Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure the packages build workflows to trigger automatically on GitHub events like pull requests or merges to the main branch. #460

Open
Tracked by #129
mjcr99 opened this issue Dec 20, 2024 · 3 comments · May be fixed by #448
Assignees
Labels

Comments

@mjcr99
Copy link
Member

mjcr99 commented Dec 20, 2024

Description

This issue enables a PR check to verify that a newly introduced change by a certain PR does not break the package generation process. To do so, different packages will be requested to be built automatically and the result will be evaluated as a PR check.

The following packages should be requested to be built as part of this check:

  • DEB amd64
  • DEB arm64
  • RPM amd64
  • RPM arm64
  • macOS intel64
  • macOs arm64
  • windows

This issue will also require deciding where to place the building workflow files, to better organize them based on their requirements.

@mjcr99 mjcr99 changed the title Configure the workflows to trigger automatically on GitHub events like pull requests or merges to the main branch. Configure the packages build workflows to trigger automatically on GitHub events like pull requests or merges to the main branch. Dec 20, 2024
@mjcr99 mjcr99 linked a pull request Dec 20, 2024 that will close this issue
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 Dec 23, 2024
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Jan 8, 2025
@mjcr99
Copy link
Member Author

mjcr99 commented Jan 8, 2025

Update

(08/01/2025) Problems description.
(09/01/2025) Tested package building reusing previously compiled agent. It seems we need to recompile the agent to package it.
(10/01/2025) Proposed WF design.
(13/01/2025) Tested different scenarios to reuse binaries.

Problem 1: Workflow location

To improve CI/CD procedures, we need to develop different checks that will be triggered under certain conditions. Currently, every time a PR is updated, compilation and UT are run in order to verify the changes the PR introduces do not break anything.

A similar approach should be followed regarding packaging. We should implement tests/workflows to build and test a package when a PR introduces changes, to verify packages will keep working as it's expected.

This can be done using the following two different approaches.

  • Option 1: Use wazuh-agent-packages repository to request the tested package to be built, bring it to wazuh-agent repository, and test. This has the following implications:

    • This requires giving this repository the capability of requesting the wazuh-agent-packages private repository to trigger workflows. We have already done this before from the wazuh/wazuh repository and it requires adding the PAT token to this repository to use the WF hosted in the private one.
    • This will also require to use of the GitHub Action: return-dispatch to get the remote dispatched workflow ID and wait until it's finished, which should mean, the requested package has been successfully built and can be fetched from the private repository.
    • All the packages will be built from the same repository, no matter they are testing packages, development packages, or release packages. All the building workflows will be preserved in the private repository.
  • Option 2: Migrate the package generation workflows to this repository to build the packages directly here.

    • This option simplifies the package creation from this repository since it would not imply dealing with the private repository request mechanism, but we will need to maintain different workflows with almost the same code in two different locations since the signature and notarization of some packages must be done in the private repository.
    • It also would require more work to move and adjust the migrated workflows from the private repository.
    • The release packages will be built from the private repository, and the rest will be built from this repository.

Problem 2: Split package-building procedure in different stages.

This development also aims to split the package building process into 3 different steps, as it's currently done in the Mac OS case, we should divide the workflows to deal with the binaries creating, packaging (and signature if required), and testing.

By doing so we can:

  • Reuse the generated binaries to test the agent using direct binaries instead of the package or reuse the generated binaries to build 2 different packages, for example, build the binaries for amd64 and use them for both DEB and RPM packages if it's required, saving time and cost by reducing the number of required compilations.

  • Have a clearer view of the different package-building stages, which will allow easier debugging.

Since the Mac OS packages-building process already implements this mechanism we have to focus on the Linux packages and Windows to check which changes should be done to be able to divide this procedure into the mentioned 3 stages.

