| ▲ | reactordev 5 days ago |
| The rule for CI/CD and DevOps in general is boil your entire build process down to one line: ./build.sh
If you want to ship containers somewhere, do it in your build script where you check to see if you’re running in “CI”. No fancy pants workflow yamls to vendor lock yourself into whatever CI platform you’re using today, or tomorrow. Just checkout, build w/ params, point your coverage checker at it.This is also the same for onboarding new hires. They should be able to checkout, and build, no issues or caveats, setup for local environment. This ensures they are ready to PR by end of the day. (Fmr Director of DevOps for a Fortune 500) |
|
| ▲ | maratc 5 days ago | parent | next [-] |
| Yeah, that's a good rule. Except, do you want to build Debug or Release? Or maybe RelWithDebugInfo? And do you want that with sanitizers maybe? And what the sanitizers' options should be? Do you want to compile your tests too, if you want to run them later on a different machine? And what about that dependency that takes two hours to compile, maybe you just want to reuse the previous compilation of it? And if so, where to take that from? Etc. etc. Before long, you need another script that will output the train of options to your `build.sh`. (If Fortune 500 companies can do a one-line build with zero parameters, I suspect I'd be very bored there.) |
| |
| ▲ | reactordev 5 days ago | parent [-] | | Of course we had parameters but we never ship debug builds. Treat everything like production. If you want to debug, docker compose or add logs and metrics to seek what you find. |
|
|
| ▲ | pxc 5 days ago | parent | prev | next [-] |
| You still inevitably need a bunch of CI platform-specific bullshit for determining "is this a pull request? which branch am I running on?", etc. Depending on what you're trying to do and what tools you're working with, you may need such logic both in an accursed YAML DSL and in your build script. And if you want your CI jobs to do things like report cute little statuses, integrate with your source forge's static analysis results viewer, or block PRs, you have to integrate with the forge at a deeper level. There aren't good tools today for translating between the environment variables or other things that various CI platforms expose, managing secrets (if you use CI to deploy things) that are exposed in platform-specific ways, etc. If all you're doing with CI is spitting out some binaries, sure, I guess. But if you actually ask developers what they want out of CI, it's typically more than that. |
| |
| ▲ | michaelmior 5 days ago | parent | next [-] | | A lot of CI platforms (such as GitHub) spit out a lot of environment variables automatically that can help you with the logic in your build script. If they don't, they should give you a way to set them. One approach is to keep the majority of the logic in your build script and just use the platform-specific stuff to configure the environment for the build script. Of course, as you mention, if you want to do things like comment on PRs or report detailed status information, you have to dig deeper. | | |
| ▲ | pxc 5 days ago | parent | next [-] | | Yes, and real portability for working with the environment variables is doable but there's nothing out there that provides it for you afaik. You just have to read a lot carefully. My team offers integrations of static analysis tools and inventorying tools (SBOM generation + CVE scanning) to other teams at my organization, primarily for appsec purposes. Our organization's departments have a high degree of autonomy, and tooling varies a lot. We have code hosted in GitLab, GitHub, Azure DevOps, and in distant corners my team has not yet worked with, elsewhere. Teams we've worked with run their CI in GitLab, GitHub, Azure DevOps, AWS CodeBuild, and Jenkins. Actual runners teams use may be SaaS-provided by the CI platform, or self-hosted on AWS or Azure. In addition to running in CI, we provide the same tools locally, for use on macOS as well as Linux via WSL. The tools my team uses for these scans are common open-source tools, and we distribute them via Nix (and sometimes Docker). That saves us a lot of headaches. But every team has their own workflow preferences and UI needs, and we have to meet them on the platforms they already use. For now we manage it ourselves, and it's not too terrible. But if there were something that actually abstracted away boring but occasionally messy differences like which environment variables mean in different CI systems, that would be really valuable for us. (The same goes for even comment bots and PR management tools. GitHub and GitLab are popular, but Azure DevOps is deservedly marginal, so even general-purpose tools rarely support both Azure DevOps and other forges.) If your concern is that one day, a few years from now, you'll need to migrate from one forge to another, maybe you can say "my bash script handles all the real build logic" and get away with writing off all the things it doesn't cover. Maybe you spend a few days or even a few weeks rewriting some platform-specific logic when that time comes and forget about it. But when you're actually contending with many such systems at once, you end up wishing for sane abstractions or crafting them yourself. | |
| ▲ | merb 5 days ago | parent | prev [-] | | how can you build your containers in parallel? over multiple machines? I'm not sure that a sh script can do that with github | | |
| ▲ | pxc 5 days ago | parent | next [-] | | If you build them with Nix, you can. Just call `nix build` with a trailing `&` a bunch of times. But it's kind of cheating, because the Nix daemon actually handles per-machine scheduling and cross-machine orchestration for you. Just set up some self-hosted runners with Nix and an appropriately configured remote builders configuration to get started. If you really want to, you can graduate after that to a Kubernetes cluster where Nix is available on the nodes. Pass the Nix daemon socket through to your rootless containers, and you'll get caching in the Nix store for free even with your ephemeral containers. But you probably don't need all that anyway. Just buy or rent a big build server. Nix will use as many cores as you have by default. It will be a long time before you can't easily buy or rent a build server big enough. | |
| ▲ | reactordev 4 days ago | parent | prev [-] | | these problems are general ones and the solution is the same as running programs in parallel or across machines. When needing to build different architectures (and needing a host to provide the toolchains), what's stopping you from issuing more than 1 command in your CI/CD pipeline? Most pipelines have a way of running something on a specific host. So does k8s, ecs, <pick your provider>, and probably your IT team. My experience, when it gets time to actually build the thing. A one-liner (with args if you need them) is the best approach. If you really REALLY need to, you can have more than one script for doing it - depending on what path down the pipeline you take. Maybe it's 1) ./build.sh -config Release
2) ./deploy.sh -docker -registry=<$REGISTRY> --kick
Just try not to go too crazy. The larger the org, the larger this wrangling task can be. Look at Google and gclient/gn. Not saying it's bad, just saying it's complicated for a reason. You don't need that (you'll know if you do).The point I made is I hate when I see 42 lines in a build workflow yaml that isn't syntax highlighted because it's been |'d in there. I think the yaml's of your pipelines, etc, should be configuration for the pipeline and the actual execution should be outsourced to a script you provide. |
|
| |
| ▲ | oftenwrong 5 days ago | parent | prev [-] | | There are some very basic tools that can help with portability, such as https://github.com/milesj/rust-cicd-env , but I agree that there is a lot of proprietary, vendor-specific, valuable functionality available in the average "CI" system that you cannot make effective use of with this approach. Still, it's the approach I generally favor for a number of reasons. |
|
|
| ▲ | XorNot 5 days ago | parent | prev | next [-] |
| The other rule is that script should run as a user. Solely on that working directory. There are too many scripts like that which start, ask for sudo and then it's off to implementing someones "great idea" about your systems network interfaces. |
| |
| ▲ | reactordev 5 days ago | parent [-] | | sudo should not be required to build software. If there’s something you require that requires sudo, it’s a pre-build environment setup on your machine. On the host. Or wherever. It’s not part of the build. If you need credentials, get them from secrets or environment variables. | | |
| ▲ | immibis 5 days ago | parent [-] | | For use cases like making tar files with contents owned by root, Debian developed the tool "fakeroot", which intercepts standard library functions so that when the build script sets a file to be owned by root and then reads the ownership later, it sees it's owned by root, so it records that in the tar file. | | |
