Flip --experimental_strict_action_env on by default. #6263
Conversation
benjaminp
force-pushed
the
strict-action-env-by-default
branch
from
2ab5e0a
to
d744b39
Compare
benjaminp
force-pushed
the
strict-action-env-by-default
branch
4 times, most recently
from
d81673c
to
e6b4c9d
Compare
| @@ -111,7 +111,7 @@ | |||
| public static class StrictActionEnvOptions extends FragmentOptions { | |||
| @Option( | |||
| name = "experimental_strict_action_env", | |||
There was a problem hiding this comment.
if enabled by default, please remove the "experimental prefix" and set the oldName to experimental_strict_action_env.
There was a problem hiding this comment.
I think we just want this flag to go away. If you want something like the old behavior, the correct thing to do is to pass --action_env=PATH and --action_env=LD_LIBRARY_PATH. --noexperimental_strict_action_env does some universally bad things like reading from the server environment rather than the client environment.
There was a problem hiding this comment.
You are right. I was under the impression that without --experimental_strict_action_env all shell environment variables are inherited by the action environment but I was wrong there.
|
Overall looks good. Can you please add a @laurentlb for guidance on whether this is compatible with the incompatible flags policy. We want to flip the default value of a flag. Is that ok? |
|
Is it a breaking change? Is it likely to break users? Having RELNOTES is definitely useful. |
The change is that we no longer pass all environment variables to command execution. So it will break people who depend on this. Such users can change the |
|
Can we discuss this on bazel-dev@googlegroups.com? |
|
This seems like a pretty big breaking change, and we don't know the scope of breakage flipping this flag will bring. Even though it's reversible, it's still adding maintenance burden to our end users. Could we discuss this on bazel-discuss or bazel-dev for a start? |
|
Thank you for the reviews and sending that email, Jakob. Question about RELNOTES: Does that have to be in a commit message or is editing the PR description here sufficient? |
|
@benjaminp it needs to be in the commit message. Thanks! |
See bazelbuild#2574. For a while, many actions did not respect the --action_env command line option, but those have been fixed now. So, I think it's time to flip on this flag for greater hermeticity by default. RELNOTES: The --experimental_strict_action_env option is now on by default. This means Bazel will no longer use the client's PATH and LD_LIBRARY_PATH environmental variables in the default action environment. If the old behavior is desired, pass --action_env=PATH and --action_env=LD_LIBRARY_PATH. --noexperimental_strict_action_env will also temporarily restore the old behavior. However, as --action_env is a more general and explicit way to pass client environmental variables into actions, --noexperimental_strict_action_env will eventually be deprecated and removed.
benjaminp
force-pushed
the
strict-action-env-by-default
branch
from
e6b4c9d
to
7337e5c
Compare
|
I've added RELNOTES to the commit message. |
|
LGTM! |
|
This only affects two environment variables (but they are admittedly pretty important). |
|
Could it be the case that this option still makes odd decisions when doing cross remote builds? We currently have a remote build cluster for which we use the following This configuration seems to be sufficient when doing builds from a Linux client on this Debian 8 based cluster. However, when doing builds from a Windows client, we see that |
|
Ah. Looks like this is already documented as a TODO in Carry on! |
|
It's probably worth filing a formal issue for that problem, too. |
|
Anything blocking this from getting merged now? Would be nice to get this into the |
|
I ll merge it when I am back in the office on Monday! |
|
merging in progress! |
The `SassCompiler` action calls a Bash script which in turn assumes `grep`, `cut`, `dirname` and other commands to be available in the `PATH`. But we can't rely on that to be true without `use_default_shell_env = True`. That's because without this flag, shell scripts use Bash's default `PATH` (since `/usr/bin/env -` clears the entire environment). That default `PATH` will be different on different platforms, and is not guaranteed to contain all the shell commands this script expects to be able to call. Indeed, on NixOS the default `PATH` for Bash is `/no-such-path`. If turning on `use_default_shell_env` makes your nervous, it shouldn't. According to bazelbuild/bazel#6263, `--experimental_strict_action_env` will become the default in Bazel v0.20. This means that the default env will be restricted, standard and small. (So this shouldn't hurt hermeticity - actually it should help it.)
See #2574. For a while, many actions did not respect the --action_env command line option, but those have been fixed now. So, I think it's time to flip on this flag for greater hermeticity by default.