  • Linux packages: Currently the binaries are generated inside a Docker container, using Centos 7 or Debian 10 docker images, and this container also packages the binaries into the final package. Implementing the different stages under this platform would require the following points:

    • We currently support the -b option when the generate_package.sh script is called. This option would be deprecated since it clones the repository inside the Docker container using the given branch, instead of using the sources from the caller version shared in a Docker volume if no -b option is given. This should be done since we want to preserve the generated binaries using the Docker image as an interface to homogenize the building environment, so sharing the local repository with the Docker container would preserve the generated binaries and let us either test the binaries directly or build a package using this binaries. We could still preserve this option, and deal with the cloned repository inside the container fetching it after compiling, but this would complicate the process while preserving an option that is not usually used.

      • Doing so we should share the entire repository with the compiled agent binaries as a shared volume to the building Docker container, this way, we preserve the abstraction layer of the container to manage the required packaging dependencies, while also passing directly into the container the compiled binaries.
    • Currently both RPM and DEB use their receipt, their SPECS file, to be built. This file includes steps for building the binaries and installing them in a given scaffolding which is subsequently packaged, generating the final package.

      • The installation of the generated binaries uses the make install command, which calls the previously built Makefile. One of the points to take into account is if we want to reuse the generated binaries, Makefile needs to be rebuilt since the installation location for the agent straight from sources and the installation location it in the packaged folder are different.

      • The previously discussed point could be discarded since all the tests have needed the sources to be recompiled while trying to build the package using previously built binaries. This is because the data stored in the CMakeCache.txt refers to the path where the compilation has been made for the first time, since the installation paths are required to be changed, removing this CMakeCache.txt file is required otherwise, the following message appears: + cmake .. -DINSTALL_ROOT=/build_wazuh/rpmbuild/BUILDROOT/wazuh-agent-5.0.0-0.x86_64/ CMake Error: The current CMakeCache.txt directory /build_wazuh/rpmbuild/BUILD/wazuh-agent-5.0.0/src/build/CMakeCache.txt is different than the directory /home/wazuh-agent/src/build where CMakeCache.txt was created. This may result in binaries being created in the wrong place. If you are not sure, reedit the CMakeCache.txt CMake Error: The source "/build_wazuh/rpmbuild/BUILD/wazuh-agent-5.0.0/src/CMakeLists.txt" does not match the source "/home/wazuh-agent/src/CMakeLists.txt" used to generate cache. Re-run cmake with a different source directory.

      • Since the previously mentioned error refers to a mismatch between the paths where cmake has been called, I have tried to call cmake creating a folder with the same name as the second call that will be performed in the package building. The result has been the same, even trying to simulate the path the binaries hare rebuilt.

      • It has also been tested to manually modify the CMakeCache.txt, to make the paths match, but again the binaries are rebuilt.

      • The only way to avoid rebuilding the binaries would be to create something like the old install.sh script to install the generated binaries without calling cmake. This would require maintaining this script and not using the make install command which colildes with our actual idea.

First proposal

Keeping the last discussed point, the final workflow would look as follows:

flowchart TD
    A[PR Event] --> B[Trigger test]
    B -->|Packages Binaries Compilation| C[Packaging ready binaries]
    B -->|UT and IT Binaries Compilation| D[Sources installation ready binaries]
    C --> |Packages Built| E[Signed Package]
    C --> |Packages Built| F[Unsigned Package]
    E --> |Signature Test| G[Signature Tested Package]
    F --> |Install and Uninstall Test| H[Installation tested Package]
    E --> |Install and Uninstall Test| H[Installation tested Package]
Loading

