nitpick: @natefoo Maybe you could squash
fetching for automated builds).
5a0af36 to 1b4a554
I don't understand why we have this dance with both wget and curl -- isn't the point of prefetching that we can do it on the host system, which presumably has a working curl? What problem do we solve by using wget sometimes?
We aren't using wget if openssl and curl are prefetched. I left the build context fetch with wget functionality in there because forks won't necessarily build with Travis. Case in point, the whole reason I discovered the OpenSSL version change yesterday was because I was setting up Hub/quay automated/push builds of a fork I need that will retain libpython*.a. If we got rid of the wget stuff, there'd be no way for those types of builds to work. Plus, right now, you can build the images locally entirely with
That doesn't answer the question though. We're not doing this prefetching dance because we want to; we're doing it because the vanilla centos5 image cannot connect to the hosts that distribute the openssl and curl sources. Or put another way, if the wget thing actually works, then we shouldn't do prefetching either.
Makes sense. I also discovered the problem because I used a derived image.
It works without problem on CircleCI. Maybe we could switch to that?
In the short term, I think it makes sense to address the issue. Then, we could discuss the best strategy to re-factor the prefetch system. Would it be a good compromise to get a branch based off 2e37903 (Prefetch source tarballs for OpenSSL and curl outside the docker build context in Travis) integrated now?
Using circleci might work around travis's broken network and allow the
Only on Travis, right now, due to the travis-ci/travis-ci#9391. It works fine locally and on other build platforms.
Providing a script that prefetches (like what @natefoo started) would be a good compromise then:
No. The problem is that the openssl in centos5 doesn't support SNI, but more and more servers are requiring that. If you look at the history of pull requests, we've been scrambling for months to switch between different mirrors for openssl and curl, trying to find ones that still work with centos5. This is the only reason we're using So from my point of view, the whole point of switching to prefetching is that we no longer have to play this game – we can use regular download sources like regular people, and stop having the image be broken constantly like it is now. However, centos5's
(edited my last comment to make it clear what I was responding to)
@natefoo Do you think you could improve your last patch, removing the support for wget and making the use of the prefetch a requirement? Let me know if I can help.
Well, it can connect to the official OpenSSL FTP source, but yeah, for curl it's using the Debian archive of the upstream source, so that one's not regular. I'm not disagreeing that it's a goose chase, and it will indeed continue to break going forward. I guess I was just hoping to retain the functionality for as long as it could be made to work. But, if you feel strongly that it should go, I'll rip out the remaining wget fetching and just switch to prefetches being required for OpenSSL and curl. Sound good?
document prefetching.
Nice.
Looks good. Thanks a lot for taking care of this; it's not fun but it helps a lot.
Different type of fun I would say. Thanks for spending time reviewing and integrating 👍
Also, upgrade OpenSSL to 1.0.2o.
This should avoid problems with using the old tools (e.g. wget) in EL5 to fetch these sources. Since people may do Docker Hub, quay.io, etc. automated builds of their own forks from the Dockerfile/context only, prefetching is not required and if sources are not prefetched we fall back to in-container fetching.
There's a lot more work that can be done to reduce duplication in the build scripts, especially with bash indirect references.
Incorporates/supersedes #172, xref #170, thanks @jcfr
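
The thread settles on fetching OpenSSL and curl on the host and requiring the prefetched files inside the container. The sketch below is an added example, not code from this PR or the project's build scripts: it shows that pattern with the pinned SHA-256 checked on the container side, where the file crosses from the build context into the build. PREFETCH_DIR, sha256_of, prefetch_source and use_prefetched are hypothetical names, and sha256sum is assumed to be available.

```shell
#!/bin/bash
# Added example; PREFETCH_DIR and all function names are hypothetical.
PREFETCH_DIR=${PREFETCH_DIR:-./sources}

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Host side: download <file> from <base_url> into PREFETCH_DIR unless it
# is already present. The host's curl has a modern TLS stack (SNI works).
prefetch_source() {
    local file="$1" base_url="$2"
    [ -n "$file" ] && [ -n "$base_url" ] || {
        echo "usage: prefetch_source <file> <base_url>" >&2
        return 2
    }
    mkdir -p "$PREFETCH_DIR"
    [ -f "$PREFETCH_DIR/$file" ] && return 0
    # Download to a temporary name so a partial file never looks complete.
    curl -fsSL -o "$PREFETCH_DIR/$file.part" "$base_url/$file" \
        && mv "$PREFETCH_DIR/$file.part" "$PREFETCH_DIR/$file"
}

# Container side: accept a prefetched file only if it exists and its
# digest matches the pinned value; print its path on success.
use_prefetched() {
    local file="$1" expected="$2"
    local path="$PREFETCH_DIR/$file"
    if [ ! -f "$path" ]; then
        echo "missing prefetched source: $file" >&2
        return 1
    fi
    local actual
    actual=$(sha256_of "$path")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $file: got $actual" >&2
        return 1
    fi
    echo "$path"
}
```

The digest passed to use_prefetched should come from the pinned value committed with the build scripts, never from a checksum file downloaded alongside the tarball.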