Use builder image's objcopy when building with quarkus.native.container-build=true and quarkus.native.debug.enabled=true

[zakkak]

Closes #13754
Closes #13856

[jerboaa]

A couple of comments...

[jerboaa]

Wouldn't this spin up a container 3 times? Ideally, we'd stitch them together so that we can get away with a one time container invocation. I.e. podman run ... --entrypoint=/bin/bash <container> -c 'objcopy --only-keep-debug ... ; objcopy --add-gnu-debuglink=....; objcopy --strip-debug ... or podman run ... --entrypoint=/bin/bash <container> -c 'objcopy --strip-debug ... depending on the -g option.

[zakkak]

It will, but that's fairly fast in comparison to the native-image build step. Keeping it this way we don't have to maintain two different code paths for container and host builds, thus keeping it simple and more readable.

[jerboaa]

I haven't tested this myself, but apparently running containers on non-Linux isn't as quick. Perhaps mac and windows use-cases with building with the container should be tested.

[zakkak]

AFAIK Mac is almost as fast, and windows docker using WSL2 as the backend should also be pretty fast. I can do some testing on Windows, but unfortunately not on Mac.

[jerboaa]

This maybe an optimization to do as a later step (once we know this actually is a problem?)

[zakkak]

FTR: I tested this on two laptops with similar specs.
I tested the "combined" (single docker container for all 3 processes) vs the "split" (1 container per process) approach and the results were:

	Windows	Linux
Combined	~16s	~0.8s
Split	3.5 + 13 + 6.5 = ~23s	0.5 + 0.5 + 0.6 = ~1.1s

Although the benefit of using the "combined" approach is pretty clear, the overhead of the "split" approach (~7s) is still relatively low given that the image build took ~260s.

[zakkak]

@gsmet can you please review?

[gsmet]

@zakkak can you fix the conflict?

Frankly, I can't backport it as is. We can't refactor everything in a PR we want to backport...

[zakkak]

@zakkak can you fix the conflict?

Done

Frankly, I can't backport it as is. We can't refactor everything in a PR we want to backport...

I understand. I should have actually added this PR to 1.11.0.Final in the first place.
How would you like to proceed with this since we would like it in 1.11.x? Is it OK if I create a new PR with branch 1.11 as the base?
Unfortunately the refactoring is necessary to make this change in a sensible way, otherwise we would have to duplicate a lot of code and some processing.

[gsmet]

As I said I'm uncomfortable backporting something that rewrites a whole class. So either we find a finer-grained approach or we don't backport it. The current approach is not safe for a backport. I don't want to break something else to fix an issue.

Now if someone really wants this, they will have to review this VERY closely to be sure everything is safe.

/cc @maxandersen @tqvarnst

[rsvoboda]

@zakkak can you please rebase?

[zakkak]

@zakkak can you please rebase?

@rsvoboda this is not worth rebasing before #14635 gets merged, unless it's a real blocker for you.

[geoand]

This need a rebase but we need a decision on

1. Whether or needs to be backported or not (based on what @gsmet mentioned)
2. If we want this or Add native-source package type #15233 to go in first (that PR is definitely not backport material either)

[zakkak]

This need a rebase but we need a decision on

1. Whether or needs to be backported or not (based on what @gsmet mentioned)

We have concluded that this does not need to be backported.

2. If we want this or #15233 to go in first

I would prefer #15233 to go in first.

[geoand]

OK, then I will take #15233 out of draft so it can get a proper review.

Furthermore, I'll add a test for it

[zakkak]

OK, then I will take #15233 out of draft so it can get a proper review.

Furthermore, I'll add a test for it

Can we please make sure #14635 goes in first, then #15233 and finally #13963 (this PR)?

[geoand]

Ouch... I just saw #14635... Rebasing my PR onto that one won't be fun :(

[zakkak]

Ouch... I just saw #14635... Rebasing my PR onto that one won't be fun :(

I feel you, if it eases your pain it will be more or less the same for this PR ;)

[geoand]

Ouch... I just saw #14635... Rebasing my PR onto that one won't be fun :(

I feel you, if it eases your pain it will be more or less the same for this PR ;)

Yeah, we are in the same boat :)

[geoand]

Turned out to be easier than I thought :)

[zakkak]

Turned out to be easier than I thought :)

I wish I could say the same :)

This is now ready for review. I tested it locally with all three configurations and GraalVM CE 21.0:

1. Host build with -Dquarkus.native.debug.enabled=true -Dquarkus.native.graalvm-home=/opt/jvms/graalvm-ce-java11-21.0.0
2. Builder image with -Dquarkus.native.debug.enabled=true
3. Remote buidler image with -Dquarkus.native.remote-container-build=true -Dquarkus.native.debug.enabled=true

@jonathan-meier FYI (It would also be great if you could give this a spin on your "remote" docker setup)

[zakkak]

Ideally I would prefer a dynamically generated unique volume name, but I am not sure it's worth the effort.
We could also do something like fixed-name-YYYY-MM-DD-HHMM to avoid potential conflicts with existing volumes.
WDYT?

