feat: build binaries and Docker images in CI

[mgattozzi]

feat: build binaries and Docker images in CI

For releases we need to have Docker images and binary images available for the
user to actually run influxdb3. These CI changes will build the binaries on a
release tag and the Docker image as well, test, sign, and publish them and make
them available for download.

Co-Authored-By: Brandon Pfeifer bpfeifer@influxdata.com

Closes #24773

[mgattozzi]

Okay this is open for review. Before merging I will need to set the CI to only run only on release tags. If you want to test the builds yourself let me know internally on slack and I can get you access to the docker builds and the binary builds.

[mgattozzi]

I'm having some issues with the defaults I've set for docker via env vars (something about permission denied for the fs) that I don't get just running the binary itself which is a docker issue with how I'm running it I think. Otherwise I think we're in a great spot.

[hiltontj]

Thanks @mgattozzi - this is a huge lift. I only had a couple questions/comments, but otherwise LGTM. Would probably be good to get @bnpfeife's approval as well.

[bnpfeife]

I'm having some issues with the defaults I've set for docker via env vars (something about permission denied for the fs) that I don't get just running the binary itself which is a docker issue with how I'm running it I think. Otherwise I think we're in a great spot.

Hey, I've created a PR that resolves the build issue. Though I'm out of time tonight to test it.

[mgattozzi]

I removed the files, included @bnpfeife's changes for making the directory, and I've exposed the right port as well as setting the proper default address to 0.0.0.0 so that docker containers and deployments of influxdb should work as expected. I tagged you for another rereview @hiltontj given there is a code change.

[hiltontj]

🚢

[mgattozzi]

With @hiltontj's changes to where heappy is located I'll need to make a few here in order to get the builds to work on windows again but it shouldn't be that hard. @bnpfeife if you think that the changes otherwise are good then I think we can merge once I fix the conflicts and turn on the release filters so CI isn't building artifacts all the time.

[jdstrand]

This default value is difficult to work with. Consider:

$ dpkg --compare-versions 3.0.0 lt 3.0.1 && echo yes  # good
yes

$ dpkg --compare-versions 3.0.0 lt 3.x-0123abcd && echo yes  # maybe not good?
yes

$ dpkg --compare-versions 3.x-gfed9876 lt 3.x-0123abcd && echo yes  # but what if 3.x-0123abcd was created before 3.x-gfed9876?
[1]

Part of the reason why I'm commenting on this is that we are uploading to influxdb/releases/influxdb3, but these aren't releases, they're snapshots. Package managers are going to have trouble dealing with these versions. I would advocate that the influxdb/releases/influxdb3 only contain things that are considered a release and use something else for snapshots or nightlies.

Fyi, telegraf has telegraf/nightlies/telegraf_nightly_amd64.deb, which gets overwritten every night. Maybe that isn't what you want right now though (ie, perhaps it is useful to have different snapshots).

As a strawperson, I suggest that:

1. someone creates influxdb/snapshots/influxdb3 and move everything that was uploaded to influxdb/releases/influxdb3 there. New snapshots go to influxdb/snapshots/influxdb3 and use 3.0.0+snapshot-{{env.CIRCLE_SHA1[:8]}} as the default.
2. if one of the current uploads was an mvp, tag it with 3.0.0-0.alpha.0.0, rebuild it and put the rebuilt artifacts in influxdb/releases/influxdb3. For important internal pre-alpha releases, you can tag with 3.0.0-0.alpha.0.1, 3.0.0-0.alpha.0.2, etc. When official alpha 1 is released, tag with 3.0.0-0.alpha.1, then use 3.0.0-0.alpha.2 for 2nd official alpha, and so on. Continue with 3.0.0-0.beta.1, 3.0.0-0.rc.1 as desired. This versioning scheme works with both semver and packaging. Ie: 3.0.0-0.alpha.0.0 < 3.0.0-0.alpha.0.1 < 3.0.0-0.alpha.0.2 < 3.0.0-0.alpha.1 < 3.0.0-0.alpha.2 < 3.0.0-0.beta.1 < 3.0.0-0.rc.1. All of these tagged releases go to influxdb/releases/influxdb3
3. when 3.0.0 is released, tag as 3.0.0. semver is happy since 3.0.0-0.rc.1 < 3.0.0 and packaging is updated to use 3.0.0-1 such that 3.0.0-0.rc.1 < 3.0.0-1

In the above, we don't worry if 3.0.0+snapshot-{{env.CIRCLE_SHA1[:8]}} is higher or lower in packaging since people will be installing those manually.

[bnpfeife]

This is definitely a good point. I may go ahead and update these for 1.X OSS/Enterprise and 2.X OSS. As you alluded to, the default version schemes weren't intended to be consumed by the general public. So I had just written them to make apt and yum happy. However, I definitely can foresee a future where someone makes these available to the general public (not here, but in 1.X and 2.X land).

[bnpfeife]

@mgattozzi

Hey, my apologies that I haven't looked at this for some time! I had left some comments but they hadn't appeared in the conversation part of the PR until I started a review. I updated/removed one of my review comments and added another so it aligns better with what @jdstrand suggested. Looking through it, I think everything is just minor changes.

Edit: Oh, my comments were "Pending". GitHub should really let you know that those aren't visible.
https://github.com/orgs/community/discussions/10369

[bnpfeife]

Oh, I think that this can be removed.

[bnpfeife]

This is definitely a good point. I may go ahead and update these for 1.X OSS/Enterprise and 2.X OSS. As you alluded to, the default version schemes weren't intended to be consumed by the general public. So I had just written them to make apt and yum happy. However, I definitely can foresee a future where someone makes these available to the general public (not here, but in 1.X and 2.X land).

[bnpfeife]

Since we're publishing "snapshot" packages, let's change the destination depending on the release type:

   publish-packages:
     docker:
       - image: cimg/python:3.6
+    parameters:
+      # "destination" should be one of:
+      #   - releases
+      #   - nightlies
+      #   - snapshots
+      destination:
+        - type: string
      steps:
        - attach_workspace:
           at: /tmp/workspace
        - aws-s3/sync:
           arguments:             --acl public-read
           aws-region:            RELEASE_AWS_REGION
           aws-access-key-id:     RELEASE_AWS_ACCESS_KEY_ID
           aws-secret-access-key: RELEASE_AWS_SECRET_ACCESS_KEY
           from:                  /tmp/workspace/artifacts
-          to:                    s3://dl.influxdata.com/influxdb/releases
+          to:                    s3://dl.influxdata.com/influxdb/<< parameters.destination >>

The workflows will need to be modified to pass destination along to the jobs.

[mgattozzi]

I'll still need to address all of these. I did get the branch rebased to latest main and conflicts fixed. I'll get to these early next week when I'm back from the solar eclipse viewing.

[mgattozzi]

@jdstrand and @bnpfeife I made the requested changes. I also added the sed filtering you mentioned on slack @jdstrand to make using sha256sum --check work easier.

[jdstrand]

Thanks for these changes! See inline.

[jdstrand]

This should be ^v3.0.0-0.alpha.[0-9]+.[0-9]+ (the -0 is important for package managers).

[jdstrand]

In pre-install you define:

USER=influxdb3
GROUP=influxdb3

It would be nice to do that here.

[jdstrand]

AIUI, this is saying that on Debian-based systems, unconditionally chown and chmod the LOG_DIR and DATA_DIR. Does this happen on upgrades or just new installs? Why is this needed if post-install is already creating the directories correctly. This feels like something cargo-culted in from other packaging that was meant to fix a permissions problem for the other package that doesn't apply here, but maybe I'm missing something?

[mgattozzi]

This is a straight copy from oss 2.x so maybe @bnpfeife would know more?

[bnpfeife]

Yeah, unfortunately, this is something else that has existed before I started working here. My suspicion is that someone was having issues with directory permissions being too restrictive. They probably complained so the "solution" was to always reset the permissions in post-inst. I think since we're starting anew, we should remove this. Mostly because the packaging should attempt to respect the local configuration whenever possible.

[jdstrand]

Nitpick: /usr/local/share is an odd locations for database files. I would expect /var/lib/influxdb3 in the Dockerfile too. Why this path? Presumably this is a mount point for a writable dir, why not make it in a more standard location?

[mgattozzi]

I can't remember, I think I wasn't sure or I was copying what we did in the other OSS bits. Happy to make it /var/lib.

[mgattozzi]

There are still some things that need addressing but am waiting on @bnpfeife's feedback to implement them correctly.

[bnpfeife]

Hey @jdstrand, I've been looking into updating ci-packager to support these changes:

2. don't append -1 to deb and rpm builds for alpha, beta and rc
3. update the rpm versions to use - instead of _ in the filename and internal version

I mentioned in out Slack that ci-packager executes fpm. fpm then modifies the version string before passing it to rpmbuild or dpkg-buildpackage. So, I experimented with calling rpmbuild and dpkg-buildpackage from ci-packager instead.

Ultimately, I ended up consulting both the debian and redhat versioning guidelines quite a bit. Both packaging formats consider the hyphen a separator between the "upstream version" and "package version". These components have slightly different names in the actual version specifications. However, the purpose of each component remains largely the same.

I can definitely make hyphens work, but I'm not sure that I like the implications. I interpret the "release version" ($CIRCLE_TAG) to correspond entirely to the "upstream version". Splitting the "release version" into an "upstream version" and "package version" indicates that multiple releases of the package have occurred when upstream remained unchanged.

It looks like 3.0.0-0.alpha.0 and the other pre-release versions have been crafted to sort before 3.0.0-1. I'm okay with this; ci-packager will just need to supply 1 as the "package version" when none could be parsed from the "release version".

With all of that being said, I'm wondering if it would be easier just to use ~ and +? In both packaging formats, ~ sorts before other components. Outside of that, neither impart special meaning or split the "release version".

# debian version comparisons
$ dpkg --compare-versions '1.0.0' gt '1.0.0~alpha0' # exit-code 0
$ dpkg --compare-versions '1.0.0' gt '1.0.0+snapshot0' # exit-code 1

# redhat version comparisons
$ rpmdev-vercmp '1.0.0' '1.0.0~alpha0'
1.0.0 > 1.0.0~alpha0
$ rpmdev-vercmp '1.0.0' '1.0.0+snapshot0'
1.0.0 < 1.0.0+snapshot0

[jdstrand]

Hey @jdstrand, I've been looking into updating ci-packager to support these changes:

2. don't append -1 to deb and rpm builds for alpha, beta and rc
3. update the rpm versions to use - instead of _ in the filename and internal version

I mentioned in out Slack that ci-packager executes fpm. fpm then modifies the version string before passing it to rpmbuild or dpkg-buildpackage. So, I experimented with calling rpmbuild and dpkg-buildpackage from ci-packager instead.

Ultimately, I ended up consulting both the debian and redhat versioning guidelines quite a bit. Both packaging formats consider the hyphen a separator between the "upstream version" and "package version". These components have slightly different names in the actual version specifications. However, the purpose of each component remains largely the same.

I can definitely make hyphens work, but I'm not sure that I like the implications. I interpret the "release version" ($CIRCLE_TAG) to correspond entirely to the "upstream version". Splitting the "release version" into an "upstream version" and "package version" indicates that multiple releases of the package have occurred when upstream remained unchanged.

Not having hyphens has packaging implications. In Debian, packages without hyphens are interpreted as Debian 'native' packages that come from Debian itself (eg, dpkg has version 1.21.1 in Debian whereas postgresql-14 has 14.2-1) and packaging is different between native and non-native packages. For releases of our software coming from git tags, we should use hyphens since we aren't a native package. One goal of the suggestion I gave is that 3.0.0-1 is intended to be 'the official release of 3.0.0' and '3.0.1-1' is "the official release of 3.0.1' whereas '3.0.1-2' is "the official release of 3.0.1 with a packaging change". This is fully inline with what you just said (but see below).

It looks like 3.0.0-0.alpha.0 and the other pre-release versions have been crafted to sort before 3.0.0-1. I'm okay with this; ci-packager will just need to supply 1 as the "package version" when none could be parsed from the "release version".

Indeed.

With all of that being said, I'm wondering if it would be easier just to use ~ and +? In both packaging formats, ~ sorts before other components. Outside of that, neither impart special meaning or split the "release version".

# debian version comparisons
$ dpkg --compare-versions '1.0.0' gt '1.0.0~alpha0' # exit-code 0
$ dpkg --compare-versions '1.0.0' gt '1.0.0+snapshot0' # exit-code 1

# redhat version comparisons
$ rpmdev-vercmp '1.0.0' '1.0.0~alpha0'
1.0.0 > 1.0.0~alpha0
$ rpmdev-vercmp '1.0.0' '1.0.0+snapshot0'
1.0.0 < 1.0.0+snapshot0

The problem is that in addition to deb and rpm packaging, I was trying to also reconcile semver versioning, and it doesn't allow a ~ or a + after the x.y.z, only -. I felt semver was important because this is coming from a git tag, git tags are shown in GitHub, more people are probably familiar with semver than esoteric Linux packaging version semantics and also we've seen Enterprise import influxdb in go.mod so I wanted good semver in case Community/Pro wanted to do something similar in Cargo.toml. I considered using 2.99.N for our alpha and beta builds, but I wanted the 3.0.0 to make it extremely clear that we are talking about InfluxDB 3, not any version of 2.x. Therefore, I took a common approach and used -0 to denote "this is unofficial" in the deb/rpm world with "this is prerelease" in the semver world, and then created the scheme I did that works for all of deb, rpm and semver for releases of our software that come from git tags:

