#maintainers

@tawny flicker lol, looks like the graphql doc comment containing <secret-id> is confusing Netlify since it looks like a HTML tag: https://app.netlify.com/sites/devel-docs-dagger-io/deploys/64414b7500a2320008f8d913

could use a ✅ on this PR when someone has time: https://github.com/dagger/dagger/pull/4932

@north jay made an issue for getting rid of the shim as pid 1 in containers: https://github.com/dagger/dagger/issues/4989 Wouldn't say it's easy in terms of effort required, but fairly clear path to doing it

cpuguy83 1527 made an issue for getting

Well caught, I'll update it

you're good, fix is already merged 👍

just saw that when pulling :p

Thanks

@civic yacht @still garnet @wet mason Is there any good way to capture the graphql queries that are run during a pipeline?

No, but we could add a debug option to enable that pretty easily I think

Probably just in dagger session so it doesn't have to be replicated in each sdk

I'll take a look. It's not super important, I'm just trying to line up SDK Code <-> GraphQL queries <-> journal.log files (+ associated buildkit events and DAG) so we can make even better visual and information design decisions. 🙂

Thank you!

Yep! If you want to add it, I think a super simple path would be to just update the handler (i.e. the one used here: https://github.com/dagger/dagger/blob/9155662d51313ae5b6761e681a306dee8f1736f2/router/router.go#L173) to print the requests+responses it receives to os.Stderr, which will make it show up in SDK log output when that's enabled. Could also be nice to integrate it with progress streams somehow, but would probably be more complicated

Perfect. 🙏🏻

some querybuilder improvements 👌
https://github.com/dagger/dagger/pull/5008
https://github.com/dagger/dagger/pull/5007

nice!

@rancid turret I'm looking at https://github.com/dagger/dagger/issues/4205

@rancid turret I think you should take over the top comment - your summary in the bottom comment is essential reading, I would just take over the editorial work of keeping that top comment up-to-date and exhaustive

Yep, I intended to do that but haven't been able yet.

I did it in Lazy execution is confusing.

@stray heron @rancid turret @cosmic cove sorry I'm only looking at 4205 now. Failed to protect my async time sooner

sadly I have questions, so we'll need another 24h cycle at least

@wet mason @civic yacht @still garnet do you guys have consensus on 4205? I'm trying to parse the many layers of comments to understand who is proposing what exactly

seems to me like we're reaching consensus on bits and pieces, but don't have a full proposal yet. Guessing @rancid turret is working on that

Yes, I planned on doing it today but will work on that tomorrow. Main thing is still the general purpose err := ctr.Sync(ctx) that just forces a buildkit evaluation (doesn't trigger default entrypoint/args). See if we can get unblocked on the name choice at least.

There's more context on Lazy execution is confusing, just click on the issues that have #4205 as proposals.

hi, is the container registry available?
I'm getting HTTP 503 when trying to pull one of these

registry.dagger.io/dagger:v0.5.0
registry.dagger.io/dagger:main

Hi, Github Packages is seing incidents: https://www.githubstatus.com/incidents/vsc464zj7gv4. Do you already have the dagger engine locally / in cache ? We are aiming to remove dependency from just one registry, but it's work in progress 😇

sadly no since its a new system, I'll try to build it using the main Dockerfile, thank you!

I think it's back. Is it for you too ?

Yep, managed to pull the image, thanks again!

@still garnet FYI, I also looked into https://github.com/ironcamel/Graph-Easy in the past for rendering of DAGs in the CLI.

It takes graphviz dot (and a few other formats) and renders to ASCII/Unicode (and other formats)

I have something working now 😁 https://www.youtube.com/watch?v=b5XdF7oVL0Q

That looks really good, @still garnet!

thanks! i was losing hope last night, but after a few changes things started to really click

beautiful 🤩

loved the beats :dj:

@rancid turret The fix for the DX build and from issue (https://github.com/dagger/dagger/issues/4588) is here https://github.com/dagger/dagger/pull/5052

Please review when you have a moment 🙂

Hello everyone, Dagger looks very interesting and we would like to do a try in our Spring Boot microservices? Is there any example already built for Spring?

Looking at building my own engine and cli for supply chain reasons.
Wondering if you'd consider a bootstrapper that can build dagger without dagger in tree?

We were just talking about that (I'm subscribed to your moby packaging repo 🙂

I just responded on that Github issue and then now saw this message in discord 😅 : https://github.com/Azure/moby-packaging/issues/46#issuecomment-1527985611

I guess my comment there is partially answered here, but still curious to hear if us supplying an SBOM or similar could in the long-run simplify things for you by eliminating the need to do a separate build

Welcome! I don’t think we have an example for that yet, but we’re happy to help you, I think dagger and spring boot should work well together

👋 . I've done some maven/springboot Dagger collaboration for the upcoming Platform Enginnering on Kubernetes book (https://www.manning.com/books/platform-engineering-on-kubernetes). You can find the Dagger bits and pieces here: https://github.com/salaboy/fmtok8s-frontend/blob/main/pipeline.go

Thanks, I will take a look 👍

purchased! thanks for sharing

@still garnet can you check out "Force synchronous execution" (https://github.com/dagger/dagger/issues/5065), see if you agree?

Please don’t kill me @rancid turret, I just thought of another possible name (no other change): checkpoint.

container.Checkpoint(ctx)
directory.Checkpoint(ctx)
etc

I like the historical reference of sync(2) in unix. But I think “checkpoint” might be more intuitive for developers who may not have grown up learning unix system calls 😁

wdyt?

Commit? ducks

No prob 😁 I've been using sync for a while because it correlates directly with "synchronizing lazy pipeline in engine". Gerhard is the one who thought of the sync(2) correlation in unix.

between the two, I prefer Sync - it seems to be in common enough use (sync/async discussions, synchronization in general, etc) to be familiar outside of the Unix context, it's also much shorter

That purpose still seems clearer to me with sync instead of checkpoint which is similar to status.

https://tenor.com/view/okay-okay-okay-kyle-broflovski-south-park-help-my-teenager-hates-me-south-park-help-my-teenager-hates-me-gif-25136714

https://tenor.com/view/inazuma-eleven-go-inago-anime-doug-mcarthur-minamisawa-atsushi-gif-20890128

me trying to sidetrack the design right before the finish line 😛

sync works 👍

Container.🚀() 👍

I've been writing a separate proposal for the "multiple pipeline synchronization" (in https://github.com/dagger/dagger/issues/4205), seemed nice until now when I find myself wondering if it's worth it.

Essentially doing err := client.Sync(ctx, lint, test) as a convenience/syntax sugar on top of the language's concurrency:

Pros

• Very easy/simple to use;
• Reduces concurrency burden on user to implement correctly;
• Uniform in all SDKs, which eases adoption (doing concurrency directly is different in all of them);

Cons

• Requires custom code in all SDKs, can be source of drift (hard to do via API);
• Would only work by calling .Sync() internally, so not usable for concurrently calling other fields, meaning you should still learn how to do concurrency correctly;

That last point is the killer and why now I don't think it's worth it.

I think you should consider decoupling the "run in parallel" and "disable laziness" parts. And change the name to reflect that. Let's say we call in Parallel (but could be Do or something else)

// This is lazy
tasks := client.Parallel(lint, test)
// Run synchronously if needed. Same convention as container, directory etc.
finishedTasks, err := tasks.Sync(ctx)

I wonder if we could have a version of this that works by constructing a parallel GraphQL query? like { foo: container { from("alpine") { id } }, bar: directory { id } } - we currently have no way to express that with the SDKs

This was my original intent actually, and I still plan on doing it for resolving objects into IDs. After this, the same primitive could be reused within the SDK, including for client.Sync.

neat! did you plan to have the user provide names for the query fields, or for codegen to handle that internally?

Automatically, it's just needed to match the responses:

query {
    id1: container {
        ... withExec(["go", "test", ...]) {
            id
        }
    }
    id2: container {
        ... withExec(["gofmt", ...]) {
            id
        }
    }
}

I worry that our original intent (to expose the query builder as a low-level, but usable plumbing) has been lost along the way - I wouldn't even know how to experiment with alternative native DX without becoming a codegen and dagger internals expert

since our current DX is opinionated, and we shipped it saying "let's just ship it and see how devs like it, we can always adjust later" -> but I worry that's actually not true

Could also be done by sending multiple named queries in the graphql doc, and allowing for batched execution

These are the main issues with our type-safe query builder:

• No sibling selection, requiring multiple requests;
• Needs multiple requests to be done concurrently, otherwise blocking;

Laziness is actually good for performance, but depending on the language's concurrency has been problematic. It's also more verbose. That's why I'm thinking on ways to improve both in our DX.

I don't understand what you mean. We are trying to adjust based on user feedback.

yes we definitely are adjusting based on user feedback. but so far within certain constraints, it has to fit the existing DX. I mean specifically: how easy is it to try new things quickly (like an experimental alternative SDK) without rebuilding the foundation. We haven’t really tried that kind of experiment yet - for example the “pipeline builder” model, or other ideas to stick more closely to graphql

where does hack/make engine:build export the binary?

As I play with the Pipeline call, and now that I can visualize the result, I realize that I can't group steps in a sequence of logical steps (for example "build, then test"). Instead I can only represent nesting ("build, which includes test"). The only exception is if I can encode an explicit dependency between the pipelines, like mounting a file from one to the other. If there is no explicit dependency, then as a workaround I can create a fake one - but that's weird

I wonder if the With() proposal couldn't be the solution? If you rename it to Step() and add a mandatory name and description, then it starts looking like a different grouping method, with cleaner delineation between nesting (the contents of the callback) and sequencing (chaining).

dag.
  Step("build", func(_ dagger.Client) error {
    // Build step goes here
  }).
  Step("test", func(_ dagger.CLient) error {
    // Test step goes here
  })

Is this a dumb idea?

It sounds like there's actually a dependency between "build" and "test". If test := build.Pipeline("test").WithExec(...), maybe we can flag in Pipeline("test") somehow to show next to "build", but after. I've seen some cases of users building a report system where they want to visually see "build" next to "test" (for example), when one is actually a dependency of the other. So I see a visualization need there.

As for the Steps in sequence, wouldn't this make it easier for people to fall into the trap of running sequentially when things can be run in parallel?

this. Seems like trying to encode all the pipeline execution possibilities (parallel, sequential) in the same query builder pattern might be challenging. In particular, as Helder mentions, the fact that we might want some things to run in parallel automagically without the user explicitly defining it

This is not what I’m talking about, sorry my explanation probably wasn’t clear. I’ll share a code snippet

package main

import (
    "context"
    "os"

    "dagger.io/dagger"
)

func main() {
    ctx := context.Background()

    dag, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stdout))
    if err != nil {
        panic(err)
    }
    defer dag.Close()

    build := dag.
        Pipeline("build").
        Git("https://github.com/dagger/dagger").
        Branch("main").
        Tree().
        DockerBuild()
    test := build.
        Pipeline("test").
        WithExec([]string{"version"})

    test.Stdout(ctx)
}

And the corresponding run: https://dagger.cloud/runs/2ecd263b-a58b-4b50-8789-bf00fa42b178

I see what you mean - you basically want to use a pipeline to represent the build phase, but then "pop the stack" and pass it to a test phase, but you can't because the pipeline is baked in to the resulting container. There's still an explicit dependency in that case, but nesting the pipelines doesn't align with your mental model. Is that right?

test is "inside" build but I want them to be siblings

right

What happens if you do this?

id, err := build.ID(ctx)
test := dag.Pipeline("test").Container(dagger.ContainerOpts{ID: id}).WithExec([]string{"version"})

I can hack it by artificially replacing the "chain" by a reference:

package main

import (
    "context"
    "os"

    "dagger.io/dagger"
)

func main() {
    ctx := context.Background()

    dag, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stdout))
    if err != nil {
        panic(err)
    }
    defer dag.Close()

    build := dag.
        Pipeline("build").
        Git("https://github.com/dagger/dagger").
        Branch("main").
        Tree().
        DockerBuild()
    test := dag.
        Pipeline("test").
        Container().
        WithRootfs(build.Rootfs()).
        WithEntrypoint([]string{"dagger"}).
        WithExec([]string{"version"})

    test.Stdout(ctx)
}

thank you! I was looking for a load by ID and couldn't figure out how 🙂

I think my suggestion might not work since the container ID still has the pipeline, but curious how it deals with the already existing 'test' pipeline

So yeah my "withrootfs" hack is a dirtier version of your hack. It works as expected (they are siblings)

So the problem is specific to the chaining of Pipeline calls, which implies nesting even when you don't mean it as nesting

Hence my proposal to make nesting and sequence more distinct with a Container.Step(func)

let me try

note that my hack is not only cumbersome, it's actually not correct because I don't get all the metadata in the image

I mean the container! 😛

and this proposal is orthogonal to whether the steps actually run in parallel, right? it's just a way of "laying out" the pipelines

@still garnet looks like your version worked: https://alpha.dagger.cloud/runs/80891ef6-51b3-4f3e-ac97-adc934088cb9

oh interesting

Yeah, I now regret changing the name to Step. The core of the idea is basically to rely on Container.With to visualize nesting, rather than Pipeline

you could call it 'pipe', since it's like Unix pipes in that they actually run in parallel 😛

Another way to put it: could Pipeline be merged into the proposed With?

I understood you correctly 👆 But the name Step isn't the problem. I think we need something else for that. Either flag build.Pipeline("test") somehow or use some sort of "Marker" (like a bookmark), to declare what are your top-level nodes you want to visualize. The problem is handling depth, if you don't restrict to top-level.

I think the chaining already implicitly means “show at the same depth, but after”. This is how A.B works for all values of A and B, except Pipeline.

