update to jdk 11 [AS-594] #1372
Conversation
|
Successful automation run (with paired firecloud-develop PR): https://fc-jenkins.dsp-techops.broadinstitute.org/job/swatomation-pipeline/46321/ |
project/Merging.scala
Outdated
| @@ -9,6 +9,7 @@ object Merging { | |||
| case PathList("com", "typesafe", _ @ _*) => MergeStrategy.last | |||
| case PathList("com", "google", "auto", "value", _ @ _*) => MergeStrategy.last | |||
| case PathList("io", "sundr", _ @ _*) => MergeStrategy.last | |||
| case PathList("javax", "activation", _ @ _*) => MergeStrategy.first | |||
There was a problem hiding this comment.
This comes in through clients built with swagger codegen. I'm not positive that this is the most correct merge strategy, but I don't think it matters hugely.
There was a problem hiding this comment.
Interesting. These generated client libraries are including the classes, not referring to them as a dependency? I'm surprised OpenAPI doesn't have support for transitive dependencies. Is there a link to an issue that can be included as a comment?
There was a problem hiding this comment.
There's a series of issues referenced here that lead to Jackson and then to swagger-core, tbh I don't understand this all well enough to know what would be a useful comment.
There was a problem hiding this comment.
There's a resolution to that last one, which will require updates to the version of swagger used to generate the clients, but I'm not exactly sure I understand what will need to happen.
There was a problem hiding this comment.
I much prefer using exclude rules instead of the blunt-intstrument merge strategy. Do you know where the conflicts are, and could you add excludes for those instead?
fwiw, we recently also had assembly issues in orch on javax.activation, though that was via javax.mail: broadinstitute/firecloud-orchestration#838
There was a problem hiding this comment.
I didn't experiment with that, I think I'd need some help to try it.
There was a problem hiding this comment.
+1 for using exclusion rules
| @@ -22,6 +23,9 @@ object Testing { | |||
|
|
|||
| val commonTestSettings: Seq[Setting[_]] = List( | |||
|
|
|||
| testOptions in Test += Tests.Setup(() => | |||
| sys.props += "mockserver.logLevel" -> "WARN" | |||
There was a problem hiding this comment.
The default log verbosity for mockserver logs every mock defined, for every test that defines it. Since this goes to the console for jenkins jobs, it makes the logs huge, to the point that the browser has trouble searching through them.
project/Testing.scala
Outdated
| @@ -55,7 +59,7 @@ object Testing { | |||
| (testOnly in Test) := ((testOnly in Test) dependsOn validMySqlHost).evaluated, | |||
|
|
|||
| parallelExecution in Test := false | |||
| ) ++ MinnieKenny.testSettings | |||
| ) ++ (if (sys.props.getOrElse("secrets.skip", false) != "true") MinnieKenny.testSettings else List()) | |||
There was a problem hiding this comment.
I chose this option name somewhat arbitrarily, if it doesn't make sense it can be changed. Alternatively, we could remove Minnie-Kenny being run by sbt; Orch doesn't have it, and it's run manually in the github CI.
There was a problem hiding this comment.
To confirm: Orch doesn't check for the secrets leaks commited in minniekenny.gitconfig? Is that a future ticket that can be linked in a comment?
There was a problem hiding this comment.
Orch doesn't have any minnie-kenny anything of any kind; I'm not aware of any discussion around it, @davidangb do you know of anything?
There was a problem hiding this comment.
I don't see any tickets in the backlog. It is used by most other services (like rawls and sam) so maybe we should add it
There was a problem hiding this comment.
for my clarification: this discussion of orch is tangential to this PR, right?
yeah, if orch does not have secrets-detection, it absolutely needs it. I'd prefer to check with appsec first on the progress of their centralized/cross-repo secrets detection before committing to any work, if appsec is already handling it let's just let them.
There was a problem hiding this comment.
I think it's tangential. The question came from the switch to skip testing for git-secrets via the line above that says sys.props.getOrElse("secrets.skip". From the comments, it sounded like orch was the repo/app that would add use this toggle instead of adding secrets tests?
There was a problem hiding this comment.
@zarsky-broad please confirm, but my understanding is this toggle is specific to Rawls, and is called from the change in this PR in docker/install.sh.
There was a problem hiding this comment.
Yeah. The old build image for Rawls didn't include git at all, so the secrets check was skipped silently. The new image has git, so the secrets check was failing here because it didn't have git-secrets. I added an optional flag to skip it that's only used in the install.sh.
The alternative is to not have sbt run the check at all, since it's explicitly run in the Github CI workflow.
There was a problem hiding this comment.
Ah, I see the problem:
Orch doesn't have it, and it's run manually in the github CI.
Orch has no minnie-kenny at all. Separately, the rawls github workflow runs minnie-kenny.
There was a problem hiding this comment.
I think there's a scenario here where you're comparing a Boolean to a String. My quick test in the repl shows that this can cause problems. Recommend coercing everything the same type.
| @@ -1,4 +1,4 @@ | |||
| FROM bigtruedata/sbt | |||
| FROM broadinstitute/scala-baseimage:jdk11-2.12.12-1.4.7 | |||
There was a problem hiding this comment.
Assuming container-based compilation is absolutely required, someday I hope this custom image gets pushed to a public GCR or anywhere else besides docker.io. We have so many tests in the terra multi-repo that are failing due to pull rate limits from docker.io these days. 😢
Or for easier patching of individual components, just use a more flexible base container like focal and then download java and the 0.016GB sbt package. While Java gets patches much slower, Scala and SBT get patches once a month. For example: sbt 1.4.8 is already out.
