#Private packages in modules 🧵

@exotic mulch @silk kestrel I'm starting this thread to see if we could pave the path towards implementing https://github.com/dagger/dagger/issues/8809.

Justin, I'm particularly interested in understanding if/how https://github.com/dagger/dagger/issues/9007 could actually here and if there's anything we can do in parallel so whatever we do to implement this is in line with the idea proposed by the engine session config file

hm, i actually don't think that 9007 is actually the solution here

we'd implement 8809 in a similar way to how the git socket forwarding works i think

essentially, having a buildkit session attachable of some variety that can load git information from the client

one of the methods on that would fetch the gitconfig

ok, perfect. I had the same idea in mind but Guillaume mentioned something about 9007 maybe helping somehow and I just wanted to be sureabout that

then, we can mount this file automatically into module containers

(although probably making the file a secret?)

yep, yep. SGTM 🚢

imo, the session config is more a mechanism to load config into a single dagger session for things that don't actually require a full engine reload - e.g. changing mirrors, etc.

How do we determine where to draw the line regarding which configurations should be restricted to a single Dagger session—such as a mirror—and which should be treated as more permanent or engine-wide settings, like .gitconfig ?

Anything that can be session wide should be

Engine wide settings are more difficult to share, harder to update, etc

So if there's a way to implement session wide settings for a setting, we should do it imo

Mmmh, still a bit confused:

• why do we rely on automatic mounting of the .gitconfig
• and not have it manually specified in the session config file

And what's the heuristic to classify them ?

Ah good question

Because there's no session config yet

We have to go and invent it

But also, we already automount the git socket right?

Makes sense to make git "just work" if we can

I have been looking at this issue, and my understanding so far is that this fails in modulesource.go -> func moduleSource when getting commit info.

in there we do a select operation on query git, and the handler for that select does support using auth socket if provided.

I am trying to see if we can pass along the AuthSocket somehow in this call

if for some reason you think that is not possible or a bad idea, pls let me know.

I am wondering if we should only allow specific keys to be imported from git config instead of everything

brute force, private module with private deps: https://v3.dagger.cloud/rajatjindal/traces/6e7805b3db56a8b23b8f9f21bbc527c9

some notes:

• if SSH_AUTH_SOCK is set, cloning the private module git repo works
• for downloading the private dependencies, we need changes to codegen container
• mount ssh auth socket in codegen container and set SSH_AUTH_SOCK env variable. This was straightforward once I figured where this needed to be set.
• set GOPRIVATE env variable - probably need to hook as input to engine somehow?
• create a /root/.gitconfig to ask git to use ssh instead of https. (probably need to configure for all well known git repos or somehow use wildcard host)

revisiting the changes: https://github.com/dagger/dagger/compare/main...rajatjindal:dagger:fix-private-depss, it seems we just need a way to configure "which urls to force use of ssh protocol on", and that should possibly fix the issue at hand.

(we do need some of those other changes, but once we have that config, we can have this working).

populating the complate .gitconfig from user's profile seems a little too much as this may bring in user specific settings, which we may or may not need

one workaround for that could be to "safelist" the keys that we will import from git config.

one other thing that may complicate bringing in the .gitconfig is that which .gitconfig should we pull? user-specific, system-specific or local or effective .gitconfig?

what do you think?

Got pinged today by the platform team lead of the biggest streaming company in France (300 devs) -- they are very interested in this

me and Marcos just had a sync. here is what I will be doing:

• implement an attachable that gets "effective gitconfig of the user"
• that attachable will read only a "safelisted" set of keys to start with (this is still under consideration to avoid breaking something else by importing some gitconfig that works only on user's system)
• find all the "replace https with ssh" entries. find all the hostnames
• automatically create a GOPRIVATE env variable with those hostnames entries
• and after the ^^ we should have this working.

sounds good, bit of confusion on this point:

find all the "replace https with ssh" entries. find all the hostnames

go does support HTTPS credentials

should we not use the same HTTPS authentication methods we have in https://docs.dagger.io/api/remote-modules/
even if we don't support this right away we will need to in the future. we had demand for github PATs almost immediately after adding private SSH support, so no reason to think we can avoid it here

implement an attachable that gets "effective gitconfig of the user"
we should also avoid the creation of a new attachable here imo, we should extend the gitcredential.proto, and group all the git credentials stuff into one attachable - mostly to make it more consistent and readable

automatically create a GOPRIVATE env variable with those hostnames entries
bit split on whether this should be magic actually. even the go command itself doesn't do this, and requires GOPRIVATE to be set.
in that case, maybe a more sensible approach might be to require that users explicitly put their GOPRIVATE env variable somewhere in their dagger.json config. users with private modules should already be used to configuring this themselves, so i don't think this is a big imposition.

I just created a draft PR for this: https://github.com/dagger/dagger/pull/9323 and came here to ask this question "can we use/extend GitCredential attachable to fetch git config"

and saw your comments above ^^ @exotic mulch. I will update GitCredential to also allow fetching git config 👍

can we rename that attachable to just "Git" (or GitSvc) instead of GitCredential? as its not user facing, so i think that should be ok

🤔 yeahhhh renaming sounds good to me, it's potentially breaking for old clients to old engines, but personally, i don't generally think we should spend lots of effort on that particular code path, so rename is good!

i also want to have a clone method in that protocol one day 🙂

Git sgtm

about goprivate env variable - do we want to expose that in dagger.json? I usually don't like magic (e.g. guessing GOPRIVATE env from git config), but do you think we can just use that from user's env variable where they are running the dagger call command?

if we do want to get from dagger.json, then do we want to specify a generic env variable provider or a more strict GOPRIVATE env variable (or equivalent in other languages)?

🤔 good point

i think i'd rather avoid pulling from the user env where possible - it means that there's less of a copy-paste command for invoking (especially remote) modules

i think instead of having just GOPRIVATE in the dagger.json, you'd want to have something closer to a buildenvs map?

not really sure on whether this is the right idea still

i think we'd have the same problem if we wanted private npm or pip packages right?

what could be super cool is to allow user to say "use this as base image to compile/run my module code" with the dependencies/env they need and then we add stuff we need on top of that

i guess with those, the package.json and pyproject.toml are designed to be extensible - go.mod isn't

yeah feels similar to https://docs.dagger.io/configuration/modules#alternative-base-images

i don't really like that as a solution to the credentials problem we're discussing, but i like it better than having the magic inference which feels kinda fragile

having the ability to set those kind of sdk-specific parameters does feel super useful though (outside of this discussion) - e.g. being able to set custom build + linker flags for richer debug info, etc.

so I have one action item to merge GitConfig attachable with existing GitCredential one, but I still do not have a clear path for specifying GOPRIVATE env.

@vapid niche what do you think?

@exotic mulch my main argument to make it "magical" initially for Go at least (the requirement of GOPRIVATE) is because I think there's potentially a bigger and more long and difficult decision to take around contexual call envs / options. Currently we have the _DAGGER_ENGINE_SYSTEMENV thing which doesn't fit this use-case as the GOPRIVATE variables could potentially change from project to project.

We could do many things here but what we spoke with Rajat in the context of Go private modules is that if the .gitconfig contains a replace entry, it's very likely then that you have a GOPRIVATE variable set in order to make that config effective. So our first "straightforward" approach was to set the GOPRIVATE env var automatically for the Go SDK.

I guess the question is: Do we want to open the build specific flags / envs can of worms now?

I'd personally prefer to defer that decision for a longer issue/pr and ship this which is already blocking some users

yeah agreed - the SYSTEMENV thing should definitely go, we shouldn't use that

but I think using the dagger.json to configure this isn't too bad? this feels very tied into https://github.com/dagger/dagger/issues/6323

I guess the question is: Do we want to open the build specific flags / envs can of worms now?
bleh, i think there's two cans of worms here:

• how we pass caller side env variables (we can continue to defer this)
• how the user can configure env variables per-module instead of per-engine - i think this might be worth unboxing now - we need to do it at some point anyways right?