Instead of modifying Pipeline to allow expressing chaining in a special way, why not use the way that already exists which is A.B

You're right, somehow I was thinking of our chain as expressing dependency, but that's in inputs.

However, if you have a dir := ctr.Directory() doesn't the directory depend on container?

yes, chaining implies dependency, in this case

1. Build container (or whatever produced ctr)
2. Get directory

but it’s different from nesting

ie this would be incorrect:

1. Build container
   1a. Get directory

Yep

Ok, now I see your reasoning on With. 😇

But I'm having a hard time visualizing usage deeper than top level, like with our CI for example (sdk / xxx / yyy). But it's late for me, I'm sluggish now 🙂

Maybe something like Pipeline vs SubPipeline, BranchPipeline. Don't know a great name, but yeah

Yeah, Pipeline wouldn't nest, while SubPipeline would.

I already see users using the term "subpipeline", I think meaning nesting.

Do we document anywhere how to install the dagger engine OCI image?

I just realized (remembered really) that we don't have install instructions for the engine itself

There's some high-level instructions hidden here: https://github.com/dagger/dagger/blob/main/core/docs/d7yxc-operator_manual.md#execution-requirements

But we were keeping that mostly for power users until we bring the various _EXPERIMENTAL_* settings related to this out and stable

Ok makes sense. I was going to correct this tweet, but realized I didn't know the correct answer and didn't know where to look https://twitter.com/felipecruz/status/1654549380450353152

No latest tag... So opinionated

@still garnet Thought of another potential reason to modify how we dedupe services, just want to double check it makes sense (making thread)

@civic yacht & @still garnet, if you solve a LLB with multiple chained ExecOps and the first one fails, do you know if it's possible to detect if the failed exec was the last one or not?

./hack/dev doesn't seem to work anymore ? Has it been deprecated/ replaced ? 🤔

I think @civic yacht refactored to dogfood early entrypoint design

You can look at .github to find the new entrypoints

The changes to use entrypoints are still just in PR, ./hack/dev should work the same. If you are trying to run all the integration tests with it then you'll get failures on some registry related tests since they rely on a separate registry being setup which only happens in ./hack/make. I think we can fix that, but that's the situation at the moment

Is it possible to expose a Container run by Dagger to the host? Like if I do :

client.Container().From("postgres").
        WithMountedCache("/var/lib/postgresql/data", client.CacheVolume("postgres")).
        WithEnvVariable("POSTGRES_USER", "postgres").
        WithEnvVariable("POSTGRES_PASSWORD", "postgres").
        WithEnvVariable("POSTGRES_DB", "postgres").
        WithExposedPort(5432).Stdout()

Will I ever be able to use local tools to play with that database? 😄

@civic yacht Is there any chance the new domain system creates flacky tests in the CI?
I have some errors on the 5052 CI but they do not seems related to my changes

For instance

#11 220.3 #5 0.252 See 'docker run --help'.
#11 220.3 #5 ERROR: process "docker-entrypoint.sh sh -e -c echo zj6i1ndhzly6yn70pgdfpstdx-from-outside > /tmp/from-outside\ndocker run --rm -v /tmp:/tmp alpine cat /tmp/from-outside\ndocker run --rm -v /tmp:/tmp alpine sh -c 'echo zj6i1ndhzly6yn70pgdfpstdx-from-inside > /tmp/from-inside'\ncat /tmp/from-inside" did not complete successfully: exit code: 125
#11 220.3 
#11 220.3 #3 service KJ53UQVCTGCUQ
#11 220.3     container_test.go:3194: 
#11 220.3             Error Trace:    /app/core/integration/container_test.go:3194
#11 220.3             Error:          Received unexpected error:
#11 220.3                             input:1: container.from.withMountedCache.withServiceBinding.withEnvVariable.withExec.stdout process "docker-entrypoint.sh sh -e -c echo zj6i1ndhzly6yn70pgdfpstdx-from-outside > /tmp/from-outside\ndocker run --rm -v /tmp:/tmp alpine cat /tmp/from-outside\ndocker run --rm -v /tmp:/tmp alpine sh -c 'echo zj6i1ndhzly6yn70pgdfpstdx-from-inside > /tmp/from-inside'\ncat /tmp/from-inside" did not complete successfully: exit code: 125
#11 220.3                             Stdout:
#11 220.3                             
#11 220.3                             Stderr:
#11 220.3                             docker: error during connect: Post "http://EHOHEVQ3FHJ7I:2375/v1.24/containers/create": dial tcp: lookup EHOHEVQ3FHJ7I on 10.88.0.1:53: no such host.
#11 220.3                             See 'docker run --help'.
#11 220.3                             
#11 220.3                             Please visit https://dagger.io/help#go for troubleshooting guidance.
#11 220.3             Test:           TestContainerInsecureRootCapabilitesWithService
#11 220.3 #3 CANCELED
#11 220.3 ------
#11 220.3  > :
#11 220.3 #5 0.252 docker: error during connect: Post "http://EHOHEVQ3FHJ7I:2375/v1.24/containers/create": dial tcp: lookup EHOHEVQ3FHJ7I on 10.88.0.1:53: no such host.

More details on the Run: https://github.com/dagger/dagger/actions/runs/4940600943/jobs/8833006029?pr=5052
PR: https://github.com/dagger/dagger/pull/5052

And when I try to run the tests in local, I'm having the following error:

    container_test.go:2844: 
                Error Trace:    /Users/tomchauveau/Documents/DAGGER/dagger/core/integration/container_test.go:2844
                Error:          Received unexpected error:
                                Post "http://dagger/query": EOF
                                Please visit https://dagger.io/help#go for troubleshooting guidance.
                Test:           TestContainerWithUnixSocket

Even for basic tests like TestContainerWith, should I raise an issue or it might come from me?

I'm basically just doing the command: ./hack/dev go test -v -count=1 -run TestContainerWith $(pwd)/core/integration/ or with another test but the result is the same 😦

Yeah there were a bunch of fixes to flakiness in those tests recently so they are a lot rarer but I also saw it happen one time recently: https://github.com/dagger/dagger/pull/5119#pullrequestreview-1417669786 cc @still garnet not sure if you have any ideas on what else could be remaining there

For this TestContainerWithUnixSocket one, I'm not sure, that is probably unrelated to the networking stuff. Is it consistent? And does it happen on main?

I could make it works somehow after multiples run, but not everytime

Same errors on main, but not everytime

Oh duh, I forgot there's literally an issue for this test when running on macos: https://github.com/dagger/dagger/issues/4073

Ah! Make sense

This one always fails yeah

The thread is kind of long, but the tl;dr is that there were some issues that got fixed, but there's still a bug that only appears on macos. We haven't prioritized investigating+fixing it yet. For the time being, you can probably just skip running that one directly on your local machine

No problem, ty!

secret scrubbing

super sad that we're still seeing these flakes 😭 looking into it

This is super cool, will be extremely useful to us: https://github.com/moby/buildkit/pull/3860

@rancid turret @still garnet Hey could you review this PR one last time if you have 5 minutes today to make sure everything is ready to be merged?
https://github.com/dagger/dagger/pull/5052

That'd be super cool. We should definitely start capturing that data when it's available. And networking monitoring in particular could be super useful.

exciting!

is there any scenario where we intentionally avoid running Go tests in parallel? just thinking about this as it seems we don't have t.Parallel in a few test cases (e.g. a few secret integration tests, a few file integration tests, etc.).

Add resource usage monitoring for build ...

If I remember correctly, at some point it was the case for the provisioning of the engine tests. But not sure if still relevant

I'm not sure there is a reason anymore. Some of the tests used to require being in serial due to the way the registry was setup and other related factors, but I don't think that's really true anymore

@celest totem is running into an issue where he can't run any tests when he doesn't have internet access because even if all the images are pulled to the local cache we still fail when trying to resolve the tag->sha: https://github.com/dagger/dagger/issues/5135

At this point I think just updating the tests to use image SHAs is probably the quickest unblock, but mentioned another feature we could add to make this work too in that issue. Let us know if anyone else has any ideas

a quick update: I've spent some time in the past days going through the secrets code and particularly the secrets scrub feature (https://github.com/dagger/dagger/issues/4864), seems we already had a PR (https://github.com/dagger/dagger/pull/4944) and it was closed due to inactivity. I made tests work and did some benchmarks, etc. I think it generally achieves what we expect and the code could be improved too (I think there's a lot of string operations going on, multiple string scans, splits, etc.), so I'm spending some iterations around this. I will also make sure that we extend tests to cover all scenarios. Some notes and draft stuff, very dirty for now -based on the original PR-: https://github.com/matiasinsaurralde/dagger/tree/secret-scrub-multi-write-2

thanks for resurrecting this! seems like a good area to focus on 👍

@dense dust, it seems that https://main--docs-dagger-io.netlify.app/ still doesn't show the changes of the main branch though

Here: https://main--docs-dagger-io.netlify.app/406009/multiplatform-support

Nope, because that's the published deploy link, which is mapped to docs.dagger.io

I'll publish now

I see, thanks. There's another docs PR on the way, almost ready: https://github.com/dagger/dagger/pull/5139. I mean, ready, just not sure about the Typescript error

Ok! I just published the new version and the "Add caching" section is showing
https://docs.dagger.io/406009/multiplatform-support#add-caching

LMK is something wasn't clear about the process, I think it's not documented in the README yet

I just wonder why is there no automatic deployment of the docs ? What is the related process, if it's a manual deployment. It seems kind of weird, I wouldn't want to ping you all the time ahah

I'm not sure, I think it's another check before going live cc @hybrid widget @stray heron

No worries!

This should explain why: https://github.com/dagger/dagger/blob/0ef2bb305d8e9c177698b1e61aab58b05eaed078/RELEASING.md#-documentation--5mins . It's on my list of things to work on within the OSS Infrastructure bucket. FTR https://github.com/dagger/dagger.io/issues/1805#issuecomment-1461638410

raising a draft PR here, based on the previously existing branch with some improvements: https://github.com/dagger/dagger/pull/5149

For discussion: https://github.com/dagger/dagger/issues/5156

@stray heron i am gonna do a few things with the dagger rust sdk. First, I am retro fitting the ci onto how you're doing it in hack/make. I've already got tests working with a properly cached base image.

2nd. I will consolidate the rust crates into features instead, this will drastically reduce the release (sdk:rust:bump) process, it shouldn't take that long as well. I.e. the new setup will only have (dagger-sdk, and dagger-codegen). the parts codegen needs to actually generate will just use features imports instead, so that it doesn't pollute the clients.

3rd. Append the sdk to the exising workflows in .github/workflows/*

The reasoning for not migrating the ci, was the awkwardness of it. the old ci setup doesn't work that well with the official dagger setup. as such I am sort of rewriting it, it isn't that much work either.

ps. don't know if this is the right channel for these kinds of things, but I wanted to open the talk here, instead of dm so people could follow along if they want to 😄

gerhard 1272 i am gonna do a few things

updated secret scrub multiwrite PR to use a single scrub string for multiline secrets (single *** instead of multiple ***), still figuring out integration tests: https://github.com/dagger/dagger/pull/5149

@civic yacht fyi: https://github.com/dagger/dagger/pull/5184

Command extensions

@civic yacht, would you have some time today to sync with me ? it's related to https://github.com/dagger/dagger/issues/5069#issuecomment-1568277016. The main question is: would it be possible to mount files as secrets from a path. @rancid turret told me that we used to rely on a dagger implementation of "fsync" (from what I understood) that could lead to the implementation of a new API endpoint enabling this feature ?

The important question is if it's possible to transfer a file from the client to the engine, keeping it a secret from BuildKit. We could then avoid sending their content via API with setSecret (bypassing encoding issues), and instead use setSecretFile(path: String!) (for example) to load the content as bytes in the in-memory store. We used to have secrets loaded from files but it used llb.Local (I think), so not sure if it's possible to do it secretly or not.

It should be possible I guess... docker buildx has a similar feature for this: https://docs.docker.com/engine/reference/commandline/buildx_build/#secret

I replied in https://github.com/dagger/dagger/issues/5069#issuecomment-1568474579

The main problems are 1) leaking the file into the cache, and 2) it breaks the composition model

@obsidian rover I just tested a Host.setSecretFile(name: String!, path: String!) and it works fine. Commented on the issue.

Can we speak sync ? Just to make sure I'm 100% aligned with your comment 🙏

Yes, 5 min

Does anyone know why my runner has been queued for the last 4 hours on https://github.com/dagger/graphql/pull/2 ?

likely don't have this type of runner available anymore: https://github.com/dagger/graphql/blob/master/.github/workflows/test.yml#L10

seems like that could be changed to just ubuntu-latest or whatever the default ubuntu is

Erik Sipsma 3294 would you have some

@still garnet I'm facing the same issue as you hit: https://github.com/dagger/dagger/actions/runs/5134582260/jobs/9238795651?pr=5228#step:6:20617. Seems like a race ? 🤔

Can't repro locally, when running just these tests

yeah, seen it in a few runs now

Made an issue in linear for that one yesterday: https://linear.app/dagger/issue/DAG-1703/testcontainerexecerror-is-flaky

seeing some issues on my latest builds too

context deadline exceeded

Have some more ideas, commenting them on your PR

Can anyone review https://github.com/dagger/dagger/pull/5208 ?

Note for later watching the "dagger on equinix metal" demo:

• The buildkit unix socket is leaking into user configurations. If it's part of our public API, we need to own it and standardize a name other than "/var/run/buildkit". If it's not, we need to hide it and give operators an alternative (eg. Airbyte production setup uses that path)

• Exposing the engine tcp port on non-localhost... I know we talked about it. Seeing this talk reminds me how dangerous it is. Right now I want to disable non-localhost altogether. When someone inevitably shoots themselves in the foot and gets hacked because of an unsecured remote access to our privileged container... Saying "but we said not to do this in the video!" will not be enough.

Zoom Q&A from that demo

On the bright side: clearly there is great interest in seeing these "recipes" for deploying Dagger to different environments.

Maybe it's time to converge snippets from these open presentations, and our own snippets from production customers, clean them up and open-source them? We talked about doing it, but we didn't talk about when. Maybe the answer is: now? What does everyone think?

If we’re talking about the connection between session <-> engine, then that’s grpc and supports tls. We don’t expose the client side opts needed to specify the certs, but that would be trivial if desired. I think it would be fine to support tcp+tls on non localhost, but agree it’s safer to just block plain tcp on non localhost

Also, for /var/run/buildkit, that’s a default value we inherit from buildkit, but it’s configurable by users. We can change the default very easily too

Hi @stray heron ,

I want to discuss about the releasing of Elixir SDK a bit to make sure I'm align with you:

• Renaming the package from dagger_ex to dagger.
• Having a dagger user on hex.pm or create an organization for publishing the package. I never try the organization but it should work like user publishing a package.
• Implementing ./hack/make sdk:elixir:publish. I can take a look at this part.
• Changing the LICENSE, it's need to change to comply with dagger, am I right?
• What version we should start? Same version as dagger engine? (0.6.1 for example).

So we can test releasing that mentioned in https://github.com/dagger/dagger/pull/5201 after done all tasks above. Am I missing something?

Being able to access Dagger Engine via TCP port is a must-have for me. Using something like nc or socat for this purpose, or some other type of TCP to UNIX proxy, would be an extra hoop to jump through. Doable, but it would make Dagger less versatile out of the box. Binding to a UNIX socket by default is a good strategy.

Docker's ability to bind to a TCP port (although disabled by default) is the only reason why I am still using it today (have been running it on Linux & connecting via a Tailscale tunnel to it for a bunch of years now).

I was thinking the same thing about /var/run/buildkit.

@stray heron I remember that you said that last time, and I want to take that into account - good OX is important. I'm just worried about the path we're taking right now.

I'm all for doubling-down on TCP and making it right. Worth investing in it so that we can keep that option. I will make sure to do a follow-up on this. Adding this improvement suggestion to https://github.com/dagger/dagger.io/pull/2433 (private repository).

@stray heron can you remind me in that equinix metal setup, why there is both a tcp port and unix socket involved?

tcp for the graphql server, unix for the "dagger remote API"/wrapped buildkit grpc ?

but that can't be right

TCP so that we connect to it from local, laptop -> K8s -> Dagger Engine.

It's the same as DOCKER_HOST=tcp://100.81.87.121:2375. In this case it was _EXPERIMENTAL_DAGGER_RUNNER_HOST=tcp://remote.dagger.engine:30000

what about the unix socket?

OK so we are talking about tcp and unix for the same component - clients would use one or the other depending on the situation

Yes. We did not use the unix socket in the demo. It was there when we add self-hosted GitHub runners. These run on the same host as the Dagger Engine and then connect to it via that shared unix socket which you saw mentioned yesterday in the demo.

OK thanks. I have to run into a meeting, to be continued. So far I do feel that tcp support beyond localhost is not worth it. This can be done in userland.

Having used both setups, it is simpler & more elegant to use free GitHub runner which connect to remote Dagger Engines via TCP. Doing this via WireGuard / Tailscale is what I'm thinking.

Binding TCP to any interface - 0.0.0.0 - is what I really need.

I have another experiment which runs Dagger Engine on Fly.io Machines. That also requires the Dagger Engine to bind TCP to 0.0.0.0. With nearly-instant shutdown, start & scale-up + volume cloning & native WireGuard integration, that makes for the simplest production-ready setup that I am currently aware of. K8s is easy for me, but I know users that would prefer to not have it in their stack.

You can just ssh port forward

Or setup something more custom yourself

Allowing 0.0.0.0 implies that it’s safe to do so, when in fact it’s not. It invites a use case that is an anti-pattern. In return we get a small convenience for an unusual use case. Just tunnel the port!

(playing devils advocate a bit)

We could even add a tunnel-command flag to dagger run so that it can call the ssh tunnel command on the fly, no out-of band scaffolding needed

like RSYNC_CONNECT_PROG for those who remember that 🙂

there's another thing we can leverage that can be used if we want to prevent exposing the TCP way until we make a decision which si basically relying in DOCKER_HOST ssh capabilities. If you set DOCKER_HOST=ssh:// in your Dagger pipelines and point it to a capable Docker server, that will still run Dagger pipelines the same was as using the _EXPERIMENTAL_DAGGER_RUNNER_HOST variable. The only caveat, is that the server requires to have the docker daemon installed instead of just the Dagger engine

This already exists, when you specify _EXPERIMENTAL_DAGGER_RUNNER_HOST you include a scheme:// as prefix, one of which includes ssh://. Actually, that was added pretty recently to buildkit so we might need to make a one line addition to include it with the supported schemes

And once we move away from the _EXPERIMENTAL_DAGGER_RUNNER_HOST env I am guessing it could look a bit different in terms of ux, but we can use the same plumbing

@stray heron the markdown format in sdk/go/README.me is a bit weird, is it related to the go.dev tooling requirements, or just a neutral formatting choice? Specifically it's the link format, it uses a format I'm not familiar with (all brackets, with a footer reference)

It's just a formatting choice AFAIK. The reference links can be changed to inline one, it shouldn't affect anything. https://commonmark.org/help/tutorial/07-links.html

yep that's normal Markdown; I use that format all the time, makes it easier to read paragraphs without long URLs intermingled

good to know 🙂 thanks

That is my new favorite markdown hack, why aren't we doing this everywhere, it's so much more readable

@civic yacht I'm trying cd ci ; dagger do in our own repo but getting errors about missing go.mod.

Am I doing something stupid?

Yeah you have to run it from the root of the repo because that's where the go.mod is. so dagger do --config ./ci ci --help from the root of the repo.

You're not doing anything stupid though, it's just stupid right now. There's a linear issue for improving this. One option is to add something to dagger.json that lets you specify the project root dir that should be loaded.

Thanks

Tried running ci:sdk:go:lint but getting cryptic error

│ │ │ │ │ │ │ █◀──╯ CANCELED exec golangci-lint run -v --timeout 5m
█ │ │ │ │ │ │ │ ERROR dagger do --config ./ci ci:sdk:go:lint
┃ │ │ │ │ │ │ │ Loading+installing project...                                                       
┃ │ │ │ │ │ │ │ Running command "ci:sdk:go:lint"...                                                 
┃ │ │ │ │ │ │ │ Error: process "/entrypoint" did not complete successfully: exit code: 1            
█◀┴─┴─╯ █ │ │ │ ERROR [ci sdk go lint]
┃       ┃ │ │ │ input:1: pipeline.pipeline.pipeline.container.from.withMountedDirectory.withWorkdi  
┃       ┃ │ │ │ r.withExec.stderr failed to load cache key: error fetching default branch for repo  
┃       ┃ │ │ │ sitory https:: exit status 128                                                      
┃       ┃ │ │ │                                                                                     
┃       ┃ │ │ │ Please visit https://dagger.io/help#go for troubleshooting guidance.                
┻       │ │ │ │ 
        │ │ │ █ ERROR git://
        │ │ │ ┃ fatal: unable to access 'https://': Could not resolve host: info                    
        ┻ ┻ ┻ ┻ 

Also found a bug in cloud I think, since that error doesn't show up in cloud at all

(See #1115348310987907072 )

Yeah it doesn't enforce that required arguments are actually provided yet (also a linear issue), you can run dagger do --config ./ci ci:sdk:go:lint --repo github.com/dagger/dagger --branch main. The error you were getting is because both those args end up being empty string

I think I'm getting a flaky test on this PR: https://github.com/dagger/dagger/pull/5291

It's pure docs, but had to re-run engine-race-detection

https://linear.app/dagger/issue/DAG-1703/testcontainerexecerror-is-flaky

That's ready for review btw

Yep it's in my queue today!

If anyone could spare a quick review on this - very small docs/README change

updated this one with latest suggestions by @civic yacht and @still garnet, thanks guys!
https://github.com/dagger/dagger/pull/5149

I use Dagger engine over TCP too. Currently, its in a private network but once there's mTLS support, I'd really like to use it over public internet too. It was also relatively simple for us to switch from Buildkit to Dagger Engine. We also want to use other projects that rely on Buildkit and have a shared instance to manage. This is probably not intended behaviour but it would be nice to have that extensibility

The use case makes sense. I'm questioning how much of that use case should be implemented monolithically by Dagger, and how much by best-of-breed networking tools

Production-grade TLS support is a lot of work. If anything goes wrong, we're on the hook to troubleshoot and fix it. Add to that the security implications, which sets an even higher bar. That's cycles we're not spending on another feature or quality improvement. I question whether that's worth it.

Wouldn't you rather hook up a TLS implementation you already trust and is operationally familiar?

Buildkit supports TLS, and it's really just passing through to gRPC's support for TLS. It would be up to users to setup the certs still, we wouldn't automatically do that or anything. We just allow them to specify the certs to use for the connection. I'm not saying we need to support that now, we can wait for a pressing need, but it's very trivial to support once needed.

hello! I've been going through the pipeline freeze issue that @civic yacht described here: https://github.com/dagger/dagger/issues/5294
have spent the past days going through the multiple discussions around it and implementing the solution suggested by Erik. Seems that adding a mutex to prevent concurrent Send calls from the gRPC server might fix the issues.
for now my implementation overwrites the PB generated code as it was faster to test it this way. I'm running a final round of tests (and also Dagger tests based on buildkit patch for this) and will wrap it up so that it doesn't mess with PB generated code 👍

Pipeline freeze possibly due to Buildkit...

New old user here, been lurking since the old CUE-days. I've just managed to "self build" the Dagger Graphql through dotnet via the dagger run dotnet run-dance and I'm wondering to what extent this is supposed to be dynamic (as in being compiled runtime) or rather if it's supposed to be a one off built client released in versions (i e the graphql is ingested via dagger run dotnet run when the client is built and compiled and that's that)?

a quick one: is anyone able to reproduce this issue? seems to be happening on latest main and caused by a recent change -still figuring out which one-:

go test -v -timeout 30s -count 1 -run TestContainerWithMountedSecretOwner github.com/dagger/dagger/core/integration 
...

the failing test is TestContainerWithMountedSecretOwner/userid.

👋 passes here @celest totem

We started a DX thread somewhere, which I would like to continue and resolve, but I can't find it...

It was about the awkwardness of Pipeline() for logical grouping, and the idea of using With instead.

1. Does anyone remember where that thread is?
2. Any opinions on that? 🙂

thanks, taking a look 👀

I'm in a linux machine BTW.. not sure if that could affect

We started a DX thread somewhere which I

I m in a linux machine BTW not sure if

sharing this little improvement, hopefully I'm not missing something related to optional args and how we use them: https://github.com/dagger/dagger/pull/5304

Ping @still garnet if you can review https://github.com/dagger/dagger/pull/5158

it's on my list! will get to it today 🙂

Ah take your time, thanks! 🙂 Just to unstuck and get in next release.

Hi, I found lint-daggerized workflow failure during port Elixir SDK into dagger repo. I have a fix in https://github.com/dagger/dagger/pull/5244 but I'm not sure if I do the right thing. 🙇

adding this PR to bump buildkit version to incorporate concurrent Send calls on ExecProcessServer fix: https://github.com/dagger/dagger/pull/5312

@civic yacht How easy/hard would it be to change dagger do to not start its own session, and leave it to the SDK instead? I'm trying to bring more clarity to https://linear.app/dagger/issue/DAG-1801/engine-autostart-dx, and right now there are a few points on the side of no-session-in-dagger run, but that victory will be shortlived if dagger do is harder to split up in the same way. /cc @fair ermine

I think it should be able to just use the Go SDK. It does need to make raw graphql queries atm, but that actually is supported in the go sdk apparently, so should be good to go

Ah interesting, but we would need to use the right version of the Go SDK, right? So kind of a lateral move

Yeah, but we already have dependencies in the engine code on the go sdk and just use an override in go.mod. So if you are using an officially released CLI, that will end up using the corresponding officially released SDK, which will point back to the corresponding CLI 🙂 Maybe we could have dagger do set _EXPERIMENTAL_DAGGER_CLI_BIN to it's own executable, just to save some time re-checking.

But that won't solve the issue where you can dagger run or dagger do with a v1.0.0 CLI (and therefore API), but run SDK code that depends on the v0.5.0 API, and ends up talking to v1.0.0 because it prioritizes $DAGGER_SESSION_PORT/etc. - right?

In the past we've talked about adding an API version compatibility check to prevent this, which is still on the table, but I'm also exploring going back to SDK-initiated sessions, which resolves a lot of issues but leaves a question-mark for dagger do

The more I talk about this, the simpler an API compatibility check sounds, but there are other subtle gotchas introduced by establishing the session early, e.g. https://discord.com/channels/707636530424053791/1117951175644434472 (which exclusively affects dagger run FWIW)

Ohh sure, yeah that's another dimension to all this. Interestingly, the fact that dagger do runs code containerized gives us more ability to deal with this gracefully.

Right now, the entrypoints run as a nested session, so that's served from the shim and thus tied to the engine version. But in theory we could identify the version of dagger the user's code depends on (as part of the runtime setup https://github.com/dagger/dagger/blob/7ab8a6983dc8139d5f540cc63a8203805718785a/core/project.go#L257-L264) and then use that to ensure that we serve them a session at the right version.

