-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
An attempt to run Python exe in a more hermetic way #863
Conversation
Not sure why CI fails. When I run |
python/repositories.bzl
Outdated
|
||
set -o errexit -o nounset -o pipefail | ||
|
||
external/{repo_name}/{python_bin} -B -s -I "$@" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want -S (upper case) as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this would harm in the case a custom toolchain from this repo is used. In the case a system python is used, this may even be desirable.
python/repositories.bzl
Outdated
|
||
set -o errexit -o nounset -o pipefail | ||
|
||
external/{repo_name}/{python_bin} -B -s -I "$@" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the "external/" part here might depend on if a flag is set?
https://bazel.build/reference/command-line-reference#flag--legacy_external_runfiles
I think you can drop the "external/" part, but not 100% sure.
Actually, what's the CWD when this is invoked? The relative path here means it would have to be the runfiles root. But what is doing that chdir()? (Sorry if I missed it)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing this out. If --nolegacy_external_runfiles
, then this path doesn't work. The CWD in my example is
/home/mvukov/.cache/bazel/_bazel_mvukov/bc9f8eb0563a76ddb0353ce7869ddf8d/execroot/hermetic_python/bazel-out/k8-fastbuild/bin/demo.runfiles/hermetic_python
where hermetic_python is the repo name. When --legacy_external_runfiles
is used, then external/
has to be used...
But what is doing that chdir()? (Sorry if I missed it)
I'm not doing any chdir in this PR :) Can you be a bit more specific?
I've got a few questions about this:
Is this the right place to be solving the problem? To me, this feels like a similar problem to: |
In the meantime, I found that using -I won't work as per doc "-I : isolate Python from the user's environment (implies -E and -s)". This effectively nulls PYTHONPATH set by the stub. I removed that in 10ffa53. After this,
Still, it's a pity that the first entry still sneaks in the path.
If we decide to move forward with this PR, I'd work on support for Windows.
The generated stub driven by a platform interpreter calls the generated wrapper, the wrapper then calls a custom interpreter.
Not sure, to be honest. I am looking into an intermediate solution until bazelbuild/bazel#15897 gets implemented or until https://github.com/aspect-build/rules_py gets out of experimental. TBH, I would be just happy at the moment if py_runtime had an extra argument |
👋 As you found, rules_py on the other hand can set this, (I'm the author of rules_py 😄) as it doesn't use the runfiles layout for running It's probably worth setting the new On the topic of rules_py, I can help with issues using it to push it out of experimental if needed. |
This is related to #382 and bazelbuild/bazel#7091. Also worth noting that @groodt already added |
@mattem Many thanks. I'll try rules_py with a large monorepo to see how that works. |
I tested https://github.com/aspect-build/rules_py on a large monorepo and works as expected (after a couple of minor issues were resolved -- the current main branch works fine). Haven't tried out remote execution, but, the ruleset plays well now with remote caching. It would be nice to have rules_python and rules_py in the same repo eventually. :) |
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Current custom toolchains allow the repo path and user's local Python packages to sneak in the Python path. For instance,
sys.path
can be something like:with a toolchain registered as
What is the new behavior?
With the proposed fix, based on rules_py I created a small wrapper script for the interpreter that removes the repo root and the local folder from the path.
Does this PR introduce a breaking change?
Other information
I didn't look into a wrapper for Windows yet. Please let me know if this could end up in the main branch and based on that I can proceed further. An alternative could be to have an extra argument like
interpreter_flags
inpython_register_toolchains
.