Cache binaries downloaded for packaging locally

[swiatekm]

What does this PR do?

It makes it possible to avoid re-downloading binaries on each mage package invocation. It does this by:

• Introducing a KEEP_ARCHIVE environment variable, which, when set, prevents deletion of the binary archive in the drop path: 0e63536
• Making the binary download code send a If-Modified-Since header based on the modification time of the existing file. If this returns a Not Modified code, we skip the download: a7ec517

The environment variable is introduced to avoid potentially breaking the CI and unified builds. We need to more carefully verify that it won't before enabling it by default.

Why is it important?

Redownloading binaries wastes time and makes agent difficult to work with on slow internet connections.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• [ ] I have added tests that prove my fix is effective or that my feature works
• [ ] I have added an entry in ./changelog/fragments using the changelog tool
• [ ] I have added an integration test or an E2E test

How to test this PR locally

Run EXTERNAL=true SNAPSHOT=true DEV=true KEEP_ARCHIVE=true mage package twice. The second time should be faster.

Related issues

• Relates https://github.com/elastic/observability-dev/issues/4702

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[pkoutsovasilis]

I did look at the code and the endgoal makes total sense to me and it is welcome improvement. There is only this part that we rely on the server telling us if something has changed or not (by using "If-Modified-Since" http header) that I am not sure how I feel about it. By leveraging the latter we kinda "expose" our packaging to any bugs of the artifacts server (has caused us issues in the past). Maybe a more controlled by us solution would be to download first the sha512 file compare it with what we have locally and if different download. wdyt?

[swiatekm]

I did look at the code and the endgoal makes total sense to me and it is welcome improvement. There is only this part that we rely on the server telling us if something has changed or not (by using "If-Modified-Since" http header) that I am not sure how I feel about it. By leveraging the latter we kinda "expose" our packaging to any bugs of the artifacts server (has caused us issues in the past). Maybe a more controlled by us solution would be to download first the sha512 file compare it with what we have locally and if different download. wdyt?

For what it's worth, I think our artifacts API just passes that header to the underlying object storage, which should have a correct implementation. I originally thought we always check the downloaded file against the hash, but it seems like we might not? If we did, that would solve the problem, because even if the artifacts api was wrong, we'd get a hash mismatch and at least see the problem.

For the record, I think actual packaging steps in the CI should always redownload the artifacts, ideally by calling mage clean.

[pkoutsovasilis]

For what it's worth, I think our artifacts API just passes that header to the underlying object storage, which should have a correct implementation. I originally thought we always check the downloaded file against the hash, but it seems like we might not?

and for this exact reason of having to speculate when we rely on an external server, I would prefer utilising the sha512 files. (PS: if what you say is true and the underlying storage relies on the modified time of the file, is not the most reliable thing out there). Also, as you do mention above, you would solve another problem we currently have of not validating the components we download by hash, win win scenario 🙂

[swiatekm]

For what it's worth, I think our artifacts API just passes that header to the underlying object storage, which should have a correct implementation. I originally thought we always check the downloaded file against the hash, but it seems like we might not?

and for this exact reason of having to speculate when we rely on an external server, I would prefer utilising the sha512 files. (PS: if what you say is true and the underlying storage relies on the modified time of the file, is not the most reliable thing out there). Also, as you do mention above, you would solve another problem we currently have of not validating the components we download by hash, win win scenario 🙂

I would consider If-Changed-Since headers on say, S3 or GCS, to be reliable. Surely there's tons of code out there that relies on this working correctly. But the integrity check is useful regardless, because the mod time on the client isn't necessarily reliable, as many processes can easily mess with it, even by accident.

In the meantime, how about I submit a PR with just the download refactor? It has benefits on its own, like not passing the content of downloaded files as strings. 😅

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[michalpristas]

i suspect this is primarily for local usage.
also i would prefer to have other option as well meaning cleanup before build in case i had last build with KEEP and i changed my mind

[swiatekm]

i suspect this is primarily for local usage. also i would prefer to have other option as well meaning cleanup before build in case i had last build with KEEP and i changed my mind

Isn't mage clean good enough for that? I'd prefer not to add even more environment variables. We already have a ton.

[swiatekm]

I've rebased this change on #9218, making it much simpler. With #9226, we always verify checksums, so we'll immediately know if the artifacts API served us a stale download, or if the file is corrupted for whatever reason. So this change should be quite safe now. It's only really intended for local use, although we can later look into keeping the downloaded binaries on CI runners, if we want.

@pkoutsovasilis @michalpristas can you review again? 🙏

[pkoutsovasilis]

@swiatekm please merge the latest main in here; the failure you see is because I merged this one #9832 and I managed to hit your CI run just right in the middle; so the clean up step run with the latest code in main but the pipeline was loaded before the merge so any changes are lost.

PS: we are working on a solution to get away from such failures

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: cb04629

Failed CI Steps

• arm:sudo: default

History

• 💔 Build #26515 failed 9a9e956
• 💔 Build #26472 failed 4680a90
• 💛 Build #24654 was flaky 1dfd0c7
• 💔 Build #24426 failed d25fea1
• 💔 Build #24425 failed e0734b2

cc @swiatekm

[github-actions]

@Mergifyio backport 8.18 8.19 9.0 9.1

[mergify]

backport 8.18 8.19 9.0 9.1

✅ Backports have been created

• #9906 [8.18] (backport #9133) Cache binaries downloaded for packaging locally has been created for branch 8.18
• #9907 [8.19] (backport #9133) Cache binaries downloaded for packaging locally has been created for branch 8.19
• #9908 [9.0] (backport #9133) Cache binaries downloaded for packaging locally has been created for branch 9.0
• #9909 [9.1] (backport #9133) Cache binaries downloaded for packaging locally has been created for branch 9.1