Fork me on GitHub
#tools-deps
<
2020-12-03
>
Alex Miller (Clojure team)03:12:48

I just released a prerelease clj 1.10.1.745 with the new dep tree printing under clj -X:deps tree (want to get some feedback but I will extend to -Stree before I release it). Options available (won't be available under -Stree): • :file <path> - make tree from a trace.edn file created by clj -Strace instead of the local deps.edn • :indent <int> - tree spacing (default = 2) • :hide-libs <set-of-libs> - libs to hide in the tree under the root, defaults to #{org.clojure/clojure}

seancorfield17:12:26

I can't test this in our setup at work because there's no way to tell -X:deps tree about the aliases it needs to merge in (from our "master" deps.edn file specifically, but it's general problem if you want a tree based on a set of aliases).

Alex Miller (Clojure team)03:12:54

I'm also thinking about having a flag to choose whether to display excluded libs (-Stree does not, the new format does)

Alex Miller (Clojure team)03:12:58

anyways, feedback welcome

Alex Miller (Clojure team)03:12:36

there are also apis to get as data, might be useful to have a version to print or spit the tree as edn instead of printing? dunno

dominicm08:12:39

I could use edn output, then pipe into jet for manipulation.

jcf16:12:12

Hey all. I'm clutching at straws here so apologies for the noise. 🙂 Anyone tried installing deps today and noticed classpath issues like this:

Downloading: com/datomic/ion/0.9.48/ion-0.9.48.jar from datomic-cloud
Error building classpath. Could not find artifact com.datomic:ion:jar:0.9.48 in central ()
I thought it was some silly Docker stuff I was doing but I'm seeing the same problem inside a GitHub action now. Given the line that says "Downloading" I'm confused as to why a classpath can't be built.

jcf16:12:52

I started out creating a question here because I thought it was a problem with the Datomic Maven repo but I can download the JAR with aws s3 cp just fine. http://ask.datomic.com/index.php/546/could-not-find-artifact-com-datomic-ion-jar-0-9-48-in-central

jcf16:12:02

This works:

aws s3 cp  .

jcf16:12:42

$ clojure -h | head
Version: 1.10.1.739

jcf16:12:03

It works on my machine. 😄

Alex Miller (Clojure team)16:12:19

do you have AWS creds set?

jcf16:12:16

On my machine, yep. Defaults and profiles. In the Docker container I had AWS_ACCESS_KEY_ID and secret exported at build time, but have since moved that so the creds are only there at runtime. Inside the GitHub Action I've not exported anything or configured AWS in any way.

jcf16:12:39

Are you thinking my AWS creds are making things work on this host machine?

jcf16:12:59

I read that for Maven repos on S3 there's some AWS API interaction required to get the region. I guess that could be failing.

Alex Miller (Clojure team)16:12:11

yes, it needs to determine the bucket location

jcf16:12:37

You can stick a ?region=... on the end of the :mvn/repo URL I think. I could try that.

jcf16:12:51

I don't know which region the Datomic Cloud bucket is in but I should be able to find out.

jcf16:12:22

I'll try that now. Thanks Mr. Miller. Uno momento.

jcf16:12:55

Building a Docker container, and running a job (?) via GitHub Actions.

jcf16:12:44

No joy with GitHub:

Downloading: com/datomic/ion/0.9.48/ion-0.9.48.jar from datomic-cloud
Downloading: joda-time/joda-time/2.10/joda-time-2.10.jar from central
Downloading: commons-codec/commons-codec/1.15/commons-codec-1.15.jar from central
Error building classpath. Could not find artifact com.datomic:ion:jar:0.9.48 in central ()

jcf16:12:13

Docker sits here for a few seconds and then continues on its way:

Downloading: com/datomic/ion/0.9.48/ion-0.9.48.pom from datomic-cloud
Downloading: com/datomic/ion/0.9.48/ion-0.9.48.jar from datomic-cloud
Downloading: tigris/tigris/0.1.2/tigris-0.1.2.jar from clojars
Downloading: javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar from central
Downloading: com/cognitect/aws/appsync/809.2.784.0/appsync-809.2.784.0.jar from central
Downloading: com/amazonaws/aws-java-sdk-s3/1.11.210/aws-java-sdk-s3-1.11.210.jar from central
Error building classpath. Could not find artifact com.datomic:ion:jar:0.9.48 in central ()
ERROR: Service 'clojure' failed to build : The command '/bin/sh -c clojure -Srepro -P -A:dev:test:cider-clj' returned a non-zero code: 1

jcf16:12:27

I'm not sure why tools.deps is downloading things twice.

jcf16:12:50

Should there be two lines "Downloading" com.datomic/ion ?

jcf16:12:54

Ahh, that makes sense.

jcf16:12:06

Hmm. I'm still stumped in that case. :thinking_face:

jcf16:12:36

Okay, I can reproduce locally.

mv ~/.aws{,-ignore}
mv ~/.m2/repository/com/datomic/ion{,-ignore}
Then when I jack in I see the Ion dependency being downloaded and then the same error:
error in process sentinel: Could not start nREPL server: Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
DEPRECATED: Libs must be qualified, change compliment => compliment/compliment 
DEPRECATED: Libs must be qualified, change nrepl => nrepl/nrepl 
DEPRECATED: Libs must be qualified, change refactor-nrepl => refactor-nrepl/refactor-nrepl 
Downloading: com/datomic/ion/0.9.48/ion-0.9.48.pom from datomic-cloud
Downloading: org/clojure/clojure/maven-metadata.xml from datomic-cloud
Downloading: com/datomic/ion/0.9.48/ion-0.9.48.jar from datomic-cloud
Error building classpath. Could not find artifact com.datomic:ion:jar:0.9.48 in central ()

jcf16:12:59

Interestingly there's nothing in my ~/.m2/repository/com/datomic/ion/0.9.48 directory…

jcf16:12:37

I can see two .part files show up momentarily, and then they disappear after I'm told classpath construction failed.

Alex Miller (Clojure team)16:12:57

it has to do with the aws creds of whatever user you're using

Alex Miller (Clojure team)16:12:05

it does not have iam access to s3 ops or something like that

jcf16:12:20

So to pull down the Ion dependency I need to configure AWS and ensure I have at least some S3 permissions?

Alex Miller (Clojure team)16:12:07

you need to be using aws user credentials that don't prevent s3 use for HeadObject, GetObject, and maybe GetBucketLocation

jcf16:12:53

Okay, I'll create an IAM policy that grants that access. 👍 I can test that pretty quickly with Docker. GitHub Actions will take a little longer. 🙂

jcf16:12:12

Dos momentos.

Alex Miller (Clojure team)16:12:21

the objects you're going after definitely still exist and are public in the bucket, the issue here is around IAM on the accessing user

👍 3
jcf17:12:44

@alexmiller I see you've answered my question over on http://ask.datomic.com. I've added the following policy and I'm seeing the same error:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::datomic-releases-1fc2183a/*"
        }
    ]
}
There is no HeadObject action as far as I can tell; you get that with GetObject. Is there something else I'm missing? I can't find anything in the Datomic Cloud or tools.deps docs otherwise I wouldn't be pestering you like this. Sorry!

Alex Miller (Clojure team)17:12:10

sorry I'm not an IAM guru

Alex Miller (Clojure team)17:12:18

is there some kind of simulator or something that can answer whether this user has access to some resource?

jcf17:12:49

I've added the credentials to my local machine and I'm trying out the operations using the AWS CLI.

jcf17:12:05

Copying the JAR worked. Just checking I can fetch the bucket location.

jcf17:12:04

Okay, so I'm not allowed to get the bucket location. That's not surprising though as it's not my bucket. I shouldn't be able to grant myself permission to interact with buckets owned by other people.

jcf17:12:34

$ aws --profile REDACTED s3api get-bucket-location --bucket datomic-releases-1fc2183a

An error occurred (AccessDenied) when calling the GetBucketLocation operation: Access Denied

jcf17:12:22

$ aws --profile REDACTED s3 cp  .

download:  to ./ion-0.9.48.jar

Alex Miller (Clojure team)19:12:59

this bucket has a policy that GetBucketLocation is open to *

Alex Miller (Clojure team)19:12:23

you may be hitting something region related though - what's the default region for this user?

Alex Miller (Clojure team)19:12:55

buckets are inherently region-specific

Alex Miller (Clojure team)19:12:41

this is the case where adding the ?region=us-east-1 suffix to the url should help I think

jcf08:12:14

This user defaults to eu-west-2. I tried the suffix on the repo URL but no dice.

jcf08:12:54

And massive thanks for your help on this, @alexmiller. :man-bowing:

Alex Miller (Clojure team)14:12:57

can you try setting your default region creds to us-east-1?

