twoliter
twoliter copied to clipboard
bottlerocket-os
cargo-deny warnings now when building variants with in-tree kit
Hi!
Finder of edge cases here. We build our variants with an in-tree kit. Between 0.7.1 and 0.10.0 you introduced some difference in the cargo-deny run, which now results in these warnings when building the variants.
[2025-05-13T11:57:04Z DEBUG twoliter__bin::common] Running: Command { std: "cargo" "make" "--disable-check-for-updates" "--makefile" "/home/mikn/.cache/bazel/_bazel_mikn/2c3f33a86f4a406b8ffa9b29662db437/execroot/_main/platform/base/bottlerocket/build/tools/Makefile.toml" "--cwd" "/home/mikn/.cache/bazel/_bazel_mikn/2c3f33a86f4a406b8ffa9b29662db437/execroot/_main/platform/base/bottlerocket" "-e=TLPRIVATE_SDK_IMAGE=public.ecr.aws/bottlerocket/bottlerocket-sdk:v0.50.1" "-e=BUILDSYS_OUTPUT_GENERATION_ID=1" "-e=TWOLITER_TOOLS_DIR=/home/mikn/.cache/bazel/_bazel_mikn/2c3f33a86f4a406b8ffa9b29662db437/execroot/_main/platform/base/bottlerocket/build/tools" "-e=BUILDSYS_ARCH=x86_64" "-e=BUILDSYS_VARIANT=metal-k8s-1.31-storage" "-e=BUILDSYS_VERSION_IMAGE=1.2.2" "-e=GO_MODULES=" "-e=BUILDSYS_UPSTREAM_SOURCE_FALLBACK=false" "build", kill_on_drop: false }
warning[unmatched-skip-root]: skip tree root was not found in the dependency graph
┌─ /tmp/sources/deny.toml:69:15
│
69 │ { name = "migration-helpers" },
│ ━━━━━━━━━━━━━━━━━ no crate matched these criteria
warning[unmatched-source]: allowed source was not encountered
┌─ /tmp/sources/deny.toml:88:6
│
88 │ "https://github.com/bottlerocket-os/bottlerocket",
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ no crate source matched these criteria
warning[license-not-encountered]: license was not encountered
┌─ /tmp/sources/deny.toml:20:6
│
20 │ "OpenSSL",
│ ━━━━━━━ unmatched license allowance
Blocking waiting for file lock on build directory
Compiling metal-k8s-1_31-storage v0.1.0 (/home/mikn/devel/molnett/src/platform/base/bottlerocket/variants/metal-k8s-1.31-storage)
warning: [email protected]: Image feature EROFS_ROOT_PARTITION is experimental; use at your own risk!
Finished `dev` profile [optimized] target(s) in 6m 43s
[cargo-make] INFO - cargo make 0.37.24
[cargo-make] INFO -
[cargo-make] INFO - Build File: /home/mikn/.cache/bazel/_bazel_mikn/2c3f33a86f4a406b8ffa9b29662db437/execroot/_main/platform/base/bottlerocket/build/tools/Makefile.toml
[cargo-make] INFO - Task: build
[cargo-make] INFO - Profile: development
[cargo-make] INFO - Running Task: setup
[cargo-make] INFO - Running Task: setup-build
[cargo-make] INFO - Running Task: fetch-sdk
[cargo-make] INFO - Running Task: fetch-sources
[cargo-make] INFO - Running Task: fetch-vendored
[cargo-make] INFO - Running Task: check-licenses
bans ok, licenses ok, sources ok
[cargo-make] INFO - Running Task: build-sbkeys
[cargo-make] INFO - Running Task: publish-setup
11:57:11 [INFO] Found infra config at path: /home/mikn/devel/molnett/src/platform/base/bottlerocket/Infra.toml
[cargo-make] INFO - Running Task: cargo-metadata
[cargo-make] INFO - Running Task: validate-kits
[cargo-make] INFO - Running Task: build-variant
[cargo-make] INFO - Build Done in 410.68 seconds.
We depend on your migration helpers from the bottlerocket repository directly, we do not get these warnings when building the kit that our variant uses.
I added in the cargo-make output also, as I found it interesting that the output from deny comes before the cargo task check-licenses (which in turn outputs that it is fine).
The output ordering is indeed very strange!
One thing that we changed (which I think is also related to your parallel/serial comment -- will chime in there) is the way that Rust dependencies are vendored.
I wonder if this vendoring somehow misses the migration-helpers dependency. Are you using a cargo path dep?
This is my full (minus some sensitive workspace members) Cargo.toml from my variant's sources/ folder:
[workspace]
resolver = "2"
members = [
"settings-defaults/metal-dev",
"settings-extensions/etcd",
...
"settings-plugins/metal-dev",
]
[workspace.dependencies]
abi_stable = "0.11.3"
serde = "1"
serde_json = "1"
env_logger = "0.11"
[workspace.dependencies.migration-helpers]
git = "https://github.com/bottlerocket-os/bottlerocket"
tag = "v1.39.0"
version = "0.1.0"
[workspace.dependencies.bottlerocket-defaults-helper]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-defaults-helper-v0.1.1"
version = "0.1.1"
[workspace.dependencies.bottlerocket-model-derive]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.9.0"
version = "0.1"
[workspace.dependencies.bottlerocket-modeled-types]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.9.0"
version = "0.8.0"
[workspace.dependencies.bottlerocket-settings-models]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.9.0"
version = "0.9.0"
[workspace.dependencies.bottlerocket-settings-plugin]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.8.0"
version = "0.1"
[workspace.dependencies.bottlerocket-settings-sdk]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.9.0"
version = "0.1"
[workspace.dependencies.settings-extension-oci-defaults]
git = "https://github.com/bottlerocket-os/bottlerocket-settings-sdk"
tag = "bottlerocket-settings-models-v0.9.0"
version = "0.1"
[profile.release]
debug = true
With cargo path dep, I assume you mean including something in the Cargo.toml from a path, which I do not do.
Thinking about it, I think the ordering of the output may be an artefact of the fact that Bazel dumps stderr first, and then stdout, rather than interleaving them - so ignore the output order.