if we decide to take the magic approach, it's challenging to undo that later - it's always possible to add magic, but removing makes life a lot harder

i think my proposal (at it's most generic is):

• expand the sdk value in dagger.json to an object (we need this anyways https://github.com/dagger/dagger/issues/9156)
• add an sdk.env map config field to set sdk environment variables - each sdk can choose where and how to inject these (and may choose to allow/deny-list these)
• this allows setting GOPRIVATE in dagger.json

i think requiring manually encoding GOPRIVATE in dagger.json makes sense right? there's never a case where it's user specific, where a dependency might be private for one user but not for another? it would always be private.

this also just allows it to "just work" with reasonable errors when calling a remote module - if we do magic auto-detection, we would get weird goproxy errors if the user hasn't configured .gitconfig properly. but with manual GOPRIVATE set, we can get the actual git clone error, which is much more informative.

SGTM! I don't see any setbacks of trying this out. One last question I have is: how do we handle the consolidation of variables between SDK and non-sdk containers? I'm asking this in the context that it might be a pain to keep consistent the variables in dagger.json and the pipeline

shall we also add an env key in dagger.json which applies for all containers created by the engine? 🤔

hm that's a good point actually, i think we could maybe come back to that - i don't think it should be automatic, but we could maybe have a dag.CurrentModule().Env() to get the env vars from the config? not sure, i don't think you'd always need to do it automatically, it's just some cases where the config might need to be in two places

correct. The first thing that comes to mind is GOPRIVATE/GOPROXY, etc 🤣 which is generally something that you'd want to have everywhere

@exotic mulch so you still think we should just start with the sdk > env setting and go from there without any other "magical" / comprehensive config?

imo yes - but maybe worth also getting some other folks to weigh in

I'm ok with moving forward like this and leaving the discussion open in the PR so we get one last round of feedback before we merge. @silk kestrel how does that sound?

SGTM to me as well. I can prototype this now.

and report back if I hit any other edge case when doing that.

awesome, thx! if you can also please update the PR with this last pending item to discuss that'd be much appreciated

so we can send it to the team and ask for feedback 🙏

yep, on it right now. (almost done with the changes to merge new api in existing attachable, running into some issue that i am trying to debug)

also, do we want to safelist the keys of gitconfig that we want to import or we can import everything for now?

we can pull everything for now i think

🙏

one thing I realized when cleaning up the code changes for this:

git does not allow export/import of git config. I didn't catch this earlier because my explicit git config <use-ssh-instead-of-https> code change remained in the code while I was iterating over other changes.

so what I am doing right now is to get git config using git config -l, which gives me output in key=value format.

i am then parsing that output to create a shell script with git config <key> <value> commands for each of the config key and running that.

I still need to verify if this works fine, but it almost feels like fetching complete git config may not be a good idea. e.g. look at this git config which is fetched when running dagger from inside my private repository:

credential.helper=osxkeychain
init.defaultbranch=main
user.name=Rajat Jindal
user.email=rajatjindal83@gmail.com
commit.gpgsign=true
url.ssh://git@github.com/.insteadof=https://github.com/
core.excludesfile=~/.config/git/.gitignore
protocol.file.allow=always
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
core.ignorecase=true
core.precomposeunicode=true
remote.origin.url=git@github.com:rajatjindal/dagger-private-module.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.main.remote=origin
branch.main.merge=refs/heads/main
http.proxy=http://proxyUsername:proxyPassword@proxy.server.com:port
url.git@github.com:.insteadof=https://github.com/

I am going to call it a day (feeling quite tired for some reason), will check this out tomorrow morning. Please let me know what you think about ^^

just quoting some feedback from a private channel:

And I am 100% with @Jed in not having magic behind the scenes 🙂
Being able to define the sdk.env in dagger.json feels very neat.
Defining GOPRIVATE is natural when you're using private go modules, so declaring it on your module dagger.json feels intuitive if you're pulling a private dependency

mm yeah, this is a lot of stuff, i can see this not quite being quite what we want

there's some stuff in there that might only be applicable on the host as well, so isn't a good idea to pass along

i think we might just want a protocol method for urlInfo (naming hard) that returns a typed struct of all the fields in there

...alternatively. we create an allowlist for what's passed through.

