x/build: make GOROOT read-only before running tests #30316
Comments
|
Is it better to catch regressions to #28387 by making builders have a read-only GOROOT and hope that tests fail if they try to write, or by having a writeable GOROOT and try to verify (after tests have finished running) that GOROOT hasn't been modified? I'm not sure if it's viable to do the latter, but I wanted to ask so that we consider it. |
After the tests have finished we destroy the VM, so not point restoring write access moments before death. |
|
@dmitshur, we could do both, but it is more important to run with a read-only GOROOT and check for failing tests: tests that leave changes behind are easy for developers to detect (via The latter category is still harmful, since they will fail when users run Ephemeral changes can also interfere with proper cache invalidation, so we should avoid them even if GOROOT is writable. |
|
(It occurs to me, though, that we already have a “files opened” check in the cache subsystem. Probably we should check for — and reject — file writes in GOROOT explicitly there.) |
|
The buildlet already has a recursive file list endpoint, so the build system could also just look at all files before & after a test run to see if there are any differences. This is what x/build/cmd/gomote does to decide how to incrementally push files from developer machines to buildlets. That might be faster in that it's only doing read operations and not writes. |
|
As noted above, merely looking at the files before and after the test run is not sufficient: we don't want tests to make ephemeral changes, even if they back them out before exiting. |
|
Ah, sorry, missed that comment. |
|
Change https://golang.org/cl/163477 mentions this issue: |
bcmills
added
the
NeedsFix
Updates #30316 Change-Id: I57e489f6bbe4a3b39c907dabe5ac41fb9939cdb4 Reviewed-on: https://go-review.googlesource.com/c/go/+/163477 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
Change https://golang.org/cl/189537 mentions this issue: |
|
At least the contents of go1.13beta1.linux-amd64.tar.gz tarball from https://golang.org/dl/ is read-only, is that an intentional side-effect? I noticed this when trying to use |
Since go commit 02d24fc25285, the GOROOT directory has been made read-only, this affects the go1.13beta1 binary tarball as used by Travis CI. See golang/go#30316
|
@Lekensteyn, see #33537. |
Binary releases need to build Go and include binaries such as bin/go, bin/gofmt, and others. Previously, this was accomplished by running all.bash script for some GOOS/GOARCH pairs, and make.bash for others where it wasn't viable to run tests as part of the release process. This change makes the release process more consistent by always packaging the release archive file after running make.bash. We still run all.bash in situations where it was previously run, but we do so after the release file has already been created. This avoids the risk of any changes to GOROOT that may occur as part of all.bash (including changing file permissions to be read-only) being included in the final release file. Add a step to check that files in the buildlet's $WORKDIR/go and $WORKDIR/go/bin directories have expected permissions before creating the release file. Fixes golang/go#33537 Updates golang/go#30316 Change-Id: I7d40716dba656a8aca711377f2995df4880166c5 Reviewed-on: https://go-review.googlesource.com/c/build/+/189537 Reviewed-by: Andrew Bonventre <andybons@golang.org>
Since go commit 02d24fc25285, the GOROOT directory has been made read-only, this affects the go1.13beta1 binary tarball as used by Travis CI. See golang/go#30316
|
Making |
|
Change https://golang.org/cl/206458 mentions this issue: |
Otherwise, the test cannot create new files in the directory. Updates #32407 Updates #30316 Change-Id: Ief0df94a202be92f57d458d4ab4e4daa9ec189b1 Reviewed-on: https://go-review.googlesource.com/c/go/+/206458 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Is that also true for reverse builders (such as |
|
The other reason to restore access, of course, is so that we can test this behavior locally without infuriating ourselves. (I should be able to run |
|
Change https://golang.org/cl/206757 mentions this issue: |
|
Change https://golang.org/cl/206758 mentions this issue: |
|
Bingo: all of our (https://storage.googleapis.com/go-build-log/726e41e1/linux-amd64_acf59a73.log) |
|
Change https://golang.org/cl/208124 mentions this issue: |
|
|
The bash script that drives this test needs to know whether the fortran compiler works, but it doesn't actually care about the generated binary. Write that binary to /dev/null. Updates #28387 Updates #30316 Change-Id: I4f86da1aeb939fc205f467511fc69235a6a9af26 Reviewed-on: https://go-review.googlesource.com/c/go/+/208124 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
One of the 'go build' commands executed by this test passed the '-i' flag, which caused the 'go' command to attempt to install transitive standard-library dependencies to GOROOT/pkg/$GOOS_$GOARCH_dynlink. That failed if GOROOT/pkg was not writable (for example, if GOROOT was owned by the root user, but the user running the test was not root). As far as I can tell the '-i' flag is not necessary in this test. Prior to the introduction of the build cache it may have been an optimization, but now that the build cache is required the '-i' flag only adds extra work. Updates #30316 Change-Id: Ib60080a008c1941aa92b5bdd5a194d89fd6202aa Reviewed-on: https://go-review.googlesource.com/c/go/+/208120 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
|
Change https://golang.org/cl/208232 mentions this issue: |
Also add a -testwork flag to facilitate debugging the test itself. Three of the tests of this package invoked 'go install -i -buildmode=c-archive' in order to generate an archive as well as multiple C header files. Unfortunately, the behavior of the '-i' flag is inappropriately broad for this use-case: it not only generates the library and header files (as desired), but also attempts to install a number of (unnecessary) archive files for transitive dependencies to GOROOT/pkg/$GOOS_$GOARCH_shared, which may not be writable — for example, if GOROOT is owned by the root user but the test is being run by a non-root user. Instead, for now we generate the header files for transitive dependencies separately by running 'go tool cgo -exportheader'. In the future, we should consider how to improve the ergonomics for generating transitive header files without coupling that to unnecessary library installation. Updates #28387 Updates #30316 Updates #35715 Change-Id: I3d483f84e22058561efe740aa4885fc3f26137b5 Reviewed-on: https://go-review.googlesource.com/c/go/+/208117 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
