Turn on hermetic builds for mac
Issue description

Filing a bug from an email thread that hasn't gotten any traction. This is a feature that both the Mac and Infra teams have wanted for a while, so it would be nice if we could get this online now that we're so close.

"""
The mac team would like to go ahead with using hermetic builds everywhere on mac, not just on the fyi 'Chromium Mac 10.11 Force Mac Toolchain' bot. Two questions before we do that:

1) Can we tighten up the sudoers access for xcodebuild? Can we add args, so only the exact command `sudo /usr/bin/xcodebuild -license accept` can be run via sudoers, rather than any xcodebuild? I could imagine a scenario where xcodebuild could be abused on the trybots without this restriction.
2) Can we allow the sudoers xcodebuild to pass in DEVELOPER_DIR (so we can remove the xcode-select from sudoers, unless that's needed for something else?)
3) I'd love to dig into why the ruby gems require the Mac SDK. Can you share which gems fail when Xcode isn't installed?
4) If we can't remove the pre-install Xcode / delete Xcode step, can we make sure xcode-select points to the command line tools after Xcode is deleted?

Thanks! Hopefully going forward this will make things easier for ChromeMac to test out new Xcodes and SDKs without adding to infra's load!
"""
-justincohen
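
The restriction asked for in question 1 rests on a sudoers rule: a command listed with no arguments matches any arguments, while a command listed with arguments matches only those. The audit below is an added example, not code from this thread or from Chromium infra; the account name `chrome-bot` and the sample lines are constructed, and the parser is deliberately simplified (no alias expansion, line continuations or includes).

```python
import re

# The single privileged invocation the issue description wants to permit.
APPROVED = {"/usr/bin/xcodebuild": ["-license", "accept"]}
# Binaries whose sudoers rules are audited (both are named in the thread).
WATCHED = {"/usr/bin/xcodebuild", "/usr/bin/xcode-select"}

# Constructed sample; the account name "chrome-bot" is hypothetical.
SAMPLE = """\
chrome-bot ALL = (root) NOPASSWD: /usr/bin/xcodebuild
chrome-bot ALL = (root) NOPASSWD: /usr/bin/xcodebuild -license *
chrome-bot ALL = (root) NOPASSWD: /usr/bin/xcodebuild -license accept
chrome-bot ALL = (root) NOPASSWD: /usr/bin/xcode-select, /bin/ls
"""

PREFIX = re.compile(r"^(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*")  # "(runas)" and "TAG:" parts
SKIP = re.compile(r"^(#|Defaults|\w+_Alias\b)")  # comments, Defaults, alias definitions

def classify(path, args):
    """Return None if the rule is acceptable, else the reason it is too broad."""
    if path not in WATCHED:
        return None
    if not args:
        return "no argument list: sudo accepts any arguments"
    if any(ch in arg for arg in args for ch in "*?["):
        return "wildcard in arguments"
    if APPROVED.get(path) != args:
        return "not the approved invocation"
    return None

def audit(sudoers_text):
    """Return (line_no, command, reason) for each over-broad rule."""
    findings = []
    for line_no, line in enumerate(sudoers_text.splitlines(), 1):
        line = line.strip()
        if not line or SKIP.match(line) or "=" not in line:
            continue
        # Everything after the first "=" is the comma-separated command list.
        for cmnd in line.split("=", 1)[1].split(","):
            cmnd = PREFIX.sub("", cmnd.strip(), count=1)
            path, *args = cmnd.split() or [""]
            reason = classify(path, args)
            if reason:
                findings.append((line_no, cmnd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %r -> %s" % finding)
```
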
,
Apr 15 2016
Ping?
,
Apr 15 2016
Still haven't had time to dig into this. It's on my plate for next week.
,
Apr 19 2016
Ok, after re-evaluating our bootstrap scripts, it looks like just installing Xcode CommandLine Tools is enough to bootstrap the machine (gems and python modules seem to install fine contrary to when I first tried this). xcodebuild will still throw an error if called and Xcode is not installed:

xcode-select: error: tool 'xcodebuild' requires Xcode, but active developer directory '/Library/Developer/CommandLineTools' is a command line tools instance

It's worth noting that other users of Mac hosts require Xcode installed and that this new set up will cause another configuration drift, unless it's going to be broadcasted that Xcode is now part of the toolchain for all of the other Chromium projects.

I'll still need to address #2 in the OP as well as tightening up the perms for xcodebuild. I'd also like to reimage build9-m1 to have it mirror what I just tested to see if it fails in any odd way.
,
Apr 19 2016
Not having Xcode installed would be nice, since if there's an error in the hermetic scripts and Xcode is installed the compile might fall back to the installed xcode-select and weirdness may ensue.
,
Apr 19 2016
"""
It's worth noting that other users of Mac hosts require Xcode installed and that this new set up will cause another configuration drift, unless it's going to be broadcasted that Xcode is now part of the toolchain for all of the other Chromium projects.
"""

I think that we should move all Mac hosts to use hermetic builds.
,
Apr 19 2016
> Not having Xcode installed would be nice, since if there's an error in the hermetic scripts and Xcode is installed the compile might fall back to the installed xcode-select and weirdness may ensue.

So you're suggesting all Mac builders get reimaged? Because that's what that sounds like. That's not going to be a very fast process.

> I think that we should move all Mac hosts to use hermetic builds.

How could this be communicated? We (systems) don't have a list of "this is all who uses Macs in our infra".
,
Apr 19 2016
> How could this be communicated? We (systems) don't have a list of "this is all who uses Macs in our infra".

This process should be transparent (the compiled results should be indistinguishable), so we could just send email to the relevant teams [skia, blink, etc.] when we update their builders to use hermetic builds. That being said, this is not a high priority - I was just suggesting that image drift is not a requirement - the whole point of hermetic builds is to decouple compile configuration from OS image/manual bot configuration.
,
Apr 27 2016
,
Apr 27 2016
,
May 18 2016
Issue 589491 has been merged into this issue.
,
May 18 2016
Now that this has been rolling out and smut tightened up xcodebuild perms, what's left to do here from my side? I can only think of trying a freshly deployed bot without system-wide Xcode installed at all, just the CLT package.
,
May 18 2016
dba@ that would be a good test. We had to make some changes to work on systems that did have Xcode installed, so it's possible a non-XCode system is broken. Can we test an xcode-less bot on FYI?
,
May 18 2016
I can set one up, or is there one that I could just redeploy? Also, do we need to be testing different OS X versions? I believe we've only been testing 10.11.
,
May 18 2016
I reverted the config for 'Chromium 10.11 Force Mac Toolchain' here: https://codereview.chromium.org/1946023004/diff/1/scripts/slave/recipe_modules/chromium_tests/chromium_fyi.py Perhaps we can put it back, and reuse that?
,
May 20 2016
That's a lot of bots, I'd rather just target a couple of bots with each version (10.9, 10.10, and 10.11). I know that's FYI and all.. but I'd rather not break a large amount of them.
,
May 20 2016
I am suggesting only testing on the 'Chromium 10.11 Force Mac Toolchain' bot.
,
May 20 2016
Sorry, it wasn't clear from that CL where it touched a bunch of other things.
,
May 20 2016
Redeployed build9-m1 with no system Xcode. However it looks like it's been failing runs for a while.
,
May 21 2016
I reverted the config in cl 1946023004 when hermetic was enabled everywhere. Sent over https://codereview.chromium.org/2005523003/ to get the config back. Thanks!
,
May 24 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/tools/build.git/+/772692cbb72e1195ed8d3386c098281ef480d6f5

commit 772692cbb72e1195ed8d3386c098281ef480d6f5
Author: justincohen <justincohen@chromium.org>
Date: Tue May 24 21:51:45 2016

Restore Force Mac Toolchain config.

BUG= 601506
Review-Url: https://codereview.chromium.org/2005523003

[modify] https://crrev.com/772692cbb72e1195ed8d3386c098281ef480d6f5/scripts/slave/recipe_modules/chromium_tests/chromium_fyi.py
[add] https://crrev.com/772692cbb72e1195ed8d3386c098281ef480d6f5/scripts/slave/recipes/chromium.expected/full_chromium_fyi_Chromium_Mac_10_11_Force_Mac_Toolchain.json
,
May 25 2016
Looks like the nacl integration script fails on the true xcodeless bot, I'll take a look: https://build.chromium.org/p/chromium.fyi/builders/Chromium%20Mac%2010.11%20Force%20Mac%20Toolchain/builds/3223

Everything else looks green.
,
May 27 2016
nacl_integration looks green now: https://build.chromium.org/p/chromium.fyi/builders/Chromium%20Mac%2010.11%20Force%20Mac%20Toolchain/builds/3238

phajdan@ landed a fix to pass env to test bots here: https://codereview.chromium.org/2014373002
,
Jun 1 2016
The following revision refers to this bug:
https://chrome-internal.googlesource.com/infra/puppet/+/ae84ed8b45bc5c7de4bcfd22d802c8f8fd32f083

commit ae84ed8b45bc5c7de4bcfd22d802c8f8fd32f083
Author: smut <smut@google.com>
Date: Wed Apr 27 21:27:31 2016
,
Jun 1 2016
The following revision refers to this bug:
https://chrome-internal.googlesource.com/infra/puppet/+/b39e7a5abe37393da49d46cf48a9e6c24ad9c9eb

commit b39e7a5abe37393da49d46cf48a9e6c24ad9c9eb
Author: smut <smut@google.com>
Date: Fri May 06 19:18:58 2016
,
Jun 17 2016
The following revision refers to this bug:
https://chrome-internal.googlesource.com/chrome/tools/build_limited/scripts/slave/+/fac06be1b9367e675daba4c163c4184ab862326b

commit fac06be1b9367e675daba4c163c4184ab862326b
Author: recipe-roller <recipe-roller@chromium.org>
Date: Tue May 24 21:58:32 2016
,
Aug 3 2016
Don't think there's anything else for me to do here. Justin - feel free to dupe this if you've got another bug you're doing this work in.
,
Sep 19 2016
Comment 1 by d...@chromium.org, Apr 7 2016
Status: Assigned (was: Untriaged)