-
Notifications
You must be signed in to change notification settings - Fork 38
/
apt.bzl
140 lines (108 loc) · 4.97 KB
/
apt.bzl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
"""
`apt.install` macro
This documentation provides an overview of the convenience `apt.install`
repository macro to create Debian repositories with packages "installed" in
them and available to use in Bazel.
"""
load("//apt/private:deb_resolve.bzl", _deb_resolve = "deb_resolve")
load("//apt/private:deb_translate_lock.bzl", _deb_translate_lock = "deb_translate_lock")
def _apt_install(
name,
manifest,
lock = None,
nolock = False,
package_template = None,
resolve_transitive = True):
"""Repository macro to create Debian repositories.
> [!WARNING]
> THIS IS A LEGACY MACRO. Use it only if you are still using `WORKSPACE`.
> Otherwise please use the [`apt` module extension](apt.md).
Here's an example to create a Debian repo with `apt.install`:
```starlark
# WORKSPACE
load("@rules_distroless//apt:apt.bzl", "apt")
apt.install(
name = "bullseye",
# lock = "//examples/apt:bullseye.lock.json",
manifest = "//examples/apt:bullseye.yaml",
)
load("@bullseye//:packages.bzl", "bullseye_packages")
bullseye_packages()
```
Note that, for the initial setup (or if we want to run without a lock) the
lockfile attribute can be omitted. All you need is a YAML
[manifest](/examples/debian_snapshot/bullseye.yaml):
```yaml
version: 1
sources:
- channel: bullseye main
url: https://snapshot-cloudflare.debian.org/archive/debian/20240210T223313Z
archs:
- amd64
packages:
- perl
```
`apt.install` will parse the manifest and will fetch and install the
packages for the given architectures in the Bazel repo `@<NAME>`.
Each `<PACKAGE>/<ARCH>` has two targets that match the usual structure of a
Debian package: `data` and `control`.
You can use the package like so: `@<REPO>//<PACKAGE>/<ARCH>:<TARGET>`.
E.g. for the previous example, you could use `@bullseye//perl/amd64:data`.
### Lockfiles
As mentioned, the macro can be used without a lock because the lock will be
generated internally on-demand. However, this comes with the cost of
performing a new package resolution on repository cache misses.
The lockfile can be generated by running `bazel run @bullseye//:lock`. This
will generate a `.lock.json` file of the same name and in the same path as
the YAML `manifest` file.
If you explicitly want to run without a lock and avoid the warning messages
set the `nolock` argument to `True`.
### Best Practice: use snapshot archive URLs
While we strongly encourage users to check in the generated lockfile, it's
not always possible because Debian repositories are rolling by default.
Therefore, a lockfile generated today might not work later if the upstream
repository removes or publishes a new version of a package.
To avoid this problems and increase the reproducibility it's recommended to
avoid using normal Debian mirrors and use snapshot archives instead.
Snapshot archives provide a way to access Debian package mirrors at a point
in time. Basically, it's a "wayback machine" that allows access to (almost)
all past and current packages based on dates and version numbers.
Debian has had snapshot archives for [10+
years](https://lists.debian.org/debian-announce/2010/msg00002.html). Ubuntu
began providing a similar service recently and has packages available since
March 1st 2023.
To use this services simply use a snapshot URL in the manifest. Here's two
examples showing how to do this for Debian and Ubuntu:
* [/examples/debian_snapshot](/examples/debian_snapshot)
* [/examples/ubuntu_snapshot](/examples/ubuntu_snapshot)
For more infomation, please check https://snapshot.debian.org and/or
https://snapshot.ubuntu.com.
Args:
name: name of the repository
manifest: label to a `manifest.yaml`
lock: label to a `lock.json`
nolock: bool, set to True if you explicitly want to run without a lock
and avoid the DEBUG messages.
package_template: (EXPERIMENTAL!) a template file for generated BUILD
files. Available template replacement keys are:
`{target_name}`, `{deps}`, `{urls}`, `{name}`,
`{arch}`, `{sha256}`, `{repo_name}`
resolve_transitive: whether dependencies of dependencies should be
resolved and added to the lockfile.
"""
_deb_resolve(
name = name + "_resolve",
manifest = manifest,
resolve_transitive = resolve_transitive,
)
if not lock and not nolock:
# buildifier: disable=print
print("\nNo lockfile was given, please run `bazel run @%s//:lock` to create the lockfile." % name)
_deb_translate_lock(
name = name,
lock = lock if lock else "@" + name + "_resolve//:lock.json",
package_template = package_template,
)
apt = struct(
install = _apt_install,
)