RFC: *: move away from rules_nixpkgs

This is an attempt to see how well we do without rules_nixpkgs. rules_nixpkgs has the following problems: - complicates our build system significantly (generated external repository indirection for picking local/nix python and go) - creates builds that cannot run on production (as they are tainted by /nix/store libraries) - is not a full solution to the bazel hermeticity problem anyway, and we'll have to tackle that some other way (eg. by introducing proper C++ cross-compilation toolchains and building everything from C, including Python and Go) Instead of rules_nixpkgs, we ship a shell.nix file, so NixOS users can just: jane@hacker:~/hscloud $ nix-shell hscloud-build-chrootenv:jane@hacker:~/hscloud$ prodaccess This shell.nix is in a way nicer, as it immediately gives you all tools needed to access production straight away. Change-Id: Ieceb5ae0fb4d32e87301e5c99416379cedc900c5
2021-02-13 13:16:10 +01:00 · 2021-02-13 13:16:10 +01:00 · 4b613303b1
parent 55cc9ab177
commit 4b613303b1
5 changed files with 4 additions and 212 deletions
--- a/27
+++ b/27
@ -25,21 +25,6 @@ http_archive(
    sha256 = "e46612e9bb0dae8745de6a0643be69e8665a03f63163ac6610c210e80d14c3e4",
 )
 # Load and setup Nixpkgs, if Nix is present on the build system.
 http_archive(
    name = "io_tweag_rules_nixpkgs",
    strip_prefix = "rules_nixpkgs-dc24090573d74adcf38730422941fd69b87682c7",
    urls = ["https://github.com/tweag/rules_nixpkgs/archive/dc24090573d74adcf38730422941fd69b87682c7.tar.gz"],
    sha256 = "aca86baa64174478c57f74ed09d5c2313113abe94aa3af030486d1b14032d3ed",
 )
 load("//third_party/nix:repository_rules.bzl", "hscloud_setup_nix")
 hscloud_setup_nix(
    revision = "1179841f9a88b8a548f4b11d1a03aa25a790c379",
    sha256 = "8b64041bfb9760de9e797c0a985a4830880c21732489f397e217d877edd9a990",
 )
 # Download Go/Gazelle rules
 http_archive(
    name = "io_bazel_rules_go",
@ -69,9 +54,9 @@ load("@rules_python//python:pip.bzl", "pip_repositories")
 pip_repositories()
-load("@hscloud_pip_imports//:imports.bzl", "hscloud_pip3_import")
+load("@rules_python//python:pip.bzl", "pip3_import")
-hscloud_pip3_import(
+pip3_import(
    name = "pydeps",
    requirements = "//third_party/py:requirements.txt",
 )
@ -81,12 +66,8 @@ load("@pydeps//:requirements.bzl", "pip_install")
 pip_install()
 # Setup Go toolchain.
-# This workspace is generated by hscloud_setup_nixpkgs. It will either call
+load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains")
-# go_register_toolchains() to automagically get Go toolchains from the Internet
+go_register_toolchains()
 # or, if nix is present, instead setup a toolchain from nixpkgs.
 load("@hscloud_go_toolchain//:imports.bzl", "hscloud_go_register_toolchains")
 hscloud_go_register_toolchains()
 # IMPORTANT: match protobuf version above with the one loaded by grpc
 http_archive(
--- a/cluster/tools/BUILD
+++ b/cluster/tools/BUILD
@ -31,12 +31,6 @@ copy_go_binary(
    visibility = ["//visibility:public"],
 )
 sh_binary(
    name = "nixops",
    srcs = ["nixops.sh"],
    data = ["@nixops//:bin", "//tools:secretstore"],
 )
 sh_binary(
    name = "rook-s3cmd-config",
    srcs = ["rook-s3cmd-config.sh"],
--- a/third_party/nix/BUILD
+++ b/third_party/nix/BUILD
@ -1,29 +0,0 @@
 load("@rules_python//python:defs.bzl", "py_runtime_pair")
 # Python toolchain definition that uses //third_party/nix:python.nix (via
 # external repository).
 py_runtime(
    name = "py3_runtime",
    interpreter = "@hscloud_nix_python3//:python3",
    python_version = "PY3",
 )
 py_runtime(
    name = "py2_runtime",
    interpreter = "@hscloud_nix_python2//:python2",
    python_version = "PY2",
 )
 py_runtime_pair(
    name = "py_runtime_pair",
    py2_runtime = ":py2_runtime",
    py3_runtime = ":py3_runtime",
 )
 toolchain(
    name = "py_toolchain",
    toolchain = ":py_runtime_pair",
    toolchain_type = "@rules_python//python:toolchain_type",
 )
