cmake: embed Python dependencies

[pereman2]

With these changes python dependencies are embedded inside a
__pypackages__ folder in pybind/mgr which will be preprended to the
PYTHONPATH so that that folder is the first one checked for
dependencies.

ceph.spec.in is updated to disable installing dashboard dependencies by
default and instead we provide a --without embedded_pip_pkgs option to disable embedded
dependencies.

New dependencies are added to pybind/mgr/requirements-mgr.txt and a lock
file is generated with pip-tools through a tox command: tox -e gen-mgr-requirements.

A script is introduced, in script/pypackages.sh, to generate the pypackages folder which holds
the dependencies and later used by the mgr to import them.

Signed-off-by: Pere Diaz Bou pdiazbou@redhat.com

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows

[epuertat]

@pereman2 apart from regular (old-fashioned) pip, we can explore modern incarnations of that, like pipenv, pip-compile or poetry. The idea of having the plain requirements defined, and later the whole list of pinned dependencies is closer to our (not so bad) experience with npm and package.json and package-lock.json.

Dependabot supports the following formats for defining Python dependencies:

Language	Ecosystem	Manifest file	Dependency scope supported
Python	Poetry	poetry.lock	✔
Python	Poetry	pyproject.toml	✔
Python	pip	requirements.txt	✔ Scope is development if the filename contains test or dev, else it is runtime
Python	pip	pipfile.lock	✔
Python	pip	pipfile	✔

[rzarzynski]

I'm not a cmake nor mgr expert but I don't see any obvious issues here, so – FWIW – LGTM.

[epuertat]

Really nice PoC, @pereman2 !

My observations:

• We cannot assume that during cmake the system will have access to the internet, so we should act otherwise. In fact, that's already the assumption and why install-deps.sh scans the requirements.txt and prefetches those Python deps.
• There are (at least) 2 possible approaches here:
  • Downloading but not installing the packages (e.g.: install-deps.sh and make-dist running pip download) and then cmake runs the pip install from these downloaded packages.
  • The approach already used for npm packages: Python packages are downloaded and installed to their locations in the Ceph repo, and then are tarballed and 'injected' in the package stage
• We need to add the requirements lock file and a check that fails if there's a mismatch between the requirements and the lock file (npm install and other tools implement this behaviour by default).

[pereman2]

jenkins test make check

[epuertat]

LGTM! Just a few suggestions.

[epuertat]

Are these the latest or the current ones?

[pereman2]

I've updated:
cherrypy from 18.4.0 > 18.8.0
saml 1.9.0 > 0.9.0, looks like a downgrade but pip install has these versions: 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0 reported when I try to install 1.9.0
the rest of packages have the same issue as the two above, so I had to either upgrade or to point to a similar version

[epuertat]

Interestingly we've been using the wrong python package for a while: it's the python-saml, not the saml one.

[tchaikov]

the commit message is practically empty. would be better to put the content of cover letter into the commit message.

but a bigger problem is, this change makes the process of introducing dashboard simpler, but it defeats the purpose of packaging. and make the life of downstream maintainer more difficult.

i've been working on facilitating the process by introducing the .requires files, for instance https://github.com/ceph/ceph/blob/main/debian/ceph-mgr-dashboard.requires . i understand this is far from a complete solution. but instead of reinventing the wheel, i believe a better solution is to work with the packaging machinery instead of vendoring python dependencies.

i see two approaches here

1. to package dashboard as a proper python package. so the packaging tools is able to extract the dependencies from, for instance, egg-info.
2. to use the homebrew scripts to generate the dependencies from requirements.txt and insert them into ceph.spec.in and debian/control. the .requires files is an early attempt in this direction.

[epuertat]

the commit message is practically empty. would be better to put the content of cover letter into the commit message.

@pereman2 can you please fix this?

but a bigger problem is, this change makes the process of introducing dashboard simpler, but it defeats the purpose of packaging. and make the life of downstream maintainer more difficult.

@tchaikov why is that?

I think it's too much to say that "this defeats the purpose of packaging". It just overrides the dependency-sharing capability, but keeps on leveraging the remaining capabilities of the distro package management system (and it's internally relying on another package manager, pip).

i see two approaches here

1. to package dashboard as a proper python package. so the packaging tools is able to extract the dependencies from, for instance, egg-info.
2. to use the homebrew scripts to generate the dependencies from requirements.txt and insert them into ceph.spec.in and debian/control. the .requires files is an early attempt in this direction.

Would one of those resolve the following problem?

We'd like to use FastAPI (not a sudden whim) which is a widespread Python package that would basically allow the Dashboard team to focus on exposing more Ceph features in a web UI, and spend less time implementing and fixing type checking, validation, serialization or self-documenting REST API endpoints (as FastAPI provides).

Out of the 7 distro-releases currently supported by the Ceph community, only 2 provide (Ubuntu 22.04 and Debian 11) such a package. But fastapi depends on pydantic, starlette and uvicorn. uvicorn in turn also requires click, h11 and wsproto... So for start using this fastapi package, we'd need to create/ask for another 30-35 Python packages in different distros and releases (and this would add to the existing burden of 42 Python package deps of ceph-mgr modules, including transitive deps).

So our goal by placing Python-only deps inside the Ceph Dashboard package is:

• Enabling the adoption of modern Python packages (instead of reinventing the wheel),
• Simplifying the migration process to newer distro releases or Python versions, or the adoption from new distros,
• Ensuring a single/frozen stack of Python package versions across different distros (right now every distro has a different version of the same package; just by looking at cherrypy: CentOS 8: 18.4.0, Debian 10: 8.9.1, Ubuntu 22.04: 18.6.1, OpenSUSE 15.3 18.3.0, ...). This would provide consistent testing and unified security scanning (via Github's dependabot).

We could also discuss about whether distro packages should have precedence in the ceph-mgr sys.path over embedded deps (our approach here was the opposite). That way, users could override the embedded deps by installing newer packages, but I'm afraid that it would probably bring other side-effects.

[dvanders]

With the current ceph.spec will the pip install happen when building the srpm or the rpm? In other words, will the the py deps be bundled into the srpm? I hope so... build nodes might not have internet access.

[epuertat]

@pereman2 this should be quicker to test & troubleshoot without teuthology, just Shaman (or a local rpmbuild) + simple vstart (ceph-dev) cluster running on RPMs. Here you have an example.

[epuertat]

@pereman2: I think I got it: there's a missing install(DIRECTORY __pypackages__ ...) in the src/pybind/mgr/CMakeLists.txt.

[cbodley]

looks like that worked for https://pulpito.ceph.com/cbodley-2023-03-10_17:38:32-rgw:verify-wip-pereman2-testing-2022-09-05-1259-distro-default-smithi/

the find command listed everything, and ceph-mgr seems to have started up okay. there were several warnings about missing NOTIFY_TYPES, is that related somehow?

2023-03-10T17:56:21.074+0000 7f016c819040 -1 mgr[py] Module rbd_support has missing NOTIFY_TYPES member
2023-03-10T17:56:22.302+0000 7fd769c15040 -1 mgr[py] Module devicehealth has missing NOTIFY_TYPES member
...

[pereman2]

looks like that worked for https://pulpito.ceph.com/cbodley-2023-03-10_17:38:32-rgw:verify-wip-pereman2-testing-2022-09-05-1259-distro-default-smithi/

the find command listed everything, and ceph-mgr seems to have started up okay. there were several warnings about missing NOTIFY_TYPES, is that related somehow?

2023-03-10T17:56:21.074+0000 7f016c819040 -1 mgr[py] Module rbd_support has missing NOTIFY_TYPES member
2023-03-10T17:56:22.302+0000 7fd769c15040 -1 mgr[py] Module devicehealth has missing NOTIFY_TYPES member
...

great news, thanks @epuertat and @cbodley for the pointers. Those warnings are expected

[pereman2]

jenkins test make check

[cbodley]

@pereman2 have you had a chance to investigate the PR check failures?

[pereman2]

@cbodley should be fixed now... It was a stupid mistake

[pereman2]

there is a failure in tox-mgr where some nested dependecies of folders are not added to requirements I thought would happen by installing a dependency. For example:

ERROR __pypackages__/lib/python3/site-packages/asyncssh/gss_unix.py - ModuleNotFoundError: No module named 'gssapi'
ERROR __pypackages__/lib/python3/site-packages/asyncssh/gss_win32.py - ModuleNotFoundError: No module named 'sspi'

if you do locally pip install --target deps asyncssh it won't install gssapi nor sspi. So I'm not sure how to deal with this @epuertat, any idea?

On the other hand, If I run vstart.sh this isn't a problem somehow

[pereman2]

ERROR lib64/python3.10/site-packages/virtualenv/discovery/windows/__init__.py - ModuleNotFoundError: No module named 'winreg'
ERROR lib64/python3.10/site-packages/virtualenv/discovery/windows/pep514.py - ModuleNotFoundError: No module named 'winreg'

for example it tries to import things like winreg which are windows specific and in the previous example asyncssh has an optional feature gssapi which is added manually if the asyncssh user wants it

[epuertat]

there is a failure in tox-mgr where some nested dependecies of folders are not added to requirements I thought would happen by installing a dependency. For example:

ERROR __pypackages__/lib/python3/site-packages/asyncssh/gss_unix.py - ModuleNotFoundError: No module named 'gssapi'
ERROR __pypackages__/lib/python3/site-packages/asyncssh/gss_win32.py - ModuleNotFoundError: No module named 'sspi'

if you do locally pip install --target deps asyncssh it won't install gssapi nor sspi. So I'm not sure how to deal with this @epuertat, any idea?

On the other hand, If I run vstart.sh this isn't a problem somehow

Based on https://github.com/ronf/asyncssh#optional-extras and https://github.com/ronf/asyncssh/blob/8c0b42ca4fce32a4ee1979b20de85a7b7b84f80b/setup.py#L61-L69, those packages are extras, so they need to be explicitly installed via pip install ... asyncssh[gssapi].

[rzarzynski]

A note from bug scrub: this PR (and its related ticket) have been discussed during a CLT meeting. The outcome in our memory is that the Dashboard Folks we'll take care (please correct if I'm wrong).

[github-actions]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[rzarzynski]

jenkins retest this please

[rzarzynski]

@ceph/dashboard: ping.

[epuertat]

@rzarzynski IMHO this is still a sensible approach... but not as urgent as when the CentOS 9 Python deps were blocking Reef. I'd keep it open, even if PEP 582 (local __pypackages__) has been rejected after a 5-year deliberation.

[github-actions]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[github-actions]

This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!