| ▲ | reactordev 4 days ago | parent [-] | | Debian takes the You can’t touch this approach to things to solve their issues. Instead of work arounds, they just hack at the lower kernel level and trace all you do. It’s a flex. fakeroot isn’t the only tool like this. I love me some Debian. |
|
|
|
|
| ▲ | BobbyTables2 5 days ago | parent | prev | next [-] |
| You’re not wrong but your suggestion also throws away a lot of major benefits of CI. I agree jobs should be one liners but we still need more than one… The single job pipeline doesn’t tell you what failed. It doesn’t parallelize unit and integration test suites while dealing with the combinatorial matrix of build type, target device, etc. At some point, a few CI runners become more powerful than a developer’s workstation. Parallelization can really matter for reducing CI times. I’d argue the root of the problem is that we are stuck on using “make” and scripts for local build automation. We need something descriptive enough to describe a meaningful CI pipeline but also allow local execution. Sure, one can develop a bespoke solution, but reinventing the wheel each time gets tiring and eventually becomes a sizable time sink. In principle, we should be able to execute pieces of .gitlab-ci.yml locally, but even that becomes non trivial with all the nonstandard YAML behaviors done in gitlab, not to mention the varied executor types. Instead we have a CI workflow and a local workflow and hope the two are manually kept in sync. In some sense, the current CI-only automation tools shouldn’t even need to exist (gitlab, Jenkins, etc) — why didn’t we just use a cron job running “build.sh” ? I argue these tools should mainly only have to focus on the “reporting/artifacts” with the pipeline execution parts handled elsewhere (or also locally for a developer). Shame on you GitLab! |
| |
| ▲ | reactordev 4 days ago | parent [-] | | You are mistaking a build for a pipeline. I still believe in pipelines and configuring the right hosts/runners to produce your artifacts. Your actual build on that host/runner should be a one-liner. |
|
|
| ▲ | mrbombastic 5 days ago | parent | prev | next [-] |
| How do you get caching of build steps with this approach? Or do you just not? |
| |
| ▲ | arianvanp 5 days ago | parent | next [-] | | Use a modern hermetic build system with remote caching or remote execution. Nix, Bazel, buck, pants. Many options | | |
| ▲ | pwnna 5 days ago | parent [-] | | This is like fighting complexity with even more complexity. Nix and bazel are definitely not close to actually achieving hermetic build at scale. And when they break the complexity increases exponentially to fix. | | |
| ▲ | pxc 5 days ago | parent [-] | | What's not hermetic with Nix? Are you talking about running with the sandbox disabled, or and macOS quirks? It's pretty damn hard to accidentally depend on the underlying system in an unexpected way with Nix. | | |
| ▲ | wredcoll 5 days ago | parent [-] | | My experience with nix, at a smaller scale than what you're talking about, is that it only worked as long as every. single. thing. was reimplemented inside nix. Once one thing was outside of nix, everything exploded and writing a workaround was miserable because the nix configuration did not make it easy. | | |
| ▲ | pxc 5 days ago | parent [-] | | > every. single. thing. was reimplemented inside nix That's kinda what hermetic means, though, isn't it? Whether that's painful or not, that's pretty much exactly what GGP was asking for! > Once one thing was outside of nix, everything exploded and writing a workaround was miserable because the nix configuration did not make it easy. Nix doesn't make it easy to have Nix builds depend on non-Nix things (this is required for hermeticity), but the other way around is usually less troublesome. Still, I know what you mean. What languages were you working in? | | |
| ▲ | wredcoll 4 days ago | parent [-] | | It was the dev environment for a bunch of wannabe microservices running across node/java/python And like, I'm getting to the point of being old enough that I've "seen this before"; I feel like I've seen other projects that went "this really hard problem will be solved once we just re-implement everything inside our new system" and it rarely works; you really need a degree of pragmatism to interact with the real world. Systemd and Kubernetes are examples of things that do a lot of re-implementation but are mostly better than the previous. | | |