(16/01/2025) Testing regarding problem 2 has been done.
To avoid calling cmake 2 times and change the -DINSTALL_ROOT we have tested the make DESTDIR install option. It successfully changes the path where the agent is installed, but recompilation occurs event whiteout calling cmake. Still some testing is pending to be done.
(17/01/2025) Further testing regarding problem 2 has been done.
It has been testing the case where the compilation is done using a container as a platform abstraction layer and the resulting binaries are stored in a shared folder with the host machine. After compiling, the docker is shut down and newly turned on. Then the new container was requested to build the binaries, and it has not recompiled it again, which is the needed behavior.
(21/01/2025) The binaries are reusable if it's used a Docker container acts as an abstraction layer, It means the compilation, and UT should be done using the same container that will be used to package the agent. The development requirements are being delimited. POC: https://github.com/wazuh/wazuh-agent/actions/runs/12886712324
(22/01/2025) Design the final solutions based on POC conclusions and requirements.
(23/01/2025) Successfully achieved installing the pregenerated binaries without recompiling, just bt running cmake --install . --prefix /<install_path>. Some changes have been implemented in the CmakeLists.txt, now we can try to reuse only one compilation for both RPM and DEB.
(23/01/2025) Successfully reusing precompiled binaries in RPM to create a DEB package. The only with to take into account is that the first compilation must be done in the /wazuh-local-src folder, this means, the compiling docker must share with the host a volume as follows: -v <path_to_wazuh-agent_repo>/wazuh-agent:/wazuh-local-src:rw

@mjcr99 mjcr99 self-assigned this Jan 9, 2025
@wazuhci wazuhci moved this from In progress to Blocked in XDR+SIEM/Release 5.0.0 Jan 14, 2025
@mjcr99
Copy link
Member Author

mjcr99 commented Jan 15, 2025

(15/01/2025) Meeting to inform and discuss current issue status.

Meeting conclusions

After talking about the investigation status and first proposed design with @vikman90, the following steps will be followed:

Problem 1: Workflow location

  • Package building WF will be migrated to wazuh-agent repository.
  • This migration will carry step modularization into composite actions, to make the steps as much reusable as possible.
  • wazuh-agent-packages will be used to generate packages that require signing, notarizing or allocator use.

Problem 2: Split package-building procedure in different stages.

  • Install root variable will be tried to be set in the make call instead of the cmake, doing so we will try to avoid the recompilation we have observed in the previous carried tests.
  • If recompilation is still required, this problem will be dismissed and 2 compilations will be performed.

@wazuhci wazuhci moved this from Blocked to In progress in XDR+SIEM/Release 5.0.0 Jan 16, 2025
@mjcr99
Copy link
Member Author

mjcr99 commented Jan 22, 2025

Final Proposal

The final tasks to work are the following:

  • Implement the required changes in the generate_package.sh script to use a precompiled repository to build the package without rebuilding binaries. The --sources already implements this functionality, but it should be tested and reviewed.

  • Redesign the workflow files to compile using the package builder docker images, it implies:

    • Implement a composite action to easily deal with the Docker images selection and pull.
    • Rework workflows' remote binary cache access to let the Docker container access the precompiled dependencies instead of the runner.
    • Implement a composite action to request a Docker container to compile the code.
    • Implement a composite action to request a Docker container to run the UT.
    • Implement a composite action to request to build a package reusing the previously compiled binaries. This will require testing and probably simulate the building folder for each platform.
    • Implement a composite action to request a Docker container to Smoke test package installation.
  • Redesign the workflow structure to improve binaries reuse, it implies:

    • Mix the build_and_test_component.yml and compile_and_run_tests.yml workflows since they test almost the same and they are a continuation of each other.
  • Decide the triggering mechanism for all the checks, It will require running different jobs, we may consider running it as a manual check instead of a pull_request event to prevent rerunning the check on every commit

For a given system for example Linux amd64 DEB, the full testing would look as follows:

flowchart TD
    A[Testing triggered] --> B[Compile using Docker including Tests compiltation]
    B --> C[Run UT]
    C -->|New Job| D[Build package for given system reusing binaries]
    D --> E[Smoke test package installation]
    E -->|New Job| F[Install generated package in GHA runner]
    F --> G[Run IT]
Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: In progress
Development

Successfully merging a pull request may close this issue.

2 participants