I think allowlist might be the safest bet. its easy to extend. but if we allow everything, then its hard to go back on that

agreed 👍

let's go with allowlist approach for now then

one note for a follow-up here

if we try and do PAT support for private go modules (we should)

then we will need to implement a little git credential helper proxy that proxies git credential requests back to the user

(i think)

⚠️ but shouldn't be a distraction for now

I think the challenge here might be thx UX. Where should user specify the $user and $password for the PAT to work?

because currently it can be a system level config via .netrc or .gitconfig via credential helpers and/or hardcoded values

I'd assume that we want to go all the way with git cred helpers, right?

yeee good point - ideally we would support them all 😛 but yes, since we already do cred helpers for modules, we should support that for private go imports

👍 let's go this path first

@exotic mulch is there an estimate for 15.2? Would love this to land there 🙏

we also have the services fix which is ready for 👀

no estimate right now, but imo we should go for early next week, then get back into the swing of things with weekly releases

not sure about this landing in the timeframe for v0.15.2, but we'll see

investigating services fix now

Hi @exotic mulch, how do you anticipate the sdk.env to look like in dagger.json. do you recommend replacing sdk (string) to struct or have an additional field, something like sdkConfig while keeping sdk as such?

maybe what we can do is support reading that field as both string and struct and when saving dagger.json, always save it as struct?

we should change sdk string to a struct like this: https://github.com/dagger/dagger/issues/9156

potentially this change could be made as a separate pr first? depends on how you want to structure it

but yes, essentially dagger develop should always write back this struct

hmm, let me check, but for the user to be able to specify sdk.env in dagger.json, we need to also update the schema for dagger.json isn't it?

yup

an update: the gitconfig thing is working fine. and now I am iterating over making sdk a struct in dagger.json. making progress there.

great Rajat! let us know if you have any questions!

hey @silk kestrel! hope you had a great weekend.

Just wanted to check with you how private packages is coming as we're aiming to have a release tomorrow. Getting a sense if it might make sense to push the release for a day or two so we can get this in or if it might take a bit more time 🙏

cc @exotic mulch

the sdk field change is still a WIP, and i am working on that right now. But I dont think I can make it for tomorrows release as I still don't have a working version of it.

(The weekend was busy busy. ha ha. thank you for asking. I hope you had a great and relaxing weekend).

I'll report an update before my EOD to keep you posted on my progress

gotcha, thx! Given that it seems that this might take a bit more time, let's not take it into account for v0.15.2. Let us know in case there's anything we can help with Rajat 🙏

an update: I am making progress. Its annoying because changing this code also breaks my dev env (using hack/dev) in difficult to debug ways.

now I am doing an "additive" approach instead of "replacing" the sdk with struct (atleast for dev until I figure out other quirks).

I am hoping to get this working tonight and then work on testing/integration-tests tomorrow.

thx Rajat. Please let us know if you need any assistance

an update. I have dagger init, functions, develop working (still using additive field), but failing on dagger install <dependency> that I am debugging.

the branch is here incase you want to try it out: https://github.com/rajatjindal/dagger/pull/new/sdk-as-struct-try3

awesome Rajat, let us know if you need any help 🙏

@silk kestrel is this issue still relevant now that you told me we've decided not to pursue the ModuleDependencyConfig approach?

We still need to change sdk from a string to a struct

So i think its still relevant

I have opened the draft PR. I verified that this works for init/develop and for both inbuilt and out-of-tree sdk.

now I am working on adding support for env variable to this struct.

to update on progress. I verified the env variable + sdk-to-struct + gitconfig changes together

now cleaning up the code and fixing the tests.

awesome ❤️

thx Rajat. Can't wait to give this to users 🙏

Hi @exotic mulch, how do we fix this error:

Error: failed to get module SDK: input: module.withSource.sdk.source get field "source": reflect: call of reflect.Value.Field on zero Value```

would returning dagql.Instance work for this?