--- a/third_party/nix/python.nix
+++ b/third_party/nix/python.nix
@ -1,46 +0,0 @@
 # This is a Python interpreter wrapper that's passed to pip3_import under
 # NixOS.
 # It allows us to build some pip wheels under NixOS that require special
 # system libraries. This is quite hacky, it would be much better if we could
 # somehow tell pip3_import that a given package needs to be built within a
 # given environment.
 with import <nixpkgs> {};
 let
  # We use mkDerivation instead of writeScript or writeScriptBin as we need a
  # derivation that both:
  # - has a directory structure (for rules_nixpkgs to be able to use it)
  # - has the Python interpreter directly in that structure and not in bin/, as
  #   rules_python's pip3_import interpreter_path requires a file target, and
  #   will not take an alias. Meanwhile, rules_nixpkgs only creates a BUILD file
  #   in the root path of the external repository (which is populated with a
  #   symlink tree from the nix derivation), so we can onlly directly reference
  #   file in the root of a Nix derivation.
  generic = package: binary:  stdenv.mkDerivation {
    name = "${binary}-wrapper";
    version = "1.0";
    src = ./.;
    unpackPhase = "";
    buildPhase = ''
      mkdir -p $out
      cat > $out/${binary} <<EOF
 #!/bin/bash
 # pyscopg wants libpq, and uses pg_config to find paths. Inject pg_config into
 # the Python interpreter's path.
 export PATH="${pkgs.postgresql}/bin:\$PATH"
 exec ${package}/bin/${binary} "\$@"
 EOF
    '';
    installPhase = ''
      chmod +x $out/${binary}
    '';
  };
 in {
  # Add cffi for import _cffi_backend in `cryptography` to work.
  python2 = generic (pkgs.python27.withPackages (ps: with ps; [ cffi ])) "python2";
  python3 = generic (pkgs.python37.withPackages (ps: with ps; [ cffi ])) "python3";
 }
--- a/third_party/nix/repository_rules.bzl
+++ b/third_party/nix/repository_rules.bzl
@ -1,108 +0,0 @@
 load("@io_tweag_rules_nixpkgs//nixpkgs:repositories.bzl", "rules_nixpkgs_dependencies")
 load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_git_repository", "nixpkgs_package")
 def has_nix(ctx):
    return ctx.which("nix-build") != None
 def _hscloud_gen_go_imports_impl(ctx):
    ctx.file("BUILD", "")
    imports_for_nix = """
 load("@io_tweag_rules_nixpkgs//nixpkgs:toolchains/go.bzl", "nixpkgs_go_configure")
 def hscloud_go_register_toolchains():
    nixpkgs_go_configure(repository = "@nixpkgs")
 """
    imports_for_non_nix = """
 load("@io_bazel_rules_go//go:deps.bzl", "go_rules_dependencies", "go_register_toolchains")
 def hscloud_go_register_toolchains():
    go_register_toolchains()
 """
    if has_nix(ctx):
        ctx.file("imports.bzl", imports_for_nix)
    else:
        ctx.file("imports.bzl", imports_for_non_nix)
 # Generate repository containing either a call to go_register_toolchains() or
 # nixpkgs_go_configure(), depending on nix presence.
 hscloud_gen_go_imports = repository_rule(
    implementation = _hscloud_gen_go_imports_impl,
    attrs = dict(),
 )
 def _hscloud_gen_pip_imports_impl(ctx):
    ctx.file("BUILD", "")
    # For Nix, we have to both pass our interpreter to pip3_import, and also
    # register it as a toolchain.
    imports_for_nix = """
 load("@rules_python//python:pip.bzl", "pip3_import")
 def hscloud_pip3_import(name, requirements):
    pip3_import(
        name = name,
        requirements = requirements,
        python_interpreter_target = "@hscloud_nix_python3//:python3",
    )
    native.register_toolchains("//third_party/nix:py_toolchain")
 """
    imports_for_non_nix = """
 load("@rules_python//python:pip.bzl", "pip3_import")
 def hscloud_pip3_import(name, requirements):
    pip3_import(
        name = name,
        requirements = requirements,
    )
 """
    if has_nix(ctx):
        ctx.file("imports.bzl", imports_for_nix)
    else:
        ctx.file("imports.bzl", imports_for_non_nix)
 # Generate repository containing a wrapped pip3_import that either uses the
 # host Python interpreter or one from nixpkgs, depending on nix presence.
 hscloud_gen_pip_imports = repository_rule(
    implementation = _hscloud_gen_pip_imports_impl,
    attrs = dict(),
 )
 def hscloud_setup_nix(revision, sha256):
    rules_nixpkgs_dependencies()
    nixpkgs_git_repository(
        name = "nixpkgs",
        revision = "1179840f9a88b8a548f4b11d1a03aa25a790c379",
        sha256 = "8b64041bfb9760de9e797c0a985a4830880c21732489f397e217d877edd9a990",
    )
    # Load python from nixpkgs. Python is a large source of non-hermiticity,
    # and loading it from nix vastly hermeticizes the build - well, at least to
    # also be dependent on this Nix store state. That's still better than just
    # grabbing whatever random system Python a user might have.
    nixpkgs_package(
        name = "hscloud_nix_python2",
        repositories = { "nixpkgs": "@nixpkgs//:default.nix" },
        nix_file = "//third_party/nix:python.nix",
        attribute_path = "python2",
        build_file_content = """
 package(default_visibility = ["//visibility:public"])
 exports_files(["python2"])
        """,
    )
    nixpkgs_package(
        name = "hscloud_nix_python3",
        repositories = { "nixpkgs": "@nixpkgs//:default.nix" },
        nix_file = "//third_party/nix:python.nix",
        attribute_path = "python3",
        build_file_content = """
 package(default_visibility = ["//visibility:public"])
 exports_files(["python3"])
        """,
    )
    # Generate a Go toolchain setup workspace rule.
    hscloud_gen_go_imports(
        name = "hscloud_go_toolchain",
    )
    hscloud_gen_pip_imports(
        name = "hscloud_pip_imports",
    )