Merge pull request #47 from kpcyrd/outdir

Use rebuilderd managed output directory

Author: kpcyrd

.github/assets/mOWZt75.png

@@ -26,13 +26,70 @@ afford to.
 
 [2]: https://diffoscope.org/
 
-# Setup
+# Accessing a rebuilderd instance in your browser
+
+Many instance run a web frontend to display their results. [rebuilderd-website]
+is a very good choice and the software powering the Arch Linux rebuilderd
+instance:
+
+[rebuilderd-website]: https://gitlab.archlinux.org/archlinux/rebuilderd-website
+
+https://reproducible.archlinux.org/
+
+Loading the index of all packages may take a short time.
+
+# Scripting access to a rebuilderd instance
+
+It's also possible to query and manage a rebuilderd instance in a scriptable
+way. It's recommended to install the `rebuildctl` commandline util to do this:
+
+    pacman -S rebuilderd
+
+You can then query a rebuilderd instance for the status of a specific package:
+
+    rebuildctl -H https://reproducible.archlinux.org pkgs ls --name rebuilderd
+
+You have to specify which instance you want to query because there's no
+definite truth™. You could ask multiple instances though, including one you
+operate yourself.
+
+If the rebuilder seems to have outdated data or lists a package as unknown the
+update may still be in the build queue. You can query the build queue of an
+instance like this:
+
+    rebuildctl -H https://reproducible.archlinux.org queue ls --head
+
+If there's no output that means the build queue is empty.
+
+If you're the administrator of this instance you can also run commands like:
+
+    rebuildctl status
+
+Or immediately retry all failed rebuild attempts (there's an automatic retry on
+by default):
+
+    rebuildctl pkgs requeue --status BAD --reset
+
+# Running a rebuilderd instance yourself
+
+![journalctl output of a rebuilderd-worker](.github/assets/mOWZt75.png)
+
+"I compile everything from source" - a significant amount of real world binary
+packages can already be reproduced today. The more people run rebuilders, the
+harder it is to compromise all of them.
+
+At the current stage of the project we're interested in every rebuilder there
+is! Most rebuilderd discussion currently happens in #archlinux-reprodubile on
+freenode, feel free to drop by if you're running a instance or considering
+setting one up. Having a few unreproducible packages is normal (even if it's
+slightly more than the official rebuilder), but having additional people
+confirm successful rebuilds is very helpful.
 
 ## Arch Linux
 
 Please see the setup instructions in the [Arch Linux Wiki](https://wiki.archlinux.org/index.php/Rebuilderd).
 
-## Development
+# Development
 
 A rebuilder consists of the `rebuilderd` daemon and >= 1 workers:
 

Cargo.lock

@@ -1,3 +1,3 @@
 #!/bin/sh
 set -xe
-repro -- "${1}"
+OUTDIR="${REBUILDERD_OUTDIR}" repro -- "${1}"

README.md

@@ -2,14 +2,15 @@ use crate::config;
 use crate::proc;
 use rebuilderd_common::errors::*;
 use std::collections::HashMap;
+use std::ffi::OsString;
 use std::path::Path;
 use std::time::Duration;
 
-pub async fn diffoscope(a: &str, b: &str, settings: &config::Diffoscope) -> Result<String> {
-    let mut args: Vec<&str> = settings.args.iter().map(AsRef::as_ref).collect();
-    args.push("--");
-    args.push(a);
-    args.push(b);
+pub async fn diffoscope(a: &Path, b: &Path, settings: &config::Diffoscope) -> Result<String> {
+    let mut args = settings.args.iter().map(OsString::from).collect::<Vec<_>>();
+    args.push("--".into());
+    args.push(a.into());
+    args.push(b.into());
 
     let timeout = settings.timeout.unwrap_or(3600); // 1h
 

worker/rebuilder-archlinux.sh

@@ -1,11 +1,12 @@
 use futures_util::StreamExt;
 use rebuilderd_common::errors::*;
+use std::path::{Path, PathBuf};
 use tokio::fs::File;
 use tokio::io::AsyncWriteExt;
 use url::Url;
 
-pub async fn download(url: &str, tmp: &tempfile::TempDir) -> Result<(String, String)> {
-    let url = url.parse::<Url>()
+pub async fn download(url_str: &str, path: &Path) -> Result<PathBuf> {
+    let url = url_str.parse::<Url>()
         .context("Failed to parse input as url")?;
 
     let filename = url.path_segments()
@@ -16,9 +17,9 @@ pub async fn download(url: &str, tmp: &tempfile::TempDir) -> Result<(String, Str
         bail!("Filename is empty");
     }
 
-    let target = tmp.path().join(filename);
+    let target = path.join(filename);
 
-    info!("Downloading {:?} to {:?}", url, target);
+    info!("Downloading {:?} to {:?}", url_str, target);
     let client = reqwest::Client::new();
     let mut stream = client.get(&url.to_string())
         .send()
@@ -38,8 +39,5 @@ pub async fn download(url: &str, tmp: &tempfile::TempDir) -> Result<(String, Str
     }
     info!("Downloaded {} bytes", bytes);
 
