Page MenuHomePhabricator
Create Task
Maniphest T112560

[tracking] Disposable VMs need a cache for package managers
Closed, ResolvedPublic
Actions

Description

@dduvall raised the concern that the one off instances would lack caching. Currently for pip/npm/bundle we point the caches to the jenkins-bot and it is being reused by builds. With Nodepool, there is no cache which would force us to download from the package managers.

Some ideas:

  • a shared NFS directory, but the cache can easily be poisoned, corrupted.
  • observes dependencies being used, collect them and build a cache daily. Share it via a read-only NFS dir. A couple problems: that needs work to collect the deps, package managers would attempt to write to the read-only cache dir whenever there is a dep which is not fulfilled.
  • Use a proxy. Beside setting up the proxy itself, the jobs would need http_proxy / https_proxy to be set. The compiled packages would most likely not be cached though :-/

Details

ProjectBranchLines +/-Subject
integration/configmaster+5 -1Enable castor on rake-jessie
integration/configmaster+2 -0Enable castor on tox-jessie job
integration/configmaster+2 -0Enable castor on tox-{toxenv}-jessie jobs
integration/configmaster+2 -1Enable castor on {name}-tox-{toxenv}-jessie jobs
integration/configmaster+140 -0castor: package managers cache storage
Customize query in gerrit

Related Objects
Search...

Event Timeline

hashar created this task.Sep 14 2015, 6:23 PM
hashar raised the priority of this task from to Needs Triage.
hashar updated the task description. (Show Details)
hashar added a project: Continuous-Integration-Scaling.
hashar added subscribers: hashar, dduvall, zeljkofilipin.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2015, 6:23 PM
hashar mentioned this in T112561: Evaluate angry-caching-proxy as a package managers cache.Sep 14 2015, 6:24 PM
JanZerebecki added a subscriber: JanZerebecki.Sep 14 2015, 7:19 PM
hashar added a comment.Sep 15 2015, 9:57 PM

Discussing with OpenStack people, they have some jobs downloading Linux distributions and are looking for a cache/mirroring solution. Their RFC (== spec) is at https://review.openstack.org/#/c/194477/ .

hashar closed subtask T112561: Evaluate angry-caching-proxy as a package managers cache as Resolved.Sep 15 2015, 9:57 PM
dduvall added a comment.Sep 15 2015, 10:23 PM
In T112560#1643228, @hashar wrote:

Discussing with OpenStack people, they have some jobs downloading Linux distributions and are looking for a cache/mirroring solution. Their RFC (== spec) is at https://review.openstack.org/#/c/194477/ .

FWICT, that's a proposal around caching nodepool images, not packages or other dependencies that various jobs require. In my mind, they are separate problems with only marginal overlap: CI base images will be almost completely homogenous in our case while dependent system/gem/pip/composer/npm packages vary widely from job to job.

Travis implements a user-/job-specific system that restores and caches specific directories before and after each job executes, storing the data in S3. We could implement something similar but it would require a reliable central store, and the whole setup seems a little 'brute force' to me.

Another possibility that @hashar and I discussed was to provide separate read-only caches for the specific packaging systems—read-only to protect against the corruption that might occur during concurrent updates. Each cache would augment the package manager's read-write destination within the workspace and be periodically updated to include new packages. The update process could be scheduled or triggered at the end of each job as long as we can reliably audit which packages were installed locally during execution.

JanZerebecki added a comment.Oct 6 2015, 4:51 PM

This was discussed in https://tools.wmflabs.org/meetbot/wikimedia-office/2015/wikimedia-office.2015-10-06-13.59.html see point 5.

In T112560#1643322, @dduvall wrote:

Travis implements a user-/job-specific system that restores and caches specific directories before and after each job executes, storing the data in S3. We could implement something similar but it would require a reliable central store, and the whole setup seems a little 'brute force' to me.

With tar and s3cmd this would probably be a shell one liner. If we can't get a swift or ceph object store for labs from ops, we could use rsync to an integration instance.

If we go this way to ensure isolation is maintained we need to make sure that only nodepool instances have permission to update caches that were run for gate-and-submit or post-merge, but not for test/check.

hashar added a comment.EditedOct 7 2015, 10:26 AM

I looked a bit at setting up a shared proxy using Squid3 and its ability to do SSL man in the middle (SSL-BUMP). That causes a few troubles, we would need to inject our own CA and apparently that does not work with npm which has the npmjs.org CA embedded :-/

I am going to try  devpi for python modules. It supports dynamic loading from PyPi and serving packages from a local cache.

There are similar utilities for other package mangers:

Haven't looked at composer/packagist for now.

If we go that way, we would have to maintain 3-4 different caching proxies. It is probably easier to rely on third parties that already figured out all the troubles, so we would save a lot on the initial implementation.

Note: that does not cache native modules that require compilation. Although Pypi has the concept of wheels which are precompiled module so at least that language will benefit from the caching provided the module has wheels.

I have created the instance pmcache.integration.eqiad.wmflabs to play test with it. The package managers can be instructed to point to it via homedir dot files.

hashar added a comment.Oct 7 2015, 11:28 AM

devpi for pip/python works out of the box and is straightforward T114871: Evaluate devpi for caching Pypi python packages

hashar added a comment.Oct 7 2015, 11:43 AM

Also found Sonatype Nexus which is a Java/Maven repository system. It seems to support proxying/caching for both npm and gem:

npmhttps://books.sonatype.com/nexus-book/reference/npm-proxying-registries.html
gemhttps://books.sonatype.com/nexus-book/reference/ruby-proxying-registries.html
hashar mentioned this in T114650: tox-jessie job is failing randomly on integration/config with could not install deps, because of throttling.Oct 7 2015, 12:36 PM
hashar renamed this task from Disposable VMs need a cache for package managers to [tracking] Disposable VMs need a cache for package managers.Oct 7 2015, 8:10 PM
hashar triaged this task as Medium priority.
hashar moved this task from Backlog to In-progress on the Continuous-Integration-Scaling board.
hashar added a project: Tracking-Neverending.
hashar set Security to None.
hashar closed subtask T114871: Evaluate devpi for caching Pypi python packages as Resolved.Oct 16 2015, 7:57 AM

I gave a try to Artifactory (similar to Sonatype Nexus) but support for npm/pip/gem is not included in the open source version. Looking at upstream code, it seems all the related code is actually public, so in theory we could rebuild Artifactory to enable the missing bits (which would grant us the Pro version), but I am unsure whether it is legally acceptable.

hashar added a comment.Oct 16 2015, 8:02 AM

Another idea was to setup a Squid proxy for https request and configure it to act as a man in the middle. That can be done using the Squid feature ssl-bump and custom certificates. There are a few problems though:

  • we will need to install the certificate on all clients
  • figure out how to get the cert trusted for each package manager (but maybe they just trust whatever is under /etc/ssl/certs
  • Squid 3.4 on Debian Jessie does not come with SSL support due to a conflicting copyright/license with OpenSSL. We could craft our own package or backport Squid 3.5 which supports GNU TLS.
chasemp added a subscriber: chasemp.Oct 20 2015, 2:56 PM

We should definitely shy away from NFS as a solution for this.

hashar mentioned this in T116017: Investigate using a cache store/restore system for package managers.Oct 20 2015, 2:56 PM
hashar added a comment.Oct 20 2015, 3:01 PM

I have filled T116017 about setting up a cache store / restore system. Probably using rsync and a dedicated instance with a bunch of space. Once we have a Swift store, we can migrate the system to Swift.

JanZerebecki removed a subtask: T116038: Investigate using Drydock for CI.Oct 21 2015, 12:40 PM
hashar added a subtask: T116038: Investigate using Drydock for CI.Oct 22 2015, 1:47 PM

I have added back T116038 as a child task. It is part of the evaluation.

hashar added a comment.Oct 22 2015, 1:55 PM

I have poked the QA list to discuss about it https://lists.wikimedia.org/pipermail/qa/2015-October/002414.html

hashar added a comment.Oct 22 2015, 1:56 PM
In T112560#1738401, @chasemp wrote:

We should definitely shy away from NFS as a solution for this.

Definitely. We do not even have NFS share on the Nodepool instances :-}

JanZerebecki mentioned this in T116038: Investigate using Drydock for CI.Oct 22 2015, 2:57 PM
hashar closed subtask T117207: Puppetize / play out with devpi as Resolved.Dec 21 2015, 2:38 PM
greg added a parent task: T119143: Migrate javascript npm CI jobs to Nodepool.Jan 15 2016, 9:23 PM
greg mentioned this in T119143: Migrate javascript npm CI jobs to Nodepool.
gerritbot added a subscriber: gerritbot.Jan 15 2016, 10:57 PM

Change 264327 had a related patch set uploaded (by Hashar):
castor: package managers cache storage

https://gerrit.wikimedia.org/r/264327

gerritbot added a project: Patch-For-Review.Jan 15 2016, 10:57 PM
hashar added a comment.Jan 15 2016, 11:32 PM

Did a first pass using a cache store/restore system based on rsync. Investigated as part of T116017

Currently deployed on https://integration.wikimedia.org/ci/job/integration-jjb-config-diff/

gerritbot added a comment.Jan 21 2016, 3:59 PM

Change 264327 merged by jenkins-bot:
castor: package managers cache storage

https://gerrit.wikimedia.org/r/264327

gerritbot added a comment.Jan 21 2016, 4:08 PM

Change 265502 had a related patch set uploaded (by Hashar):
Enable castor on {name}-tox-{toxenv}-jessie jobs

https://gerrit.wikimedia.org/r/265502

hashar closed subtask T116038: Investigate using Drydock for CI as Declined.Jan 21 2016, 4:23 PM
hashar mentioned this in T119196: Investigate using gemstash.
hashar closed subtask T119196: Investigate using gemstash as Declined.
hashar mentioned this in T116015: Investigate using a Squid based man in the middle proxy to cache package manager SSL connections.
hashar closed subtask T116015: Investigate using a Squid based man in the middle proxy to cache package manager SSL connections as Declined.
hashar closed subtask T116017: Investigate using a cache store/restore system for package managers as Resolved.
gerritbot added a comment.Jan 21 2016, 4:25 PM

Change 265502 merged by jenkins-bot:
Enable castor on {name}-tox-{toxenv}-jessie jobs

https://gerrit.wikimedia.org/r/265502

hashar added a comment.Jan 21 2016, 4:26 PM

So I went with a rsync based approach which I have nicknamed CASTOR for CAche STORage. It is implemented via Jenkins jjb/castor.yaml and I am going to enable it on the jobs running on Nodepool.

That will let us migrate the Javascript jobs ( T119143 )

hashar closed this task as Resolved.Jan 22 2016, 3:43 PM
hashar claimed this task.

Being bold. This is solved by adding in JJB jobs running on Nodepool:

builders:
 - castor-load
 # rest of builders
publishers:
 # Other publishers
 - castor-save

I am updating the jobs.

gerritbot added a comment.Jan 22 2016, 3:45 PM

Change 265741 had a related patch set uploaded (by Hashar):
Enable castor on tox-{toxenv}-jessie jobs

https://gerrit.wikimedia.org/r/265741

gerritbot added a comment.Jan 22 2016, 3:54 PM

Change 265744 had a related patch set uploaded (by Hashar):
Enable castor on tox-jessie job

https://gerrit.wikimedia.org/r/265744

gerritbot added a comment.Jan 22 2016, 3:54 PM

Change 265741 merged by jenkins-bot:
Enable castor on tox-{toxenv}-jessie jobs

https://gerrit.wikimedia.org/r/265741

gerritbot added a comment.Jan 22 2016, 3:56 PM

Change 265744 merged by jenkins-bot:
Enable castor on tox-jessie job

https://gerrit.wikimedia.org/r/265744

gerritbot added a comment.Jan 22 2016, 4:09 PM

Change 265747 had a related patch set uploaded (by Hashar):
Enable castor on rake-jessie

https://gerrit.wikimedia.org/r/265747

hashar added a comment.Jan 22 2016, 4:25 PM

I have enabled castor on the rake-jessie job as well. Gave it a try on https://gerrit.wikimedia.org/r/#/c/252698/2 which is merged. I reenqueued it in gate-and-submit to have the cache populated then 'recheck'.

Build time went from 42 seconds to 13 seconds. Cache pays off!

gerritbot added a comment.Jan 22 2016, 4:27 PM

Change 265747 merged by jenkins-bot:
Enable castor on rake-jessie

https://gerrit.wikimedia.org/r/265747

hashar mentioned this in T147635: Investigate again a central cache for package managers.Oct 7 2016, 12:34 PM
Liuxinyu970226 moved this task from Tag to Transition completed / Archived on the Tracking-Neverending board.Feb 22 2019, 7:12 AM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL