Best practice proposal: do not recommend --system for a Docker context#2762
Merged
uranusjr merged 3 commits intopypa:masterfrom Aug 29, 2018
Merged
Conversation
added 2 commits
August 20, 2018 13:38
Despite an application's Docker container not usually running other Python processes than the application itself, it still has a system Python whose packages should not necessarily be overwritten or upgraded by an application's choices. For example, `python3-software-properties` in Ubuntu contains utilities written in Python like `add-apt-repository` whose [use is widespread in Dockerfiles](https://github.com/search?l=Dockerfile&q=%22add-apt-repository%22&type=Code). By inadvertently applying an application's dependency onto the the container's Python, it is possible to: - subtly break system-level software like these that is still present in the container image - run into errors where that software is executed while extending the image with another Dockerfile - run into errors when `docker run|exec ... COMMAND` is used to run another process inside the same container for debugging purposes I realize this is not necessarily a likely use case, but we have seen enough projects/tools vendoring `Requests` in fear of a conflict. Very open on the wording and whether `system Python` is the correct term to designate the global Python for that OS/container image.
Member
|
I think this is a reasonable change. Personally I am against using Python without virtual environments, even inside a container. Most people are simply doing it wrong. |
Member
|
I did mean to look at this -- I have no real qualms with it per se but I want to caveat that heroku does this not to manage infrastructure, but they do it on their python buildpack -- most containers are deployed without virtualenvs as I believe you both note, I believe the purpose is to stay slim and reduce attack surface area by installing as little as possible That said, still no issues with the change, just wanted to caveat a bit |
|
Any reasons then why you are using "--system" at https://github.com/pypa/pipenv/blob/master/Dockerfile#L28? |
Member
|
Because no one bothered to fix it yet :p Pull requests are welcomed! |
ferndot
added a commit
to flexy/cookiecutter-drf
that referenced
this pull request
May 20, 2019
New best practice, see: pypa/pipenv#2762
ferndot
added a commit
to flexy/cookiecutter-drf
that referenced
this pull request
May 20, 2019
New best practice, see: pypa/pipenv#2762
ferndot
added a commit
to flexy/cookiecutter-drf
that referenced
this pull request
May 20, 2019
New best practice, see: pypa/pipenv#2762
ferndot
added a commit
to flexy/cookiecutter-drf
that referenced
this pull request
May 20, 2019
New best practice, see: pypa/pipenv#2762
ferndot
added a commit
to flexy/cookiecutter-drf
that referenced
this pull request
May 20, 2019
New best practice, see: pypa/pipenv#2762
ferndot
added a commit
to flexy/cookiecutter-drf
that referenced
this pull request
May 20, 2019
New best practice, see: pypa/pipenv#2762
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The issue
Despite an application's Docker container not usually running other Python processes than the application itself, it still has a system Python whose packages should not necessarily be overwritten or upgraded by an application's choices.
For example,
python3-software-propertiesin Ubuntu contains utilitieswritten in Python like
add-apt-repositorywhose use is widespread inDockerfiles.
By inadvertently applying an application's dependency onto the the container's Python, it is possible to:
docker run|exec ... COMMANDis used to run another process inside the same container for debugging purposesI realize this is not necessarily a likely use case, but we have seen
enough projects/tools vendoring
Requestsin fear of a conflict.The fix
The best practice in my opinion is to favor virtual environments inside a Docker container as the standard use case, as it is for deployment onto a full-fledged OS.
Very open on the wording and whether
system Pythonis the correct termto designate the global Python for that OS/container image.
The checklist
news/directory to describe this fix with the extension.bugfix,.feature,.behavior,.doc..vendor. or.trivial(this will appear in the release changelog). Use semantic line breaks and name the file after the issue number or the PR #.