Add s3 remote cache

[bpaquet]

Largely inspired from #2323

[bpaquet]

I'm currently testing this under load @doctolib

[tonistiigi]

Same questions as #2323 .

• How do we test this? We don't necessarily need to run existing tests with it but we should have something that verifies the basics on the CI so we don't accidentally break it. Especially because none of the current popular downstream would have many users on it(at least initially). A separate workflow would be ok. Or if that is hard then minimally external service that tests master branch and notifies if things go wrong.
• Are you committing to maintaining this?

Why is this 40k lines bigger than the previous PR?

Take a look at the CI results as well.

cc @sethpollack

[bpaquet]

Same questions as #2323 .

• How do we test this?

I'm currenlty testing this on my CI.

We don't necessarily need to run existing tests with it but we should have something that verifies the basics on the CI so we don't accidentally break it. Especially because none of the current popular downstream would have many users on it(at least initially). A separate workflow would be ok. Or if that is hard then minimally external service that tests master branch and notifies if things go wrong.

What do you mean exactly? A dedicated workflow in github which test this? An integration test? Do you have any base I can start from?

• Are you committing to maintaining this?

Yes.

Why is this 40k lines bigger than the previous PR?

New version of the aws s3 sdk :(

Take a look at the CI results as well.

cc @sethpollack

[tonistiigi]

What do you mean exactly? A dedicated workflow in github which test this? An integration test? Do you have any base I can start from?

I assume testing something like this requires either token credentials or some kind of mock service. Our regular integration tests for things like this are in client_test.go or dockerfile_test.go. But as this would likely be something that can't just be run in a container with no external dependencies it can be a special github actions workflow. Eg. we currently have special workflow for windows testing. In that workflow/test you should run the basic loop of building, exporting cache, prune local cache, rebuild with cache and verify it matched. If you want you can use external tools in that workflow, eg. you could use buildx create for simplicity. @crazy-max

[bpaquet]

@tonistiigi Can you review?

• Tests are in hack/s3_test. I can move them where you want. Any feedback is welcome. Not sure how to taunch them in GHA, especially with the --privileged.
• I duplicated your readerat.go from the go-actions-cache. Should we move it in buildkit repo?
• Test under load still in progress.

[tonistiigi]

Add the ./hack/s3_test/run_test.sh invocation to https://github.com/moby/buildkit/blob/master/.github/workflows/build.yml with needs: [base] .

I added a commit that fixes up the Dockerfile and includes the correct buildkit binaries.

It doesn't work for me locally though

Documentation: https://docs.min.io
Finished loading IAM sub-system (took 0.0s of 0.0s to load data).
+ mc alias set myminio http://172.17.0.2:9000 minioadmin minioadmin
mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/root/.mc/share`.
mc: Initialized share uploads `/root/.mc/share/uploads.json` file.
mc: Initialized share downloads `/root/.mc/share/downloads.json` file.
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "http://172.17.0.2:9000/probe-bucket-sign-tszmiipmum4w/?location=": dial tcp 172.17.0.2:9000: connect: connection refused.

Assuming this works it doesn't actually look as complicated as I would have assumed. You can also consider adding the minio to the main Dockerfile integration-tests stage and adding a regular Go integration test.

FYI @crazy-max

[tonistiigi]

Why is containerd needed here?

[bpaquet]

Buildkit does not start without it

WARN[2022-05-06T08:27:58Z] skipping oci worker, as runc does not exist
WARN[2022-05-06T08:27:58Z] skipping containerd worker, as "/run/containerd/containerd.sock" does not exist
buildkitd: no worker found, rebuild the buildkit daemon?

May be you have a magical option to add to buildkitd -debugaddr 0.0.0.0:8060 :)

[tonistiigi]

These commands should write a constant plus a random value. See https://github.com/moby/buildkit/blob/master/client/client_test.go#L1410 . Then when you build them export the result to a local directory and check that the unique part has not change. Therefore cache matched.

[bpaquet]

Done

[tonistiigi]

Not sure how to taunch them in GHA, especially with the --privileged.

--privileged is not a problem in GH actions.

I duplicated your readerat.go from the go-actions-cache. Should we move it in buildkit repo?

Need to think about this later. I don't want an import cycle there.

[crazy-max]

You can also consider adding the minio to the main Dockerfile integration-tests stage and adding a regular Go integration test.

Added a commit to add minio to integration tests stage and also use it through linked context in the bake definition for s3 test.

I will add another commit to create a new job in our GHA workflow.

[bpaquet]

Add the ./hack/s3_test/run_test.sh invocation to https://github.com/moby/buildkit/blob/master/.github/workflows/build.yml with needs: [base] .

I added a commit that fixes up the Dockerfile and includes the correct buildkit binaries.

