Bazel and rules_go packaging

I am trying to package Kythe, which is a Google package built with Bazel. This already sounds treacherous and it is. My attempt so far is here.

I started trying to use the buildBazelPackage function which is provided in nixpkgs.

The first problem that I had was that I needed to modify the WORKSPACE file in order to set go_register_toolchains(go_version = "host"). That was inspired by this issue on the rules_go issue tracker. That helped get the build further.

The next problem I encountered is that the build script tries to use git clone. The build fails at this point with the error:

fatal: unable to access 'https://github.com/golang/protobuf/': SSL certificate problem: unable to get local issuer certificate

Has anyone successfully built a bazel package which uses rules_go from source?

There aren’t many examples in nixpkgs already. Perhaps @benley had some success?

I was getting a similar issue while trying to package bazel-watcher, and IIRC, you have to use the fetchAttrs to download any of the dependencies, perhaps run go get in the preBuild or the postBuild attributes of the fetchAttrs. See the buildBazelPackage relevant code.

There’s also Tensorflow as another example, in Java though.

1 Like

The trick is to download dependencies in a separate derivation. @Profpatsch can say a lot more.

Are you suggesting that I nixify the repository information found in the WORKSPACE file and then patch the WORKSPACE file to use these versions that would exist in the nix store? There are a lot of precisely pinned dependencies so this would be quite a bit of effort.

As I understand it I must stop bazel trying to run git clone and the only way I can see to do that is to modify the go_repository rule.

@kalbasit I don’t think that go get will do the right thing (without knowing what it does exactly). Does it read information in the WORKSPACE file? The dependencies are specified very precisely there, so unless it does, it will surely fetch the wrong thing.

I was not suggesting go get but I was suggesting to do bazel fetch //... which will import all those dependencies as specified by the WORKSPACE.

Hey @mpickering, so I finally managed to package bazel-watcher. The build was failing for me in the same manner that it’s failing for you.

The fix has two parts:

  • You need to export the variable GIT_SSL_CAINFO="${cacert}/etc/ssl/certs/ca-bundle.crt" in the derivation's fetchAttrs.preBuild.
  • You need to make sure whatever script is failing the git clone is honoring GIT_SSL_CAINFO; in my case that was coming from bazel-gazelle, and I ended up filing a pull request upstream.

The bazel-watcher PR is here.

2 Likes
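
A sketch of where the two settings from this thread (the go_version = "host" patch and GIT_SSL_CAINFO) sit in a buildBazelPackage expression, as an added example that is not taken from the bazel-watcher PR or the Kythe attempt. The package name, source, Bazel target, output path and hashes are placeholders, the sed line assumes WORKSPACE contains a literal go_register_toolchains() call, and attribute names other than fetchAttrs.preBuild are as I know them from nixpkgs and may differ in your revision.

```nix
# Added example: every name, path and hash marked "placeholder" is hypothetical.
{ buildBazelPackage, fetchFromGitHub, cacert, git, go }:

buildBazelPackage rec {
  name = "example-go-tool-${version}";   # placeholder package
  version = "0.0.0";

  src = fetchFromGitHub {
    owner = "example";                   # placeholder
    repo = "example-go-tool";            # placeholder
    rev = "v${version}";
    sha256 = "0000000000000000000000000000000000000000000000000000"; # placeholder
  };

  nativeBuildInputs = [ git go ];

  bazelTarget = "//cmd/example";         # placeholder target

  # Fetch phase: a fixed-output derivation, so it is the phase that may
  # reach the network to resolve the repositories named in WORKSPACE.
  fetchAttrs = {
    preBuild = ''
      # Use the Go toolchain from PATH instead of letting rules_go download one.
      sed -i 's:go_register_toolchains():go_register_toolchains(go_version = "host"):' WORKSPACE

      # Point git at a CA bundle so the TLS check on the clone can succeed
      # inside the sandbox; certificate verification stays enabled.
      export GIT_SSL_CAINFO="${cacert}/etc/ssl/certs/ca-bundle.crt"
    '';
    # placeholder: hash of the fetched dependency tree
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };

  # Build phase: works from the fetched dependencies, so it needs the same
  # WORKSPACE patch but no CA bundle.
  buildAttrs = {
    preBuild = ''
      sed -i 's:go_register_toolchains():go_register_toolchains(go_version = "host"):' WORKSPACE
    '';
    installPhase = ''
      # placeholder output path
      install -Dm755 bazel-bin/cmd/example/example $out/bin/example
    '';
  };
}
```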