C2(authentik-source-build): close authentik-python-backend-derivation
Python backend builds and verifies on ringtail. Updated lessons learned with dynamic store-ref discovery, pipefail/grep fixes, and build results.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent
eb11d7c960
commit
11995f8d4e
1 changed files with 9 additions and 6 deletions
|
|
@ -1,7 +1,6 @@
|
|||
---
|
||||
title: Build Authentik Python Backend
|
||||
modified: 2026-02-28
|
||||
status: active
|
||||
modified: 2026-03-01
|
||||
requires:
|
||||
- mirror-authentik-build-deps
|
||||
tags:
|
||||
|
|
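Review bot: In the frontmatter, `status: active` is removed without a replacement value. The hunk shrinks from 7 lines to 6 and the only line pair with a counterpart is `modified:`, so the page ends up with no `status` key at all. The commit subject says this closes the derivation task; if the tooling that reads this frontmatter treats a missing status as closed, a short note to that effect in the commit message would help, otherwise set an explicit closed value so the state is recorded rather than implied.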
@ -52,7 +51,7 @@ Nix builds are sandboxed with no network access. The pattern is:
|
|||
- The 4 in-tree packages are installed from monorepo source, not PyPI
|
||||
- Standard `djangorestframework` 3.16.1 from PyPI (no longer forked as of 2026.2.0)
|
||||
|
||||
## Lessons Learned (WIP)
|
||||
## Lessons Learned
|
||||
|
||||
Build issues encountered and resolved:
|
||||
|
||||
|
|
@ -62,10 +61,14 @@ Build issues encountered and resolved:
|
|||
| gssapi `gss_acquire_cred_impersonate_name` undeclared | `NIX_CFLAGS_COMPILE="-include gssapi/gssapi_ext.h"` — function is in `gssapi_ext.h`, not auto-included |
|
||||
| xmlsec linker error `-lltdl` | Add `pkgs.libtool` to buildInputs (provides libltdl) |
|
||||
| psycopg-c needs `libpq` | Add `pkgs.libpq` to buildInputs |
|
||||
| FOD references 19 store paths | Strip with `remove-references-to`, delete `bin/` and `.pyc` files, placeholder `pyvenv.cfg` |
|
||||
| Still 6 residual store refs | Need to add `glibc.dev` and other `-dev` outputs to `refTargets` list — WIP |
|
||||
| Static `refTargets` list missed 6 store refs | Replaced with dynamic discovery: `grep -aohE '/nix/store/...'` finds all refs, `remove-references-to` strips them |
|
||||
| `xargs grep` exit code 123 under `pipefail` | Wrap pipeline in `{ ... \|\| true; }` — grep returning 1 (no match) causes xargs to return 123 |
|
||||
| `grep -aoE` includes filename prefix in output | Use `grep -aohE` (`-h` suppresses filenames) to get clean store paths |
|
||||
| autoPatchelfHook can't find libraries | `buildInputs` in main derivation must include all libraries that `.so` files link against |
|
||||
|
||||
The `uv sync` completes in ~3.5 minutes. Reference stripping reduced 19 → 6 remaining store refs. Next iteration needs to capture all remaining dev/lib output paths in the `refTargets` list.
|
||||
The `uv sync` completes in ~3.5 minutes. Dynamic reference discovery finds 19 unique store paths and strips all of them. After stripping, `remove-references-to` mangles hashes to `eeee...` bytes — about 40 files still "contain" `/nix/store/` strings but with invalid hashes, which is expected and harmless. `autoPatchelfHook` in the main derivation resolves all NEEDED entries with 0 unsatisfied dependencies.
|
||||
|
||||
Build verified: `$out/bin/python3.14 -c "import authentik"` succeeds, along with all key dependencies (django 5.2.11, lxml, xmlsec, psycopg, guardian, opencontainers).
|
||||
|
||||
## Related
|
||||
|
||||
|
|
|
|||
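Review bot: In the `xargs grep` row, wrapping the pipeline in `{ ... || true; }` discards every non-zero exit, not only the no-match case, because xargs reports 123 for any grep invocation that exits non-zero, including a grep read error (exit 2). A discovery step that fails this way would produce a short or empty list of store paths, and the strip step would then run without complaint. Consider following the strip with a check that re-runs the same discovery and fails the build if any path with a valid hash is still found. That check would also back the "about 40 files ... expected and harmless" statement in the summary paragraph with something the build enforces. Separately, the `Static refTargets` row abbreviates the pattern as `'/nix/store/...'`; since this page is the record of the fix, either give the full expression or point to the derivation file where it lives, so the row can be reproduced.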