Avoid downloading files inside Docker #857

Open
ulfjack opened this issue Apr 14, 2020 · 6 comments
Comments

@ulfjack
Contributor

ulfjack commented Apr 14, 2020

I am trying to generate a config for debian:buster, and get this error message:

ERROR: Analysis of target '//java/com/engflow/example:example' failed; build aborted: com.google.devtools.build.lib.packages.RepositoryFetchException: no such package '@rbe_default//config': Traceback (most recent call last):

<snip>

+ /rbe_autoconf/bazelisk build @local_config_cc//...
2020/04/14 14:04:00 Downloading https://releases.bazel.build/2.2.0/release/bazel-2.2.0-linux-x86_64...
2020/04/14 14:04:00 could not download Bazel: HTTP GET https://releases.bazel.build/2.2.0/release/bazel-2.2.0-linux-x86_64 failed: Get https://releases.bazel.build/2.2.0/release/bazel-2.2.0-linux-x86_64: x509: certificate signed by unknown authority
+ echo 'Could not create outputs_tar, see docker log for details:'
++ /usr/bin/docker logs 514b11ea9ede385a0f687903c34d2e55ac0879c4f071647e83bc1e292c9162fc

My hypothesis is that debian buster doesn't come with the right set of certificates to connect to releases.bazel.build. However, I am not sure why that should be a requirement - it seems like it should be possible to create a config by downloading the bazel binary outside of the container and copying it in to generate the config.
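An added example, not part of the original thread or of the project's code: a shell check for the hypothesis in the comment above, looking for a CA trust store in the locations Go's crypto/x509 package searches on Linux. It assumes bazelisk is the Go binary and uses the system trust store; the function names `count_certs` and `find_ca_bundle` are made up for this example.

```shell
# Added example (not from the thread): look for a CA trust store where Go's
# crypto/x509 searches on Linux. Run inside the container with ROOT=/ ;
# the ROOT argument also allows checking an unpacked root filesystem.

# Bundle files, in Go's probe order (Debian/Ubuntu, Fedora/RHEL 6, openSUSE,
# OpenELEC, CentOS/RHEL 7, Alpine).
CA_BUNDLE_FILES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/cert.pem
"
CA_CERT_DIRS="/etc/ssl/certs /etc/pki/tls/certs"

# count_certs FILE: print the number of PEM certificates in FILE (0 if unreadable).
count_certs() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# find_ca_bundle ROOT: print the first usable trust source under ROOT and
# return 0, or return 1 when the image has none.
find_ca_bundle() {
    root=${1%/}
    for f in $CA_BUNDLE_FILES; do
        n=$(count_certs "$root$f")
        if [ "$n" -gt 0 ]; then
            echo "$f ($n certificates)"
            return 0
        fi
    done
    for d in $CA_CERT_DIRS; do
        for f in "$root$d"/*; do
            [ -f "$f" ] || continue
            if [ "$(count_certs "$f")" -gt 0 ]; then
                echo "$d (certificate directory)"
                return 0
            fi
        done
    done
    return 1
}
```

A return of 1 from `find_ca_bundle /` inside the toolchain container is consistent with the x509 error in the log. Go also honours `SSL_CERT_FILE` and `SSL_CERT_DIR`, which this check does not read.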

@smukherj1
Collaborator

I believe the reason for that is the toolchain configs generator uses bazelisk under the hood here. Bazelisk is downloaded outside the container and mounted into it. However, when bazelisk itself is run inside the container, it tries to download Bazel (I think) which encounters the certificate issue. I think the value bazelisk provides is to automatically detect the target architecture to download Bazel for.

Regardless, for your issue, maybe a possibility is to add an option to the toolchain config generator rule to accept a tarball of a bazel archive to be mounted into the container and used to generate toolchain configs?

@ulfjack
Contributor Author

ulfjack commented Apr 15, 2020

Agreed. It looks like that was done (#599) to remove the requirement to have wget installed, so it may not have worked before that either since wget presumably also requires the right certificates installed.

@ulfjack
Contributor Author

ulfjack commented Apr 15, 2020

Given that plain debian buster doesn't work anyway (no C++ compiler, no Java toolchain, no Go, no ...), maybe the right thing to do is to improve error handling and give better feedback here?

@zoidyzoidzoid

I received a similar error today, but because we need a proxy to download the Bazel binary in our network environment.

We point bazelisk to our own internal mirror for that; however, in this case specifying BAZELISK_BASE_URL to download bazel via our internal mirror didn't work, so pointing it to a tarball would work great.

@cameron-martin

cameron-martin commented Mar 1, 2023

This happened to me today with Ubuntu 22.04:

./rbe_configs_gen --toolchain_container=ubuntu:22.04 --output_tarball=ubuntu_22_04.tar --exec_os=linux --target_os=linux
2023/03/01 12:49:31 could not download Bazel: HTTP GET https://releases.bazel.build/6.0.0/release/bazel-6.0.0-linux-x86_64 failed: Get "https://releases.bazel.build/6.0.0/release/bazel-6.0.0-linux-x86_64": x509: certificate signed by unknown authority

@danieljaffe

Did anyone figure out a workaround for this issue?
