Continually blocked on upstream packages #45
Comments
|
For what it's worth, ghcup is just a (very good!) tool for installing and managing standard GHC release artifacts. I have considered adding Debian packaging jobs to GHC's release pipeline. If it would be helpful for you I would be happy to give it a try; I don't think it should be difficult. |
Yes that would be super useful and would eliminate the lag problem in regards to ghc 😄 Docker haskell also includes cabal, but perhaps that can be solved as part of the cabal release process. The other consideration might be ubuntu packaging, which the haskell github action uses. The action also uses GHC + cabal installed on the default GHA agents.. not sure what they depend on. @jared-w may know more. |
I believe it is. Many already use it in docker and you only install what you need. I don't believe it's bloat. And it makes a lot of sense for users who want to add additional GHC versions to an existing image.
Since the latest version, GHCup can install into any directory via https://gitlab.haskell.org/haskell/ghcup-hs#isolated-installs This still requires (for GHC) that the target directory is empty, but we may lift that restriction, which means you'll be able to do So for now you could install via |
I guess to be more specific it is not part of the core offering of the image. I think even if we use ghcup to install ghc etc. we still ideally want to strip it out from the final image. This is because docker is provides a mechanism to switch ghc versions with docker tags, so ghcup shouldn't be needed by the end user. Having said that I think a
Thank you! Your example image does exactly what I was failing to do 😅 I have adapted your example further to get more towards what I was trying to do. That being ghcup is used to install ghc, cabal + stack. However, a multi stage docker image is used to only provide an image with ghc, cabal and stack only without ghcup or other cache used as part of building. What do you think? EDIT: I think with these improvements I am more strongly in favour of the ghcup based solution. |
I'd recommend to install it by default. I'd argue it's a common use case to derive images and augment them, e.g. when you have multi-GHC builds or simply need to do local experiments. The binary is, compared to the 2GB GHC install, very small.
Yeah |
It's not a size issue, it is more that it doesn't really fit with how docker works and could be a foot gun. Using ghcup in docker and mutating the container can have unusual effects. I think for specific use case wanting multiple ghc versions in an image I would recommend a One other concern I have noticed is the ghcup based image is a bit larger. Not a deal breaker but not ideal. I stripped out Ghcup based 8.10.4 - 2.34GB I wonder if there is an easy way to strip out something unnecessary from |
Unusual effects? This is about:
|
I would prefer not to get bogged down on this finer point. I think this can be discussed further if ghcup is chosen as the best way forward. Cheers |
To first address the Ubuntu packaging; the Ubuntu packaging does not seem to be updated anymore because it was also done by @hvr. As such, the upstream GitHub preinstalled software switched from the PPA to using ghcup by default and the GitHub actions followed suit. Any pre-installed version of GHC or cabal on a GitHub runner is currently installed by ghcup (or chocolatey on windows) I think, currently, the ideal situation to install GHC in a docker container would be to use ghcup with the isolate flag and manually copy over all the binaries individually in a subsequent stage. This lets the Dockerfile be self-documenting in which Haskell components are installed as well as minimizing the size and following standard docker conventions |
|
Thanks for the info @jared-w .
Agreed. This is pretty much what is sketched in #44 I'll see if I can understand why the ghcup installed ghc takes up more space compared to the current debian packaging. Also @psftw would need to chime in before we could consider proceeding. |
|
So it seems that ghcup is installing the base libraries with profiling enabled/supported if I understand correctly. The current debian packaging splits out the profiling versions into a separate package ie. I stripped out the profiling related files and now the sizes are comparable. @hasufell would a flag to install / not install profiling support in the base libraries be something ghcup might look to support? Another question, is there currently a way to subscribe to ghcup releases? This would be useful around knowing to bump ghcup in the images. |
I'm not sure there's a clean UX for this, since ghcup after all isn't a real package manager, but an installer. Re-installing those profiling libs would require a full reinstall of the GHC version. If the build system ( But if the only use case is docker, manually removing files may be the way to go.
There's an atom feed https://gitlab.haskell.org/haskell/ghcup-hs/-/tags But new tags don't always mean new releases. |
|
I've spent some time polishing up the changes for this in #44 . More feedback is welcome :)
No worries, happy to go with the stripping approach for now.
No problem. @hasufell now that the PR has progressed well and hopefully can be merged soon once @psftw gives his thoughts, perhaps we can discuss the question of whether to leave ghcup in the final image. So I'm pretty strongly against this. Reasons.. Additional bloat
I'm not suggesting this is significant, but it is a downside. Additional releasesIf we don't support ghcup, I would only bump ghcup when it might have a substantial impact to ghc / cabal / stack in the images. (Or when we bump something else in an image) If we officially support ghcup, then we should bump ghcup everytime it gets a new release IMO. This means the images need to be updated more (seems to be on average once a month).
Mutating a running imageSo mutating a running container will not be persisted by default. So if your goal is to play around with ghcup, you will need to re setup everything if you exit the container. There are then interesting things like All of this is finicky and non-obvious. I think there are many people who are new to docker who could get fooled by this. In other words I consider this a foot gun. We actually currently disable stack from installing new GHC versions, so it is something of a current assumption around the images. Upsides of having ghcup in the final image?So my suggestion is that having ghcup is almost always not actually useful in the image. The core reason is that docker itself is providing a mechanism to access different versions of ghc.
I would suggest that in almost all cases if you need multiple ghc versions, you would use those versions in different docker images. For example perhaps you want to test your library builds on different ghc verisons. In that case you want to build based on multiple docker images for each version in parallel. You do not have any need to have multiple ghc versions loaded in a single image.
Again, I think it much simpler to use docker for this. Most developers are familiar with switching versions in docker. As opposed to learning a new tool. As mentioned above, any mutation of the running container is not easy to persist, so you would need to repeat it. ConclusionTo sum up, I can see multiple downside and I cannot think of a case where using ghcup in the image is useful. I think the key requirement the current images don't really cover is when you want specific GHC(s) with specific cabal and specific stack. I see a |
That's not true. ghcup is a static executable that requires only
Sorry, I don't understand what you're trying to say. If people don't understand docker, they should read the documentation.
Can you tell me then how to augment an existing image, that I just derived from haskell/docker, with a new additional GHC version in one line? Either you have to replicate all the ghcup foo in your Dockerfile or figure out what files you need to copy from an existing image layer. The latter is also inflexible, because it doesn't work in a running container. At any rate, I'm not an active user of these images. I prefer to download alpine docker images of minimal size and then perform ghcup installation inside of them. That saves me from downloading several GBs of unpacked GHC. The time it takes to unpack/install GHC usually is much less than downloading a huge image. |
So once you have installed ghcup you only need curl? Point taken.
I'm suggesting it would be very rare to want to do this. ie. If I want to test my library builds with 8.10 and 9.0 I would run: docker run haskell:8.10 stack build
docker run haskell:9 stack buildwhich are completely independent and can be run in parallel easily. Wanting both ghc 8.10 and 9 in a single container, I don't know why you would want this. Or at least, I would not optimize the default usage around such a thing. Happy for @psftw to make the call who is the long time maintainer of these images. |
I don't think so. I frequently need multiple GHCs in a docker container.
|
|
I think that is rare. People building applications typically have one exact version they are using and only want that version and nothing else. People building libraries likely want to test on many versions, but as mentioned it is best to build / test on independent containers in parallel. Doing mutable stuff in docker is quite unusual, because unless you use I think |
Very hard disagree. I use docker since years and this is one of the primary use cases. |
|
FYI, I've been exploring another option of installing ghc + cabal directly from downloads from haskell.org #46 I think at this stage it is my current preference, although there are a couple of issues to iron out. |
|
👋 So I was hoping to get this cabal issue resolved first, but I am very mindful that these images are ~4 months out of date on ghc 8.10. I was originally pushing for the ghcup based approach but @psftw called out some limitations and asked OptionsghcupThere are two variant on this solution: Pros
Cons
direct installationUm, this essentially the opposite pros / cons of the ghcup approach. It is applying how we currently install stack, but to ghc + cabal. (I also added sha256 verification in this PR as PGP + sha verification is actually the full recommended approach) (If we go with this solution I would wait for this cabal issue before directly installing cabal-install and updating it to 3.6) ConclusionSo for me I prefer the direct installation method. It boils down to the fact that ghcup doesn't actually remove much logic for us. The only special ghc install logic it removes is Alongside this minimal benefit, ghcup brings a bunch of downsides as noted. This is not any criticism of ghcup which is excellent for its core use cases, but I do not think it is a good fit here. My conclusion here only applies to the current debian images, I would re-assess for Windows and ARM64 support as in those cases ghcup may be doing a lot more heavy lifiting for us. @psftw and others let me know what you think! |
|
@AlistairB I'm sorry but this is probably the 5th time I have to correct your misinformation:
Yes, you absolutely can, via the signed And even directy since
This suggests you don't understand how cryptography works and how distributions use GPG signatures, look at this: http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.74.0-1ubuntu2.3.dsc That's the signed metadata, which contains cryptographic hashes of the upstream tarballs. The hashes are verified by the person signing the metadata and hence there's no point in verifying the tarballs separately, because of the cryptographic hash. The combination of GPG signing hashes instead of the actual data is as old as cryptography and is standard practice. Please read up on the topic. |
Ok apologies, I did not know that. I have removed that as a con.
I will not claim to be a security expert, but I do not believe this conforms with the "Preferred" solution from the official images docs. The direct GHC installation solution almost exactly matches this pattern. The key difference being that ghcup is not verifying pgp keys for ghc / cabal / stack (and of course the current images do this as well). I am not saying this is "bad" security or anything, but whilst they are the recommendations I think we should follow them. As I have mentioned before there is a review process where they will call out stuff like this. |
You're wrong (again), because that would mean it's insecure to install via |
|
Sorry again for neglecting the discussion here. I was more hopeful about |
|
Semi-related, since #46 was merged recently, does it mean 8.10.7 images will be available on DockerHub shortly ? |
|
@kamek-pf yes! Sorry for the extended delay. Once docker-library/official-images#11050 is merged 8.10.7 and other missing versions should be available shortly (and going forward we can immediately update to new versions 🎉). |
|
Should be all released and updated now. Thanks all! |
To update to a new ghc / cabal version they need to be available in Debian first. Unfortunately there is a lot of lag from when the new versions are released to when they appear as debian packages. This seems to be due to @hvr being the sole person responsible for the packaging, but often not being available to do this work.
This is not a criticism of @hvr who has given a tremendous amount to the Haskell ecosystem ❤️ , but it is just a reality that there is consistent lag here.
Options
Try to improve the situation around debian package updates
We could chase this up with https://github.com/haskell-CI/haskell-ci which is the home of the debian/ubuntu packages. We could also pull in the Haskell foundation who may have ideas.
Switch to ghcup
Ghcup does not depend on these same debian packages and does promptly add new versions. I've been playing with what this might looking like.
Pros
Cons
Conclusion
???
Not sure, ghcup is a bit of a poor fit philosophically, however may be a great pragmatic choice resulting in a net win. If we do not go with ghcup, I think we should attempt to improve the lag problem with the current debian packages.
@psftw @hasufell any thoughts?
The text was updated successfully, but these errors were encountered: