Skip to content

Add more options to df_engine docker build, slim down features for some packages #1540

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
albertlockett merged 9 commits into from
Dec 8, 2025
Merged

Add more options to df_engine docker build, slim down features for some packages #1540

albertlockett merged 9 commits into from
Dec 8, 2025
+24 −9

Conversation

@JakeDern
Copy link
Contributor

@JakeDern JakeDern commented Dec 6, 2025
edited
Loading

This PR addresses a few problems that I ran into getting df_engine running in my kubernetes environment. The end result of all this is that you can now run a docker build like this: docker build --build-arg FEATURES="azure" --build-arg RUSTFLAGS="-C target-feature=-gfni" --build-arg DEBUG=1 --build-context otel-arrow=../../ -f Dockerfile -t df_engine .

TLS

Some of the Azure SDK crates + reqwest have a lot of default features enabled that we are not using and which rely on linking with openssl for TLS. This was giving me trouble with our musl build.

I've disabled default features for these packages at the workspace level and opted for using rustls-tls with reqwest in the otap crate.

Configuring the docker build

  • Added the FEATURES build arg to the dockerfile and the cross platform build script so that you can turn on features like azure when building
  • Added the ability to specify RUSTFLAGS for the docker build so that we can turn some features on or off when compiling which brings me to my next item...

Adding some optional debug utils to the image

When running on k8s I was getting very mysterious crashes after a couple of seconds with 0 logs to stdout. Remoting into the container and running the binary gave me the "Illegal instruction (core dumped)" message, which was a start.

After checking the obvious vector extensions like SSE/AVX/AVX512, I was stumped. So, I added gdb to the container and found the exact instruction which is the longest mnemonic I have ever seen (comes from arrow's buffer crate):

(gdb)  x/i $pc
=> 0x7ffff745fb4f <new+463>:    vgf2p8affineqb $0x0,%ymm3,%ymm5,%ymm5

Turns out my laptop has support for a specific feature called gfni, which the nodes with Intel Xeon processors that I was running did not.

I think this will not be the last time someone needs to debug a native code/cross-compilation problem, so I added an option to the build called DEBUG that will include gdb (and maybe other debug utilities in the future) in the image.

@github-actions github-actions bot added the rust Pull requests that update Rust code label Dec 6, 2025
@codecov
Copy link

codecov bot commented Dec 6, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.52%. Comparing base (b3ee4b0) to head (c6171b6).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1540      +/-   ##
==========================================
+ Coverage   83.44%   83.52%   +0.08%     
==========================================
  Files         428      428              
  Lines      119043   119720     +677     
==========================================
+ Hits        99338   100000     +662     
- Misses      19171    19186      +15     
  Partials      534      534
Components Coverage Δ
otap-dataflow 84.69% <ø> (+0.08%) ⬆️
query_abstraction 80.61% <ø> (ø)
query_engine 90.30% <ø> (+0.03%) ⬆️
syslog_cef_receivers ∅ <ø> (∅)
otel-arrow-go 53.50% <ø> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@JakeDern JakeDern changed the title Add more options to otap_df docker build, slim down features for some packages Add more options to df_engine docker build, slim down features for some packages Dec 6, 2025
@JakeDern JakeDern marked this pull request as ready for review December 6, 2025 21:11
@JakeDern JakeDern requested a review from a team as a code owner December 6, 2025 21:11
lalitb
lalitb reviewed Dec 7, 2025
View reviewed changes
rust/otap-dataflow/crates/otap/Cargo.toml Outdated
azure_identity = { workspace = true, optional = true }
flate2 = { workspace = true, optional = true }
reqwest = { workspace = true, optional = true }
reqwest = { workspace = true, optional = true, default-features = false, features = ["rustls-tls"] }
Copy link
Member

@lalitb lalitb Dec 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of comments here -

  • No need to repeat [default-features = false] in the crate if the workspace already sets it.
  • It’s better to let the crate manage its own reqwest features instead of forcing them at the workspace level.
  • Pick one of rustls-tls or rustls-tls-native-roots. They both pull in their own CA bundles, so using both at once doesn’t help.

Copy link
Contributor Author

@JakeDern JakeDern Dec 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the review!

No need to repeat [default-features = false] in the crate if the workspace already sets it.

Good to know! Removed it in the otap crate.

It’s better to let the crate manage its own reqwest features instead of forcing them at the workspace level.

Makes perfect sense, removed at the workspace level.

Pick one of rustls-tls or rustls-tls-native-roots. They both pull in their own CA bundles, so using both at once doesn’t help.

Good catch, I meant to pick rustls-tls not rustls-tls-native-roots and forgot to update both places. Removed the workspace level feature anyways now, so we just have rustls-tls in the otap crate.

@lalitb
Copy link
Member

lalitb commented Dec 7, 2025
edited
Loading

One thing to keep in mind: the PR switches the TLS backend from native-tls (OpenSSL or BoringSSL) to rustls with ring. That solves the musl build issue, but ring isn’t FIPS 140-2 or 140-3 certified. If FIPS compliance becomes important later, we might want to look at rustls-tls-aws-lc-rs instead since aws-lc is FIPS validated, or potentially move back to native-tls. Not a blocker, just something to be aware of.

@JakeDern
Copy link
Contributor Author

JakeDern commented Dec 7, 2025
edited
Loading

One thing to keep in mind: the PR switches the TLS backend from native-tls (OpenSSL or BoringSSL) to rustls with ring. That solves the musl build issue, but ring isn’t FIPS 140-2 or 140-3 certified. If FIPS compliance becomes important later, we might want to look at rustls-tls-aws-lc-rs instead since aws-lc is FIPS validated, or potentially move back to native-tls. Not a blocker, just something to be aware of.

Yeah absolutely, my goal here is just to try to get things working in the context of the existing docker build. We actually have a couple of other challenges on the Microsoft side related to crypto with this project, because rustls-tls-aws-lc-rs is not an approved library internally either, despite the FIPS compliance, and there's no plan for it to be.

I started trying to get arrow-rs-object-store to allow for pluggable crypto a few months ago rather than just swap from ring to rustls-tls-aws-lc-rs, but I haven't had time to revisit the work: apache/arrow-rs-object-store#462.

albertlockett
albertlockett reviewed Dec 8, 2025
View reviewed changes
@jmacd jmacd added this pull request to the merge queue Dec 8, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 8, 2025
@albertlockett albertlockett added this pull request to the merge queue Dec 8, 2025
Merged via the queue into open-telemetry:main with commit 99113cf Dec 8, 2025
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmacd jmacd jmacd approved these changes

@albertlockett albertlockett albertlockett approved these changes

+2 more reviewers

@lalitb lalitb lalitb left review comments

@clhain clhain clhain left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

rust Pull requests that update Rust code

Projects

OTel-Arrow
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@JakeDern @lalitb @jmacd @albertlockett @clhain