Closed Bug 1692400 Opened 8 months ago Closed 8 months ago

updatebot docker image fails to build: error: Can not find Rust compiler


(Release Engineering :: General, defect)



(firefox87 fixed)

Tracking Status
firefox87 --- fixed


(Reporter: glandium, Assigned: tjr)


(Blocks 1 open bug)



(1 file)

The docker image is rebuilt when one of its ancestors is rebuilt, and when that happens, it fails with:

    copying src/cryptography/py.typed -> build/lib.linux-x86_64-3.7/cryptography
    running build_ext
    generating cffi module 'build/temp.linux-x86_64-3.7/_padding.c'
    creating build/temp.linux-x86_64-3.7
    generating cffi module 'build/temp.linux-x86_64-3.7/_openssl.c'
    running build_rust
        =============================DEBUG ASSISTANCE=============================
        If you are seeing a compilation error please try the following steps to
        successfully install cryptography:
        1) Upgrade to the latest pip and try again. This will fix errors for most
           users. See:
        2) Read for specific
           instructions for your platform.
        3) Check our frequently asked questions for more information:
        4) Ensure you have a recent Rust toolchain installed:
        5) If you are experiencing issues with Rust for *this release only* you may
           set the environment variable `CRYPTOGRAPHY_DONT_BUILD_RUST=1`.
        =============================DEBUG ASSISTANCE=============================
    error: Can not find Rust compiler

This is due to the recent change in the python cryptography module, that now has a dependency on rust. It wouldn't be a problem if they provided wheels for python 3.7, but they don't.

This raises the problem that what's installed in the docker image depends on when the docker image is built, which is also not great. Ideally, we'd have versions frozen, and checked with sha256s. In this instance, that would also allow to pin to a version that doesn't require rust.

Flags: needinfo?(tom)

(Upgrading pip would be another workaround)

I think what's happening is that python-requests is pulling in python-cryptography. Updatebot itself does pin versions in poetry.

What do you recommend about this situation? It seems like this is specific instance of a generic problem we have with our Dockerfiles and just happened to manifest here vs in some other Dockerfile?

From my limited understanding, apt supports doing something like apt-get install foo=<version> which would pin by version (but not SHA.) But I don't think we do that anywhere else in-tree. I'm not sure how to pin apt packages by SHA.

I'm happy enough with a workaround if this is something that's going to need to be tackled eventually for all our Dockerfiles...

Flags: needinfo?(tom) → needinfo?(mh+mozilla)

(Note that one reason we use Debian in docker images is that apt packages don't change much, this is not a case of apt going rogue ; Also note that in the case of this particular image, it's not based on the snapshot-based Debian images, but that's not really a concern, although ideally, this would need fixing, but there's no rush)

I realize I had forgotten to link to the full log:

This all starts from python3 -m pip install poetry... ironic.

Flags: needinfo?(mh+mozilla)

This enables us to get a wheel for python cryptography instead of
building it ourselves, which breaks because we don't have a rust

Assignee: nobody → tom
Pushed by
Update pip before using it r=glandium
Closed: 8 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.