feat(tvix/store): use reqwests' rustls-native-roots feature

This makes reqwest honor `SSL_CERT_FILE` - previously it was using the
chain bundled in webpki-roots.

`object_store` pulls in `reqwest` with this feature, and the cargo
solver will enable that feature globally as soon as we pull it in, as it
assumes features are additive.

This requires setting `SSL_CERT_FILE` when running tests, otherwise
they'll fail with the unhelpful "NotFound" error.

This was quite some fun to debug, why adding `object_store` to
tvix-castore suddenly made tvix-store tests fail!

Change-Id: I64fc82b4d994715480efdb1ffecb279716456ab9
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11090
Reviewed-by: raitobezarius <tvl@lahfa.xyz>
Tested-by: BuildkiteCI
This commit is contained in:
Florian Klink 2024-03-03 16:47:32 +02:00 committed by flokli
parent 4b4443240e
commit 1c16dee207
4 changed files with 14 additions and 23 deletions

8
tvix/Cargo.lock generated
View file

@ -2233,6 +2233,7 @@ dependencies = [
"percent-encoding", "percent-encoding",
"pin-project-lite", "pin-project-lite",
"rustls", "rustls",
"rustls-native-certs",
"rustls-pemfile", "rustls-pemfile",
"serde", "serde",
"serde_json", "serde_json",
@ -2247,7 +2248,6 @@ dependencies = [
"wasm-bindgen-futures", "wasm-bindgen-futures",
"wasm-streams", "wasm-streams",
"web-sys", "web-sys",
"webpki-roots",
"winreg", "winreg",
] ]
@ -3802,12 +3802,6 @@ dependencies = [
"wasm-bindgen", "wasm-bindgen",
] ]
[[package]]
name = "webpki-roots"
version = "0.25.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
[[package]] [[package]]
name = "which" name = "which"
version = "4.4.2" version = "4.4.2"

View file

@ -6710,6 +6710,12 @@ rec {
target = { target, features }: (!("wasm32" == target."arch" or null)); target = { target, features }: (!("wasm32" == target."arch" or null));
features = [ "dangerous_configuration" ]; features = [ "dangerous_configuration" ];
} }
{
name = "rustls-native-certs";
packageId = "rustls-native-certs";
optional = true;
target = { target, features }: (!("wasm32" == target."arch" or null));
}
{ {
name = "rustls-pemfile"; name = "rustls-pemfile";
packageId = "rustls-pemfile"; packageId = "rustls-pemfile";
@ -6790,12 +6796,6 @@ rec {
target = { target, features }: ("wasm32" == target."arch" or null); target = { target, features }: ("wasm32" == target."arch" or null);
features = [ "AbortController" "AbortSignal" "Headers" "Request" "RequestInit" "RequestMode" "Response" "Window" "FormData" "Blob" "BlobPropertyBag" "ServiceWorkerGlobalScope" "RequestCredentials" "File" "ReadableStream" ]; features = [ "AbortController" "AbortSignal" "Headers" "Request" "RequestInit" "RequestMode" "Response" "Window" "FormData" "Blob" "BlobPropertyBag" "ServiceWorkerGlobalScope" "RequestCredentials" "File" "ReadableStream" ];
} }
{
name = "webpki-roots";
packageId = "webpki-roots";
optional = true;
target = { target, features }: (!("wasm32" == target."arch" or null));
}
{ {
name = "winreg"; name = "winreg";
packageId = "winreg"; packageId = "winreg";
@ -6875,7 +6875,7 @@ rec {
"wasm-streams" = [ "dep:wasm-streams" ]; "wasm-streams" = [ "dep:wasm-streams" ];
"webpki-roots" = [ "dep:webpki-roots" ]; "webpki-roots" = [ "dep:webpki-roots" ];
}; };
resolvedDefaultFeatures = [ "__rustls" "__tls" "hyper-rustls" "rustls" "rustls-pemfile" "rustls-tls" "rustls-tls-webpki-roots" "stream" "tokio-rustls" "tokio-util" "wasm-streams" "webpki-roots" ]; resolvedDefaultFeatures = [ "__rustls" "__tls" "hyper-rustls" "rustls" "rustls-native-certs" "rustls-pemfile" "rustls-tls-native-roots" "stream" "tokio-rustls" "tokio-util" "wasm-streams" ];
}; };
"ring" = rec { "ring" = rec {
crateName = "ring"; crateName = "ring";
@ -11009,7 +11009,7 @@ rec {
name = "reqwest"; name = "reqwest";
packageId = "reqwest"; packageId = "reqwest";
usesDefaultFeatures = false; usesDefaultFeatures = false;
features = [ "rustls-tls" "stream" ]; features = [ "rustls-tls-native-roots" "stream" ];
} }
{ {
name = "sha2"; name = "sha2";
@ -12346,13 +12346,6 @@ rec {
} }
]; ];
};
"webpki-roots" = rec {
crateName = "webpki-roots";
version = "0.25.3";
edition = "2018";
sha256 = "045g7az4mj1002m55iydln4jhyah4br2n0zms3wbz41vicpa8y0p";
}; };
"which" = rec { "which" = rec {
crateName = "which"; crateName = "which";

View file

@ -36,7 +36,7 @@ tvix-castore = { path = "../castore" }
url = "2.4.0" url = "2.4.0"
walkdir = "2.4.0" walkdir = "2.4.0"
async-recursion = "1.0.5" async-recursion = "1.0.5"
reqwest = { version = "0.11.22", features = ["rustls-tls", "stream"], default-features = false } reqwest = { version = "0.11.22", features = ["rustls-tls-native-roots", "stream"], default-features = false }
xz2 = "0.1.7" xz2 = "0.1.7"
[dependencies.tonic-reflection] [dependencies.tonic-reflection]

View file

@ -24,6 +24,10 @@ in
(depot.tvix.crates.workspaceMembers.tvix-store.build.override { (depot.tvix.crates.workspaceMembers.tvix-store.build.override {
runTests = true; runTests = true;
testPreRun = ''
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;
'';
# virtiofs feature currently fails to build on Darwin. # virtiofs feature currently fails to build on Darwin.
# we however can ship it for non-darwin. # we however can ship it for non-darwin.
features = if pkgs.stdenv.isDarwin then [ "default" ] else [ "default" "virtiofs" ]; features = if pkgs.stdenv.isDarwin then [ "default" ] else [ "default" "virtiofs" ];