There was a problem hiding this comment.
So:
- Eventually, there's going to be Broad GCR coordinates for this image, @choover-broad is working on something for that...
- This is basically just git (which I debated about) and that little sbt package on top of the base adoptopenjdk image, all the existing images were running mystery meat openjdk's, the idea was to get us on the one we're officially using.
- SBT will automatically download the version of itself that you specify, so it matters a lot less what version of sbt (and scala for that matter, although it's bigger) is baked into the image.
There was a problem hiding this comment.
my take is that even though sbt will automatically download whatever it needs, the entire point of adding sbt to a baseimage is to preload as many dependencies as possible at docker-build time, and avoid re-downloading those dependencies on every build of every service that uses this image. So, counting on sbt to download what it needs defeats the purpose - if we're relying on that, I could see omitting it entirely and downloading it at runtime, avoiding the maintenance of the baseimage.
project/Merging.scala
Outdated
| @@ -9,6 +9,7 @@ object Merging { | |||
| case PathList("com", "typesafe", _ @ _*) => MergeStrategy.last | |||
| case PathList("com", "google", "auto", "value", _ @ _*) => MergeStrategy.last | |||
| case PathList("io", "sundr", _ @ _*) => MergeStrategy.last | |||
| case PathList("javax", "activation", _ @ _*) => MergeStrategy.first | |||
There was a problem hiding this comment.
Interesting. These generated client libraries are including the classes, not referring to them as a dependency? I'm surprised OpenAPI doesn't have support for transitive dependencies. Is there a link to an issue that can be included as a comment?
project/Testing.scala
Outdated
| @@ -55,7 +59,7 @@ object Testing { | |||
| (testOnly in Test) := ((testOnly in Test) dependsOn validMySqlHost).evaluated, | |||
|
|
|||
| parallelExecution in Test := false | |||
| ) ++ MinnieKenny.testSettings | |||
| ) ++ (if (sys.props.getOrElse("secrets.skip", false) != "true") MinnieKenny.testSettings else List()) | |||
There was a problem hiding this comment.
To confirm: Orch doesn't check for the secrets leaks commited in minniekenny.gitconfig? Is that a future ticket that can be linked in a comment?
project/Merging.scala
Outdated
| @@ -9,6 +9,7 @@ object Merging { | |||
| case PathList("com", "typesafe", _ @ _*) => MergeStrategy.last | |||
| case PathList("com", "google", "auto", "value", _ @ _*) => MergeStrategy.last | |||
| case PathList("io", "sundr", _ @ _*) => MergeStrategy.last | |||
| case PathList("javax", "activation", _ @ _*) => MergeStrategy.first | |||
There was a problem hiding this comment.
I much prefer using exclude rules instead of the blunt-intstrument merge strategy. Do you know where the conflicts are, and could you add excludes for those instead?
fwiw, we recently also had assembly issues in orch on javax.activation, though that was via javax.mail: broadinstitute/firecloud-orchestration#838
project/Dependencies.scala
Outdated
| def swaggerClientExcludes(m: ModuleID): ModuleID = m.exclude("jakarta.activation", "jakarta.activation-api") | ||
|
|
||
| val workspaceManager = swaggerClientExcludes("bio.terra" % "workspace-manager-client" % "0.13.0-SNAPSHOT") | ||
| val dataRepo = swaggerClientExcludes("bio.terra" % "datarepo-client" % "1.0.44-SNAPSHOT") |
There was a problem hiding this comment.
@kshakir @davidangb @asingh7115 Preferable?
There was a problem hiding this comment.
much better, glad this is working via excludes!
nit, optional: rename swaggerClientExcludes to e.g. excludeJakartaActivation. If it's only excluding one dependency, make it obvious in the name, similar to excludeGuavaJDK5. If it's a bundle of excludes, name it after who uses it, similar to workbenchGoogleExcludes.
lastly: do these no longer need to exclude guava-jdk5?
There was a problem hiding this comment.
They don't actually include guava-jdk5, that's not included in anything vaguely recent. I went with why they have the exclusion over what is being excluded, but I could see inverting it... Edit: just re-read your comment, totally misread those sentences...
There was a problem hiding this comment.
A few more comments inline. Where I think things stand on this:
- read optional comment at update to jdk 11 [AS-594] #1372 (comment), choose if you want to address it
- get swatomation tests to passing
thanks for sticking with it!
|
Successful swatomation with firecloud-develop built from accompanying PR: https://fc-jenkins.dsp-techops.broadinstitute.org/job/swatomation-pipeline/46375/ |
project/Testing.scala
Outdated
| @@ -55,7 +59,7 @@ object Testing { | |||
| (testOnly in Test) := ((testOnly in Test) dependsOn validMySqlHost).evaluated, | |||
|
|
|||
| parallelExecution in Test := false | |||
| ) ++ MinnieKenny.testSettings | |||
| ) ++ (if (sys.props.getOrElse("secrets.skip", false) != "true") MinnieKenny.testSettings else List()) | |||
There was a problem hiding this comment.
I think there's a scenario here where you're comparing a Boolean to a String. My quick test in the repl shows that this can cause problems. Recommend coercing everything the same type.
Paired with https://github.com/broadinstitute/firecloud-develop/pull/2454...