Improve wheel building and provide ipaserver wheel for local testing #397
Conversation
| @@ -210,7 +215,7 @@ | |||
|
|
|||
| register = Registry() | |||
|
|
|||
| def convert_to_ipa_rule(rule): | |||
| def _convert_to_ipa_rule(rule): | |||
There was a problem hiding this comment.
This change is not related to pyhbac, should be in separate patch
There was a problem hiding this comment.
I made the function a private function because it uses pyhbac internally. Since it's only used internally, I figured out that it makes more sense to make it private than to add a check for pyhbac is not None here, too.
There was a problem hiding this comment.
I included a comment in the commit message.
tiran
force-pushed
the
ipaserver_bundle
branch
from
d17ff7e
to
5710587
Compare
|
@tiran I have very vague idea how this is helpful. You have mentioned it during post-devconf "API meeting". But I no longer remember it and description of this PR is very general. In order to move all the pypi patches forward, we need to document(maybe design) the whole pypi workflow. This is not mentioned in http://www.freeipa.org/page/V4/Build_system_refactoring nor in http://www.freeipa.org/page/V4/Integration_Improvements I.e. how FreeIPA project will work/supply packages to PYPI and what are actually the requirements for these packages. What is expected to work and what not (like everything related to pyhbac). Right now I have no idea what are the missing blocker parts and what are just nice-to-have things. Also I don't really like the part that the patches use custom repo of python-nss. But I'm glad that you are working with @jdennis to improve it. @stlaz, with PR #367 what are the remaining usages of python-nss? Could we actually get rid of python-nss completely? |
|
@pvoborni The remaining usages are server/CA certificates verification in |
|
@pvoborni The main reason for this PR is explained in the initial PR message. I like to run an IPA framework server with specially instrumented Python builds for profiling or for debugging. The special builds are powerful and incredible useful tools to find bugs or hot spots. Profile and debug builds have a different ABI than standard builds. Therefore I have to compile all C extensions myself to make them compatible with the new ABI. It is much easier than it sounds, because distutils, setuptools and pip just take care of all the complicated bits and pieces. But this works only for native Python packages. SSSD uses its own build system and has no packages on PyPI. It would take too much time and effort to change SSSD now. Commits 1f195bb and c69c30c make pyhbac and other SSSD components optional. Commit 905118a allows me to build all ipaserver wheel and full ipaclient wheels with Last but not least 5710587 is a workaround for a python-nss packaging issue. @jdennis is aware of the problem and will address it in due time. We can't get rid of python-nss. Dogtag PKI's Python modules depend on python-nss. |
|
To clarify and emphasis, this PR has nothing to do with the PyPI packaging effort. Zero. Zip. Nada. Nilch! The sole intent of this PR is debugging and profiling. It gives us tools to find bugs, to increase performance and to reduce memory usage. |
|
I can't say I agree with this approach. If this is just for testing, surely you can work around the missing |
ipaserver/setup.py
Outdated
| @@ -76,4 +70,12 @@ | |||
| 'IPASecStore = ipaserver.secrets.store:IPASecStore', | |||
| ], | |||
| }, | |||
| extras_require={ | |||
| # These packages are currently not available on PyPI. | |||
| "caacl": ["pyhbac"], | |||
There was a problem hiding this comment.
The missing pyhbac does not actually affect caacl, but cert - cert-request is the only place where the acl_evaluate function is called.
tiran
force-pushed
the
ipaserver_bundle
branch
from
5710587
to
c505a31
Compare
|
@HonzaCholasta FreeIPA has conditional imports for SSSD modules in several places, e.g. in the trust plugin. 96f614e closes the gap and applies the same technique to the last unconditional import from SSSD. |
|
The trust plugin and other trust bits are optional. The cert plugin, which depends on An acceptable compromise would be to skip the cert plugin entirely if try:
import pyhbac
except ImportError:
raise errors.SkipPluginModule(reason=_('pyhbac is not installed')) |
|
I didn't know about the |
tiran
force-pushed
the
ipaserver_bundle
branch
2 times, most recently
from
e51fe8b
to
ab6d1f1
Compare
|
@jdennis released python-nss 1.0.1. I removed my workaround. |
|
needs rebase |
ipaserver/plugins/caacl.py
Outdated
| try: | ||
| import pyhbac | ||
| except ImportError: | ||
| pyhbac = None |
There was a problem hiding this comment.
SkipPluginModule should be raised here as well. Alternatively, you could move acl_evaluate and this import to cert.py, since that the only place where it's used, and raise SkipPluginModule there.
|
I've moved the code to cert.py and raise SkipPluginModule from there. |
|
PR is blocked by #613 |
|
Please rebase, it is ok to me, I see potential for future server unit testing. I will test when rebased. If somebody is against this please say it now. |
|
LGTM. |
|
Thanks @MartinBasti I rebased the PR and added a small workaround for |
| @MK_ENDIF@ | ||
|
|
||
| # additional wheels for bundle, e.g. IPA_EXTRA_WHEELS="ipatests[webui] pylint" | ||
| IPA_EXTRA_WHEELS= |
There was a problem hiding this comment.
I added these two lines to document the intent of IPA_EXTRA_WHEELS.
| $(PYTHON) -m pip wheel \ | ||
| rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELBUNDLEDIR)/$(item)-*.whl) | ||
| @# dbus-python sometimes fails when MAKEFLAGS is set to -j2 or higher | ||
| MAKEFLAGS= $(PYTHON) -m pip wheel \ |
There was a problem hiding this comment.
That's the workaround for dbus-python.
|
Build failed: |
|
You need dbus-devel package. I opened https://pagure.io/freeipa/issue/6842 to track lack of documentation. |
|
So put it into specfile to |
|
And document in |
|
@MartinBasti |
|
@tiran sorry, but then something doesn't work as expected Probably because |
tiran
force-pushed
the
ipaserver_bundle
branch
2 times, most recently
from
8764e8d
to
60f2d3c
Compare
|
Missing dependency |
|
Sigh, I got it. |
|
Can you rebase please? I see Ben's commits in this PR |
The pyhbac module is part of SSSD. It's not available as stand-alone PyPI package. It would take a lot of effort to package it because the code is deeply tight into SSSD. Let's follow the example of other SSSD Python packages and make the import of pyhbac conditionally. It's only necessary for caacl and hbactest plugins. I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it does not check for presence of pyhbac package itself. The check is performed earlier in execute(). The prefix indicates that it is an internal function and developers have to think twice before using it in another place. This makes it much easier to install ipaserver with instrumented build of Python with a different ABI or in isolated virtual envs to profile and debug the server. Signed-off-by: Christian Heimes <cheimes@redhat.com>
ipaserver did not have extra_requires to state additional dependencies. Signed-off-by: Christian Heimes <cheimes@redhat.com>
To create a wheel bundle with ipaserver and its dependencies:
make wheel_bundle IPA_SERVER_WHEELS=1
To include additional dependencies:
make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
tiran
force-pushed
the
ipaserver_bundle
branch
2 times, most recently
from
9b753e5
to
c8c9450
Compare
The PR improve wheel bundle building and allows ipaserver bundles for local testing
with instrumented build of Python. Debug builds and instrumented builds can have a different binary interface (ABI). For example it is useful for dtrace or test installations in a virtual env. ipaplatform and ipaserver will not be uploaded to PyPI, though.