DM-37759: Rework container build workflows. #51
Conversation
ktlim
force-pushed
the
tickets/DM-37759
branch
14 times, most recently
from
5db103a to
df133e7
Compare
There was a problem hiding this comment.
I think I follow the changes to the base container (though atomic commits would have made it easier), but I'm confused about how the service container is supposed to work. If we want to build the service container with a branch build of the base container, do we have to modify build-service.yaml?
| type: string | ||
| makeLatest: | ||
| description: 'Push container with "latest" tag' | ||
| required: false |
There was a problem hiding this comment.
Why isn't this input required? With a boolean I would have thought default=false would be safer.
There was a problem hiding this comment.
I was concerned that marking it "required" would put a red asterisk in the input box which would somehow suggest to users that they always needed to check the box.
.github/workflows/build-base.yml
Outdated
| docker push $IMAGE_ID:$VERSION | ||
| [[ -n "$STACK_TAG" ]] || STACK_TAG="d_latest" | ||
| MAKE_LATEST="${{ inputs.makeLatest }}" | ||
| [[ -n "$MAKE_LATEST" ]] || MAKE_LATEST="true" |
There was a problem hiding this comment.
It looks like this defaults MAKE_LATEST to true; is this intended? If I try manually running the build action, the box starts unchecked, which I would expect to mean default false.
There was a problem hiding this comment.
I think it's always true or false, but you're right that I should make it false if empty. I think I was trying to emulate the previous behavior.
| for IMAGE_ID in "ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME" "us-central1-docker.pkg.dev/prompt-proto/prompt/$IMAGE_NAME"; do | ||
| if [ "$BRANCH" == "main" ]; then | ||
| VERSION="$STACK_TAG" |
There was a problem hiding this comment.
This applies "d_latest" or "w_latest". I take it that's the best we can do, and we should still look at the container manifest to get the exact stack version?
There was a problem hiding this comment.
I will add code to also tag with the actual eups tag.
.github/workflows/build-service.yml
Outdated
| stackTag: ${{ fromJSON(needs.matrix-gen.outputs.matrix) }} | ||
| env: | ||
| IMAGE_NAME: prompt-proto-service | ||
| STACK_TAG: ${{ matrix.stackTag }} |
There was a problem hiding this comment.
Maybe call it BASE_TAG, to disambiguate the container label (e.g., DM-37759-w_2023_06 or latest) from the actual Stack designation (w_2023_06 or d_latest)?
ktlim
force-pushed
the
tickets/DM-37759
branch
4 times, most recently
from
11904e7 to
3fca267
Compare
|
As to building against a branch of the base, the ticket calls out this case as unavailable. Since the base container is just a few third-party additions to the stack container, not including any of the code in this repo, I thought it was acceptable to only allow versions of it based on |
ktlim
force-pushed
the
tickets/DM-37759
branch
from
3fca267 to
3fb8d1b
Compare
Then I didn't understand the original description. I can think of two cases off the top of my head where we wouldn't want to use the
Right now, it looks like supporting either of these cases requires temporarily editing |
| echo "d_latest" > lsst.docker.tag | ||
| echo "d_latest" > stack.tag | ||
| fi | ||
| docker run lsstsqre/centos:"$(< lsst.docker.tag)" bash -c "cat stack/miniconda*/ups_db/global.tags" > eups.tag |
There was a problem hiding this comment.
Is this procedure guaranteed to return just one tag? How does it compare to reading the EUPS_TAG label from the container itself? (Apologies for my lack of Docker fluency; I really don't know what the tradeoffs are!)
There was a problem hiding this comment.
The Science Pipelines base containers don't have an appropriate label, as far as I can tell, and I believe retrieving that label would require downloading the whole container anyway. Since we need the container for the build, downloading it and running a command in it is not much additional expense.
For these containers, because of the way they're built, it is guaranteed that there will only be one tag.
The first case was the intended target. We would add a "stable" stack version to The second case — testing changes made to the base container build by building the service on top and testing at the service level — was not intended to be supported. The base container only has small third-party dependency additions to the stack container, none of which actually involve code from this repo. So I figured it didn't need extensive testing, and in particular not testing by running the service. Building a branch version, checking (manually) that the dependency is available and functional, and then merging prior to developing service code that requires it seemed to me to be good enough. |
Can you add a usage comment, then? In particular, the fact that we would keep using the "stable" base for an extended period of time is not obvious to anyone used to the old workflow.
I don't think such minimal tests have been sufficient in the past, but I suspect I'm not going to change your mind on this. I'll withdraw my objection to merging as-is. |
|
I added some documentation for If there are dependency installations that are service-branch-specific and need to be tested via the service, they can be added to |
2 participants
No description provided.