[jonathan-meier]

It's straightforward to let docker generate the unique volume id, I quickly tested it locally:

final String[] createVolumeCommand = new String[] { containerRuntime.getExecutableName(), "volume", "create" };
volumeId = runCommandAndReadOutput(createVolumeCommand, "Failed to create temp volume.");

Using this as a first step in preBuild and replacing all CONTAINER_BUILD_VOLUME_NAME with volumeId.

[zakkak]

Unfortunately it's not that simple. If you manually create the volume before starting the container, the volume (when mount) is owned by root:root and native-image fails to write to it in subsequent steps.

Creating the volume explicitly

$ podman volume create test-volume                         
test-volume
$ podman create --name temp -v test-volume:/project quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11                         
bfa2406d5fa0a003af99c91f077ed989006eb2441004135773429c425f9ce997
$ podman run --rm --entrypoint /bin/bash -it -v test-volume:/project quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11 -c "ls -la"
total 0
drwxr-xr-x.  2 root root 6 Mar  3 11:40 .
drwxr-xr-x. 19 root root 6 Mar  3 11:41 ..

Creating the volume implicitly

$ podman create --name temp -v test-volume:/project quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11
e30ffb76aa320448a3e645d7030c4dcf76b0efb83b68e3bc58a2e655c683d1de
$ podman run --rm --entrypoint /bin/bash -it -v test-volume:/project quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11 -c "ls -la"
total 0
drwxr-xr-x.  2 quarkus quarkus 6 Mar  3 11:42 .
drwxr-xr-x. 19 root    root    6 Mar  3 11:42 ..

I am not a containers expert though so I'll be happy to be corrected :)

[jonathan-meier]

Interesting! I checked the following:

• docker 19.03.13 on Ubuntu 20.10
• docker 20.10.2 on Ubuntu 20.10 in WSL
• podman 2.0.6 on Ubuntu 20.10
• podman 1.6.4 on CentOS 7.9
• podman 3.0.1 on CentOS 7.9

in all but the last case, the /project folder was owned by the quarkus user also when creating the volume explicitly. So something seems to have changed for podman 3. I'm guessing you're running on podman 3 as well?

[zakkak]

Indeed I am using podman 3.0.1 on Fedora 33.

Thanks for the additional info @jonathan-meier, I created containers/podman#9608.

[jonathan-meier]

Works like a charm! I tested various combinations of local/remote builds with debug enabled/disabled both natively on Windows and inside WSL.

[zakkak]

Works like a charm! I tested various combinations of local/remote builds with debug enabled/disabled both natively on Windows and inside WSL.

Thank you @jonathan-meier, I really appreciate it :)

[gsmet]

@zakkak @jonathan-meier I rebased this PR and also added an additional commit to fix (again) the confusion between native image name and executable name. Could you both have a look?

[zakkak]

Thanks @gsmet. It looks like the issue (which appears only in podman 3.0.x) I am working around in this PR (see #13963 (comment)) is fixed in podman 3.1.0 (which was released 2 days ago) so I was thinking about waiting for it to land in fedora and rework the PR to avoid the work-around. WDYT?

[gsmet]

If the workaround doesn't break Podman 3.1, I would get it in anyway. People don't always keep things updated.

[zakkak]

If the workaround doesn't break Podman 3.1, I would get it in anyway. People don't always keep things updated.

OK, I added a comment to explain that we follow this approach due to the Podman 3.0.x issue. It looks good to me (at least the linux part). It would be nice if someone could confirm that everything works as expected on windows as well.

[jonathan-meier]

Looks good to me too! I again tested various combinations of containerized local/remote docker builds with debug enabled/disabled both natively on Windows and inside WSL.

Please note that I did not test direct local builds on Windows producing a Windows binary (i.e. without docker, as I don't have GraalVM installed on Windows). I did not do any podman tests either.

[zakkak]

@gsmet I rebased this (cleanly). I think it's good to go (after the CI completes).

[quarkus-bot]

Failing Jobs - Building 8008ceb

Status	Name	Step	Test failures	Logs	Raw logs
✖	JVM Tests - JDK 8	Build	Test failures	Logs	Raw logs

Full information is available in the Build summary check run.

Test Failures

⚙️ JVM Tests - JDK 8 #

📦 integration-tests/kafka

✖ io.quarkus.it.kafka.SaslKafkaConsumerTest.testReception line 48 - More details - Source on GitHub

✖ io.quarkus.it.kafka.SslKafkaConsumerTest.testReception line 56 - More details - Source on GitHub

[zakkak]

CI looks good @gsmet @geoand can you please merge?