-    let target = target.to_str()
-        .ok_or_else(|| format_err!("Input path contains invalid characters"))?;
-
-    Ok((target.to_string(), filename.to_string()))
+    Ok(PathBuf::from(filename))
 }

worker/src/diffoscope.rs

@@ -64,8 +64,8 @@ struct Connect {
 
 #[derive(Debug, StructOpt)]
 struct Diffoscope {
-    pub a: String,
-    pub b: String,
+    pub a: PathBuf,
+    pub b: PathBuf,
 }
 
 async fn spawn_rebuilder_script_with_heartbeat<'a>(client: &Client, distro: &Distro, item: &QueueItem, config: &config::ConfigFile) -> Result<Rebuild> {

worker/src/download.rs

@@ -1,8 +1,10 @@
 use futures_util::FutureExt;
-use nix::unistd::Pid;
 use nix::sys::signal::{self, Signal};
+use nix::unistd::Pid;
 use rebuilderd_common::errors::*;
 use std::collections::HashMap;
+use std::ffi::OsStr;
+use std::fmt;
 use std::path::Path;
 use std::process::Stdio;
 use std::time::{Duration, Instant};
@@ -106,7 +108,10 @@ impl Capture {
     }
 }
 
-pub async fn run(bin: &Path, args: &[&str], opts: Options) -> Result<(bool, String)> {
+pub async fn run<I, S>(bin: &Path, args: I, opts: Options) -> Result<(bool, String)>
+    where I: IntoIterator<Item = S> + fmt::Debug,
+    S: AsRef<OsStr>,
+{
     info!("Running {:?} {:?}", bin, args);
     let mut child = Command::new(bin)
         .args(args)

worker/src/main.rs

@@ -1,15 +1,19 @@
 use crate::config;
-use crate::proc;
 use crate::diffoscope::diffoscope;
 use crate::download::download;
+use crate::proc;
 use rebuilderd_common::Distro;
 use rebuilderd_common::api::{Rebuild, BuildStatus};
 use rebuilderd_common::errors::*;
 use rebuilderd_common::errors::{Context as _};
 use std::borrow::Cow;
 use std::collections::HashMap;
+use std::fs;
+use std::io::ErrorKind;
 use std::path::{Path, PathBuf};
 use std::time::Duration;
+use tokio::fs::File;
+use tokio::io::AsyncReadExt;
 
 pub struct Context<'a> {
     pub distro: &'a Distro,
@@ -40,44 +44,113 @@ fn locate_script(distro: &Distro, script_location: Option<PathBuf>) -> Result<Pa
     bail!("Failed to find a rebuilder backend")
 }
 
+fn path_to_string(path: &Path) -> Result<String> {
+    let s = path.to_str()
+        .with_context(|| anyhow!("Path contains invalid characters: {:?}", path))?;
+    Ok(s.to_string())
+}
+
+pub async fn compare_files(a: &Path, b: &Path) -> Result<bool> {
+    let mut buf1 = [0u8; 4096];
+    let mut buf2 = [0u8; 4096];
+
+    info!("Comparing {:?} with {:?}", a, b);
+    let mut f1 = File::open(a).await
+        .with_context(|| anyhow!("Failed to open {:?}", a))?;
+    let mut f2 = File::open(b).await
+        .with_context(|| anyhow!("Failed to open {:?}", b))?;
+
+    let mut pos = 0;
+    loop {
+        // read up to 4k bytes from the first file
+        let n = f1.read_buf(&mut &mut buf1[..]).await?;
+
+        // check if the first file is end-of-file
+        if n == 0 {
+            debug!("First file is at end-of-file");
+
+            // check if other file is eof too
+            let n = f2.read_buf(&mut &mut buf2[..]).await?;
+            if n > 0 {
+                info!("Files are not identical, {:?} is longer", b);
+                return Ok(false);
+            } else {
+                return Ok(true);
+            }
+        }
+
+        // check the same chunk in the other file
+        match f2.read_exact(&mut buf2[..n]).await {
+            Ok(n) => n,
+            Err(err) if err.kind() == ErrorKind::UnexpectedEof => {
+                info!("Files are not identical, {:?} is shorter", b);
+                return Ok(false);
+            },
+            err => err?,
+        };
+
+        if buf1[..n] != buf2[..n] {
+            // get the exact position
+            // this can't panic because we've already checked the slices are not equal
+            let pos = pos + buf1[..n].iter().zip(
+                buf2[..n].iter()
+            ).position(|(a,b)|a != b).unwrap();
+            info!("Files {:?} and {:?} differ at position {}", a, b, pos);
+
+            return Ok(false);
+        }
+
+        // advance the number of bytes that are equal
+        pos += n;
+    }
+}
+
 pub async fn rebuild(ctx: &Context<'_>, url: &str) -> Result<Rebuild> {
+    // setup
     let tmp = tempfile::Builder::new().prefix("rebuilderd").tempdir()?;
 
