#Trouble sharing cache mounts cross machines - what is expected behavior with dagger cloud?

I have the team plan on dagger cloud. My understanding is that with the distributed caching it offers, my teammates machines and our CI machines should be able to benefit from cache hits on shared cache mounts. Unfortunately I haven't observed our dagger runs in CI use any caching at all. I have seen the dev machines successfully use caching, but I can't really tell if it's their local cache or a distributed cache pull down that they are benefiting from. I've got a handful of cache mounts configured like so:

                      WithMountedCache(
            path,
            cache,
            dagger.ContainerWithMountedCacheOpts{
                Sharing: dagger.Shared,
            }),

In ci, we use github actions on ephemeral self-hosted runners. I've built an AWS AMI with the minimum dependencies and dagger engine running, which has saved us 30-60s per run already. My hope and understanding was that this should be enough for them to take advantage of the caches. I've ensured that we're calling docker stop on the dagger engine and waiting up to 300s for that to finish. I've spent a dozen or more hours just on this aspect of onboarding my team to dagger, and if I can't truly realize distributed caching, it may be a show stopper for us.

Here is an example trace: https://dagger.cloud/Tallied-Technologies-Inc/traces/e22cb64f385a60335abee08ca3635149

I'm wondering if the engine itself requires a cloud token; right now we start the engine on VM boot, no cloud token and its the dagger call that provides the cloud token. Could this result in no use of dagger cloud caches?

hey @tender magnet, welcome to our community!

yes, the engine itself needs a cloud token to use Dagger Cloud

that's automatically done if dagger call is the one that spawns the engine and the DAGGER_CLOUD_TOKEN env var is set

if you're starting the engine yourself, you need to set that variable manually

when the engine is using the cache service, you'll see something like this in the engine logs:

DEBU[2024-08-09T15:42:36Z] importing cache                              
DEBU[2024-08-09T15:42:36Z] calling import cache                         
DEBU[2024-08-09T15:42:39Z] finished import cache call in 2.556976163s   
DEBU[2024-08-09T15:42:39Z] creating descriptor provider pairs           
DEBU[2024-08-09T15:42:39Z] finished creating descriptor provider pairs in 674.829µs 
DEBU[2024-08-09T15:42:39Z] parsing cache config

Thanks for the reply! I just confirmed, the caching is working if i let the dagger action start the engine with the cloud token env var.

It takes ~1min for dagger connect though, presumably it's pulling down the cache/caches.

When we let dagger call start the action, I see exec docker run --name dagger-engine-f16ce8ba8491e744 -d --restart always -v /var/lib/dagger --privileged -e DAGGER_CLOUD_TOKEN registry.dagger.io/engine:v0.12.4 --debug. Do I understand correctly that -e DAGGER_CLOUD_TOKEN binds the hosts DAGGER_CLOUD_TOKEN var to the engine container at the same var? As in, it must be set on the host prior to docker run ?

Which has me thinking... does the dagger engine pull down caches on startup, or upon the first session connection?

Do I understand correctly that -e DAGGER_CLOUD_TOKEN binds the hosts DAGGER_CLOUD_TOKEN var to the engine container at the same var? As in, it must be set on the host prior to docker run ?

yes, that's correct. That's what docker does when you do docker run -e $VAR

Which has me thinking... does the dagger engine pull down caches on startup, or upon the first session connection?

On startup. We're currently in the works of making this initial cache pull more efficient by making it lazy. It's currently downloading a bit more than what it needs and we'll be able to make it pull some things only when needed which should speed up the startup time considerably

That's great news, I think for the time being, I'm going to embed the dagger cloud token in our private AMI (locked down into a GHA runners AWS account with no access by others). We start the dagger engine as a daemon as early as possible, so the sooner the caches start downloading, the better. Will test and report back if there were any substantial gains worth the short-term security tradeoff.

How does the dagger engine authenticate when running on our machines? I don't see DAGGER_CLOUD_TOKEN set. I just tested:

1. docker rm -fv $(docker ps --filter name="dagger-engine-*" -q)
2. dagger login
3. dagger call ...

Engine startup and client connection was near instant, and no caches were used; the full dagger call execution occurred.

that sounds like a plan

dagger login only works for visibility in Dagger Cloud

Aha! I suspected as much, but the docs aren't entirely clear, at least not to me: https://docs.dagger.io/manuals/user/cloud-get-started/#connect-from-your-local-development-host

I just ran the engine myself with the cloud token set, and I'm seeing cache activity.

in general we don't see developers using the distributed cache locally in their machines mostly for several reasons:

• Local cache is generally good enough for the typical inner dev loop of change, build, etc.
• A developer might accidentally wipe the cache while doing some tests locally which will affect the production engines as well
• Dagger cloud distributed cache is "cloud/locality aware". This means that if your GHA runners are withing the AWS network, the distributed cache will use an s3 bucket in the same region your runners are so it has the maximum perofrmance. If your dev machines are in a different network (which they generally are), CloudFlare is used in this case so they'll not be really sharing the "production" engines cache

I agree with you. Adding an issue to fix that. cc @carmine lantern

cc @wanton cedar

That makes a lot of sense! Thank you. How does a cache get wiped? Is there only one instance/version of a cache by a given name? GHA Caches for example often have dynamic cache keys, and in the typical case the cache key for go is based on the sha of the go.sum. I realize its an apples to oranges comparison, but I'm curious if using dynamic cache keys for dagger caches is ill advised?

Further, I'm curious if having -ci and -dev cache key suffixes (based on whether its running in GHA or dev machine) would sufficiently isolate cache usage, such that the risk of 'accidental wipe' is eliminated?

Just realized the linked doc suggests local dev environment -> dagger cloud cache is a thing:

If you've configured cache volumes for the first time in a local development environment, call your Dagger Module via the Dagger CLI and then run the command docker container stop -t 300 "$(docker container list --filter 'name=^dagger-engine-*' -q)". This step ensures your new cache volumes populate to Dagger Cloud as these are during the engine shutdown phase. You only need to do this the first time you use Dagger Cloud locally with cache volumes or when you add new cache volumes in your Dagger pipeline.

yes, you can definitely do it! I'm just sharing that in practice it's something that no so many teams end up doing as they don't see a huge benefit vs not using it locally

mostly because devs like to fiddle with their dev a lot and sometimes they remove their docker containers which will make subsequent dagger calls to take a bit as the cache needs to be re-synced, etc

That makes sense, fortunately this is the first and only use of containerization on the team, so I have somewhat of a 'clean slate' to work with in terms of setting a standard.

The dagger engine currently caches two types of artifacts, layers and cache volumes (WithMountedCache in the Dagger API).

Layers are easier to prune as we wipe them as soon as they're not part of your pipeline DAG anymore (we can detect this).
Cache volumes are harder to wipe as the criteria really depends on the user's usage. We're currently wiping them every 30 days

that's good to know. In any case, you can still go for it and see how it goes

this won't be necessary since as I explained above, as your production runners are in AWS, your devs's machine will be surely using a different cache underlying provider. Having said that, you can definitely use -ci and -dev for an extra level of safetyness

what I'd advise in that case, is to give you a different DAGGER_CLOUD_TOKEN so your developers use a different one than production

you can't currently create new tokens in the UI, but we can do it from our backend and you'll still see them in your configuration page. cc @wanton cedar WDYT?

One of the things I tried during my troubleshooting leading up to this point was setting the cache volume mount as Shared CacheSharingMode = "SHARED". I'm curious how dangerous that is. Its a go mono repo, single root go module, so it seems safe for go mod caching - but for caching go build/go test I can imagine parallel invocations (CI Run A and CI Run B) might step on each other somehow?

yes, it really depends how the go tool actually handles that. We use "SHARED" module ourselves for a lot of concurrent pipelines and haven't seen any issues so far

@tender magnet https://github.com/golang/go/issues/40461#issuecomment-665652891

@next sparrow what you're saying makes sense, could you show me how to do this?