Replace vendor.conf by go.mod
#682
Conversation
praseodym
force-pushed
the
go-mod
branch
6 times, most recently
from
65df899 to
5192c2a
Compare
|
Unfortunately CI fails, but I'm not quite sure why. |
|
Thanks for the PR. The CI fails because it now runs the tests as root instead of an unprivileged user. Overall, this PR is doing rather too many quite unrelated changes. They may well be desirable, but they need to be described, reviewed, and discussed one at a time — if not in separate PRs, at the very least in separate commits. (Cc: @vrothberg , who has more experience with Go modules.) |
|
I concur with @mtrmac. Let's break the changes into easier to digest commits. The main part is replacing trash with go mod. Once that's done and the CI passes, we can improve from there. |
praseodym
force-pushed
the
go-mod
branch
2 times, most recently
from
f57a531 to
8c65aaf
Compare
I made those changes to simplify the CI flow in an attempt to fix it, so I would prefer to say that it's failing despite of those changes 🙂 I've now removed these changes and instead added |
Well, the flow can only be simplified after it is understood :) |
praseodym
force-pushed
the
go-mod
branch
2 times, most recently
from
18354e3 to
5aa355f
Compare
praseodym
force-pushed
the
go-mod
branch
7 times, most recently
from
abf45a7 to
382ae13
Compare
|
LGTM |
|
|
||
| tools: tools.timestamp | ||
|
|
||
| tools.timestamp: Makefile | ||
| @go get -u $(BUILDFLAGS) golang.org/x/lint/golint | ||
| @go get $(BUILDFLAGS) github.com/vbatts/git-validation | ||
| @go get -u github.com/rancher/trash | ||
| @touch tools.timestamp |
There was a problem hiding this comment.
Looking at the build logs:
go get: warning: modules disabled by GO111MODULE=auto in GOPATH/src;
ignoring go.mod;
see 'go help modules'
go get: warning: modules disabled by GO111MODULE=auto in GOPATH/src;
ignoring go.mod;
see 'go help modules'
git-validation -q -run DCO,short-subject,dangling-whitespace
It would be nice to clean that up; AFAICS it comes from the tools.timestamp rule.
More importantly, the go get commands above, when run outside of GOPATH actually add the three commands as dependencies in go.mod; that seems quite undesirable (consumers of the library neither need nor want to include our testing infrastructure). Sadly, there isn’t an obvious way to bypass that (at least quickly skimming golang/go#27643 and several of the linked discussions).
I guess the closest to working is the https://stackoverflow.com/questions/53368187/go-modules-installing-go-tools solution of using an unrelated temporary working directory (except that it should use mktemp -d instead of hard-coding a single shared=possibly malicious directory).
There was a problem hiding this comment.
I think adding an explicit GO111MODULE=off should fix it.
There was a problem hiding this comment.
For now; containers/skopeo#695 says that Go 1.13 ignores that variable. But this is not my area of expertise.
There was a problem hiding this comment.
It looks like Go 1.13 only changes the behaviour of GO111MODULE=auto though:
https://github.com/golang/go/blob/ad4ed87f80c33f23bdd3767ef3208f15a1fb5c90/doc/go1.13.html#L181-L190
So explicitly setting GO111MODULE=off should still work with Go 1.13.
There was a problem hiding this comment.
Thanks, looking at the code GO111MODULE=off does seem to set at least the local flags in Go’s src/cmd/go/internal/modload/init.go and src/go/build/build.go to turn off modules, so this code should be fine.
Yet, GO111MODULE=off was exactly what Skopeo was using before containers/skopeo#695 , so I don’t quite know what is going on. Hopefully @vrothberg can help.
There was a problem hiding this comment.
Starting with Go v1.13 the variable will be ignored (since go modules are declared stable) but we still need it for backwards compat with 1.11 and 1.12.
As @mtrmac has mentioned, any go get and other go commands can potentially alter the module, so we need to be careful. What we do in buildah, for instance, is to keep the CI dependencies in a separate (sub) go module: https://github.com/containers/buildah/tree/master/tests/tools
What we do there is have a dedicated go module containing the tools for the CI that will be compiled on-demand. The code could also be downloaded on-demand, if desired. To trick go into believing we have dependencies on the tools, we have a dummy .go file with import _ "github.com/.../..." lines (https://github.com/containers/buildah/blob/master/tests/tools/tools.go).
I can take care of doing that once this PR is merged.
There was a problem hiding this comment.
Starting with Go v1.13 the variable will be ignored (since go modules are declared stable) but we still need it for backwards compat with 1.11 and 1.12.
That’s not what the code actually does AFAICT. There are quite a few checks for os.Getenv("GO111MODULE") == "off" in the codebase, even on master. Or have they dropped that check from some important place that affects these projects?
There was a problem hiding this comment.
