-
Notifications
You must be signed in to change notification settings - Fork 944
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Virtual Environment for Python Deps #2294
Conversation
@lindluni took some liberties on your bash script :) |
@ferrarimarco this should help with #2224 |
@admiralAwkbar I'll fix the issue later tonight. I need to build outside of virtualenv, otherwise it tries to link against that interpreter instead of the one installed in the container |
dependencies/requirements.txt
Outdated
@@ -0,0 +1,13 @@ | |||
ansible-lint[core]==5.2.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would recommend a separate requirements.txt
for each dependency.
This will fail to upgrade certain dependencies that have fixed dependencies on each other (like snakefmt
).
Also, black
below is a regression compared to the current working version.
Dependabot works with directories, so you could have a python
folder with a .txt
for each tool, then do something like this in build-python-binaries.sh
:
while read -r line; do
# Install dependency
pipx install "${line}"
done < ./python/*.txt
With this we can also remove the self-contained black binary install. |
Maybe I'm missing the point, but how is this going to help? If dependencies are conflicting during updates, they're going to conflict during the installation as well, right? |
They won't because pipx installs each tool in its own virtualenv. Separation of the dependencies would allow dependabot to upgrade each tool independently. If they're in the same requirements.txt, then dependabot will try to ensure that the versions don't conflict and may hold back updates. |
Best I could figure pipx doesn't support requirement files, it runs purely npx. Switched to virtual environments instead. Can't say python is in any way shape or form my forte, but this works. Need to come back and revisit the size by pruning and reusing where we can, and need to update the README for adding new deps. |
I also need to add doc on updating the deps |
It doesn't, but it does support the standard python requirements specifier. One thing I noticed is that the there are multiple requirements listed per tool. Why is that? Instead of fixing transitive dependencies, it's probably better to just let Lastly, instead of having a directory per-tool with a EDIT: Looking at the dependabot code again, it's not clear if separate requirements files in the same directory will result in dependabot trying to resolve each file separately or as one giant unit. I can probably come up with a quick test to verify and report back.
I'm happy to help if that would be useful. Also, my apologies to Github staff if I'm stepping out of line with these comments, just happened to have looked into this already and I think it could be simpler. |
@jalaziz the issue with not fixing the transitive deps is you never know if a transitive dep has a vulnerability in it. Dependabot can only tell if the package listed has a vulnerability. So if I fail to list the transitive deps, we are at the mercy of the upstream project to patch the vulnerability, and we will never know if we are consuming vulnerable dependencies because the upstream failed to patch something. It lets us make informed decisions about the dependencies we are consuming, to remove them, fork them, or to help patch an upstream project when we can. And by no means are you out of line. We are a community and we are here to learn from each other. |
I'm also not saying my approach is best, good, or anything of the sort, I personally think the use of virtual environments is far too heavy, my first go around was to actually compile all the projects with pyinstaller, but ansible-core was a nightmare to do that with |
Yeah, that's totally fair. I was actually wondering if Dependabot would actually do the right thing after my comment and started questioning it myself. In that case, yeah, virtualenvs are probably a safe bet.
Oh lord, I can imagine. That being said, virtualenvs may not be too bad. If setup correctly, virtual envs will share the system's python through symlinks. That would be roughly equivalent or better to what you'd be getting with PyInstaller (minus potential compression and other small optimizations). |
Also, I think the Dependabot config will definitely need updating now as I don't believe it recurses into subdirectories (dependabot/dependabot-core#2178 and dependabot/dependabot-core#1015). |
Still need to update dependabot, and add the readme, but this is ready for everyone's thoughts |
We use virtual environments and no longer install the packages via pip directly in the image. It should be enough that the version tests check for the existence already and that the version comes back correctly.
Rebase failed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dank fixes all around
Looks like the dependabot update was still missing from this PR. Should I open a new PR? |
@jalaziz PR's are always welcome :) |
* Build static python depenencies * Address linting * Fix copy path * cleaner * Stage virtual environments * Update Dockerfile to support virtual environments * Remove old python builds * Remove unnecessary RUN step * Fix merge conflicts * Remove test checking for PIP packages We use virtual environments and no longer install the packages via pip directly in the image. It should be enough that the version tests check for the existence already and that the version comes back correctly. * Remove binary installation of black * cleaner * Remove pip * pretty Co-authored-by: Admiral Awkbar <admiralawkbar@github.com>
* Build static python depenencies * Address linting * Fix copy path * cleaner * Stage virtual environments * Update Dockerfile to support virtual environments * Remove old python builds * Remove unnecessary RUN step * Fix merge conflicts * Remove test checking for PIP packages We use virtual environments and no longer install the packages via pip directly in the image. It should be enough that the version tests check for the existence already and that the version comes back correctly. * Remove binary installation of black * cleaner * Remove pip * pretty Co-authored-by: Admiral Awkbar <admiralawkbar@github.com>
Fixes issues with python deps
Proposed Changes
Readiness Checklist
Author/Contributor
Reviewing Maintainer
breaking
if this is a large fundamental changeautomation
,bug
,documentation
,enhancement
,infrastructure
, orperformance