1. use match: '^v[0-9]+.[0-9]+.[0-9]+(-[0-9]+.(alpha|beta|rc).[0-9]+(.[0-9]+)?)?$'
2. don't append -1 to deb and rpm builds for alpha, beta and rc (ed. since they already have -0...)
3. update the rpm versions to use - instead of _ in the filename and internal version

Yes, the alpha, beta and rc versions have rather verbose version, but it works from a packaging perspective and alpha, beta and rc builds are for internal use (eg, testing) so I wanted to also optimize for MAJOR.MINOR.MICRO-N versions of our software since by far most users will only ever use them. My goal for the alpha, beta and rc versioning is really just to be packaging friendly).

That leaves +snapshot where we agree: 3.0.0+snapshot-{{env.CIRCLE_SHA1[:8]}}. In this, I abandoned the -Nsomething since a) these aren't coming from git tags so semver doesn't matter and b) I wanted the to convey the idea of 'this is 3.0.0 plus stuff' (so it is greater than 3.0.0-1 but less than 3.0.1-1).

In the end, the package versioning I chose is a compromise that:

• works with deb, rpm and semver package tooling with release versions coming from git tags which supports alpha, beta, rc and final release versions
• uses recommended policy for deb and rpm for official final versions (ie, 3.0.0-1, 3.0.1-1, 3.0.1-2, etc)
• uses established convention for deb and rpm for prerelease versions (ie, uses -0something)
• follows semver policy for prerelease versions (ie, uses -0something)
• use recommended policy for deb and rpm for unofficial snapshot releases that don't have a corresponding semver git tag (ie, 3.0.0+snapshot)

[mgattozzi]

@jdstrand and @bnpfeife I'm back from vacation and so trying to figure out what else needs to be done to get this over the line. Are there any actual changes to the versioning that need to be done here?

[jdstrand]

@jdstrand and @bnpfeife I'm back from vacation and so trying to figure out what else needs to be done to get this over the line. Are there any actual changes to the versioning that need to be done here?

From my perspective, these are the changes:

1. use match: '^v[0-9]+.[0-9]+.[0-9]+(-[0-9]+.(alpha|beta|rc).[0-9]+(.[0-9]+)?)?$'

config.yaml still has:

version:
  release:
    match: '^v[0-9]+.[0-9]+.[0-9]+'
    value: '{{env.CIRCLE_TAG[1:]}}'
  default:
    value: '3.0.0+snapshot-{{env.CIRCLE_SHA1[:8]}}'

This should be changed to:

version:
  release:
    match: '^v[0-9]+.[0-9]+.[0-9]+(-[0-9]+.(alpha|beta|rc).[0-9]+(.[0-9]+)?)?$'
    value: '{{env.CIRCLE_TAG[1:]}}'
  default:
    value: '3.0.0+snapshot-{{env.CIRCLE_SHA1[:8]}}'

2. don't append -1 to deb and rpm builds for alpha, beta and rc (ed. since they already have -0...)
3. update the rpm versions to use - instead of _ in the filename and internal version

I believe that @bnpfeife fixed these outside of this PR? @bnpfeife, can you comment?

[mgattozzi]

Okay I pushed those changes @jdstrand. Fixed the cargo deny issue and rebased off main to make sure CI passes. If this all looks good, then I'll add the correct filters so it won't run unless we want to do a release before we merge

[jdstrand]

For the portions I reviewed before, LGTM. I noticed a new file foo that seems like a mistake and have a question about the listening port inline. In the interest of time, I'm going to approve, but please remove the foo file and consider my question about the port.

Please have @bnpfeife also give it a once over.

[jdstrand]

What's this file?

[mgattozzi]

Leftover from me testing stuff with sha256sum. I thought I had deleted it, but I think I did that in the web UI and forgot to pull in those changes before a push 🤦

[jdstrand]

Should this be port 8086?

[bnpfeife]

Hey, @jdstrand @mgattozzi

I created a PR into this branch that uses a new version of ci-packager. It should support everything that was mentioned here.

[mgattozzi]

@bnpfeife I've merged it here and if we need any more changes as follow up I can do them here, but I think this will get us over the edge.

[mgattozzi]

Okay tomorrow I'm going to do some rebasing again, put the correct filters on, and then merge!