chore: experiment with Remote Build Execution (RBE) @ Namespace #10579

Draft. basvandijk wants to merge 117 commits into master from basvandijk/namespace-bazel-remote-execution. The diff further down shows changes from 17 of those commits.

Commits (117)
- d252a4e Experiment with Bazel Remote Execution on Namespace (basvandijk)
- 4eebe95 Don't print RBE bazelrc to avoid leaking short-lived credentials (basvandijk)
- 630603e Address Copilot review: fork guards, consistent worker ref, decouple … (basvandijk)
- 95ee442 chore: force image rebuild (basvandijk)
- c7118c3 Updating container images to tag: daa25a4984be312c1cf51c5a932a200fa2f…
- 7fc1156 Treat bre-worker-image as a required job, like ic-build-image (basvandijk)
- 8e31772 chore: force image rebuild (again) (basvandijk)
- 60eacb9 Fix BRE worker image push: use the Namespace tenant registry (basvandijk)
- acc567a Parse BRE worker digest from nsc upload output (basvandijk)
- dd8e7fb Potential fix for pull request finding (basvandijk)
- 765211b Grant id-token: write so nsc can authenticate via GitHub OIDC (basvandijk)
- 41345a5 Revert id-token: write; Namespace runners already have a workspace id… (basvandijk)
- d6a217a Address review: least-privilege permissions and safe inputs reference (basvandijk)
- e94973f wip (basvandijk)
- 464a535 Switch to namespace-profile-default (basvandijk)
- a4d7525 Pass BRE test target patterns as a quoted array (basvandijk)
- 7b3e520 Make update-image-references checkout robust on push/dispatch (basvandijk)
- 44aa0e4 Merge remote-tracking branch 'origin' into basvandijk/namespace-bazel… (basvandijk)
- 9c9e323 trigger container build (basvandijk)
- 34c3300 grant ns runner all baseimage permissions (basvandijk)
- dc11e43 Updating container images to tag: d395e4504a1bf0cf387cbf17335b6a6cf47…
- 9c34c77 run bazel inside the container (basvandijk)
- 5f9d3e8 install nsc in the container (basvandijk)
- a827076 fix (basvandijk)
- db404e1 Updating container images to tag: a139b8d37688eb2a5e1bc4a85b730a3ea64…
- ee81d00 reference ic-build image via output (basvandijk)
- b8423ea trigger (basvandijk)
- 2ddf870 Updating container images to tag: a139b8d37688eb2a5e1bc4a85b730a3ea64…
- dd831d4 bring nsc into scope (basvandijk)
- fc4d909 debug (basvandijk)
- d3c7adf Install nsc to /bin (basvandijk)
- 7758e4b fix (basvandijk)
- d182040 Updating container images to tag: 7838da7e90af323eb5aeb8463bc0346ef73…
- d102776 fix (basvandijk)
- e2c51dd Updating container images to tag: 7a908e1407f45149e59440b14029c6b9937…
- 6b5be94 nsc auth exchange-github-token (basvandijk)
- 109e28d permissions: id-token: write (basvandijk)
- 4fc49d1 use host's nsc auth (basvandijk)
- cdab485 uses: namespacelabs/nscloud-setup@v0 (basvandijk)
- 5445b3f Run skylib copy actions locally under Bazel remote execution (basvandijk)
- 10dab84 nsc is not needed in the container since we use namespacelabs/nsclou… (basvandijk)
- 8767ef3 Run non-remote-executable spawns locally under Namespace BRE (basvandijk)
- b38fdf0 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 8a70e66 Updating container images to tag: d395e4504a1bf0cf387cbf17335b6a6cf47…
- 3c155aa Run local-only genrules locally under Namespace BRE (basvandijk)
- 6d3eee7 Keep BRE worker src dynamic, immune to the update-image-references sed (basvandijk)
- 7cde29f Pass C++ .d files in memory under Namespace BRE (basvandijk)
- 39242c0 Run Namespace BRE job in a privileged container for ic-os podman builds (basvandijk)
- 2b0504f Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- f819061 trigger container rebuild (basvandijk)
- 1dac48a Updating container images to tag: 22378bb2ad2621b518f4000afdb1ebbe793…
- 75e5bf8 fix(bazel): ship rust-lld's gcc-ld self-contained linker to Rustc act… (basvandijk)
- 521b674 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- c7f598d ci(bre): drop obsolete --experimental_inmemory_dotd_files flag (basvandijk)
- 085bb0a Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 5439548 fix(bazel): keep rust-lld binary in sysroot for wasm canister links (basvandijk)
- 3ef6265 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 6c83df8 test(pocket-ic): split requires-network tests into arm64-darwin variants (basvandijk)
- 20bc0f4 test(pocket-ic): set crate_root for multi-source -darwin test variants (basvandijk)
- c06dcdc fix: build artifact_bundle locally to avoid dangling symlinks under BRE (basvandijk)
- 380255a test: run permission-denied tests as an unprivileged user when root (basvandijk)
- 24982cf --skip_incompatible_explicit_targets (basvandijk)
- 2801748 fix: compile test_utilities/privileges on macOS (basvandijk)
- a99be41 test: run sns-cli permission-denied tests as unprivileged user when root (basvandijk)
- ab1b797 Revert " --skip_incompatible_explicit_targets" (basvandijk)
- 861e217 Revert "test(pocket-ic): set crate_root for multi-source -darwin test… (basvandijk)
- eef3df9 Revert "test(pocket-ic): split requires-network tests into arm64-darw… (basvandijk)
- 9d830fc Skip pocket-ic:unix test_canister_http_in_live_mode on the BRE job (basvandijk)
- f6db25c test(driver): run libvirtd/QEMU/dnsmasq as nobody when the local back… (basvandijk)
- 3e115bb ci: mitigate remote CAS blob eviction on the BRE job (basvandijk)
- b1a9eff test(driver): let nobody traverse to the libvirtd binary and working dir (basvandijk)
- 1794676 test(driver): run net-admin scripts directly (not via capsh) when root (basvandijk)
- 41f73bb Revert "Skip pocket-ic:unix test_canister_http_in_live_mode on the BR… (basvandijk)
- 1351d03 disable //packages/pocket-ic:unix (basvandijk)
- 0a654ba BRE -> RBE (basvandijk)
- 1d4ad17 --test_output=errors (basvandijk)
- 015a779 enable //packages/pocket-ic:unix again but disable test_canister_http… (basvandijk)
- 751728f Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 5d996b8 start binary search for the hanging //packages/pocket-ic:unix (basvandijk)
- a4fe22c more ignores (basvandijk)
- 20ebc34 more ignores (basvandijk)
- 16270df one more ignore (basvandijk)
- bf8d8e5 more ignores (basvandijk)
- 283f27e run resume_killed_instance_strict (basvandijk)
- 213e33b run resume_killed_instance (basvandijk)
- a41bc5f only ignore resume_killed_instance (basvandijk)
- f02fc80 reduce diff (basvandijk)
- 6850827 experiment: net_admin (basvandijk)
- 1348098 Revert "experiment: net_admin" (basvandijk)
- 8f4f8d9 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 0694570 Unshare a self-owned netns when root lacks CAP_NET_ADMIN over the cur… (basvandijk)
- ac4c025 test: run permission-denied tests as an unprivileged user when root (basvandijk)
- f914787 fix: compile test_utilities/privileges on macOS (basvandijk)
- 0ff2873 test: run sns-cli permission-denied tests as unprivileged user when root (basvandijk)
- 75903f4 fix: address review comments in run_as_nobody_if_root (basvandijk)
- 39e8abf Automatically fixing code for linting and formatting issues
- 071d0ee docs: comment why run_as_nobody_if_root is needed at each call site (basvandijk)
- e224f9f feat: add #[as_nobody_when_root] attribute form of run_as_nobody_if_root (basvandijk)
- ceaeddc Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- f073f6c Merge branch 'basvandijk/run-permission-denied-tests-as-nobody' into … (basvandijk)
- 8f6d88a fix: unwrap double-applied run_as_nobody_if_root after merge (basvandijk)
- 3856b8c fix: shard zig cache per action under remote execution (basvandijk)
- 42e0d14 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- e9f93c4 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- e7a44cb Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- fb8d89d Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 5e37e0a Refactor RBE workflow to build bazel args in a documented array (basvandijk)
- 6bcb0ba Revert changes in Cargo.toml (basvandijk)
- 06f7220 Merge remote-tracking branch 'origin' into basvandijk/namespace-bazel… (basvandijk)
- 38afa08 try resume_killed_instance again (basvandijk)
- 7893858 Merge remote-tracking branch 'origin/master' into basvandijk/namespac… (basvandijk)
- 0c41013 rm comments (basvandijk)
- 0bb6ad4 trigger image build (basvandijk)
- d0f0132 refactor (basvandijk)
- 318c9e5 tweaks (basvandijk)
- d6b9892 Updating container images to tag: 8daf75b044f16ab4395e9746071e3d09115…
- 2deda1c Merge branch 'master' into basvandijk/namespace-bazel-remote-execution (basvandijk)
Diff view
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| name: BRE Namespace Test | ||
|
|
||
| # Experimental: run `bazel test` on Namespace runners using Bazel Remote | ||
| # Execution (BRE). Actions execute on Namespace workers booted from a custom | ||
| # worker image (a mirror of ic-build) that is built, optimized and pinned by the | ||
| # `container-autobuild.yml` workflow. | ||
| # | ||
| # See: https://namespace.so/docs/bazel/execution | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| targets: | ||
| description: 'Bazel target patterns to test' | ||
| required: false | ||
| default: '//...' | ||
| type: string | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, labeled] | ||
| push: | ||
| branches: | ||
| - 'dev-gh-*' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| bazel-test-bre: | ||
| name: Bazel Test (Namespace BRE) | ||
| runs-on: namespace-profile-amd64-linux-32x64 | ||
| timeout-minutes: 120 | ||
| # Opt-in while experimental: manual dispatch, pushes to dev-gh-* branches, or | ||
| # non-fork pull requests labeled 'CI_BRE'. Only on the public repo, where | ||
| # Namespace runners are configured (otherwise the job would get stuck). Fork | ||
| # PRs are excluded because this job runs on a privileged Namespace runner with | ||
| # pre-authenticated 'nsc' and must never execute untrusted PR code. | ||
| if: >- | ||
| github.repository == 'dfinity/ic' && | ||
| ( github.event_name != 'pull_request' || | ||
| ( github.event.pull_request.head.repo.full_name == github.repository && | ||
| contains(github.event.pull_request.labels.*.name, 'CI_BRE') ) ) | ||
| steps: | ||
| - name: Set up Bazel Remote Execution | ||
| run: | | ||
| # Provisions the Namespace RBE cluster and writes a bazelrc fragment with | ||
| # the remote executor, remote cache, credentials and recommended defaults. | ||
| # 'nsc' is pre-authenticated on Namespace runners. | ||
| # NOTE: do not print this bazelrc -- it contains short-lived credentials | ||
| # that would leak into the Actions logs. | ||
| nsc bazel execution setup --bazelrc=/tmp/bazel-rbe.bazelrc | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - uses: ./.github/actions/netrc | ||
| - name: Bazel Test with BRE | ||
| shell: bash | ||
| env: | ||
| BAZEL_TARGETS: ${{ github.event.inputs.targets || '//...' }} | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| # Custom worker image: a mirror of ic-build, pinned to an immutable digest | ||
| # and optimized for BRE. The ref below (Namespace tenant registry + digest) | ||
| # is kept up to date automatically by the 'update-image-references' job in | ||
| # container-autobuild.yml. | ||
| # NOTE: the placeholder digest below is replaced on the first ic-build | ||
| # rebuild after this workflow is introduced; until then this job will fail. | ||
| worker_image="docker://nscr.io/c9ptjuknd7oc6/ic-build-worker@sha256:0000000000000000000000000000000000000000000000000000000000000000" | ||
|
|
||
| targets="$BAZEL_TARGETS" | ||
| # Split the (space-separated) target patterns into an array so each is passed | ||
| # as a single, quoted argument -- avoids word-splitting/glob surprises. The | ||
| # 'targets' input is workflow_dispatch-only and this job is gated to non-fork. | ||
| read -ra target_patterns <<<"$targets" | ||
| # We deliberately bypass the workspace .bazelrc (which pulls in the | ||
| # DFINITY-internal cache / remote-execution config) and instead pass the | ||
| # build config plus the Namespace RBE config explicitly, mirroring the | ||
| # bazel-test-arm64 job in ci-main.yml. | ||
| bazel \ | ||
| --noworkspace_rc \ | ||
| --bazelrc=./bazel/conf/.bazelrc.build --bazelrc=/tmp/bazel-rbe.bazelrc \ | ||
| test \ | ||
| --test_tag_filters=-farm_system_test,-system_test_large,-system_test_benchmark,-fuzz_test,-fi_tests_nightly,-nns_tests_nightly,-pocketic_tests_nightly \ | ||
| --remote_default_exec_properties=container-image="$worker_image" \ | ||
| --keep_going \ | ||
| "${target_patterns[@]}" | ||
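Review bot: the "do not print this bazelrc" guard in the setup step only covers an explicit cat/echo; the `bazel` call below loads a repo-controlled rc file (`--bazelrc=./bazel/conf/.bazelrc.build`) ahead of `/tmp/bazel-rbe.bazelrc`, and any `--announce_rc` (or `common --announce_rc`) that lands in that file, or is later added to the `test` flags, makes Bazel echo the options it read from /tmp/bazel-rbe.bazelrc, short-lived credentials included, straight into the Actions log. Since the `if:` gate deliberately admits any same-repo PR carrying the `CI_BRE` label, the contents of `.bazelrc.build` are PR-controlled on this job, so the protection should not depend on them: suggest passing `--noannounce_rc` explicitly next to `--noworkspace_rc` and pointing the `# NOTE: do not print this bazelrc` comment at that flag. Running `nsc bazel execution setup` before `actions/checkout` is the right order (the rc is written to /tmp, outside the tree a PR can touch); worth saying so in the step comment so a later reorder does not silently undo it.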
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| daa25a4984be312c1cf51c5a932a200fa2fac895bdd550cac7bacb9dad553bae | ||
| 0000000000000000000000000000000000000000000000000000000000000000 | ||
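Review bot: this hunk replaces an existing pinned digest (`daa25a4984be312c1cf51c5a932a200fa2fac895bdd550cac7bacb9dad553bae`) with an all-zero placeholder, and the file name is not shown here, so it is not clear whether anything besides the new workflow's `worker_image` reads it; any other consumer will now resolve to the zero digest until `update-image-references` rewrites the file. Suggest either keeping the real digest until the first rebuild actually publishes the worker image, or stating in the commit message which jobs read this file and that each fails closed on the placeholder, consistent with the `# NOTE: the placeholder digest below is replaced on the first ic-build rebuild` comment in the workflow.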