| ▲ | pxc 4 days ago | parent [-] | | > Systemd and Kubernetes are examples of things that do a lot of re-implementation but are mostly better than the previous. I feel the same way about systemd, and I'll take your word for it with respect to Kubernetes. :) > "this really hard problem will be solved once we just re-implement everything inside our new system" [...] rarely works Yes. 100%. And this is definitely characteristic of Nix's ambition in some ways as well as some of the most painful experiences users have with it. > you really need a degree of pragmatism to interact with the real world Nix is in fact founded on a huge pragmatic compromise: instead of beginning with a new operating system, or a new executable format with a new linker, or even a new basic build system (a la autotools or make)! Instead of doing any of those things, Nix's design manages to bring insights and features from programming language design (various functional programming principles and, crucially, memoization and garbage collection) to build systems and package management tools, on top of existing (even aging) operating systems and toolchains. I would also contend that the Nixpkgs codebase is a treasure, encoding how to build, run, and manage an astonishing number of apps (over 120,000 packages now) and services (I'd guess at least 1,000; there are some 20,000 configuration options built into NixOS). I think this does to some extent demonstrate the viability of getting a wide variety of software to play nice with Nix's commitments. Finally, and it seems you might not be aware of this, but there are ways within Nix to relax the normal constraints! And of course you can also use Nix in various ways without letting Nix run the show.[0] (I'm happy to chat about this. My team, for instance, uses Nix to power Python development environments for AWS Lambdas without putting Nix in charge of the entire build process.) However: - fully leveraging Nix's benefits requires fitting within certain constraints
- the Nix community, culturally, does not show much interest in relaxing those constraints even when possible[1], but there is more and more work going on in this area in recent years[2][3] and some high-profile examples/guides of successful gradual adoption[4]
- the Node ecosystem's habit of expecting arbitrary network access at build time goes against one of the main constraints that Nix commits to by default, and *this indeed often makes packaging Node projects "properly" with Nix very painful*
- Python packaging is a mess and Nix does help IME, but getting there can be painful
Maybe if you decide to play with Nix again, or you encounter it on a future personal or professional project, you can remember this and look for ways to embrace the "heretical" approach. It's more viable and more popular than ever :)-- 0: https://zimbatm.com/notes/nix-packaging-the-heretic-way ; see also the community discussion of the post here: https://discourse.nixos.org/t/nix-packaging-the-heretic-way/... 1: See Graham Christensen's 2022 NixCon talk about this here. One such constraint he discusses relaxing, build-time sandboxing, is especially useful for troublesome cases some Node projects: https://av.tib.eu/media/61011 2: See also Tom Bereknyei's NixCon talk from the same year; the last segment of it is representative of increasing interest among technical leaders in the Nix community on better enabling and guiding gradual adoption: https://youtu.be/2iugHjtWqIY?t=830 3: Towards enabling gradual adoption for the most all-or-nothing part of the Nix ecosystem, NixOS, a talk by Pierre Penninckx from 2024: https://youtu.be/CP0hR6w1csc 4: One good example of this is Mitchell Hashimoto's blog posts on using Nix with Dockerfiles, as opposed to the purist's approach of packaging your whole environment via Nix and then streaming the Nix packages to a Docker image using a Nix library like `dockerTools` from Nixpkgs: https://mitchellh.com/writing/nix-with-dockerfiles |
|
|
|
|
|
| |
| ▲ | fireflash38 5 days ago | parent | prev | next [-] | | Even just makefiles have 'caching', provided you set dependencies and output correctly. A good makefile is really nice to use. Not nice to read or trace unfortunately though. | |
| ▲ | reactordev 4 days ago | parent | prev [-] | | We get them with docker. Everything becomes a container so why not use the container engine for it. If you know how layers work… |
|
|
| ▲ | HPsquared 5 days ago | parent | prev | next [-] |
| Sounds like the Lotus philosophy, "simplify and add lightness". |
|
| ▲ | marsven_422 5 days ago | parent | prev [-] |
| [dead] |