SDK-initiated sessions won’t solve this, because in production, operators will require control of their engine version; it won’t be negotiable for many

If we don’t design with that version decoupling in mind, operators will work around the design, making the problem worse

that’s on top of the other benefits of “thin SDKs”

Seems like that forces the question of whether engine version should always === API version. Also related to @civic yacht's grand experiment of having the API run as an engine frontend

The buildkit API moves at a much slower pace, compared to say a large monorepo with multiple projects advancing their Dagger integration at different paces. It could be painful to have to keep bumping them to match exact versions, or even semver

Generally I think GraphQL recommends against versioning APIs, right?

Apparently, but you have to deal with physics at some point no? 😄

Does a CLI-centric UX change the parameters of this problem, by introducing CLI version in the equation?

In that UX, CLI is upstream in the control path to both engine and sdk

so maybe version checking etc could take place there? This is a half-baked though at best

Yeah, so one option is to keep the CLI serving the session API, and have SDKs run a compatibility check when they first connect to the session. That way we just have one version encompassing the CLI (incl. progress streaming protocol), the API, and the engine

Definitely the easiest for us since it collapses a few cells in the compatibility matrix into one

The downside is that upgrading Dagger can become kind of all-or-nothing, imagining a large monorepo running against one big shared engine setup, so people could end up stuck on old versions for quite a while to avoid the pain of upgrading projects they're less familiar with. But this is imagining the worst-case scenario

"run a compatibility check" could mean having SDKs run some kind of query like checkCompatibility(compatibleVersion: "v0.5.0"): Bool! - with v0.5.0 being the CLI version baked in to the SDK, like it is today

You could have a engine version field in dagger.json or equivalent. So different directories in the monorepo could require different engine versions

true, then you just have the to deal with the dagger CLI that user actually runs. I guess we could make it a thin pass-through that keeps a local cache of each version and re-execs to the appropriate one

Then how do we know which SDK version is compatible with the API? Is there any record of which version is compatible or do we base our logic on major/minor/patch?

Each SDK has a field for the engine version it supports. If the SDK queries the API, the API knows it's own version and can centrally check version compatibility.

Interesting!

@civic yacht @rancid turret FYI: I think it might be time to get rid of the Stdout/Stderr error wrapping. It's causing Buildkit to raise a cryptic error when I try to pass refs to a gateway container:

unexpected type for reference, got *core.ref

which is coming from here:

    for _, m := range req.Mounts {
        resultID := m.ResultID
        if m.Ref != nil {
            ref, ok := m.Ref.(*reference)
            if !ok {
                return nil, errors.Errorf("unexpected type for reference, got %T", m.Ref)
            }
            resultID = ref.id
        }

(code: https://github.com/moby/buildkit/blob/2ff0d2a2f53663aae917980fa27eada7950ff69c/frontend/gateway/grpcclient/client.go#L771)

Kinda gross that this is an interface but in practice it relies a concrete implementation, but the easiest step right now is probably to just clean the wrapping up, assuming its only purpose was Stdout/Stderr collection, which is now somewhat redundant with the TUI

Not sure I understand. That wrapping is now done client side (i.e., by the SDK).

The engine does raise a new custom ExecError instead of the original SolveError, is that the issue?

sorry, referring to this code: https://github.com/dagger/dagger/blob/583410f42fac5112baedd206a0453099955094d2/core/gateway.go#L126-L267

not the new error types, which are great

though maybe pieces of this are still involved in that path?

But the new ExecError comes from there.

hmm, yeah, unfortunate... maybe there's somewhere else that we can wrap, or maybe I can handle the wrapping by adding a type assertion + Unwrap() bkgw.Reference or something

Yeah

Is there a guide or cookbook recipe, or any sort of material, on how to use privileged exec? Ideally in the context of running a service, eg. kubernetes or dockerd? cc @still garnet @tidal spire @wild zephyr

other than the code in this issue, I don't believe so https://github.com/dagger/dagger/issues/5292

no, nothing official. Justo opened https://github.com/dagger/dagger/issues/5323 for documentation purposes

@stray heron i’m not sure if you see the issue https://github.com/dagger/dagger/issues/5326?

That is a great catch! Let me action it now.

Thank you. And sorry for troubling you. 🙇

Not at all! That was a great catch. I will update the issue next.

Confirm the package is taken down. 🙂

I would like to share about the progress on elixir sdk a little bit:

• The issues is now migrate to dagger issue tracker. You may search with https://github.com/dagger/dagger/issues?q=is%3Aissue+is%3Aopen+sdk(elixir) the issue has sdk(elixir) prefix.
• The dagger_ex repository is now archive.
• I start working on cookbook, focus on code example here https://github.com/wingyplus/dagger_elixir_cookbook/tree/main. My main goal is to use for testing the sdk. But I think it can be use with cookbook site in the future.

Is there a guide somewhere on how to add content to the cookbook?

I see a docs/current/cookbook/snippets directory, but there are only 5 snippets in there

Seems like a lot of them are taken from: https://github.com/dagger/dagger/blob/dc53110836824701291cf8cdde2fe6c0b2171f4f/docs/current/742989-cookbook.md?plain=1#LL265C12-L266C4

But last discussion with Vikram, we had to create them in docs/current/cookbook/snippet

https://github.com/dagger/dagger/pull/5139#discussion_r1194231592

Ok I see, so there's a gradual migration underway, and docs/current/cookbook/snippets is where new snippets should go?

From his comment, it seems that standalone code for the cookbook shall be placed here. I don't know if there is a migration on the way though. I would presume so

Ok thanks !

This should work right? https://github.com/lukemarsden/hello-dagger/commit/90acf364685b07916d47f7d3e88a8b5bdd65a067#diff-cce3c1b808a0cb9d690c232db36a0f9cc0bbc9df836af5210c73300d7b04c89cR21

with_mounted_file("/var/run/docker.sock", client.host().file("/var/run/docker.sock"))

It's with_unix_socket("/var/run/docker.sock", client.host().file("/var/run/docker.sock")).

Ah!!! cc @nocturne leaf

thank you I had missed that

I can see how the asymmetry can be confusing

Oh actually there is no asymmetry

The correct snippet is with_unix_socket("/var/run/docker.sock"), client.host().unix_socket("/var/run/docker.sock"))

I'm working on adding this to the cookbook 🙂

I'm trying this:

_, err = client.
  Container().
  From("docker").
  WithUnixSocket(
    "/var/run/docker.sock",
    client.Host().UnixSocket("/var/run/docker.sock"),
  ).
  WithExec([]string{"docker", "run", "--rm", "alpine", "uname", "-a"}).
  Sync(ctx)

but getting this:

Connected to engine 7be02c9cdded
panic: input:1: host.unixSocket eval symlinks: lstat /private/var/run/docker.sock: no such file or directory

Any suggestions welcome... I'm not sure what's wrong now

checking if there's an opt to follow symlinks in WithUnixSocket

Oh wait, there's no /var/run/docker.sock on my mac. What am I missing (or what obvious thing did I forget?)

Try From("docker:cli")~

Is docker running in the host?

yes (via d4mac)

docker ps works

Does that put the socket in a different location?

that’s what I’m trying to find out. but it seems that yes

Can you ls it?

no

❯ ls -lha /var/run/docker.sock
lrwxr-xr-x  1 root  daemon    37B May 31 09:42 /var/run/docker.sock -> /Users/helder/.docker/run/docker.sock

👋 currently we don't have a "friendly" way to enable magicache in the engine which doesn't involve telling users to manually spin up the engine and and supply the DAGGER_CACHESERVCE* variables themselves. Shall we add support for adding those automatically to the engine when first spawned if they're present at the session handler level?

Additionally, I've been bitten sometimes in the past by trying to disable the DAGGER_SERVICES feature for troubleshooting purposes after realizing that I needed to kill the engine for that to take effect. So the fact that some variables take effect on every run and others only when the engine is spawned is somehow confusing. Do you have any thoughts about this or shall we create an issue to keep track and discuss further there?

thoughts? @tepid nova @still garnet @civic yacht @ancient kettle

👋 https://github.com/dagger/dagger/blob/d1df79bc2b8edab6835177fb9e38d9112a09cca2/internal/mage/engine.go#L209

^ doesn't this invalidate Go's default test caching behavior? Is it intentional?

it is; test caching isn't very helpful when most of our tests are integration tests

it'll cache them too aggressively, since they don't have a direct dependency on the code they're testing

makes sense 🙏

So if I want to use magicache in GitHub Actions hosted runner today (not self-hosted), I'd expect the experience to be that I set some Dagger Cloud secrets that get injected as env vars. Ideally I could just have one secret that would do the work of the logs ingestion token and the cache service token.

What does the "session handler level" mean? 🙂

Ideally I could just have one secret that would do the work of the logs ingestion token and the cache service token
That might not be great because we set the expectation that it's not "secret"

If you mean that we would allow clients to set the env var rather than setting it when the engine starts, then no that's not possible yet and it's unclear if it would be possible to get that working. The reason being that:

1. When the cache service is enabled, it swaps out the whole cache manager used by the engine, so making this per-client would require somehow using one cache manager for some clients and and another for other clients
2. Cache mounts specifically need to be synced before the engine starts serving any clients, it's not possible today to sync them later

So for now this has to be configured when starting the engine container. I think the best way to improve the experience would be:

1. Improve the custom provisioned engine experience in general (e.g. maybe CLI interfaces for doing it rather than the whole "you're on your own" thing today)
2. Related to above, add an "operator API" that lets admins configure engine global settings at runtime. I could see it being possible to implement a global swap of the cache service from disabled->enabled (as opposed to trying to make it per-client).

is there a specific reason to use Alpine -besides size, etc.- as the dev engine’s base image? just curious as we’ve been discussing a related issue today

@civic yacht Hey, I'm hitting a funny issue on the Ts entrypoint.

For multiples arguments, arguments are by default ordered by alphabetic order but in the function signature it can be any order so it might happens that the argument are sent at the wrong place.
I read your code in the go SDK but could not found some kind of sorting, so how do you make sure arguments are sent in the right order?

For instance:

async function build(client: Client, repo: string, branch: string, subpath: string): Promise<string> {}

The thing is that input are given in the following way

{                                                                                                                                                "args": { "branch": "", "repo": "https://github.com/dagger/dagger", "subpath": "" },
   "parent": null,
   "resolver": 'Query.build'
} 

So branch will be inserted as first arg, instead of repo (in Typescript)

I could reintrospect the function to know in which order I shall send arguments but it might not be the best solution, I don't know if you did something special in Go

Just size, that's it afaik

@civic yacht that's the thing, we're not setting the env var when the engine starts through the CLI as we do for caching config or services (https://github.com/marcosnils/dagger/blob/fdfb3528af6dff7256c727503949ab46cd8fed27/internal/engine/docker.go#L96). I'm not suggesting to change that behavior, I'm mostly suggesting for engine provider to be able to use that variable if present when provisioning the engine. Otherwise, the only way for users to start the engine with magicache is if they do it manually outside the SDK provisioning flow

I think pulling in that ENV variable during provisioning is a great idea, personally. Especially given that we do it for other variables.

Oh I didn't remember that we did that, and actually the "-e", CacheConfigEnvName serves no purpose anymore since the engine hasn't interpreted that for a while (I'll send a fix).

We can do that but I really don't think it's a good UX because it will only work if you are auto-provisioning for the first time. If you've run dagger before and then try to set that it will have no effect.

The other thing is that magicache is only usable in AWS right now, where I think very few to zero users would be relying on the auto-provisioning, so I'm not sure if it would be useful in that sense either.

yeah.. agree, that's why I was originally thinking that we should eventually come up with a way to bump this so we can do it at runtime as you mentioned. I also agree that given that magicache is still AWS specific, for UX purposes, it might not be worth to to add it at the engine provisioning phase. So in summary, I think we're aligned to hold off this one for a bit until it's clearer how to magicache toggle would be used best. Thx for the input Erik 🙏

@ancient kettle is there a specific use-case you have in mind which would be benefited from enabling magicache with the docker provisoner?

@hasty basin wants to experiment with it in hosted GitHub Actions runners.

Granted, we can provision an engine manually for that test.

I'd say that adding it there doesn't seem harmful, but I just wouldn't advertise it at all as a great feature for users if we do put it there, more just a minor convenience for us. The great UX will come from the official support for provisioning and operator API

Yup. We’re on the same page. 👍🏻

👍 sending PR to add that there. cc @hasty basin

https://github.com/dagger/dagger/pull/5355

https://github.com/dagger/dagger/pull/5356 cc @ancient kettle @hasty basin

@civic yacht @still garnet I'm getting this error when running engine:test on Dagger GHA EKS

failed to get stream processor for application/vnd.docker.image.rootfs.diff.tar.zstd: no processor for media-type.

Does that ring any bells?

FAIL: TestEngineExitsZeroOnSignal - https://github.com/dagger/dagger/actions/runs/5359103142/jobs/9723222159#step:6:5612
FAIL: TestEngineSetsNameFromEnv - https://github.com/dagger/dagger/actions/runs/5359103142/jobs/9723222159#step:6:5669
FAIL: TestRemoteCacheRegistry - https://github.com/dagger/dagger/actions/runs/5359103142/jobs/9723222159#step:6:7327
FAIL: TestRemoteCacheS3/buildkit_s3_caching - https://github.com/dagger/dagger/actions/runs/5359103142/jobs/9723222159#step:6:7528
FAIL: TestClientWaitsForEngine

Digging a bit deeper, it's definitely the devEngineContainer function - https://github.com/dagger/dagger/blob/23be7ce76167167fd12ada64dd2a0339d258b8f3/core/integration/engine_test.go#L16C6-L16C24

Which is loading a tar file. I'll keep digging, but if either of you have any insight, I'd be grateful.

Huh okay yeah I think it's:

1. We compress all cache layers using zstd (it's way faster than gzip while also achieving a better compression ratio)
2. We are hitting the remote cache for the dev engine builds
3. When we try to load the engine tar for those tests the media type ends up being vnd.docker... instead of the oci type (which is supported with zstd) and get an error because there isn't a handler configured for docker+std for some reason, even though docker has supported zstd for 3+ years.

1+2 are good things, 3 is weird. I will dig a bit in buildkit/containerd to see why those handlers aren't setup when trying to do the import.

Interesting. Thank you. 🙏🏻

I'm glad it's using the cache. 🙂

Interesting. @civic yacht, looks like Airbyte experienced something similar: https://github.com/airbytehq/airbyte/issues/26085

Which you commented on. 🙂

Yes I was just taking a walk down memory lane with that issue 🙂

😆

Glad I could help you be nostalgic. 😉

I agree with past me that this might need an upstream fix, but it should be pretty small+quick from what I can tell, will try it out

Let me know if I can help with that.

I'm gonna do a walk + some lunch, but I'll have my phone with me and can be back at computer, if ya need me.

Have a potential fix, trying it out by just changing dagger code because it only involves registering something in containerd w/ an init func (will upstream if it works). It's hard to repro locally so I pushed the commit to your PR to try it out

Awesome! I'll check on those tests. 🙂

The change is to the engine, so I think in order to confirm the fix we'll need to let the tests run, wait a bit for the node to spin down (so local cache doesn't get re-used), and then run the tests again with source code unmodified to hit the zstd cache layers

Sounds good! I can... nudge things... to make that happen more quickly. 🙂

Node killed. Gonna run those jobs again. (I'm curious about the rust and elixir SDK failures...)

@civic yacht Green tests! https://github.com/dagger/dagger/actions/runs/5360220460

I'm going to run them again (after killing the nodes), because I'm paranoid.

https://giphy.com/gifs/fx-charlie-always-sunny-l0IykOsxLECVejOzm

Yeah looks good so far! Agree on re-running, I can see lots of load cache for oci-layout://dagger/import... lines after zstd layers being pulled, which I think means it's working, but the more consistent green runs the merrier

Sweet! It's "nice" (very extremely relieving) to see it going green. I was having flashbacks to the early dagger-in-dagger days.

(current run -- #3 -- is with existing nodes)

@civic yacht Ok. 3 green runs in a row.

@civic yacht Should we cherry-pick that commit into main?

I was just working on the upstream fix to buildkit, have it all ready now, I can cherry-pick it into our main but if it's no rush it's probably easier to just upstream and then pick it up in dagger once merged. I don't think it will be very controversial, but worst case I'll just fallback to fixing in dagger with that commit I pushed to your PR

Totally down for that. We can revisit it early next week.

https://github.com/moby/buildkit/pull/3968

I appreciate you, @civic yacht.

No problem! 🙂

added some comments about this, relevant for GPU access: https://github.com/dagger/dagger/issues/4675#issuecomment-1609549492

finally some initial GPU access from Dagger!

Very exciting 😍

Awesome! I don't get the eggplant though...an auberGinePU? 🍆

Marcos did it and Alex and I joined in solidarity 🙂

haha I just did :gpu: and 🍆 ranked first in my approximation list. You know, emojiLLM 😛

FYI there's a new SDK POC in town : #1124111401363976295

Hi All! love what dagger is doing! I am trying to get a better understanding of how the dagger engine is working: you need to spin up a docker container that runs the dagger engine. Then you can use that container to run pipelines in other containers that you specify with the SDK (e.g. client.container().from("python")). How does this work? are these containers also being spun up on the host machine where I also run the dagger engine container, or are they running inside the dagger engine container, and if so, how does that work (dind, docker.sock volume, or something todo with buildkit?) ? If I exec in the dagger engine container, I do see some stuff about buildkit, but the docker command is not available.. Is there some documentation about how this works?

@pine juniper welcome 🙂 Most recent PR relevant to your diff/merge interests: https://github.com/dagger/dagger/pull/5400/files

awesome, thanks! will read

We use Dagger for the merge/diff experiments - it exposes a higher-level interface to buildkit, comparable to HLB. However instead of a custom language, Dagger has a GraphQL API, and generated SDKs on top of that.

Here's the GraphQL reference for diff: https://docs.dagger.io/api/reference/#Directory-diff

And in the corresponding reference in the Go SDK: https://pkg.go.dev/dagger.io/dagger#Directory.Diff

Same idea for the other SDKs

The equivalent of "merge" is Directory { withDirectory }. Under the hood it's llb copy, but in PR 5400 above, it will be optimized to use the fancy new llb merge instead - without breaking the GraphQL API 🙂

Here's an example (in Go) of using withDirectory: https://github.com/dagger/examples/blob/main/go/multistage/main.go#L23-L29

    project := client.Git("https://github.com/dagger/dagger").Branch("main").Tree()

    build := client.Container().
        From("golang:1.20").
        WithDirectory("/src", project).
        WithWorkdir("/src").
        WithExec([]string{"go", "build", "./cmd/dagger"})

How/when do we release docs please? I have a docs contribution that got merged, and I'm eager to see it on the docs website 🙂

👋 @civic yacht @still garnet is there a possibility that there's a caching regression in v0.6.3? I was trying a very basic example today and I can't get the exec op cached whatever I do. Here's the repro:

-- ci/main.go --
package main

import (
    "context"
    "os"

    "dagger.io/dagger"
)

func main() {
    ctx := context.Background()
    client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
    if err != nil {
        panic(err)
    }
    defer client.Close()

    testClient := client.Pipeline("test")
    src := testClient.Host().Directory(".", dagger.HostDirectoryOpts{Include: []string{"hola.txt"}})

    testClient.
        Container().
        From("docker.io/library/alpine@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1").
        WithMountedDirectory("/test", src).
        WithExec([]string{"cat", "/test/hola.txt"}).Sync(ctx)
}
-- hola.txt --
hola

Tried reverting that to v0.6.2 and it works correctly

seems to be related to With*Directory and host . If I remove that, exec gets cached correctly. I'm running this against main now

it also happens in main. cc @rancid turret since you've been testing some other things

we ran into this while prototyping zenith, the workaround (in Dagger, not user-side) on the zenith branch is here: https://github.com/sipsma/dagger/commit/1582077509b9662034bb68fba5819cd9c6d01461

the problem is that container hostnames are derived from LLB digests, and I think the difference in v0.6.3 is that host Directories now contain the session ID in their LLB, so that causes the hostname to change in every new Dagger session, which busts the cache

This will be partly fixed when services-v2 lands, since only services will have hostnames now. But it still means that client containers downstream of a service that depends on a host dir will have their cache busted, since the service hostname changing would propagate to it.

iirc the change to include the session ID in host directory LLB had to do with having dagger do support host directory inputs/outputs (I forget which) - and maybe that change is no longer necessary with the new architecture. If so we can maybe roll that change back, and just let dagger do be broken for now instead, since it's experimental anyway. cc @civic yacht

is the zenith branch fix you posted above based on the services -v2 branch? Or is that something we could merge to current main?

I know that's one part of the issue but wasn't there something to do with the progress socket too? I have a memory of us talking about it and could have sworn we made an issue too, but I can't find that or the discord conversation lol

shall we retract v0.6.3 until we fix this? WDYT?

I feel like we can just fix it and do another release, not hitting the cache is a bug but I don't think it's devestating enough that it is worth retracting the release for

you still get the correct behavior, just with less caching

would be the same as if you were running the dagger engine on a machine with low disk space (which would trigger aggressive pruning of the local cache). In general cache should always be considered best effort rather than a "guarantee" of sorts

good point. Makes sense

Oh right we should check on that that too. That one only affects nesting Dagger-in-Dagger at least

https://github.com/dagger/dagger/issues/5373

Thanks! I searched "cache progrock" but that did not show up in the search results

That's right, yeah that one is much more obscure

so @still garnet @civic yacht Alex's patch posted above fixes this in main (just verified it). Shall I go ahead and open a PR for it?

Yeah I agree that if we can just backport that commit to main that would be preferable to breaking the existing project stuff, which a small number of users have been playing with already

👍 PR on its way

cc @stray heron (who just opened an issue about this), see above

The downside of that fix is that anyone who was using services without explicitly exposing a port will break. (Sometimes ports aren't known ahead of time, or something like that, @tepid nova gave rabbitmq as an example)

Still very low impact I guess, and easy workaround (expose a random port)

https://github.com/dagger/dagger/pull/5452 🙏

Side note: we need testing around caching. The interaction that caused this was extremely non-obvious (local source having session ID and setting of hostnames in execs), there's very little chance we'll be able to catch anything like this going forward without having integ tests around it.

The problem is that testing caching is surprisingly hard... I'll think about it quickly and either open an issue or a PR w/ an initial test for this situation if I think of an easy approach

@civic yacht +100. I had a test in Bass that tries to test cache busting, and I thought I found a decent trick for it, but the test flakes all the time, and I haven't had time to dig into why. 😭 The tl;dr of the approach was to mount a cache volume and have each cache-bust append to a file in that volume, and check that the # of writes matches the expected # of cache busts. https://github.com/vito/bass/blob/main/pkg/runtimes/testdata/globs.bass

This was actually how I found the original issue with the hostnames, so it was at least somewhat helpful

Yeah that's exactly the problem, not sure if it's the flake you were hitting, but in general the fact that automatic pruning can happen makes this hard to create reliable tests for

ah interesting, yeah that could be a factor

Maybe we could run these tests against a temporary engine with GC disabled

True, that would probably help a lot if not fix entirely, and totally feasible by running dagger as a service, like some of the tests do already

Actually, for this very particular case I think I have something that is simpler by just opening two clients and running the same operation in both, with the pruning prevented by keeping the first client open. Pushing the test to your PR @wild zephyr

TIL that buildkit doesn't prune for opened sessions

Yeah when you do a solve in a session buildkit holds open cache refs for every result and buildkit won't prune any cache that has open refs. When the session shutsdown, the refs are all released

commit w/ that test: https://github.com/dagger/dagger/pull/5452/commits/c89c3075f7ffdcd6dbd097ad82f776bc74135eb1

@civic yacht just pushed my Container.import changes to session-frontend if you want to take a look - not 100% sure I did the lease stuff properly, and it's kind of hard to test reliably at the moment. Pushed for now so I can context-switch to some Progrock changes: https://github.com/dagger/dagger/pull/5315#issuecomment-1636086684

oh and here's the commit itself: https://github.com/sipsma/dagger/commit/c53a6c314cefe2823d26ff2b8632d0e6a427bff6

I decided to pull in my stableDigest() helper from the services-v2 branch, since I noticed FileID was busting the cache key a lot. Didn't seem like there was a quick path to Buildkit "source of truth" cache keys based on yesterday's convo, so that'll have to do for now, but it has all the issues you mentioned in https://github.com/dagger/dagger/pull/5452#issuecomment-1636062194

@civic yacht @still garnet getting

DONE 619 tests, 52 failures in 193.705s
Stderr:

Please visit https://dagger.io/help#go for troubleshooting guidance.
exit status 1

when running ./hack/make engine:test in my local branch for this PR (https://github.com/dagger/dagger/pull/5452). Doesn't seem real since CI only showed 4 failures only. Just tried to re-run and getting the same results each time. Any pointers what could be causing that many failures on my end?

do you have the full output?

let me re-run and send it over

I just ran your branch locally and got the same 4 failures in CI (which all seem expected), so not sure

brb gotta step out for ~30m

looks like ~everything is failing to resolve HTTP/git service hostnames, which is odd because those definitely expose a port

oh, maybe they call WithExposedPort after WithExec or something like that

but yeah not sure why that'd be different for your local checkout vs CI or Erik's machine

just checked and they both expose their port before WithExec - but also hopefully everyone using this API is doing that in the right order, since now it actually matters

@wild zephyr and I decided to go for the alternative fix after noticing that our docs actually tell you to do WithExec().WithExposedPort(), so the impact of skipping hostname would actually be pretty high.

This PR removes the llb.SessionID instead, t.Skips the related tests, and yoinks over the cache-busting test from the original PR: https://github.com/dagger/dagger/pull/5468

what’s the TLDR of the DX change that we’re making?

No DX change for the most recent PR, its description explains the alternative change we considered which would have had a DX impact. Above PR should only break parts of whatever state dagger do shipped in, so no impact afaik (no one should be using that)

@stray heron question about the new release note process https://github.com/dagger/dagger/pull/5408#issue-1788536705. IIUC changie new requires a PR number so it can later reference that in the changelog. One thing that's not quite clear to me is that when doing changie new, you don't always have a PR number beforehand since the PR will be created after you commit your changes and effectively open it 🤔 . Am I missing something here?

The simplest thing would be to open the PR, then push an extra commit with the changie new content.

The other option would be to reference issues instead of PRs. Maybe we support both?

In the interest of making this easy to search / link to / reference, would you like us to continue this in a new GitHub Discussion? It can also be on that same PR. Discord will make this really difficult to track down for future selves.

sure thing. I'll open a new issue since I find it weird to discuss in already merged PR's

GitHub Discussion perhaps?

sure!

As the creator of changie, let me know if I can be of help. There are lots of configuration values available if you need anything more advanced than the starting template.

Hi! It's nice to put a name to the author of changie.dev.

We did a few config changes, the project's documentation made it fairly straightforward: https://github.com/dagger/dagger/blob/main/.changie.yaml

This reference also helped: https://github.com/DelineaXPM/dsv-github-action/blob/main/.changie.yaml

Will be happy to give more feedback as we build experience with it. So far, it was smooth to learn & use - thank you!

here. https://github.com/dagger/dagger/issues/5475 cc @high heart
edit: also added a "first idea that came up" solution.

That is great to hear, always a concern of mine on how the onboarding process is.

I usually recommend using an issue rather than a pull request. As the change relates to a user in the form of an issue. Not the implementation details in a pull request.

Calling for comments on this important topic: https://github.com/dagger/dagger/issues/5484

@rancid turret. Regarding the mount of binary data as secrets. I'm well advanced, currently writing the integration tests

__Two questions: __

1. How do we want to scope the host interaction on this method: https://github.com/dagger/dagger/pull/5500/files#diff-09f798f10567cb9017b829bfa481df0a90e444368d36bd8f7025a69d1d2521c9R96-R101 ?

I don't see people copying their secret files in the workdir of the project ... Do we add the exclude / include option as another security layer ?

2. Do you know where the 128000 byte limit comes from. Is it a secret store limitation ? https://github.com/dagger/dagger/pull/5500/files#diff-4242183254eaee9649c3ed82114bd292d61bd23a0d7b2ff701c3bb16d3fb8fabR76 (cc @celest totem)

1. That's up to them I guess. Not sure what you mean by the exclude/include option here. You're not using llb.Local, the file is being read outside of buildkit. However, @civic yacht will this work with the API in runner? Not sure how host access like this will work.
2. According to Tanguy in https://github.com/dagger/dagger/pull/4944, it's because of how we're passing the secret to the shim via os/exec.Cmd. Not sure if that's changed. However, again with https://github.com/dagger/dagger/pull/5415 that should no longer be a limitation.

Yes, I agree that it's being read outside of Buidlkit.

It's just that currently, when relying on host.Directory or host.File, we cannot mount something outside of the dagger project directory (unless it changed). Do I enforce this behavior (checking that we are indeed specifying a path inside the scope of the project, or not) ?

Don't see why not.

I remember it was a choice/request from Solomon, used as a behavioral security layer: when using any host API, you can be sure that the API is not checking outside the scope of the project. Just double checking as you're the API master, if you're up I'm up 😇 🙏

@still garnet @stray heron @rancid turret If you have a minute : https://github.com/dagger/dagger/pull/5488 🙂 It's a really small PR

can check in ~10 mins

That's up to them I guess. Not sure what you mean by the exclude/include option here. You're not using llb.Local, the file is being read outside of buildkit. However, @Erik Sipsma will this work with the API in runner? Not sure how host access like this will work.
That change is totally backwards compatible from the client/API perspective, so it should work the same as today

Do you know where the 128000 byte limit comes from. Is it a secret store limitation ?
I'm not 100% sure, don't see that it could possibly be a secret store limitation, my best guess is it could have been was referring to limitations in linux on the size of env vars. But I don't know if that's really going to apply when mounting files. I'd say that you should see if you can ignore size limits for your current effort @obsidian rover, but be sure to add a test with a huge secret (like 128MB+ or something absurd) and see if it fails or not, we can go from there if it fails or is unusably slow or something like that.

How does it work when an api field receives a path the a file in the host? Won’t it run in the runner container then vs in the cli now?

No the quick gist of the new architecture is that even though the api server is in the runner, any session specific requests (e.g. local dirs, unix socket forwarding, etc.) will be routed back to the correct client and work the same as today. In buildkit terminology, the clients all have the same session attachables that they have today, they are just hooked up to our custom controller in the runner rather than the vanilla buildkit controller.

But that’s for buildkit stuff right? If the input is a string for a path to a file, where’s the code in core/schema running that does a io.ReadAll on that file?

https://github.com/dagger/dagger/blob/506d11a0e326e625bbbdfddf362338ceb00fffa4/core/schema/host.go#L107

Ah okay, I understand the question now, yeah directly reading a file based on a path like that will no longer work. And (catching up on the whole problem now) we don't want to just do a standard local import because then the secret host file will end up in the cache, which defeats the purpose.

Luckily, the changes we're making to move the gql server -> runner result in us having very fine grained access to the low level session methods. So, what I think we will do is add some utils that hooks directly into the localdir sync and lets us read files into memory rather than being forced to write them to buildkit's cache as a local import.

Let me 100% confirm that will be possible, one min

Yeah it should be possible without tons of effort. The code in buildkit where local dir sync actually happens is here: https://github.com/sipsma/buildkit/blob/d9a6afdf089a7c4b97cac704a60ad70c21086f12/source/local/local.go#L188-L217

And we now have access to the same object as what's set to caller there, so we can call those same methods except read the files to wherever we want rather than to buildkit's cache. It looks like atm we'll probably still need to sync to a path inside the runner container, but as long as it's a random tmpfs directory that's cleaned up after being read into memory that should be totally fine I think. It should also be possible in theory to sync the files directly to in-memory buffers instead, but looks like that'd be a lot more effort, so don't need to start there.

Basically @obsidian rover, I think you should continue w/ the current approach and then depending on the order of merging PRs, I'll either update mine to handle this correctly or help out updating yours to.

We synced with Helder today. I updated the current PR: https://github.com/dagger/dagger/pull/5500/files#diff-3981512bfc30a22bf4870ef86642b70161c68ab4768680a62302a8c845c1ed6eR184. Basically, our secrets break after 512000 bytes.

As discussed with Helder, it doesn't seem to be immediately blocking, as the current size is enough to mount most of private keys used as secrets, as shown on this docs example https://github.com/dagger/dagger/pull/5502. This could be a follow-up fix, WDYT ?

Yeah I wouldn't worry about trying to go past that limit right now, that sounds great. I can't really think of any immediate use case for >512kb. But if it does come up as a need in the future we can easily revisit.

Saw this in my gh notifications, interesting movement towards being able to run buildkitd directly on macos hosts: https://github.com/moby/buildkit/pull/4059#issuecomment-1649549037 Plenty of caveats of course, doesn't mean we'll be able to use it ootb, but cool to see nonetheless

@rancid turret If you have 5 minutes https://github.com/dagger/dagger/pull/5488 😄

I applied your comment! 🚀

@still garnet @civic yacht This PR seems pretty close to be mergeable, could you add a review when you have a little moment? https://github.com/dagger/dagger/pull/5315

This PR : https://github.com/dagger/dagger/pull/5488 is blocked by a strange Go issue, everything is fine except on Go test on the Go SDK itself, this one: https://github.com/dagger/dagger/actions/runs/5670762890/job/15374801748?pr=5488#step:4:1266
The source code of the test is here: https://github.com/dagger/dagger/blob/736927938824e8c35d28aec7287e79c1f89ff3fd/sdk/go/client_test.go#L100

It seems that writing in the io.Pipe() makes the code freeze, I can actually reproduce the issue locally and the code actually simply stop at the first print.

    if cfg.LogOutput != nil {
        fmt.Println("Before print")
        n, err := fmt.Fprintf(cfg.LogOutput, "Creating new Engine session... \n")
        fmt.Println("after display: ", n, err)
    }
    fmt.Println("After display")

Output

Before print
# nothing, it's stuck here

I have already see that kind of issue on previous project, but usually we can fix it with a flush, however I cannot call this method here.
Do anyone with a good experience in Go has an idea what can I do to find the issue? It's strange that it is actually blocking the code, not even returning an error

@stray heron This is the only thing holding the PR to be merged, all other tests are perfectly fine!

According to this issue https://stackoverflow.com/questions/47486128/why-does-io-pipe-continue-to-block-even-when-eof-is-reached it makes sens why it's still blocking but then how am I suppose to pass this test? The blocking behavior is expected but it's not right in my case :/

@rancid turret I remember you were against an option to track engine loading but that looks like the only effective solution to workaround this problem, or we shall change the test to not use io.Pipe() but something else, wdyt?

There's no Dagger Cloud channel (Unless I missed it?), but I've got a feature request:

• OIDC token minting for AWS/GCP/et al

Cloud could iinject a short lived credential into my BuildKit instance to save me dropping long lived tokens into my builds

That's a good idea. It's currently in our backlog. @wet mason @wild zephyr We're looking at other ways to improve specifying tokens/keys as well.

I just find out that the test is actually not working... the pipe is filled with an empty string lmao

@still garnet Hey 🙂 Ready for your final review! That should be good for a merge now 🚀

https://github.com/dagger/dagger/pull/5315

What Jenn said, to expand a bit we are planning on moving tokens to be provided client-side (requires some architecture changes as a pre-req that are being worked on now). That alone will still require long-lived tokens, but at least not on the long-running engine instance. Then we could also work on making those tokens short lived too as an orthogonal problem.

I just re-read this and realized I may have misinterpreted your message, sorry 😅 (I got thrown off when I saw the words "cloud", "tokens" and "buildkit instance" because we've been having internal conversations around those topics, but a totally different context). I think what you're describing is more that you have your own builds with dagger and rather than providing a static token as a secret you'd want something more like a dynamic secret that vends out short lived oidc tokens to the Execs implementing the build, is that correct?

@still garnet, do I remove TestFileServiceSecret or adapt? Context: https://github.com/dagger/dagger/pull/5512#discussion_r1276637514

Was that just testing File.secret in a service?

Ah, looks like it.

yep!

I'm going to remove Host.envVariable now.

GitHub is not seeing changes to my PRs: https://www.githubstatus.com

We found an issue with repos that affects ability of some of the customers to merge pull requests. We are working on mitigation.

Wait, does os.Getenv work inside our CI's mage tasks (dev engine, nesting, etc...)?

Oh, didn't know publishing the engine took so long (20m): https://github.com/dagger/dagger/actions/workflows/publish.yml?query=branch%3Amain

@worldly flare 👋 I noticed in your presentation today you mentioned wanting c2c sockets. I was just wondering if anyone would need that last night (assuming you mean Unix sockets). Whenever you have a moment, I'm curious about the use case 🙏

@still garnet I rebased and resolved conflicts in https://github.com/dagger/dagger/pull/5500, can you review again?

my use case is running nerdctl-rootless in a container, think dind here

1. add CLI to the main container
2. run the daemon in a service

afaik, nerdctl and podman will only talk to sockets directly, not over tcp (like docker cli supports)

interesting, thanks!

If I can get those to work like a TCP socket, then I wouldn't need c2c. My goal is to test hof container runtime integrations from within a container (so I can avoid the packer VM setup we use today, or use it less often anyway)

If you could test the same for Dagger in Dagger for the three main container runtimes, then we ought to be able to use the same techniques

I'm lacking context but would running socat to bridge unix/tcp do the trick?

so the context is running a container with dind as a mounted service, but for nerdctl / podman

With docker:

1. Daemon container: https://github.com/hofstadter-io/hof/blob/_dev/test/dagger/dockerd.go#L26
2. Mount service: https://github.com/hofstadter-io/hof/blob/_dev/test/dagger/dockerd.go#L55

Then my application in the container exec's out to the docker cli. What I'm after is the same for nerdctl | podman

The problem I have is nerdctl seems to only want to talk to local sockets, i.e. the tcp here does not work: https://github.com/hofstadter-io/hof/blob/_dev/test/dagger/dockerd.go#L57

I could look into running multiple processes in the same container, but I don't really want to. (hof + containerd) or (hof + socat?)

Actually, I have reproducers for both docker (passing) and nerdctl (failing)

• https://github.com/hofstadter-io/hof/blob/_dev/test/dagger/main/dockerd-in-dagger.go
• https://github.com/hofstadter-io/hof/blob/_dev/test/dagger/main/nerdctl-in-dagger.go
  I've tried both grpc & tcp for nerdctl and get

│ │   █ [0.31s] ERROR exec nerdctl -a tcp://global-containerd:2375 info
│ │   ┃ time="2023-07-28T21:24:28Z" level=fatal msg="invalid address \"tcp://global-containerd:2375\"" 

https://github.com/containerd/containerd/discussions/7101#discussioncomment-3022427

actually, I wonder if mounting a service binding as a unix socket rather than tcp would solve my issue?

getting closer with socat

│ │   █ [11.4s] ERROR exec bash -c set -euo pipefail socat -d -d UNIX-LISTEN:/run/containerd/containerd.sock,reuseaddr,unlink-early,user=root,group=root,mode=777 TCP4-CONNECT:global-containerd:2375 & sleep 1 ls -lh /run/containerd nerdctl info pkill socat
│ │   ┃ 2023/07/28 23:00:17 socat[15] W unlink("/run/containerd/containerd.sock"): No such file or director
│ │   ┃ y                                                                                                  
│ │   ┃ 2023/07/28 23:00:17 socat[15] W ioctl(5, IOCTL_VM_SOCKETS_GET_LOCAL_CID, ...): Inappropriate ioctl 
│ │   ┃ for device                                                                                         
│ │   ┃ 2023/07/28 23:00:17 socat[15] N listening on AF=1 "/run/containerd/containerd.sock"                
│ │   ┃ total 0                                                                                            
│ │   ┃ srwxrwxrwx 1 root root 0 Jul 28 23:00 containerd.sock                                              
│ │   ┃ 2023/07/28 23:00:18 socat[15] N accepting connection from AF=1 "<anon>" on AF=1 "/run/containerd/co
│ │   ┃ ntainerd.sock"                                                                                     
│ │   ┃ 2023/07/28 23:00:18 socat[15] N opening connection to AF=2 10.87.1.112:2375                        
│ │   ┃ 2023/07/28 23:00:18 socat[15] E connect(5, AF=2 10.87.1.112:2375, 16): Connection refused          
│ │   ┃ 2023/07/28 23:00:18 socat[15] N exit(1)                                                            
│ │   ┃ time="2023-07-28T23:00:28Z" level=fatal msg="failed to dial \"/run/containerd/containerd.sock\": co
│ │   ┃ ntext deadline exceeded: connection error: desc = \"transport: error while dialing: dial unix:///ru
│ │   ┃ n/containerd/containerd.sock: timeout\""   

but socat is unable to connect to the mounted service binding

It's a hack and not something I recommend per-se, but if you are looking for other short terms solutions and weren't aware, you can share a unix socket across two exec containers using a CacheVolume. Underneath the hood, a CacheVolume is just a bind mount to the two containers, so if a server binds+listens a unix socket on that cache volume, then it will show up in the client container under its mount of that volume

Ha, that's a neat trick! Maybe we could do something like that that for c2c sockets as an optimization for when both sides are on the same host. Mounted read-only on the client side for safety I suppose.

Can I merge this PR? https://github.com/dagger/dagger/pull/5488 @rancid turret ?

Yes, I approved. We can improve in follow-ups. 🙂

Yaaay

Python implementation here: https://github.com/dagger/dagger/pull/5522

@still garnet, if you can take a look when you have some spare time: https://github.com/dagger/dagger/pull/5485 👼

PR,ready to be merged: https://github.com/dagger/dagger/pull/5315

I was thinking of <container> --- [unix] ---> <socat process in the same container> --- [tcp] ---> <socat process in service container> --- [unix ---> <service>

That would require running 2 processes in each container (e.g. WriteFile an entrypoint.sh and run that instead of the process)

I could look into running multiple processes in the same container, but I don't really want to. (hof + containerd) or (hof + socat?)

Yeah, not ideal, however if that works we could look into doing a socat-like in the dagger shim to proxy unix->tcp traffic out of the box for services /cc @still garnet

I've been wondering if there are legit use cases for tcp <=> unix; so far I've been focusing on tcp <=> tcp, and unix <=> unix seems like it would fit well with our existing Socket type (just need Container.unixSocket alongside Host.unixSocket). I think unix <=> tcp is a bit of an oddball and at that point you might as well just run your own socat service, which you could build on top of both of those primitives

I spent some time seeing if Socket could be assimilated into Service but at this point think it's probably clearer to keep them separate

Yeah, I think tcp<->tcp and unix<->unix does the job

agree that if you need tcp<->unix, you need something custom

taking a look today, sorry I missed this!

Pr ready to be merged : https://github.com/dagger/dagger/pull/5523 🙂

@civic yacht maybe this rings a bell but my brain isn't working atm 🙂 Python is failing a provision test because of checkVersionCompatibility not existing in the API (https://github.com/dagger/dagger/actions/runs/5742052801/job/15565207204?pr=5558#step:5:226). My PR is https://github.com/dagger/dagger/pull/5558 and that field was merged in https://github.com/dagger/dagger/pull/5315. Why didn't the test use the dev engine? Test is here: https://github.com/dagger/dagger/blob/cf82b979ed764724d548b0acf280bb2ddb84a32c/sdk/python/tests/engine/test_download.py.

By the way, that's being checked inside dagger.Connection.

Yeah it's confusing, but I think I know what's happening:

1. Those provision tests normally don't run as part of PRs (because they take a long time), they only run when we push to main and when the version bump file is modified: https://github.com/dagger/dagger/actions/runs/5742052801/workflow?pr=5558#L16
2. Normally that version bump file is only modified during a release, but you have an exceptional case where you're migrating it to a new location, so it's causing the provision tests to kick off
3. That's triggering this branch of our yaml-shell (😩 Zenith plz save us): https://github.com/dagger/dagger/actions/runs/5742052801/workflow?pr=5558#L229 Which is running using the most recently released engine image

I'm trying to think of a way of undoing the catch-22 here... obviously moving those version files around is pretty rare, but it's an annoying situation to be in nonetheless

Ah, makes total sense. I think I was bitten again by Live Grep not searching in hidden files.

If we allow overrides for merging PRs w/ failing tests, I guess that's the last resort 🫤

Ah, yeah I have that same problem too (and the opposite problem of too many results I toggle the setting the other way)

But even if I caught that you're saying that just by the path changing, we have this problem?

Yeah, it makes sense.

Any ideas?

Yeah exactly, the only solution I can think of besides overriding the failed tests and merging anyways would be to make those provisioning tests actually work on arbitrary PRs. The thing that makes that really hard is that the tests are meant to test real-world provisioning, which means pulling from the actual registry we publish images to, which obviously becomes really iffy when it comes to just running on every push to every PR...

I'm thinking more though

I think we just merge with the fail.

Wait, will that make every merged commit fail until release?

I think that's probably the most productive, if somehow something goes wrong it'll be caught when pushed to main and we can fix it right away. Also, quite a bit of the code paths involved in provisioning end up exercised anyways in various integ/unit tests all over the place, having these very "real-world" e2e provisioning tests is mostly for an extra blanket of security around not releasing broken stuff and to get some macos test coverage (which occasionally runs into unique bugs not on linux)

Wait, will take make every merged commit fail until release?
No it shouldn't; everything works as expected on main because we actually publish images to our registry on main. Those provision tests in that case run after the publish is done and run their tests with it https://github.com/dagger/dagger/actions/runs/5742052801/workflow?pr=5558#L221-L224

The one thing to make sure of it to update this line in that workflow file to the new path: https://github.com/dagger/dagger/actions/runs/5742052801/workflow?pr=5558#L16

we actually publish images to our registry on main

Ah yes, true 🙂

Yeah, that's done, just have to push 🙂

Thanks @civic yacht 🙏 I actually knew how this works just completely forgot. Even felt strange to have the provision tests run on PR.

No worries! It was a walk down memory lane for me too 😁

Strange that I can't even run that test locally. Keeps giving me a connection refused when trying to download the cli from the test suite. Even when checking out v0.6.4 tag. Might have to reboot 🙂

I just gave it a shot on my mac directly but gave up once I hit the error ERROR: Package 'dagger-io' requires a different Python: 3.9.6 not in '>=3.10', which I don't have time for right now😅 But the tests all passed on main CI, so yeah probably something local

Tangential, but your comment about rebooting spurred me to try that to see if it would magically fix dagger shell on MacOS and it actually did! #daggernauts message

So thank you 😆

Hi, I found the _README.md in docs directory mentioned that should run make web on the root repository, but the Makefile is already gone. So I'm not sure the process has been changed to run another command or can skip this step?

Calling for thoughts on this: https://github.com/dagger/dagger/issues/5484#issuecomment-1648220880

In that thread, we reached the conclusion that the engine image should be split in 2 functionally distinct components. We need to agree on what to call those components, to avoid future confusion. And then we need to agree on how to package and distribute them (one OCI image or two?). And of course we need to bikeshed our way to those answers.

What's the canonical way to check for an ExecError in raw graphql?

They show up in the http response as errors: https://spec.graphql.org/October2021/#sec-Errors Specifically, we use the graphql feature called "extensions" and set an extension of type EXEC_ERROR with these fields: https://github.com/sipsma/dagger/blob/9024a572a1a1649e44c983ca6a51b3dc91995a87/engine/buildkit/errors.go#L22-L22

Ah interesting, I didn't even know about graphql extensions

I'm confused because I thought the reason we chose this inferior DX for exec error handling was backwards compat, but it's still listed as a breaking change in the 0.8 release. Makes me feel like maybe we should have gone for the more straightforward experience if we were going to break anyway. Sorry if I'm missing context

What's the more straightforward experience?

If Sync fails, it means Dagger failed to sync (no need to check for special errors in each SDK). If I want to know an exit code, I check exitCode.

Yeah, but there's multiple things to consider here.

You're not required to check for ExecError if you don't care about the type of error. Previously, the stderr, stderr and exit code were encoded in the error message, which means lots of people were using regex to parse the message and extract these bits. They're now easily accessible in ExecError. Making multiple calls to ctr.ExitCode, ctr.Stdout and ctr.Stderr would be a chore, but the main issue was caching. We didn't think of a way to continue using a container, after a failure and without caching said failure.

That's still a thorn because some people require that. The workaround today is to sh -c "<cmd>; echo $? > /exit_code and get it from that file, but the caveat is caching the failure.

Isn't caching the failure want I want when I'm executing test suites?

I proposed months ago taking that workaround and making it part of the core API, to get a quick solution

Well it depends. If it's a failed test yes, if it's an unexpected failure like the network was down then no.

So we'd need controls for people to decide if to cache or not, but that's not easy to generalize. Not to say it can't be done, just that no good solution has come up yet.

Don't I still have the symmetrical problem now though? When implementing my test pipelines, either I get zero caching on failed tests, or I have to implement wrappers myself, but no way to distinguish a failed test from a failed exec for other reasons.

Yes, but we'd cache the failure for you that would be a different problem.

By the way, you do have a bit more control over what type of failure you have.

If it's not an ExecError when running a test suite then it's an unexpected error.

But you can also have an exec error with unexpected errors if it happens during the execution of that exec.

On the other issue of "multiple calls would be a chore", I think that's a hasty conclusion. First, in regular GraphQL it's very easy to query for as many fields as you want. So there's a limitation of our current arbitrary codegen'ed DX rather than our API. Separately, there was the option of defining rollup logic to avoid querying after each exec. For example stderr/stdout could be concatenated; exitCode could make the last error sticky (so error->success->success results in an exitCode 'error'). Lots of possible solutions we didn't explore

If it's not an ExecError when running a test suite then it's an unexpected error.

Sure, you get that in all the options though.

Just backing up, I see that my initial assumption (we chose this path primarily for backwards compat) was wrong, clearly there are a lot of design constraints at play here. So I don't know if I agree with the design we picked, but I am no longer confused 🙂

I guess in the context of Zenith, the biggest pain will be losing cache on entire test suites because of one failed test.

Let me clarify some things on how this developed:

• ExecError was primarily an improvement to avoid users having to regex the error message to fetch those fields;
• Sync was a separate and general issue, but ended up replacing the need for the _, err := ctr.ExitCode(ctx) pattern;
• We wanted to fix ExitCode() but there was attrition because of backwards compatibility. The issue of caching failures comes from here, but it hasn't been discussed at length, it's just a can of worms we keep pushing down the road;
• People were using ExitCode() incorrectly, like if exitCode != 0 when that never worked. It would have been fixed, but then there were a lot of other people who depended on the bug actually so it would break for them if we fixed it 🤷‍♂️;
• I was looking into a simple way to fetch multiple sibling fields from our API and I have a proposal for this, but there's some tricky corner cases;
• Based on all of this, it seemed reasonable to just replace the ExitCode baggage with something new. It ended up being ExecError and Sync as they were already there for other reasons but made ExitCode() unnecessary.

Having said all of that, I remind you that the "caching failure" is still a problem that needs solving especially for two use cases that I find recurring (I have it as the main thing in my DX problems list atm). ExecError wasn't meant to to be the end of the story, just a simpler improvement for now.

OK thanks for the reminder. Part of my reaction is that this is the headline of our 0.8 release, so hard no to interpret it as "the end of the story", at the very least we're presenting it like a milestone meaningful enough to be a headliner.

It’s just because it’s everywhere so may require changing more code compared to other deprecations that were simple renames.

Btw I originally had the other deprecations first in the blog post and the exit code after in the first api section then sdks. In review the feedback was it should come first but it wasn’t meant as the headline of the post, just required more explanation.

@mellow bolt When you have 5 minutes tomorrow, could you leave your opinion on this PR please: https://github.com/dagger/dagger/pull/5594

JF is out for this week and the next one. We can have a quick look with @dense dust tomorrow Tom 🙏

Sounds good! 🚀

sharing a clean PR for initial GPU access, integration tests included: https://github.com/dagger/dagger/pull/5605

@still garnet This PR is ready for another review 😄 I updated it to be consistent with SDK logs (with more details)
https://github.com/dagger/dagger/pull/5436

trying it out!

https://tenor.com/view/karen-khachanov-tweener-tennis-atp-gif-25492355

@still garnet

https://giphy.com/gifs/xbox-overwatch-xbox-series-x-malevento-h2uddVnq2ASl2E5AML

I like that one because we’re chasing each other upwards - presumably towards the perfect design 😁

https://tenor.com/view/aaannddd-send-it-press-the-button-tom-hanks-gif-14751611

lol, I thought that too

I observed unusual behavior while running a demo on the `dagger/dagger@v0.8.1 codebase. The dagger workflow, which is version 0.8.1, initiated a new engine with version 'v0.8.2', which resulted in a version conflict for 'gale' since it explicitly uses 'v0.8.1'.

Hi,

I'm working on I just try to make Elixir work on this page at https://github.com/dagger/dagger/pull/5620 and I want to know how can I generate code snippet with syntax highlight on https://docs.dagger.io/quickstart/593914/hello/ page? It seem that playground can executing sdk code but I don't know how to do it. 😢

docs: initiate Elixir quickstart documen...

@still garnet May I can collect your opinion really quick on the actual necessity to switch ot a real query builder: https://github.com/dagger/dagger/issues/5609
It might not solve our issues so I suggested another approach 😄

@still garnet I try to find what is the root cause of Elixir SDK tests failure. And see something strange that every time Elixir SDK tests are failure, the engine show the log like

177: [21.9s] 2023/08/15 15:43:42 http2: server: error reading preface from client localhost: rpc error: code = Unknown desc = failed to get client metadata for session call: failed to base64-decode x-dagger-client-metadata: illegal base64 data at input byte 0

This snippet above found from PR 5628 https://github.com/dagger/dagger/actions/runs/5868523844/job/15912901044?pr=5628#step:4:881.

I'm not sure why it's related to the SDK client. Maybe you give an guidance.

cc @stray heron

yeah, so that's directly related to the change in that PR; that x-dagger-client-metadata header went from being JSON to being base64-encoded JSON. For some reason the Elixir SDK tests seem to be running against an old engine

or vice versa actually, not sure

from that error it looks like it might be an outdated CLI

I think Gerhard mentioned that might be happening after it fails to connect with the new one? it falls back to downloading a stable one? so if that's the case, that error might be secondary, and we need to figure out why it went for the fallback

I have been try to log cli version with this patch:

$ git diff
diff --git a/internal/mage/sdk/elixir.go b/internal/mage/sdk/elixir.go
index 534ba700..83b397f3 100644
--- a/internal/mage/sdk/elixir.go
+++ b/internal/mage/sdk/elixir.go
@@ -94,6 +94,7 @@ func (Elixir) Test(ctx context.Context) error {
                        WithEnvVariable("_EXPERIMENTAL_DAGGER_RUNNER_HOST", endpoint).
                        WithMountedFile(cliBinPath, util.DaggerBinary(c)).
                        WithEnvVariable("_EXPERIMENTAL_DAGGER_CLI_BIN", cliBinPath).
+                       WithExec([]string{"/.dagger-cli", "version"}).
                        WithExec([]string{"mix", "test"}).
                        Sync(ctx)
                if err != nil {

The engine version output

171: exec /.dagger-cli version
171: > in sdk > elixir > test > 1.14.5
171: [0.09s] dagger devel () linux/arm64
171: exec /.dagger-cli version DONE

T_T

Ahh, I found it https://github.com/dagger/dagger/issues/5642#issuecomment-1680884324

In the interest of keeping this context in GitHub @fresh harbor @still garnet: https://github.com/dagger/dagger/issues/5642#issuecomment-1680928492

@still garnet I fixed the enum and string conflict on NodeSDK with this PR: https://github.com/dagger/dagger/pull/5645, this shall delay the necessity to use a true query builder.
I'm not satisfied by what currently exist so I might create my own as an open source project later

ahh makes sense, thanks for figuring it out! 🙏

sounds like a fun side project 🚀

@stray heron I found registry too many request error on main https://github.com/dagger/dagger/actions/runs/5893416043/job/15984907482#step:5:182. Looks like it happens only on runner that Elixir runs on.

Thank you for the ping! We have an improvement coming in https://github.com/dagger/dagger/pull/5652

This is another item that we will need to address @ancient kettle as we continue dogfooding our Dagger Runners. FWIW:

• https://github.com/dagger/dagger/pull/5652#issuecomment-1682587728
• https://github.com/dagger/dagger/pull/5652#issuecomment-1682728642

cc @tepid nova @twin crow

https://github.com/dagger/dagger/pull/5652 just got merged which should make main green again

FWIW, here is the important change:

Thank you for your information. 🚀

It stills happen on the dagger-runner

Yes, we expect these to fail, but the continue-on-error makes the workflow as a whole succeed - see Status: Success https://github.com/dagger/dagger/actions/runs/5894309027

As long as the github-paid-runner succeeds, we are good.

Btw, these errors are just temporary, we will have the dagger-runner jobs fixed soon. cc @ancient kettle

I see.

@fair ermine @hybrid widget Elixir SDK issue was resolved https://github.com/dagger/dagger/pull/5661. 🙇‍♂️

Anyone has ever met this issue?

dagger session
1: connect
1: > in init
1: starting engine 
1: starting engine [2.44s]
1: starting session 
2023/08/21 16:30:11 http2: server: error reading preface from client localhost: rpc error: code = Unknown desc = failed to get client metadata for session call: failed to unmarshal x-dagger-client-metadata: invalid character 'e' looking for beginning of value

#maintainers message

I found it during fix the Elixir SDK connect failure issue.

I'm using a dagger binary compiled from main... I'm up to date :/

Are you running against the latest dev engine? You'll get that error if not

I'll empty my image storage and let you know

Ty! It fixed my issue omg

I want to start a thread about cache volumes... Will make it an issue if it goes anywhere. Paging @still garnet specifically since our discussion about namespacing on friday is what got me climbing down this particularly deep rabbit hole...

@still garnet FYI drafting a response to your servicesv2 ping now

Hi, I found Elixir SDK hang when running with dagger run (https://github.com/dagger/dagger/issues/5666). After try adding --debug option, the TUI show context deadline exceed on http://dagger/query but graphql query still perform. Anyone has ever met the issue?

👀 https://www.kapa.ai

General FYI for anyone developing on the engine, we added CVE scanning that will cause CI to fail if any Critical or High vulnerabilities are found in our engine image. If you run into this, I added some guidance on how to go about addressing it to CONTRIBUTING.md: https://github.com/dagger/dagger/blob/main/CONTRIBUTING.md#vulnerability-scanning

Also, if anyone has a sec for a quick shipit, I made a traditional "yaml compilation error" that wasn't noticed in PR since it was in a job that can only run on pushes to main 😞 : https://github.com/dagger/dagger/pull/5690

Thankfully, the plan is to move that to a Zenith Check so we won't have to deal with that anymore in the future 😁

Is there any way we could make these dagger-runner checks opt-in somehow until we expect them to be stable? It's causing a ton of noise in PRs, and is training me to ignore them, which isn't good. The only occurrence of dagger-runner I can find in the repo is in a specific workflow (_hack_make.yml) which doesn't seem related, so is this some sort of infra-level setting? cc @ancient kettle (not sure who to ping, just guessing)

@oak sandal moving our discussion about p2p, caching etc here 🙂

centralized vs p2p caching

@mellow bolt FIY Netlify docs is failing on some CI, did we break anything this week?

@civic yacht sorry to bother you about this while you're deep in Zenith Checks. Not urgent.

--> When we switch to the containerd bk backend, you mentioned "all engine drivers will need to do, is provide a containerd socket".

Looking at it now but I can't figure it out yet

I can build the docs locally

I discovered someone else experiencing the exact same issue, and it began on the same day for them as it did for us:
https://answers.netlify.com/t/builds-stopped-working-out-of-sudden-error-while-installing-dependencies-in-opt-build-repo-netlify-plugins/100256
It seems the problem might be on their end. Despite efforts, including upgrading the Node version, I haven't managed to replicate it locally.

👋 I was trying to test something with dagger listen in Dagger main latest commit and seems like dagger listen stopped working altogether? command just hangs. Doesn't happen in 0.8.4. cc @still garnet @civic yacht

Hi, I sent a PR to the engine https://github.com/dagger/dagger/pull/5712 to try to fixes the Elixir hang when run with dagger run. I just found that it hang because of cmd.SysProcAttr.Setpgid, I'm not sure why. 😂 It works, gradle also works but I'm not sure if it's the right way to fix.

FYI Netlify push a fixed

Starting a thread about cross-session IDs and all the associated tears and blood

@still garnet If you have bandwidth for a quick review about the expansion of Dagger secret API: https://github.com/dagger/dagger/pull/5707 😛

anyone knows if latest main is broken or perhaps my box is in some weird state?
getting the following when trying ./hack/dev bash:

[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x17ca344]

goroutine 1 [running, locked to thread]:
main.setDaggerDefaults(0xc000360000, 0x0)
    /app/cmd/engine/config.go:31 +0xe4
main.main.func3(0xc0004e3080?)
    /app/cmd/engine/main.go:252 +0x4da
github.com/urfave/cli.HandleAction({0x1926620?, 0x1d500a8?}, 0xc00047f340?)
    /go/pkg/mod/github.com/urfave/cli@v1.22.12/app.go:524 +0x50
github.com/urfave/cli.(*App).Run(0xc00047f340, {0xc0000500c0, 0x4, 0x4})
    /go/pkg/mod/github.com/urfave/cli@v1.22.12/app.go:286 +0x7db
main.main()
    /app/cmd/engine/main.go:401 +0x1214
panic: runtime error: invalid memory address or nil pointer dereference

nvm cleaned ~/.magefile and it went smoothly

The above issue occurs on latest main when _EXPERIMENTAL_DAGGER_SERVICES_DNS is set to 0. The reproduction flow is:

• setupNetwork is called, _EXPERIMENTAL_DAGGER_SERVICES_DNS is set to 0.
• setDaggerDefaults takes netConf (returned by setupNetwork).
• netConf is nil and setDaggerDefaults attempts to interact with it. (I found this while rebasing GPU access branch on top of latest main`)
  is this worth fixing @still garnet ? I think your PR will change a lot of this code: https://github.com/dagger/dagger/pull/5557

I was looking into various containerd remote snapshotters over past couple days and their proposed image formats (Nydus, overlaybd,etc). They all have strong arguments against tar- https://www.cyphar.com/blog/post/20190121-ociv2-images-i-tar . Ideal story in a perfect world: developers have containerd on their machine(via docker's containerd image store/nerdctl) , Buildkit supports building these newer formats and harbor(maybe others will) support storing them. So people can build, run CI/CD via Dagger and deploy using the same stack . All sharing the same cache and having the ability to lazy pull efficiently with low latencies,etc.
In reality , it does not look easy to get people to migrate to the new shiny thing, maybe the build/CI is doable but deployment runtimes doesn't seem to be an easy task.

Also, the newer formats are still something that's being debated over, its not clear which ones are better/going to stick around in a year. I've also just heard changelog podcast where @tepid nova talked about how community may never agree on any of formats.
Do you folks think there'll be specific use-cases/domains that we'll able to share the image formats across the stack? Or is it worth making it easier for users to migrate to the newer formats and have all the tooling necessary to enable that(docker and OCI kinda did that, I feel)? Really curious about what you folks think.

I was looking into various containerd

@civic yacht @still garnet @stray heron
I just opened a big issue about buildkit rootless https://github.com/dagger/dagger/issues/5763
This one aims to close all sub issues and propose a temporary solution with a piece of documentation, lmk your opinion 🙂

Is this error familiar to someone ? I'm running a job on Github action with our dagger-runner . The pipeline is written in TS. Thanks 🙏

Which version of the SDK are you using, @mellow bolt?

    "@dagger.io/dagger": "^0.6.4",

I guess I should bump to 0.8.4

There was a breaking change in v0.8.3 or 4 - I think - that causes this.

thanks @ancient kettle.Will try that

btw, it worked, sorry I forgot to let you know. Thanks again 😊

Hi, I'm just seeing your message. I had the same issue and fixed it in https://github.com/dagger/dagger/pull/5760

I could have sworn there was a Container.Mount() which allowed you to access the contents of a mount after it changed? I remember it vividly because it was such a mindblowing moment for me, I didn't even know buildkit supported this, and it was such a painful gap in the pre-cloak version.

But @wild zephyr pointed out that it doesn't exist in the current API? Does anyone remember this, or am I going crazy?

You're probably thinking of container.directory() which handles that for you (it'll detect if the requested path is under a mount, and give you a Directory relative to that mount)

Holy 💩 so Container.Directory preserves the modified contents of a mount post-exec?

Doesn't that solve https://discord.com/channels/707636530424053791/1148864430281609296 ?

yep!

File too I guess?

Unfortunately not, since it's not able to access a cache mount; you'll get an error. It's not possible to represent a cache mount as a Directory unfortunately, because internally they're actually just magic tied to the Exec op

yeah File works the same way

One more item on my list of reasons to kill cache volumes

it miiiight be possible to change this with the new architecture, since we're much closer to the metal now, not sure

https://tenor.com/view/arya-kill-list-got-game-of-thrones-gif-14185062

I have shelved this pet peeve of mine because we're so busy... But my gut feeling remains that cache volumes / cache mounts are a relic of the past and we can do better

Anyone has ever met this issue

Just realized ExperimentalPrivilegedNesting and WithEntrypoint don't work well together 😭

nesting + entrypoints

Hey, is there a plan to support cache rotation i.e. some sort of logrotate functionality or can I make a new feature request? This is what happened when I started using Dagger in our CI environment 💥. I'm testing it on a project that I'd say is on the extreme end of the scale, a front-end monolith, and we commit very frequently throughout the day.

Hey is there a plan to support cache

@dull stream can you please explain dagger to me?

Hi! I just saw this as I was trying to figure out how to run docs locally as well. The readme is indeed incorrect. @fresh harbor

The correct readme is here: https://github.com/dagger/dagger/blob/main/website/README.md

cc @hybrid widget

Note that node v.20.6.0 has a bug in it that breaks the Docusaurus build. It's a Docusaurus issue and not specific to the Dagger setup.

https://github.com/facebook/docusaurus/issues/9291

Do we have an official script for cross-compiling the Dagger CLI to multiple architectures and OSes?

Can I direct you to the getting started guide for Go? 😉 https://docs.dagger.io/sdk/go/959738/get-started#step-5-create-a-multi-build-pipeline

Nice, thanks. I wasn't sure if Dagger's official build scripts were that "vanilla" or had additional magic involved

The guide would need some modification for the package to build, but other than that it should work 🙂 go build ./cmd/dagger

internally we're usng goreleaser to compile to multiple arch and oses; https://github.com/marcosnils/dagger/blob/e5feaea7f1d6eb01d834e83b180fc3daed3463ea/.goreleaser.common.yml#L1

^ those are the build flags we set in the binary. Pretty standard....

what's the motivation for using goreleaser?

(I'm going to guess less shell scripts)

So does ./hack/make exec out to goreleaser?

and not to go build at all?

./hack/make doesn't use goreleaser since it builds the binary with the standard go build command which will only build a single binary for the OS and ARCh that the dev currently uses. IIRC the decision to use goreleaser which basically execs go build underneath was because it also helps a lot with all the publishing aspect of the CLI S3 upload, homebrew, etc.

Got it. But ./hack/make has a lot of different commands, and is supposed to be our swiss-army knife tool. But it looks like goreleaser is an exception to that, and is called separately, correct?

kind of.. goreleaser is called as part of the ./hack/make tasks but only in the engine:publish target here (https://github.com/marcosnils/dagger/blob/e5feaea7f1d6eb01d834e83b180fc3daed3463ea/internal/mage/cli.go#L47). So we haven't provided a way to fetch the binaries goreleaser is generating but it should obe straight forward to do.