-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build manylinux wheels (including aarch64) with Zuul #5386
Conversation
35193ce
to
40937ac
Compare
Build failed (check pipeline). For information on how to proceed, see
|
recheck |
460ad73
to
b81b893
Compare
Build failed (check pipeline). For information on how to proceed, see
|
08c5958
to
66a0903
Compare
Build succeeded (check pipeline).
|
66a0903
to
652e1e1
Compare
Build succeeded (check pipeline).
|
This is temporarily blocked on the fact that the manylinux 2014 wheel building images don't seem to specify page size, so it compiles binaries that don't work on all systems. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to have this be a job we trigger via some API call? Our workflow for release involves pushing a tag to GitHub, uploading the sdist, then triggering the wheel building process (to ensure that the wheel builders pull the sdist and not ). As part of this we normally specify a version to build via an API call and then download the built artifacts. I see we can access artifacts from Zuul, but the trigger mechanism is unclear to me right now.
.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh
Outdated
Show resolved
Hide resolved
.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh
Outdated
Show resolved
Hide resolved
.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml
Outdated
Show resolved
Hide resolved
.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/files/build-wheels.sh
Outdated
Show resolved
Hide resolved
Not really; you can see the pipelines Zuul is configured to run and the events that trigger that at https://opendev.org/pyca/project-config/src/branch/master/zuul.d/pipelines.yaml
So the way that Zuul would handle this is we need to add a pipeline to listen for pushes matching For example, you can see how the main openstack release pipeline is configured at https://opendev.org/openstack/project-config/src/branch/master/zuul.d/pipelines.yaml#L164 basically whenever openstack projects push tags, the projects all have a bunch of common jobs that live in that pipeline to create and publish source tarballs, push documentation, upload to pypi, etc. The only trick here is that there's nowhere for Zuul to report. These jobs will appear in https://zuul.opendev.org/t/pyca/builds but you do have to know to look there.
"and not the git source" I guess you mean? This bit I need to get my head around. I mean, it's software we can do anything and figure out how to pull a sdist I'm sure :) But the Zuul job will be running on the source code at the pushed tag. I feel like we should really try to build from that for repeatability; if we're pulling an sdist made somewhere else we have windows for things to go wrong. |
86d5b9a
to
39ced13
Compare
6d3462d
to
4aa27c8
Compare
So this now makes an Although there's no API as such, Zuul administrators can enqueue changes against a particular ref; i.e. we could enqueue this job against existing tags and build wheels for current releases if this is of interest. As discussed above, we can also get this to watch for new tag pushes and build wheels there too. |
Ok, we now have an officla manylinux2014 aarch64 wheel building docker image: https://hub.docker.com/r/pyca/cryptography-manylinux2014_aarch64 |
06d29cf
to
14d5159
Compare
@alex @reaperhulk Thanks for your interest in this I believe this is ready for review now, and is generating good wheels from the sdist, doing basic sanity checks, and publishing them. If this is accepted and merged, I can manually trigger these jobs to run against the 3.0 tag and thus produce aarch64 wheels which could be uploaded manually (manually injecting events like this requires Zuul command-line access, so can only be done by administrators). I believe this would be of great help to everyone struggling with slowish arm64 deployments right now. For the future, you will see I put the jobs in the Zuul has roles for automated uploading to pypi (https://zuul-ci.org/docs/zuul-jobs/python-roles.html#role-upload-pypi) which is used by all openstack/opendev projects doing releases, and I'd be happy to discuss this further if it is of interest. It would likely mean giving the user openstackci permission to upload. Thanks! |
pythons: | ||
- cp35-cp35m | ||
|
||
- job: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this? We currently build our x86-64 wheels elsehwere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was a deliberate choice on my behalf to make sure the playbooks/roles are (and remain) suitable for multi-arch and multi-python builds in general
- pyca-cryptography-build-wheel-arm64 | ||
- pyca-cryptography-build-wheel-x86_64 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We dont' usually run our wheel builder tasks in CI... though I guess there's no reason we couldn't. WDYT @reaperhulk ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say that this does ensure when it comes time to push a tag, you can be sure there's no surprises that you've broken something in the mean time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have an objection to this happening provided we have the concurrency for it not to hurt our CI turnaround time.
.zuul.playbooks/playbooks/wheel/roles/build-wheel-manylinux/tasks/main.yaml
Outdated
Show resolved
Hide resolved
This adds the Zuul playbooks and role to build manylinux wheels for aarch64 and x86_64 (while aarch64 is the primary goal; it's good for the overall code to keep it flexible). It first builds an sdist from the checkout and then builds the wheels in the appropriate containers. Note this adds the jobs in the gate pipeline, which currently responds to Pull Requests, and the release pipeline, which responds to pushes to refs/tags/.* (see [1]). Note for results of jobs run against tags you will need to find the job directly from https://zuul.opendev.org/t/pyca/builds because there is nowhere to report the results as such (it could be configured to send an email). The wheels are published to the wheelhouse/ directory in the Zuul logs, which is also listed as an artifact on the build results page. [1] https://review.opendev.org/748323
14d5159
to
d968c3e
Compare
pep8 failure is a black release occurring since we don't pin that. #5429 will fix it. |
Ok, |
No need to rebase, just restarted the job in this case. |
Build manylinux wheels with Zuul
This adds the Zuul playbooks and role to build manylinux wheels for
aarch64 and x86_64 (while aarch64 is the primary goal; it's good for
the overall code to keep it flexible).
It first builds an sdist from the checkout and then builds the wheels
in the appropriate containers.
Note this adds the jobs in the gate pipeline, which currently responds
to Pull Requests, and the release pipeline, which responds to pushes
to refs/tags/.* (see [1]). Note for results of jobs run against tags
you will need to find the job directly from
https://zuul.opendev.org/t/pyca/builds
because there is nowhere to report the results as such (it could be
configured to send an email).
The wheels are published to the wheelhouse/ directory in the Zuul
logs, which is also listed as an artifact on the build results page.
[1] https://review.opendev.org/748323