Inform pants about 3rd party dependencies and constraints #5789
Conversation
cognifloyd
requested review from
winem,
arm4b,
nzlosh,
rush-skills,
amanda11 and
a team
pull-request-size
bot
added
the
size/L
cognifloyd
force-pushed
the
pants-reqs
branch
from
5aec400 to
c1a9302
Compare
pants.toml
Outdated
| # ignore requirements.txt for now, preferring interrim files that are decoupled from | ||
| # legacy requirements files generation: requirements-pants.txt & lockfiles/st2-constraints.txt | ||
| "/requirements.txt", |
There was a problem hiding this comment.
once we remove the legacy stuff, we can move requirements-pants.txt to requirements.txt.
cognifloyd
changed the title
BUILD
Outdated
| "gitpython": ["git"], | ||
| "python-editor": ["editor"], | ||
| "python-json-logger": ["pythonjsonlogger"], | ||
| "python-statsd": ["statsd"], | ||
| "sseclient-py": ["sseclient"], | ||
| "oslo.config": ["oslo_config"], | ||
| "RandomWords": ["random_words"], |
There was a problem hiding this comment.
Feel free to upstream these to Pants's default_module_mapping.py. Ditto the other python_requirement targets.
There was a problem hiding this comment.
Will do. But we'll need to keep them here, until we upgrade to a version of pants that includes them.
There was a problem hiding this comment.
Huh. It turns out gitpython is already available, so I can delete that already. Cool.
There was a problem hiding this comment.
| # was in fixed-requirements.txt, but not in requirements-pants.txt | ||
| # keyczar is used by a python2-only test. | ||
| #python-keyczar | ||
|
|
||
| ########### | ||
|
|
||
| # not needed with switch to pytest | ||
| #nose | ||
| #nose-timer | ||
| #nose-parallel | ||
| #rednose |
There was a problem hiding this comment.
I think we should delete them once we drop the old requirements infra. We still need to keep both sets of requirements in sync until that happens, so having a note about requirements that we don't need to include is helpful.
| # fixed-requirements.txt: | ||
| # Fix MarkupSafe to < 2.1.0 as 2.1.0 removes soft_unicode | ||
| # >=0.23 was from jinja2 | ||
| MarkupSafe<2.1.0,>=0.23 |
There was a problem hiding this comment.
I'm a bit confused by this file. The only requirement that doesn't seem to be commented out is MarkupSafe.
Why are all the other pinned versions, not uncommented?
There was a problem hiding this comment.
Because I'm not sure if they're still valid.
With requirements-pants.txt, I've essentially removed all of the versions that were "pinned"/"locked" in fixed-requirements.txt, because that is supposed to be handled by the lockfile. So, the requirements should be as broad as possible, and then the lockfile will lock them to a single version.
The same thing applies with st2-constraints.txt. I believe most of these transitive constraints were in fixed-constraints.txt in order to "pin"/"lock" them. But, some of them might be actual constraints due to known issues in those transitive deps. So, I documented all of them, but left them commented. I hope we can just delete them later.
As we enable other tools like pylint, we'll get additional feedback about whether or not we need some of these constraints. And, after we have the lockfile, we can start "exporting" a virtualenv with pants. That way we can run all of our tests using a virtualenv generated by the lockfile which will tell us if there are any functional issues where we still need these constraints.
Does that make sense?
I suppose we could also uncomment all of these constraints, and then comment one or more of them, if needed, to generate the lockfile.
There was a problem hiding this comment.
Another issue with our current approach vs using the pants+pex lockfile: generating the lockfile does not support the legacy pip resolver. Our current set of "pinned" dependencies does not work with the newer resolver (which is why we have a really old version of pip pinned), so we need to loosen our requirements to give the resolver room to figure out which versions are actually compatible.
I have successfully tested generating the lockfile with the requirements+constraints in this PR. I will try uncommenting the rest of these transitive dep constraints and see if that still resolves.
There was a problem hiding this comment.
OK. I uncommented many of the constraints and I can still generate the lockfile. I left only a few commented.
I really hope we can just delete all of these constraints, hopefully sooner rather than later.
There was a problem hiding this comment.
I just tried to cleanup / standardize the documentation of all of these constraints. @amanda11 does that help?
There was a problem hiding this comment.
Thanks for the answers. I seem to remember there being some problems going up further on the pip version - but that maybe resolved. But if we do end up upping the pip version might need to find the old PR from when I last upped the version - as I seem to recall having to downgrade it.
But agree for now good to keep in synch.
cognifloyd
force-pushed
the
pants-reqs
branch
from
42eb761 to
bc7f431
Compare
cognifloyd
force-pushed
the
pants-reqs
branch
2 times, most recently
from
f02fcc8 to
85daf63
Compare
It is already available in the default_module_mapping
cognifloyd
force-pushed
the
pants-reqs
branch
from
85daf63 to
fefc94d
Compare
Background
This is another part of introducing pants, as discussed in various TSC meetings.
Related PRs can be found in:
Overview of this PR
Our 3rd party dependencies will be in a lockfile that looks like
lockfiles/st2.lock. But, before pants can generate that, we need to add several pieces of metadata including dependencies and python version constraints.This PR focuses on registering all of our dependencies. Future PRs will add the python version constraints (aka interpreter constraints) and other metadata so that we can actually generate the lockfile.
The Third-party dependencies document (in pantsbuild docs) is especially helpful in understanding the contents of this PR.
Relevant Pants documentation
modulesandmodule_mappingwhen the module name is not standardpython_requirementstargetmodule_mappingfieldoverridesfieldpython_requirementtargetmodulesfielddependenciesfieldThe purposes of
*requirements.txtToday,
*requirements.txtconflates several purposes:With pants, I think we should manage each of these purposes with separate files, leaving
requirements.txtto only record our direct dependencies (purpose 1). These files are:*requirements.txtrequirements-pants.txt*requirements.txtlockfiles/st2-constraints.txtrequirements.txtlockfiles/st2.lockToday, the first two purposes are actually spread out across multiple files. In this chart,
*requirements.txtincludes:requirements.txt,fixed-requirements.txt, and**/in-requirements.txt.The many
requirements.txtfiles and the scripts that compile them to generate the "locked" version of the file are heavily interdependent. To avoid introducing another relationship on all of that infrastructure, I opted to create new files instead:requirements-pants.txt,st2-constraints.txt, andst2.lock(the lockfile has to be added in a follow-up PR).requirements-pants.txtrequirements-pants.txtdoes not need to constrain any transitive dependencies or handle locking or pinning any dependencies, so the requirements in it should be broad as possible. If there are known code incompatibilities in our direct dependencies, then we should add a version range to that requirement. Otherwise, we let the tooling (pants+pex+pip) pick the best version given all the other constraints we through at it.st2-constraints.txtI put
st2-constraints.txtunderlockfiles/since it's primary purpose is to narrow the range of valid versions that pex can choose from when creating the lockfile.I went through all of our requirements to determine if they are direct or transient dependencies. I put the transient deps in
st2-constraints.txtand included comments about:fixed-requirements.txt(if any)Everything in
st2-constraints.txtis, ideally, temporary. Eventually, we should be able to remove the version constraints on the transient dependencies (deps of our direct deps). With the current*requirements.txtinfra, that is very difficult to do, because it is not clear what is a direct dependency and what ended up in there to fix a build. Many of these issues get resolved upstream. Isolating these "exceptional" constraints makes it easier to comment them out and validate whether or not they are still needed.So, I looked through the git history to determine how much has changed since each one was introduced. The
MarkupSafeconstraint was added fairly recently in #5581. Most of the other constraints seem to be either (a) no longer necessary, or (b) the only reason to include them is to "lock" or pin that dependency. Locking will be handled bylockfiles/st2.lock, so I left everything exceptMarkupSafecommented out. They are not needed to create a valid lockfile. Once we have pants running more of our infrastructure, we'll be able to uncomment/update any constraints that are actually still needed.lockfiles/st2.lockAgain, pants needs more metadata before we can generate this, so it will be added in a follow-up PR. Plus, the lockfile is 4544 lines long, so I want to isolate introducing it in a PR that has basically nothing else in it.
BUILDPants needs additional metadata about some of our direct dependencies. Others, like
pywinrm, should really only be used in one specific module of our code base (thewinrm_runnerin this case). Still others are really only needed for tests of a specific pack. These oddities are difficult to express in a simplerequirements.txtfile, but we can express them cleanly inBUILDfiles.Many packages do not declare that they use
setuptoolsbecause they assume that all virtualenvs will just have it. Pants only includes the bare minimum it needs to run each linter or test. Ifsetuptoolsis not an explicit dep, then it is not included. ForstevedoreI told pants about this implicit dependency like this (I did the same forflexas well):st2/BUILD
Lines 26 to 31 in e9df91d
Other packages, like
toozhave runtime dependencies that pants can't easily discover. This block makes sure our defaulttoozbackends are included in the relevant venv whenever we usetooz:st2/BUILD
Lines 32 to 38 in e9df91d
Still other packages are installed with one name, but imported with another. pants uses a
module_mappingto figure out which imports come from which 3rd party dependencies.We use
modulesto tell pants that thepywinrmpackage provides thewinrmmodule:st2/contrib/runners/winrm_runner/BUILD
Lines 1 to 4 in e9df91d
And we use
module_mappingto do the same for requirements defined inrequirements-pants.txt(but only if they aren't in the defaultmodule_mappingdefined in pants:st2/BUILD
Lines 4 to 12 in e9df91d
planned changes to
pants.tomlWe can't adjust config in
pants.tomluntil a future PR as some of that config is interdependent. Briefly, these are the settings that will be needed:[python].enable_resolves = true[python].default_resolve = "st2"[python.resolves].st2 = "lockfiles/st2.lock"[python.resolves_to_constraints_file].st2 = "lockfiles/st2.lock"