Can't compile bazel behind a proxy

[phdeniel]

Hi,

I'd like to compile bazel on Fedora28. Since bazel requires bazel for compiling, I have installed a bazel 0.22 from Fedora/Copr repository. I ran the compile.sh script which tells to run "bazel build //src:bazel". So far, evrything is fine. But my machine is behind a SQUID proxy (running on another machine on port 1080 with no auth), and I have http_proxy + https_proxy pointing to that proxy, and no_proxy=localhost,127.0.0.1. It seems like bazel does not like proxies at all, for I have the following result. The address 10.200.255.254:1080 is my proxy, it works fine with wget, curl of dnf. Fun fact : bazel 0.22 says it can't download https://mirror.bazel.build/openjdk/azul-zulu11.29.3-ca-jdk11.0.2/zulu11.29.3-ca-jdk11.0.2-linux_x64-minimal-90755145cb6e6418584d8603cd5fa9afbb30aecc-1549209948.tar.gz but wget actually can download it. It seems like bazel does not care about my proxy envvar. What should I do ?

Extract from the command-line: $ bazel build //src:bazel INFO: Invocation ID: 7f267cd1-51f6-4d91-85db-afc797b1323b ERROR: /home/denielp/bazel/src/BUILD:219:1: no such package '@openjdk_linux_minimal//file': java.io.IOException: Error downloading [https://mirror.bazel.build/openjdk/azul-zulu11.29.3-ca-jdk11.0.2/zulu11.29.3-ca-jdk11.0.2-linux_x64-minimal-90755145cb6e6418584d8603cd5fa9afbb30aecc-1549209948.tar.gz] to /home/denielp/.cache/bazel/_bazel_denielp/4884ab1c8a85fee5e1fa7c3b610b7efb/external/openjdk_linux_minimal/file/zulu-linux-minimal.tar.gz: Proxy address 10.200.255.254:1080 is not a valid URL and referenced by '//src:embedded_jdk_minimal_cached' ERROR: Analysis of target '//src:bazel' failed; build aborted: Analysis failed INFO: Elapsed time: 12.851s INFO: 0 processes. FAILED: Build did NOT complete successfully (1 packages loaded, 1 target configured) currently loading: tools/build_defs/repo Fetching @openjdk_linux_minimal; fetching 12s Fetching @remotejdk_linux; fetching 12s Fetching @bazel_skylib; fetching 12s Fetching @desugar_jdk_libs; fetching 12s

[aehlig]

I'd like to compile bazel on Fedora28. Since bazel requires bazel for compiling, [...]

There is also the option of bootstrapping from a distribution archive; those are also available for release candidates, see, e.g., https://releases.bazel.build/0.23.0/rc1/index.html

[...] "bazel build //src:bazel". But my machine is behind a SQUID proxy [...] Fun fact : bazel 0.22 says it can't download https://mirror.bazel.build/openjdk/azul-zulu11.29.3-ca-jdk11.0.2/zulu11.29.3-ca-jdk11.0.2-linux_x64-minimal-90755145cb6e6418584d8603cd5fa9afbb30aecc-1549209948.tar.gz but wget actually can download it. [...] What should I do ?

Unfortunately, bazel's download utility and proxies is a known issue.

A quick work around is to manually download the needed files and put them to some directory. Then you can tell bazel using the --distdir option to first search there before even going to network, e.g., bazel build --distdir /path/to/where/you/put/the/files/ //src:bazel.

Also, if you have a jdk on your system already (e.g., the one taken from your distribution) there is no need to download one freshly; you can tell bazel to using by providing the option --host_javabase=@local_jdk//:jdk, i.e., bazel build --host_javabase=@local_jdk//:jdk //src:bazel.

[phdeniel]

Thanks for your answer.

Is there no hope for having that bazel download issue fixed so that proxy could be used ? The workaround that you suggested is certainly a better and faster solution. I do have complementary questions : 1) can I put all the files that I will download in the same directory, even if they are from different locations ? Won't I mess up bazel when doing that ? 2) How can I get the list of all the files that I need to download ? This question does not apply to compiling bazel, but will apply to compiling TensorFlow. How can I ask a "bazel managed tree" to tell me everything it needs to be downloaded ?

[aehlig]

1. can I put all the files that I will download in the same directory, even if they are from different locations ? Won't I mess up bazel when doing that ?

The way --distdir works is that, whenever asked to fetch a file with a provided sha256 sum, bazel first takes the "basename" of the first provided URL and then checks in in all directories provided via a --distdir argument for a file with that name (that's a single stat(2) per directory) and, if present, checks is the hash matches. If in that way a file with the correct hash is found, it is taken instead of downloading.

The --distdir option can be given multiple times to provide multiple directories to search for, and read-only access is enough; so a shared directory of upstream archives can be used.

2. How can I get the list of all the files that I need to download ?  [...]

If someone with network access can do a clean build of the project, the fetches can be recorded. Unfortunately, by the imperative nature of WORKSPACE files, there is, in general, no way of knowing all the external dependencies ahead of time without executing (a WORKSPACE file can define a repository and then load a symbol form a bzl file in it and call the loaded function which then can define more external repositories).

[rogerhu]

Bazel supports proxies but remember that basic HTTP auth is disabled in JDK8 (https://confluence.atlassian.com/kb/basic-authentication-fails-for-outgoing-proxy-in-java-8u111-909643110.html):

Make sure to pass that flag in:

bazel --host_jvm_args="-Djdk.http.auth.tunneling.disabledSchemes=" <cmd>

[pamgluss-slack]

Bazel supports proxies but remember that basic HTTP auth is disabled in JDK8 (https://confluence.atlassian.com/kb/basic-authentication-fails-for-outgoing-proxy-in-java-8u111-909643110.html):

Make sure to pass that flag in:

bazel --host_jvm_args="-Djdk.http.auth.tunneling.disabledSchemes=" <cmd>

I'm wondering if I could get a further elaboration on this -- is there a PR to review where proxy variables being respected by bazel build is introduced?

We have http_proxy et all in our environment and go environment but are running into timeouts when using bazel build specifically to import go modules.

From a teammate (paraphrasing slightly)

Bazel is failing to download certain golang dependencies (doesn't seem to respect HTTP_PROXY env variables and the proxy) using go get directly seems to work.  Commands like bazel build :gen work just fine on my non-(proxy'd) ec2 but don't work on a newer (proxy'd) enabled ec2.

...

why is Bazel not respecting the HTTP_PROXY environment variable, or (more likely since Bazel explicitly says it does respect it), why is it not propagating that variable to subprocesses like go when it needs to fetch packages?

I have been facing this problem:

08:50:36  ***/agenda/cmd/cli imports
08:50:36    github.com/spf13/cobra: github.com/spf13/cobra@v1.6.0: Get "https://proxy.golang.org/github.com/spf13/cobra/@v/v1.6.0.zip": dial tcp 172.253.63.141:443: i/o timeout
08:50:36  ***/agenda/cmd/looper imports
08:50:36    github.com/prometheus/client_golang/prometheus/promhttp: github.com/prometheus/client_golang@v1.12.1: Get "https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.12.1.zip": dial tcp 172.253.63.141:443: i/o timeout
...

Where adding the line you mention to our bazel build ... command does not change the behavior