Page MenuHomePhabricator
Create Task
Maniphest T369693

[toolforge, toolforge-cli] Experiment with PyInstaller to package CLI tools for buildpack images
Closed, DeclinedPublic
Actions

Description

As a potential solution, or at least a temporary workaround, to make our CLI tools available in buildservice containers, we're tentatively exploring the use of PyInstaller (docs) to create standalone executables.

  • Suggested by @dcaro as a way to package existing Python CLIs for injection into buildpack images
  • PyInstaller bundles the Python runtime, potentially allowing for cross-platform compatibility
  • Initial tests show some challenges with glibc version mismatches between build and target environments:
slavina@pyre:~$ pyenv global 3.12
slavina@pyre:~$ python --version
slavina@pyre:~$ ./test
[3238867] Failed to load Python shared library '/tmp/_MEIFXJYLl/libpython3.12.so.1.0': dlopen: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.38' not found (required by /tmp/_MEIFXJYLl/libpython3.12.so.1.0)
slavina@pyre:~$ ldd --version
ldd (Debian GLIBC 2.36-9+deb12u7) 2.36

The binary was built with glibc 2.39 on fedora, and the test was on debian bookworm. The Python version (or Python being installed at all) on the system executing the binary shouldn't matter as that is the whole point of pyinstaller – it bundles a python interpreter with all the libs.

Next steps

  1. Investigate building the binary in a container matching our buildpack base image (Ubuntu 22.04 LTS)
  2. Attempt to package one of our existing CLI tools

Considerations

  • Requires rebuilding images when CLI tools are updated
  • The webservice CLI might need additional testing
  • Long-term, we may want to continue efforts on OpenAPI CLI generation for a more stable solution

Related Objects
Search...

Event Timeline

Slst2020 created this task.Jul 10 2024, 9:28 AM
Slst2020 removed dcaro as the assignee of this task.
Slst2020 updated the task description. (Show Details)Jul 10 2024, 9:46 AM
aborrero added a comment.Jul 10 2024, 12:05 PM
  • Requires rebuilding images when CLI tools are updated

This reminded me, this was precisely one of the main problems related with embedding the toolforge binaries (notably tools-webservices) in container images, and what triggered the current CLI/API architecture in the first place.

Not saying this initiative is wrong, but definitely triggered a reflection.

Slst2020 added a comment.Jul 10 2024, 2:38 PM
In T369693#9968955, @aborrero wrote:
  • Requires rebuilding images when CLI tools are updated

This reminded me, this was precisely one of the main problems related with embedding the toolforge binaries (notably tools-webservices) in container images, and what triggered the current CLI/API architecture in the first place.

Not saying this initiative is wrong, but definitely triggered a reflection.

What alternatives are there? Is there any option right now other than NFS for mounting packages/binaries into the containers? And raw API calls are not user friendly.

bd808 added a subtask: T369569: `webservice` requires effective user to be the tool user and listed in NSS passwd data.Jul 10 2024, 3:18 PM
bd808 added a subtask: T369573: `toolforge jobs` requires current user to be the tool user and listed in NSS passwd data.
aborrero added a comment.Jul 10 2024, 3:20 PM
In T369693#9969631, @Slst2020 wrote:

What alternatives are there? Is there any option right now other than NFS for mounting packages/binaries into the containers? And raw API calls are not user friendly.

I don't have any :-(

I think previously the narrative was: use the raw API directly.

bd808 added a comment.Jul 10 2024, 3:24 PM
In T369693#9969898, @aborrero wrote:

I think previously the narrative was: use the raw API directly.

If the API changes then the in-container code needs to change to keep up. If I need to rebuild my container to deploy updated locally maintained code or centrally maintained client or sdk code I still need to rebuild the container. Strict API deprecation policies and backwards compatibility shims are potential partial solutions.

aborrero added a comment.Jul 10 2024, 3:28 PM
In T369693#9969935, @bd808 wrote:

Strict API deprecation policies and backwards compatibility shims are potential partial solutions.

Yes, I agree, that's why since day 1 we have versioned API endpoints, with things like /v1/ in the path.

dcaro added a comment.Jul 10 2024, 3:39 PM
In T369693#9969957, @aborrero wrote:
In T369693#9969935, @bd808 wrote:

Strict API deprecation policies and backwards compatibility shims are potential partial solutions.

Yes, I agree, that's why since day 1 we have versioned API endpoints, with things like /v1/ in the path.

More specifically T356974: [builds-api,jobs-api,envvars-api,api-gateway] Figure out and document how to do non-backwards compatible changes
We are almost there for that one, next thursday we deploy the last big api path change, and then we can start the deprecation protocol specified there + announce a stable api that people can use (keeping an eye on the protocol there for backwards incompatible changes).

With that and some stats we can at least track the usage of the deprecated APIs (and clis using those), and hopefully the tools doing so and communicate better those changes/help people migrate/create alternatives/etc.

The rebuilding of the containers might be relieved if we do something like auto-updating clis (ex, checking what's the latest version and installing it when running the first time), though that might break some people's flows, they would not break more than just changing the API and leaving the old clis running.

That becomes way way easier if the clis can be deployed as standalone binaries, avoiding having to support multiple package manager repositories (ex. ubuntu/debian) and minimizing the dependencies (thus this task to explore it).
Something that also helps distributing the clients eventually to users (not yet addressed here, but would help in that regard too).

dcaro triaged this task as High priority.Jul 10 2024, 3:42 PM
dcaro changed the status of subtask T369569: `webservice` requires effective user to be the tool user and listed in NSS passwd data from Open to In Progress.Jul 10 2024, 5:32 PM
SD0001 unsubscribed.Jul 10 2024, 5:36 PM
LucasWerkmeister unsubscribed.Jul 10 2024, 6:51 PM
dcaro changed the status of subtask T369573: `toolforge jobs` requires current user to be the tool user and listed in NSS passwd data from Open to In Progress.Jul 11 2024, 7:52 AM
dcaro closed subtask T369573: `toolforge jobs` requires current user to be the tool user and listed in NSS passwd data as Resolved.Jul 15 2024, 9:23 AM
dcaro edited projects, added Toolforge (Toolforge iteration 13); removed Toolforge (Toolforge iteration 12).Jul 17 2024, 11:23 AM
dcaro edited projects, added Toolforge (Toolforge iteration 14); removed Toolforge (Toolforge iteration 13).Aug 5 2024, 7:40 AM
dcaro closed subtask T369569: `webservice` requires effective user to be the tool user and listed in NSS passwd data as Resolved.Aug 13 2024, 7:39 AM
dcaro moved this task from Toolforge iteration 14 to Ready to be worked on on the Toolforge board.Sep 25 2024, 8:00 AM
dcaro edited projects, added Toolforge; removed Toolforge (Toolforge iteration 14).
dcaro closed this task as Declined.Mar 12 2025, 3:02 PM

We are moving on with golang generated code instead

Restricted Application added a project: cloud-services-team. · View Herald TranscriptMar 12 2025, 3:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits