Jakob Buchgraber
Software Engineer
Google Germany GmbH
Erika-Mann-Straße 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Diese E-Mail ist vertraulich. Falls sie diese fälschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde.
This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.
--
You received this message because you are subscribed to the Google Groups "Bazel remote execution and caching system developer list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-buildfa...@googlegroups.com.
To post to this group, send email to bazel-b...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-buildfarm/CAGQ4vn2GRtfyqna%3DfgXc%3Dp0uM2dHX%2BNV%3DqtrD%2B7bMhKphVHL7w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
That’s a great news
for us as we almost systematically use nix-shell
(think python’s virtualenv, but more isolated and for the whole
dependency chain instead of just the python packages) to make
our builds more isolated and strict_action_env
was getting in the way of that:
One of the ways nix-shell ensures the isolation is by replacing
the PATH
by a carefully crafted one containing only the executables for
the packages specified in the configuration of the environment.
This worked quite well with remote caching (and probably remote
building too, though I personally didn’t try it) because the
PATH (along with other related environment variables like LD_LIBRARY_PATH
)
was uniquely specifying our environment − which kinda solve the
“Bazel simply can’t track all files made available via PATH”
because the only way to change what’s available in the PATH is
by modifying the PATH itself. So strict_action_env
was in fact making our builds less reproducible
instead of more.
For our use-case (which tbh I’d like to see more widespread as it’s a great way to ensure isolated builds at a relatively low cost) having the PATH used in the remote cache key was I think a rather good solution as it gave us a really strong confidence in the remote cache at a reasonable price.
--
Théophane
--
You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/CAGQ4vn2GRtfyqna%3DfgXc%3Dp0uM2dHX%2BNV%3DqtrD%2B7bMhKphVHL7w%40mail.gmail.com.
I think I don't understand what the problem is.For the users broken by this change, would setting "--action_env=PATH" fix it, or is it harder than that?I think the issue is that relying on PATH in the actions is unsafe and non-hermetic.We don't want users to do that inadvertently - that's why it's problematic to allow it by default.Users who know what they are doing and who have taken steps to make it more safe and hermetic (and/or those who accept the risks) can set the flag.Or am I mistaken/does the flag not fix the problem?
On Mon, Jan 21, 2019 at 12:42 AM 'Alexandra Goultiaeva' via bazel-discuss <bazel-...@googlegroups.com> wrote:I think I don't understand what the problem is.For the users broken by this change, would setting "--action_env=PATH" fix it, or is it harder than that?
First, for remote execution users, the whole discussion and this feature shouldn't matter, because Bazel should not use the PATH, LD_LIBRARY_PATH, and other system-specific environment variables from the local system anyway when it uses sends an action for remote execution (neither in the action cache key, nor send it to the remote execution system to actually be used). I hope we already agree on this and this is how it's implemented, otherwise I'm happy to explain my thoughts here.
The only case where this feature helps (and Jakob told me that this was also the thought behind the whole strict action env feature, as it's not about increasing hermeticity) is when you use local execution, but want to upload the resulting artifacts to a shared remote cache and then allow other users to get cache hits from there.
--
You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/CAGQ4vn3vyxacVii-jVO3mFgTdE3d0KGnYfQT6Sjjayi4k9wVLA%40mail.gmail.com.
2 cents from remote exec toolchains team:Having a PATH and LD_LIBRARY_PATH set in the remote exec container should well for remote execution.I agree with most of the discussion in this thread that the strict_action_env might be more of a problem for local execution than a benefit.I do however think that the alternative suggested (not including the PATH in the action key, even for local execution + remote caching) could be very problematic for remote caching as it sounds like it could lead to cache poisoning.
--
You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/f4b6b98b-0207-42d9-a395-3d27ffbeae8b%40googlegroups.com.
I do however think that the alternative suggested (not including the PATH in the action key, even for local execution + remote caching) could be very problematic for remote caching as it sounds like it could lead to cache poisoning.
I think the core issue at hand is that some rules (most, perhaps, atm?) are depending on the PATH to function properly, and Bazel has no way of expressing that at a finer granularity than the whole build.I'd think a more sustainable solution would include mechanisms to allow rules to express that they have a dependency on the PATH (or any other env variables), and so rule owners that mark their rules as needing PATH could do this. If that was possible, the targets for those rules only would include the PATH (or any other env var) in their key.
I agree about moving away from the PATH and towards hermetic rules, though I probably fall on the side of PATH should be (as close to) empty by default, and users should have to explicit about adding tool paths.
Will you be keeping `strict_action_env` for those of us who are happily using it (with local execution and remote caching)?
--
You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/CAGQ4vn0Dhwc-oraUApQ%3Dzp3Bme06ORk677VgQdeeKCuw3fuYWA%40mail.gmail.com.
Sorry, big thread. I might have missed where you proposed to remove it. You feel it is necessary to take it away? I understand changing the defaults for people not using the flag, but for those who are, you're forcing them to immediately deal with a new PATH.
On Tuesday, January 22, 2019 at 11:39:10 AM UTC-5, Jakob Buchgraber wrote:
> On Tue, Jan 22, 2019 at 3:07 AM <jga...@butterflynetinc.com> wrote:
>
> Will you be keeping `strict_action_env` for those of us who are happily using it (with local execution and remote caching)?
>
>
>
> This e-mail thread proposes to remove --strict_action_env altogether. Local execution in remote caching would instead use
> the PATH of the shell and not include the PATH in the remote cache key computation. I'd be interested to learn why you would
> want to keep using strict_action_env.
--
You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/f3ab8698-a51b-43b8-8bf1-a1850736f4db%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
That might work for us, I'm not sure that would please windows users, as there's some Windows specific 'default path' handling.
https://github.com/bazelbuild/bazel/blob/master/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRuleClassProvider.java#L409
--
You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bazel-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/5a89b0eb-11a0-46d6-a8c8-0beebf2073db%40googlegroups.com.
Jakob Buchgraber
Software Engineer
Google Germany GmbH
Erika-Mann-Straße 33
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Diese E-Mail ist vertraulich. Falls sie diese fälschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde.
This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.
To view this discussion on the web visit https://groups.google.com/d/msgid/bazel-discuss/CALS-RZLqKiNGCL1%3DZmQoxuCeBPvmbd4Pm1FccD%2B_sFHNv8%3D2gQ%40mail.gmail.com.
On Fri, Feb 1, 2019 at 11:01 PM 'Ulf Adams' via bazel-discuss
> Would you mind putting the proposal in a doc?
On Tuesday, 5 February 2019 11:41:10 UTC+1, Jakob Buchgraber wrote:
> Yes of course. I ll do so after my leave (2-3 weeks).
Did this happen?
Thanks,
Mathieu
> Yes of course. I ll do so after my leave (2-3 weeks).
Did this happen?