bazel: silence merkle_cache sysroot warning, ship loader/libs separately#30449
Open
travisdowns wants to merge 3 commits into
Open
bazel: silence merkle_cache sysroot warning, ship loader/libs separately#30449travisdowns wants to merge 3 commits into
travisdowns wants to merge 3 commits into
Conversation
7 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates Bazel sysroot handling to eliminate Bazel 9’s “sysroot resolved to N files” warning by switching the cc_toolchain to the upstream toolchains_llvm sysroot repository rule (single directory artifact), while introducing a parallel “runtime” sysroot archive that still exposes individual shared-library/loader files needed by Redpanda packaging.
Changes:
- Switch sysroot repositories used by the toolchain to
@toolchains_llvm//toolchain:sysroot.bzl%sysrootand update toolchain sysroot labels accordingly. - Add
*_sysroot_runtimehttp_archiverepos exposing a:runtimefilegroup for packaging consumption. - Update packaging rules and targets to consume sysroot runtime artifacts via a new
sysroot_runtimeattribute instead of walkingcc_toolchain.all_files.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| MODULE.bazel.lock | Updates module extension lock metadata and switches sysroot repos to the upstream sysroot rule; adds runtime sysroot repos and bumps sysroot tarball URLs/sha256. |
| MODULE.bazel | Adds use_repo entries for *_sysroot_runtime and updates llvm.sysroot(...) labels to the upstream sysroot target location. |
| bazel/repositories.bzl | Defines sysroot repos via the upstream sysroot rule and adds parallel http_archive repos exposing a runtime filegroup for packaging. |
| bazel/packaging/packaging.bzl | Reworks sysroot library/loader collection to use sysroot_runtime attribute; removes C++ toolchain dependency from packaging rules. |
| bazel/packaging/BUILD | Adds a sysroot_runtime alias selected by CPU and wires it into packaging targets that ship sysroot libs. |
Comment on lines
+56
to
+59
| fail("include_sysroot_libs is True but sysroot_runtime is not set on", ctx.attr.name) | ||
| loaders = [f for f in ctx.files.sysroot_runtime if f.basename.startswith("ld-linux-")] | ||
| if len(loaders) != 1: | ||
| fail("expected exactly one ld-linux loader in sysroot_runtime, got", [f.basename for f in loaders]) |
Member
Author
There was a problem hiding this comment.
Verified empirically — fail() in Starlark accepts variadic positional args joined by sep (default " "); the second positional is not treated as attr. From the Bazel docs, the real signature is fail(msg=None, attr=None, sep=" ", stack_trace=True, *args) where msg/attr are documented as deprecated keyword-only forms.
Self-contained test:
def _impl(ctx):
fail("first message", ctx.attr.name, ["a", "list", 42])
fail_rule = rule(implementation = _impl)produces:
Error in fail: first message x ["a", "list", 42]
The codebase already uses this idiom elsewhere (e.g. fail("fips_moduleandfips_config must both be specified in", ctx.attr.name) in bazel/test.bzl). Leaving as-is.
travisdowns
force-pushed
the
td-alt-sysroot-debug-fix
branch
from
d05f395 to
66ec7a3
Compare
Member
Author
|
Last push ( |
Be explicit about zstd compression level. Turns out previously we were using -19 for the amd64 tar but default (-3) for the aarch tar.
Transform absolute symlinks into relative symlinks in our sysroot. Absolute paths break when not putting the sysroot at / which is what bazel does. They would point outside the sandbox and hence break the build. Bump links to the regenerated sysroot.
Bazel 9 logs a warning while configuring the cc_toolchain:
WARNING: Sysroot @@toolchains_llvm++llvm+current_llvm_toolchain//:sysroot-components-x86_64-linux
resolved to 1689 files. Consider using the `sysroot` repository rule
in @toolchains_llvm//toolchain:sysroot.bzl which provides a
single-file (directory) sysroot for more efficient builds.
The current setup downloads each sysroot tarball with `http_archive` and
exposes every file in a `glob(["*/**"])` filegroup. The cc_toolchain
ingests the whole list — 1689 individual files — which is what the
warning is about.
The cc_toolchain only really wants the sysroot as a single
source-directory artifact, which is exactly what
@toolchains_llvm//toolchain:sysroot.bzl produces. But the packaging
rules in //bazel/packaging still need individual file labels for the
glibc dynamic loader (set as the binaries' PT_INTERP via patchelf) and
the versioned shared libraries to ship in install_path/lib. Bazel only
materializes the contents of a `srcs = ["."]` source-directory in the
cc_toolchain's special path, not for arbitrary actions, so a single
filegroup can't serve both consumers.
Use the upstream `sysroot` rule for the cc_toolchain side and pull the
same tarball a second time via `http_archive` with a glob-based BUILD
that exposes the loader and shared libraries as a `:runtime` filegroup
for packaging. The download is sha256-deduped between the two repos,
so the only added cost is one extra extraction per arch on a clean
cache.
The packaging rules now consume `:runtime` via a new `sysroot_runtime`
attribute instead of walking `cc_toolchain.all_files`, since the latter
would only see the single source-directory entry under the upstream
rule. Bump the URLs/sha256 to regenerated tarballs whose absolute
symlinks have been rewritten to relative basename links — bazel rejects
absolute symlinks in directory artifacts and the upstream `sysroot`
rule doesn't rewrite them itself. The Dockerfile change that produces
those regenerated tarballs lives in redpanda-data#30364.
travisdowns
force-pushed
the
td-alt-sysroot-debug-fix
branch
from
66ec7a3 to
b555892
Compare
Member
Author
|
Cherry-picked the first two commits from #30364 (Stephan's PR) onto this branch as discussed — |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bazel 9 logs a warning while configuring the cc_toolchain because the sysroot tarballs are exposed as ~1700 individual files. The upstream
sysrootrule fromtoolchains_llvmsolves this by exposing the sysroot as a single source-directory artifact, but our packaging rules still need individual file labels for the dynamic loader (set asPT_INTERPvia patchelf) and the versioned shared libraries we ship ininstall_path/lib. A single filegroup can't serve both consumers because bazel only materializes asrcs = ["."]source-directory in the cc_toolchain's special path, not in arbitrary actions.The commit switches the cc_toolchain side to the upstream
sysrootrule and adds a parallelhttp_archivethat pulls the same tarball with a glob-based BUILD exposing a:runtimefilegroup for packaging. The download is sha256-deduped between the two repos, so the only added cost is one extra extraction per arch on a clean cache.The packaging rules now consume
:runtimevia a newsysroot_runtimeattribute instead of walkingcc_toolchain.all_files, since the latter would only see the single source-directory entry under the upstream rule. The sysroot URLs/sha256 are bumped to regenerated tarballs whose absolute symlinks have been rewritten to relative basename links — bazel rejects absolute symlinks in directory artifacts and the upstreamsysrootrule doesn't rewrite them itself. The Dockerfile change that produces those regenerated tarballs lives in #30364.This is an alternative to the last commit of #30364. End-to-end verified:
//bazel/packaging:redpanda_tarbuilds and shipsopt/redpanda/lib/{ld-linux-x86-64.so.2, libc.so.6, libpthread.so.0, libresolv.so.2, ...}— same set of files as before.Backports Required
Release Notes