It doesn't work for me locally though

Documentation: https://docs.min.io
Finished loading IAM sub-system (took 0.0s of 0.0s to load data).
+ mc alias set myminio http://172.17.0.2:9000 minioadmin minioadmin
mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/root/.mc/share`.
mc: Initialized share uploads `/root/.mc/share/uploads.json` file.
mc: Initialized share downloads `/root/.mc/share/downloads.json` file.
mc: <ERROR> Unable to initialize new alias from the provided credentials. Get "http://172.17.0.2:9000/probe-bucket-sign-tszmiipmum4w/?location=": dial tcp 172.17.0.2:9000: connect: connection refused.

Fixed

Assuming this works it doesn't actually look as complicated as I would have assumed. You can also consider adding the minio to the main Dockerfile integration-tests stage and adding a regular Go integration test.

I prefer to keep it like this if you dont mind.

FYI @crazy-max

I

[bpaquet]

You can also consider adding the minio to the main Dockerfile integration-tests stage and adding a regular Go integration test.

Added a commit to add minio to integration tests stage and also use it through linked context in the bake definition for s3 test.

I will add another commit to create a new job in our GHA workflow.

@crazy-max just force pushed, sorry may be I drop some stuff. I added something in the build workflow, please feel free to refact.

[crazy-max]

@crazy-max just force pushed, sorry may be I drop some stuff. I added something in the build workflow, please feel free to refact.

Yes just saw that, that's fine. I bring it back.

I prefer to keep it like this if you dont mind.

In the future I think we don't want to rely on scripting but Go integration tests like we do for containerd and dockerd. See https://github.com/moby/buildkit/tree/master/util/testutil/integration

[crazy-max]

Not linked to this PR but I noticed that when we use linked context in bake a warning from buildx appears: https://github.com/moby/buildkit/runs/6320810388?check_suite_focus=true#step:5:622

WARNING: No output specified for docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load

Looks linked to docker/buildx#968.

There is another one less obvious that seems to appear when using COPY --link and bake linked context. Maybe caching issue but as it's an error it should fail but build continues instead: https://github.com/moby/buildkit/runs/6320810388?check_suite_focus=true#step:5:590

#56 extracting sha256:5979a4d386a9a20337edbeed4404a714b811c40e4bf73aa97fa73ca0bcdc3b9e 0.3s done
#56 extracting sha256:7964a4d2bbf168b770bc9ee09ce82d556bb466804b07f06b9c749cf928b37fa2 0.4s done
#56 extracting sha256:7964a4d2bbf168b770bc9ee09ce82d556bb466804b07f06b9c749cf928b37fa2 0.4s done
#56 merging done
#56 ERROR: maximum timeout reached

cc @tonistiigi @sipsma

[tonistiigi]

This should return Compression: default

[bpaquet]

done

[tonistiigi]

Calling this cache seems kind of confusing. It's more like s3Client

[bpaquet]

Done

[tonistiigi]

Writing to stdout is not allowed in here. If you want debug logs then you need to write them to the context logger.

[bpaquet]

removed all debug

[tonistiigi]

This should use errors.As

[bpaquet]

Done

[tonistiigi]

Add a another stage in here

FROM scratch
COPY --link --from=build /unique_first /
COPY --link --from=build /unique_second /

And in the test add --output destdir . After cache import the contents of the files need to remain the same.

[bpaquet]

Done

[tonistiigi]

LGTM but try to squash the commits a bit. It doesn't need to be a single commit but we should avoid commits that just say "fixes" or "code review". Maybe squash these 2 with the first commit. The others can remain as they are.

[tonistiigi]

Use errors.Errorf always for stacktraces

[bpaquet]

@tonistiigi I squashed everything and moved to aws-sdk-go-v2. Ready for review :)

[tonistiigi]

This file looks unused now

[bpaquet]

I'm using it to launch the test locally.

[tonistiigi]

If we have a helper script we should call it in the CI. Otherwise nobody notices if it breaks or starts to behave differently than CI invocations.

[bpaquet]

Used it in the CI

[crazy-max]

should be moved in the previous require block

[bpaquet]

Fixed. I should do something wrong when I update mod / vendor :(

[crazy-max]

LGTM

in a follow-up we should think about proper integration tests in testutil but might need to split first as suggested by @tonistiigi in #2734 (comment)

also README starts to be quite huge. wonder if we should not move some sections in dedicated pages under ./docs like the cache exporters.

[zchee]

@tonistiigi Can I send support GCS as well?

[bpaquet]

I’m using it to run the test locally.

…

On Fri 13 May 2022 at 00:03, Tõnis Tiigi ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In hack/s3_test/run_test.sh <#2824 (comment)>: > @@ -0,0 +1,7 @@ +#!/bin/sh -ex This file looks unused now — Reply to this email directly, view it on GitHub <#2824 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACSJXKMF2JOLXFTVW7POXTVJV53HANCNFSM5UJLRGCA> . You are receiving this because you authored the thread.Message ID: ***@***.***>