Thanks for clarifying. I didn't actually check the go code but based my statement on the various build issues in Fedora when flipping it to v1.13. So it seems that GO111MODULE can still be turned off explicitly ... although it did not help with go build apparently.
go.mod
Outdated
| github.com/pkg/errors v0.0.0-20161029093637-248dadf4e906 | ||
| github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7 // indirect | ||
| github.com/satori/go.uuid v1.2.0 // indirect | ||
| github.com/sirupsen/logrus v1.4.1 |
There was a problem hiding this comment.
(Note for the record: This is an upgrade from v1.0.0.)
go.mod
Outdated
| github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7 // indirect | ||
| github.com/satori/go.uuid v1.2.0 // indirect | ||
| github.com/sirupsen/logrus v1.4.1 | ||
| github.com/stretchr/testify v1.2.2 |
There was a problem hiding this comment.
(Note for the record: This is an update from an untagged post-v1.1.4 commit.)
go.mod
Outdated
| golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 | ||
| golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 | ||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58 | ||
| golang.org/x/sys v0.0.0-20190804053845-51ab0e2deafa |
There was a problem hiding this comment.
(Note for the record: all of the /x/* above have been upgraded, fairly significantly.)
|
LGTM, but I’d love to see an ACK by @vrothberg , especially (but not exclusively) WRT the |
There was a problem hiding this comment.
Thanks for the ping!
I very much prefer keeping the ./vendor directory and the dependencies locally. Currently, all github.com/containers/ projects use go mod only for dependency management and not for deduping and caching builds. For backwards compat and to avoid regression with v1.13+, we need to add a conditional GO_BUILD to the Makefile (see https://github.com/containers/buildah/blob/master/Makefile#L16-L21).
| @touch tools.timestamp | ||
|
|
||
| vendor: tools.timestamp vendor.conf |
There was a problem hiding this comment.
I very much prefer keeping the vendor target. All other projects on github.com/containers do something as follows:
There was a problem hiding this comment.
I also want to preserve the having the code in ./vendor (via go mod vendor). The workflow of many folks is used to that. If some don't want it, they are free to not use make vendor.
|
|
||
| tools: tools.timestamp | ||
|
|
||
| tools.timestamp: Makefile | ||
| @go get -u $(BUILDFLAGS) golang.org/x/lint/golint | ||
| @go get $(BUILDFLAGS) github.com/vbatts/git-validation | ||
| @go get -u github.com/rancher/trash | ||
| @touch tools.timestamp |
There was a problem hiding this comment.
Starting with Go v1.13 the variable will be ignored (since go modules are declared stable) but we still need it for backwards compat with 1.11 and 1.12.
As @mtrmac has mentioned, any go get and other go commands can potentially alter the module, so we need to be careful. What we do in buildah, for instance, is to keep the CI dependencies in a separate (sub) go module: https://github.com/containers/buildah/tree/master/tests/tools
What we do there is have a dedicated go module containing the tools for the CI that will be compiled on-demand. The code could also be downloaded on-demand, if desired. To trick go into believing we have dependencies on the tools, we have a dummy .go file with import _ "github.com/.../..." lines (https://github.com/containers/buildah/blob/master/tests/tools/tools.go).
I can take care of doing that once this PR is merged.
In what cases does that make a difference? I could guess non-module-aware IDEs, perhaps.
Note that the others are applications, and we distribute the |
Some IDEs are going wild and I found it helpful when updating/analyzing dependencies; sometimes tracking down bugs.
I wasn't suggesting to commit the |
|
Sure, I’m fine with preserving the OTOH consumers of c/image will just list it in their I don’t know whether that means we should preserve the |
|
For the build to use |
|
I don’t quite see the point of doing that in the CI, the CI is going to start from a fresh checkout and it is going to have to populate |
|
@mtrmac, I am not sure I can follow then. Do you want preserve |
|
I think that definitely the CI, and probably the primary local build method, should rely on I don’t personally see preserving As for testing the vendor build in the CI in addition to the module-based build, I see that as even less important than preserving the vendor targets at all, but I’m fine with that as well, as long as it does not significantly increase the CI run time. |
|
Thanks for clarifying! Let's drop the |
|
@praseodym, are you still working on it? |
Through `go mod init github.com/containers/image` followed by `go mod tidy`. Signed-off-by: Mark Janssen <[email protected]>
Oops, I missed the review comments in rest of the discussion. I've just rebased this and addressed the one comment. |
|
LGTM. Thanks! @vrothberg I’ll leave this up to you to merge, in case there were some tricky aspects WRT updating consumers of c/image that already use Go modules. |
|
LGTM, thanks for contributing, @praseodym!
To the best of my knowledge, nothing will change. Consumers of c/image already marked it as After the merge here, I will iterate over the dependencies and check for new versions to make sure we're releasing an up to date module. |
Through
go mod init github.com/containers/imagefollowed bygo mod tidy.