Conversation
Solves NixOS#146603 Usage: ``` coredns-fanout = pkgs.coredns.override { externalPlugins = ["fanout"]; vendorSha256 = "<sha>"; }; ``` Practically speaking, it's not possible to know `vendorSha256` ahead of time in this case. Just set it to `vendorSha256 = "";`. The build will fail, but it will tell you the necessary sha256 This is not elegant, but I haven't found a better way to do it. In case you want to try solving this puzzle yourself, here's a rundown of what needs to be done: 1. Plugins should be appended to `plugin.cfg` in the source files 2. They should be downloaded via `go get` 3. Sources should be updated with `go generate` I'm not sure how to do it better, since point 2 requires us to have internet access, which is only possible if we use fixed-output derivations (which is what buildGoModule does already), but that would mean we'd have to do the weird dance with `vendorSha256` The weird dance is needed because of NixOS#86349
github-actions
bot
added
6.topic: nixos
KFearsoff
force-pushed
the
coredns-add-plugins
branch
from
a25af8c to
3aed274
Compare
ofborg
bot
added
10.rebuild-darwin: 1-10
winterqt
left a comment
winterqt
left a comment
There was a problem hiding this comment.
A few things:
- This should show the use of pinned plugin versions to ensure reproducibility.
- Additionally, to improve UX, you should introduce FOD hash validation by checking the
go.sumfiles.
All in all, I'm not really sure how I feel about this. I think it could work, but ideally we'd do something like I did in #14671 (comment), but that has its own issues.
wishes for WebAssembly plugins to avoid all of this pain
I don't quite understand. Do you want to see plugins being able to be pinned? If so, then yeah, that would be good. I'll think of ways how to do that.
I'm afraid I'm not confident enough in my Go package management to understand how that would be done. That would be really great to have, though!
I think you solution looks cleaner, yeah. I think implementing it is harder, and once again, I'm not quite confident enough in my Go package management. We'd also have to write update scripts for CoreDNS plugins if we hope to have that usable, which I've never done and I'm not sure how easy it is. With some help I'm thinking we'll manage to implement it nicely.
Oh yeah, there is a lot of pain. |
It's all in how you specify the package to
I can work on an example when I get a chance. I'm going to mark this as a draft since there's still some uncertainty here (if you disagree, let me know). |
|
Thanks for working on this. We are also in need of this feature. However, as written, this design is not reproducible. I think we need to find a solution that at least tries to maintain reproducibility, even if it can't guarantee it. That would probably require pinning each plugin separately and somehow injecting it into the vendored coredns src right before the build. |
|
The initial It works if I add |
|
#256710 rebases this PR and adds the ability to pin a specific version of each plugin. |
4 participants
Description of changes
Solves #146603
Usage:
Practically speaking, it's not possible to know
vendorSha256ahead of time in this case. Just set it tovendorSha256 = "";. The build will fail, but it will tell you the necessary sha256This is not elegant, but I haven't found a better way to do it. In case you want to try solving this puzzle yourself, here's a rundown of what needs to be done:
plugin.cfgin the source filesgo getgo generateI'm not sure how to do it better, since point 2 requires us to have internet access, which is only possible if we use fixed-output derivations (which is what buildGoModule does already), but that would mean we'd have to do the weird dance with
vendorSha256The weird dance is needed because of #86349
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)nixos/doc/manual/md-to-db.shto update generated release notes