-    let (input, filename) = download(url, &tmp)
+    let inputs_dir = tmp.path().join("inputs");
+    fs::create_dir(&inputs_dir)
+        .context("Failed to create inputs/ temp dir")?;
+
+    let out_dir = tmp.path().join("out");
+    fs::create_dir(&out_dir)
+        .context("Failed to create out/ temp dir")?;
+
+    // download
+    let filename = download(url, &inputs_dir)
         .await
         .with_context(|| anyhow!("Failed to download original package from {:?}", url))?;
 
-    let (success, log) = verify(ctx, &input).await?;
-
-    if success {
-        info!("Rebuilder backend indicated a success rebuild!");
+    // rebuild
+    let input_path = inputs_dir.join(&filename);
+    let log = verify(ctx, &out_dir, &input_path).await?;
+
+    // process result
+    let output_path = out_dir.join(&filename);
+    if !output_path.exists() {
+        info!("Build failed, no output artifact found at {:?}", output_path);
+        Ok(Rebuild::new(BuildStatus::Bad, log))
+    } else if compare_files(&input_path, &output_path).await? {
+        info!("Files are identical, marking as GOOD");
         Ok(Rebuild::new(BuildStatus::Good, log))
     } else {
-        info!("Rebuilder backend exited with non-zero exit code");
+        info!("Build successful but artifacts differ");
         let mut res = Rebuild::new(BuildStatus::Bad, log);
 
         // generate diffoscope diff if enabled
         if ctx.diffoscope.enabled {
-            let output = Path::new("./build/").join(filename);
-            if output.exists() {
-                let output = output.to_str()
-                    .ok_or_else(|| format_err!("Output path contains invalid characters"))?;
-
-                let diff = diffoscope(&input, output, &ctx.diffoscope)
-                    .await
-                    .context("Failed to run diffoscope")?;
-                res.diffoscope = Some(diff);
-            } else {
-                info!("Skipping diffoscope because rebuilder script did not produce output");
-            }
+            let diff = diffoscope(&input_path, &output_path, &ctx.diffoscope)
+                .await
+                .context("Failed to run diffoscope")?;
+            res.diffoscope = Some(diff);
         }
 
         Ok(res)
     }
 }
 
-// TODO: automatically truncate logs to a max-length if configured
-async fn verify(ctx: &Context<'_>, path: &str) -> Result<(bool, String)> {
+async fn verify(ctx: &Context<'_>, out_dir: &Path, input_path: &Path) -> Result<String> {
     let bin = if let Some(script) = ctx.script_location {
         Cow::Borrowed(script)
     } else {
@@ -86,15 +159,10 @@ async fn verify(ctx: &Context<'_>, path: &str) -> Result<(bool, String)> {
         Cow::Owned(script)
     };
 
-    // TODO: establish a common interface to interface with distro rebuilders
-    // TODO: specify the path twice because the 2nd argument used to be the path
-    // TODO: we want to move this to the first instead. the 2nd argument can be removed in the future
-    let args = &[path, path];
-
     let timeout = ctx.build.timeout.unwrap_or(3600 * 24); // 24h
 
     let mut envs = HashMap::new();
-    envs.insert("REBUILDERD_OUTDIR".into(), "./build".into());
+    envs.insert("REBUILDERD_OUTDIR".into(), path_to_string(out_dir)?);
 
     let opts = proc::Options {
         timeout: Duration::from_secs(timeout),
@@ -103,5 +171,48 @@ async fn verify(ctx: &Context<'_>, path: &str) -> Result<(bool, String)> {
         passthrough: !ctx.build.silent,
         envs,
     };
-    proc::run(bin.as_ref(), args, opts).await
+    let (_success, log) = proc::run(bin.as_ref(), &[input_path], opts).await?;
+
+    Ok(log)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn compare_files_equal() {
+        let equal = compare_files(Path::new("src/main.rs"), Path::new("src/main.rs")).await.unwrap();
+        assert!(equal);
+    }
+
+    #[tokio::test]
+    async fn compare_files_not_equal1() {
+        let equal = compare_files(Path::new("src/main.rs"), Path::new("Cargo.toml")).await.unwrap();
+        assert!(!equal);
+    }
+
+    #[tokio::test]
+    async fn compare_files_not_equal2() {
+        let equal = compare_files(Path::new("Cargo.toml"), Path::new("src/main.rs")).await.unwrap();
+        assert!(!equal);
+    }
+
+    #[tokio::test]
+    async fn compare_large_files_equal() {
+        let dir = tempfile::tempdir().unwrap();
+        fs::write(dir.path().join("a"), &[0u8; 4096 * 100]).unwrap();
+        fs::write(dir.path().join("b"), &[0u8; 4096 * 100]).unwrap();
+        let equal = compare_files(&dir.path().join("a"), &dir.path().join("b")).await.unwrap();
+        assert!(equal);
+    }
+
+    #[tokio::test]
+    async fn compare_large_files_not_equal() {
+        let dir = tempfile::tempdir().unwrap();
+        fs::write(dir.path().join("a"), &[0u8; 4096 * 100]).unwrap();
+        fs::write(dir.path().join("b"), &[1u8; 4096 * 100]).unwrap();
+        let equal = compare_files(&dir.path().join("a"), &dir.path().join("b")).await.unwrap();
+        assert!(!equal);
+    }
 }