Alex Miller (Clojure team)14:12:23

either via the region in your credentials file or setting AWS_REGION

jcf15:12:35

Coming right up! Thanks! 🙂

jcf16:12:04

@alexmiller I think I've found the right combination of permissions and Docker configuration to get things working! 💥 The IAM policy I shared previously should do the trick. There were two things I had to do to get Docker working: 1. Use COPY to add an AWS directory to the container at the beginning of the build; use of environment variables is frowned up for security reasons, and is hard to get right with enviroment: and env_file: not working at build time. If you want env vars at build time you need to add ARGs to your Dockerfile and then you can set args: within your build context. 🙂 2. Replace use of the new -P option and invoke clojure -Srepro -A:dev:test:etc -e 'nil'. I mount the same ~/.aws volume at runtime but could swap out new credentials if necessary (which could make sense if you want different access at build vs. runtime). I've got a running container with all the Datomic goodness available including connecting the SOCKS proxy up to a running system. I can connect Cider from Emacs and get all the code reloading goodness you'd expect. I've created a client and I can list databases in the Solo topology running on AWS. I have to say another massive thank you for all your help with this! Thank you! And merry Christmas! 🎅 🎄

Alex Miller (Clojure team)16:12:58

well I'm glad it's working. I'm curious why you needed the alternate clojure command, seems like if those aliases are relevant you could use clojure -Srepro -A:dev:test:etc -P

jcf16:12:25

I chalked the -P up to using a newer version of tools.deps on my host machine to what's in the most recent Docker image for Clojure. I might have just gotten the order of the arguments wrong in that case. 🤷

Alex Miller (Clojure team)16:12:43

yeah, that version could be lagging

Alex Miller (Clojure team)16:12:56

but if you're missing -P that's a good workaround

👍 3
seancorfield18:12:50

@alexmiller Any further thoughts on TDEPS-174 and/or TDEPS-175? I'm finding more and more that those are obstacles to things we want to do at work 😞

Alex Miller (Clojure team)19:12:42

haven't worked on it yet

borkdude20:12:58

Why does clj download this long list of deps with an empty deps.edn? Among these is an AWS api lib. Why? I'll post this as a snippet.

borkdude20:12:15

When setting :mvn/local-repo "/tmp/mvn/foo" the list is even longer. I thought the tools jar was an uberjar that contained all clj needs

dominicm20:12:42

@borkdude Is it possibly the deps in the system deps.edn?

borkdude20:12:43

I guess so yes:

:aliases {
    :deps {:replace-deps {org.clojure/tools.deps.alpha {:mvn/version "0.9.833"}
                          org.slf4j/slf4j-nop {:mvn/version "1.7.25"}}
           :ns-default clojure.tools.cli.api}
    :test {:extra-paths ["test"]}
  }

borkdude20:12:11

The question remains: why is there an AWS api lib among the deps of tools.deps.alpha. That feels not right.

Derek20:12:35

fetching from an s3 repo, maybe?

👍 3
borkdude20:12:37

Ah right, that must be it!

borkdude20:12:39

The tree looks great. But to get the deps tree of tools.deps I had to add it to the main deps, because you can't activate an alias. So running into the same problem that Sean ran into.

dominicm20:12:42

@borkdude I don't fully understand why those aren't part of uberjar either though :)

Alex Miller (Clojure team)21:12:27

the :deps alias doesn't use the uberjar

Alex Miller (Clojure team)21:12:36

running -X:deps tree is in no way magical and doesn't use any parts of clj - it's just running a program that is in tools.deps.alpha library

Alex Miller (Clojure team)21:12:25

the uberjar is used by clj to get the classpath of the program to run

Alex Miller (Clojure team)21:12:35

@borkdude I'm a little confused by "But to get the deps tree of tools.deps I had to add it to the main deps, because you can't activate an alias. So running into the same problem that Sean ran into."

Alex Miller (Clojure team)21:12:13

or nvm, I think I am reading it properly now

borkdude21:12:24

@alexmiller it's not magical, but the deps it downloads are probably already in the uberjar. but I get the point of not using that as that would be magical. unless :deps was by convention a built-in thing that always uses the tools jar.

Alex Miller (Clojure team)21:12:00

it's intentionally not that because there is no way to add additional deps and then de-dupe across the uberjar

Alex Miller (Clojure team)21:12:11

uberjars are inherently unfriendly to combination

Alex Miller (Clojure team)21:12:15

uberjars are evil, but a useful evil if you keep them to yourself

Alex Miller (Clojure team)21:12:52

anyways, I'm going to change -Stree to do the format above too, so you'll be able to do all the things you do now with deps

Alex Miller (Clojure team)21:12:38

and whenever we get to it, you should be able to use options to modify the -X:deps tree program too

Alex Miller (Clojure team)21:12:47

one question I have is whether -Stree should show something like above or if it should be filtered to just the included libs like it does now

borkdude21:12:51

filtering can always be done with grep

borkdude21:12:17

$ clj -X:deps tree | grep -v "X "