The tests in this package invoked 'go install -i -buildmode=c-shared' in order to generate an archive as well as multiple C header files. Unfortunately, the behavior of the '-i' flag is inappropriately broad for this use-case: it not only generates the library and header files (as desired), but also attempts to install a number of (unnecessary) archive files for transitive dependencies to GOROOT/pkg/$GOOS_$GOARCH_testcshared_shared, which may not be writable — for example, if GOROOT is owned by the root user but the test is being run by a non-root user. Instead, for now we generate the header files for transitive dependencies separately by running 'go tool cgo -exportheader'. In the future, we should consider how to improve the ergonomics for generating transitive header files without coupling that to unnecessary library installation. Updates #28387 Updates #30316 Updates #35715 Change-Id: I622426a860828020d98f7040636f374e5c766d28 Reviewed-on: https://go-review.googlesource.com/c/go/+/208119 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
Previously, 'go test -v' in this directory would result in a massive dump of go command output, because the test plumbed -v to 'build -x'. This change separates them into distinct flags, so that '-v' only implies the display of default 'go' command output. Updates #30316 Change-Id: Ifb125f35ec6a0bebe7e8286e7c546d132fb213df Reviewed-on: https://go-review.googlesource.com/c/go/+/208232 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
Change https://golang.org/cl/208482 mentions this issue: |
|
Change https://golang.org/cl/208481 mentions this issue: |
|
Change https://golang.org/cl/208483 mentions this issue: |
It turns out that the relative-path support never worked in the first place. It had been masked by the fact that we ~never invoke overlayDir with an absolute path, which caused filepath.Rel to always return an error, and overlayDir to always fall back to absolute paths. Since the absolute paths seem to be working fine (and are simpler), let's stick with those. As far as I can recall, the relative paths were only a space optimization anyway. Updates #28387 Updates #30316 Change-Id: Ie8cd28f3c41ca6497ace2799f4193d7f5dde7a37 Reviewed-on: https://go-review.googlesource.com/c/go/+/208481 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Jay Conrod <jayconrod@google.com>
Otherwise, these tests produce no output, which can make the overall output of all.bash a bit tricky to decipher. Updates #30316 Updates #29062 Change-Id: I33b9e070fd28b9f21ece128e9e603a982c08b7cc Reviewed-on: https://go-review.googlesource.com/c/go/+/208483 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Jay Conrod <jayconrod@google.com>
|
As of CL 208482, Specifically, I tested with: I believe that the main ( |
Instead of installing shared libraries to GOROOT/pkg, clone the necessary files into a new GOROOT and run there. Given that we now have a build cache, ideally we should not need to install into GOROOT/pkg at all, but we can't fix that during the 1.14 code freeze. Updates #28387 Updates #28553 Updates #30316 Change-Id: I83084a8ca29a5dffcd586c7fccc3f172cac57cc6 Reviewed-on: https://go-review.googlesource.com/c/go/+/208482 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Jay Conrod <jayconrod@google.com>
|
Change https://golang.org/cl/223745 mentions this issue: |
The existing test attempted to remove '_race' binaries from GOROOT/pkg, which could not only fail if GOROOT is read-only, but also interfere with other tests run in parallel. Updates #30316 Updates #37573 Updates #17751 Change-Id: Id7e2286ab67f8333baf4d52244b7f4476aa93a46 Reviewed-on: https://go-review.googlesource.com/c/go/+/223745 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Jay Conrod <jayconrod@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
|
Change https://golang.org/cl/223746 mentions this issue: |
|
Change https://golang.org/cl/223747 mentions this issue: |
The missing brace made the 'stale' command a no-op in the non-error case. Fix the 'short' skip in install_cross_gobin (it was backward) and update it to no longer check staleness of a not-necessarily-stale target and to no longer expect to be able to install into GOROOT/pkg. (This was missed in #30316 because that part of the test was erroneously skipped in non-short mode.) Change-Id: I6a276fec5fa5e5da3fe0daf0c2b5086116ed7c1a Reviewed-on: https://go-review.googlesource.com/c/go/+/223747 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
|
Change https://golang.org/cl/223919 mentions this issue: |
Use that operator to make test_race_install_cgo agnostic to whether GOROOT/pkg is writable. Updates #37573 Updates #30316 Change-Id: I018c63b3c369209345069f917bbb3a52179e2b58 Reviewed-on: https://go-review.googlesource.com/c/go/+/223746 Reviewed-by: Jay Conrod <jayconrod@google.com>
|
Change https://golang.org/cl/225897 mentions this issue: |
Installing to GOROOT makes tests non-parallelizable, since each test depends on the installed contents of GOROOT already being up-to-date and may reasonably assume that those contents do not change over the course of the test. Fixes #37573 Updates #30316 Change-Id: I2afe95ad11347bee3bb7c2d77a657db6d691cf05 Reviewed-on: https://go-review.googlesource.com/c/go/+/225897 Reviewed-by: Michael Matloob <matloob@golang.org>
This comment was marked as resolved.
This comment was marked as resolved.
When #28387 is fixed, we should make sure that it doesn't regress.
Can we configure the builders to make GOROOT read-only before they invoke
run.bash, and perhaps restore write permissions after the tests have finished?(CC @bradfitz @dmitshur)
The text was updated successfully, but these errors were encountered: