#Hey folks just hit a limit from buildkit
you can use the Workdir().Write call to use the exporter without that limitation. Here's an example:
```go
ctx := context.Background()
client, err := dagger.Connect(ctx)
if err != nil {
	return err
}
// Close the client when the surrounding function returns.
defer client.Close()

workdir := client.Host().Workdir()

// Create a 200MB file in the container and take the ID of the directory holding it.
optdir, err := client.Container().From("alpine").
	Exec(dagger.ContainerExecOpts{Args: []string{"mkdir", "-p", "/tmp/foo"}}).
	Exec(dagger.ContainerExecOpts{Args: []string{"fallocate", "-l", "200MB", "/tmp/foo/bigfile"}}).
	Directory("/tmp/foo").ID(ctx)
if err != nil {
	return err
}

// Export the directory to the host workdir.
_, err = workdir.Write(ctx, optdir)
if err != nil {
	return err
}
return nil
```
Oh wow. That's amazing.
Um, it's still failing for me.
Error:
input:1: container.from.exec.exec.directory ResourceExhausted: grpc: received message larger than max (12013920 vs. 4194304)
code:
```go
// ScanVulns scans the SBOM for vulnerabilities
func (p *Pipeline) ScanVulns(ctx context.Context, sbom string) error {
	client := p.Client
	scanner := client.Container().From("anchore/grype:latest")
	workdir := client.Host().Workdir()
	scanner = scanner.Exec(dagger.ContainerExecOpts{
		Args: []string{"echo", sbom, ">", "/tmp/foo/sbom.json"},
	})
	scanner = scanner.Exec(dagger.ContainerExecOpts{
		Args: []string{"sbom:/tmp/foo/sbom.json > /tmp/foo/vuln.json"},
	})
	dir, err := scanner.Directory("/tmp/foo").ID(ctx)
	if err != nil {
		return err
	}
	_, err = workdir.Write(ctx, dir, dagger.HostDirectoryWriteOpts{
		Path: "./tmp/",
	})
	return nil
}
```
wondering if the error might be coming from somewhere else. Can you add a log output to your Connect method to check what we see there?
```go
client, err := dagger.Connect(ctx, dagger.WithLogOutput(os.Stderr))
```
And then paste the log here
by any chance could sbom be a huge string?
if you replace sbom with something small, does it work?
Let me try.
Just trying to understand if the issue is the Exec or the Read call
seems the sbom input might be the issue?
That would be weird though. Because look here: https://github.com/RealHarshThakur/dagger-builpack/blob/main/main.go#L101
That sbom also was retrieved via buildkit
k, now that I have the complete code, let me repro
I forgot I had access to the source :doh:
You could skip the image build call. Just pass a random image name to GenerateSBOM method
what image are you using?
ttl.sh/sample-golang-98148:30m
It'll expire in some time though, lol.
But we could use any image.
+!
Thank you very much for looking into it
just tried with alpine and seemed to work?
redacted
S\",\n \"relatedSpdxElement\": \"SPDXRef-eb93193a7276c76a\"\n },\n {\n \"spdxElementId\": \"SPDXRef-d6c3ebbd3b517020\",\n \"relationshipType\": \"CONTAINS\",\n \"relatedSpdxElement\": \"SPDXRef-f542a07f45615070\"\n },\n {\n \"spdxElementId\": \"SPDXRef-d6c3ebbd3b517020\",\n \"relationshipType\": \"CONTAINS\",\n \"relatedSpdxElement\": \"SPDXRef-f91e100c74bf27e\"\n },\n {\n \"spdxElementId\": \"SPDXRef-d6c3ebbd3b517020\",\n \"relationshipType\": \"CONTAINS\",\n \"relatedSpdxElement\": \"SPDXRef-f96f56f789a464ad\"\n },\n {\n \"spdxElementId\": \"SPDXRef-d6c3ebbd3b517020\",\n \"relationshipType\": \"CONTAINS\",\n \"relatedSpdxElement\": \"SPDXRef-fb57f5df1fd169db\"\n },\n {\n \"spdxElementId\": \"SPDXRef-f58b410f6a2ae227\",\n \"relationshipType\": \"CONTAINS\",\n \"relatedSpdxElement\": \"SPDXRef-535cfe0185d18797\"\n },\n {\n \"spdxElementId\": \"SPDXRef-ffd420983d37bbae\",\n \"relationshipType\": \"CONTAINS\",\n \"relatedSpdxElement\": \"SPDXRef-e2c90ae8ae67431f\"\n }\n ]\n}\n > /tmp/sbom.json" did not complete successfully: exit code: 1
Please visit https://dagger.io/help#go for troubleshooting guidance.
exit status 1
Is that just the SBOM contents?
let me help you with some modifications
^ that should work.
there were 3 important things to consider that you'll notice in the code:
1 - You can avoid passing the sbom json through stdout since you can't mount files between containers with the WithMountedFile
2 - The redirection here (https://github.com/RealHarshThakur/dagger-builpack/blob/main/main.go#L127) makes the command fail since that container doesn't have a shell. You need to use the --file argument as you can see in my code
3 - Write doesn't export mounted files, only files that have been written in the current layers. That's why I'm getting "." directory to export
LMK if that makes sense or if I can provide more clarification with something else
Firstly, thanks a lot.
How did you figure out that the redirection is causing trouble? I know there's work being done on making debugging easier, but until then...are there any tips to debug such issues?
Also, is it possible to export files alone rather than directories? Basically,
```go
// a is dagger.FileID
workdir.Write(ctx, a)
```
Or is this why you had to export the directory?
I was also a bit confused that when an exec call is made, that's not really when buildkit starts executing it, is it?
Exec is a layer, but what is referencing a layer (container.File.ID(ctx) or container.Directory.ID(ctx)) called? It seems that referencing a layer is what actually invokes the layer to be executed
because when I ran the code with the redirection I got this error message in the error output:
```
Generating SBOM for image alpine
Scanning SBOM for vulnerabilities
input:1: container.from.withMountedFile.exec.directory process "/_shim /grype sbom:/work/sbom.json > vuln.json" did not complete successfully: exit code: 1
Please visit https://dagger.io/help#go for troubleshooting guidance.
exit status 1
marcos:tmp/lala
```
As you can see, that basically tells that the /grype sbom:/work/sbom.json > vuln.json is not returning successfully. If I enable the buildkit logs in the Connect method I can see some additional information like:
```
#17 /grype sbom:/work/sbom.json > vuln.json
#17 10.48 1 error occurred:
#17 10.48 * failed to catalog: unable to open file /work/sbom.json > vuln.json: open /work/sbom.json > vuln.json: no such file or directory
#17 10.48
#17 ERROR: process "/_shim /grype sbom:/work/sbom.json > vuln.json" did not complete successfully: exit code: 1
input:1: container.from.withMountedFile.exec.directory process "/_shim /grype sbom:/work/sbom.json > vuln.json" did not complete successfully: exit code: 1
```
Which reaffirms that the error is indeed there.
AFAIK buildkit handles exports at the FS level only, it doesn't support single files. @onyx finch can confirm this.
Yes, I agree this is not entirely clear. We have received some feedback about it and we'll be making some improvements. More info here https://github.com/dagger/dagger/issues/3555
You can create the end effect of exporting single files by exporting a directory containing only the file, just made an issue: https://github.com/dagger/dagger/issues/3599
correct, that's what we did in this case. Thx for confirming and opening the issue to track the question Erik
Thanks both. I didn't imagine I would be able to prototype this so soon. Now I have a lot of time on my hands, so I'll try to see if I can pick one of the issues