Alex Miller (Clojure team)21:12:52

I guess what I'm asking is would you prefer to usually see excluded or not?

seancorfield22:12:13

(FWIW, I've spent a chunk of today moving us off the CLJ_CONFIG "hack" and we've decided to bite the bullet and generate our deps.edn files from a master template and a subproject template -- handling all the :override-deps directly ourselves... if the CLI / t.d.a ever supports an additional "shared project" deps.edn file, we'll switch back to that format... just got tired of dealing with tooling that doesn't honor CLJ_CONFIG and/or aliases 😞 )

borkdude22:12:48

So you basically went the interdeps-like route?

seancorfield22:12:48

There were things I didn't like about how interdeps worked so I did not go back and look at it when I rebuilt our stuff today.

borkdude22:12:17

I figured you didn't want to take on some dep, that's why I added the -like suffix

seancorfield22:12:43

We ended up with <subproject>/<subproject>-deps.edn for the templates and a <subproject>/<subproject>-deps.md5 file for the checksums so we can regen on-demand automatically in our build script.

seancorfield22:12:02

The checksum for each subproject includes the checksum for the master file as well, so we regenerate any <subproject>/deps.edn file if either the master template or the subproject template has changed. We have not yet tackled the issue of transitive :local/root dependencies (we probably won't, unless it actually bites us).

borkdude22:12:05

I'll probably roll my own solution for this too, like I did in the boot era, if this remains unsupported.

borkdude22:12:04

Do you actually parse the EDN and merge yourself, or do you use simple string templating

seancorfield22:12:10

Merge the EDN. I lift the :defaults aliases out of the master template and pull it's :override-deps out and then update the project template deps with those overrides.

borkdude22:12:14

yeah, easy enough.

seancorfield22:12:05

Four hours of restructuring our "build" script etc and I can now run the new -X:deps tree on our subprojects 🙂

seancorfield22:12:22

So, yeah, the new tree structure is very nice -- thanks @alexmiller -- I haven't yet seen a * case in any of our subprojects...

Alex Miller (Clojure team)22:12:05

I changed that before I put it out, but you can check for the trailing :superseded tag

seancorfield22:12:00

Oh, I thought * indicated the newer selected version?

seancorfield22:12:50

Ah, OK. I see some :older-version tags. Haven't seen a :superseded tag yet

Alex Miller (Clojure team)22:12:55

are you still doing a flat list of deps?

Alex Miller (Clojure team)22:12:31

if so, you'll never see it

Alex Miller (Clojure team)22:12:43

or if you're always doing some stuff to use a consistent set of transitive dep versions, same thing

seancorfield22:12:03

Just run a full pass looking for :superseded and, yup, plenty are showing up. Nice!

seancorfield22:12:27

(mostly Jackson "of course")

☝️ 3
Alex Miller (Clojure team)22:12:17

I mean, that is actually something to maybe look at given that Jackson version changes are (often) breaking

Alex Miller (Clojure team)22:12:44

there's like a next level of potential analysis here to gather the set of versions seen

seancorfield22:12:44

Yeah, it looks like we unexpectedly have some lower level pieces of Jackson that aren't being explicitly overridden...

seancorfield22:12:16

Here's partial output:

. com.fasterxml.jackson.dataformat/jackson-dataformat-smile 2.10.2 :newer-version
      . com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.10.2 :newer-version
  X com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.8.11 :superseded
    . com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.8.11
    . com.fasterxml.jackson.dataformat/jackson-dataformat-smile 2.8.11
    X com.fasterxml.jackson.dataformat/jackson-dataformat-smile 2.9.6 :parent-omitted
    X com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.9.6 :parent-omitted
  X com.fasterxml.jackson.dataformat/jackson-dataformat-smile 2.8.11 :superseded
I'm not sure how to interpret that @alexmiller?

seancorfield22:12:38

These are a top-level dep in a :local/root dep of this project:

. com.fasterxml.jackson.dataformat/jackson-dataformat-cbor 2.8.11
    . com.fasterxml.jackson.dataformat/jackson-dataformat-smile 2.8.11
I guess we'll need to add it in some of our projects that only depend on other :local/root projects

Alex Miller (Clojure team)22:12:03

the tags you'll see at the end are really an artifact of the order they're found so that's not super relevant, but can be relevant if the set of considered versions are substantially different

Alex Miller (Clojure team)22:12:09

you probably aren't even use those sub parts of jackson anyways

seancorfield22:12:50

Ah, OK. So nothing to worry about here because it picks the same version anyway?