Add content dir where Ansible will look for the content provided by ACD #67093
Conversation
ansibot
added
WIP
ansibot
added
stale_ci
|
Okay, @nitzmahone @mattclay and I talked about this today. We discussed four possibilities with certain drawbacks:
I'll update the code in this PR to reflect using |
samdoran
removed
the
needs_triage
|
I'm a bit confused by this PR. @abadger's comment refers to some examples of installing an ibm provided collection, but the code currently -only- looks for an Is there a disconnect between what is being asked for and what this PR does or am I reading it incorrectly? |
ansibot
added
the
stale_ci
| for path in sys.path: | ||
| sys_installed_path = os.path.join(os.path.abspath(path), 'ansible_collections') | ||
| if os.path.isdir(sys_installed_path): | ||
| self._n_configured_paths.append(sys_installed_path) |
There was a problem hiding this comment.
This adds paths at the end of the list. Which means that it'll be shadowed by user-provided paths. Is this intended? Should this also be documented somewhere?
There was a problem hiding this comment.
It is definitely the intent; this feature primarily exists to support ACD and have an "it just works" fallback for 2.9-authored content to transparently resolve to, and depending on how downstream ansible-base ends up being packaged, possibly an RPM-installed version of same. User-installed content should absolutely be able to mask it.
Docs and tests are both missing from this PR at the moment, I'd argue that both need to be addressed before it's merged. That should be achievable once migration is behind us.
There was a problem hiding this comment.
Docs and tests are both missing from this PR at the moment
Scratch docs. One of the caveats to allowing this feature, is that no documentation is provided for users about it. This is purely an internal thing that we are effectively just not communicating about its existence. It will be unsupported for any users who find it and try to use it. It's basically "for us only".
There was a problem hiding this comment.
Personally, I'd want to have it supported b/c it's easier to ship dists this way in some cases.
There was a problem hiding this comment.
Personally, I'd want to have it supported b/c it's easier to ship dists this way in some cases
That decision is mostly out of my hands. The decision came from "higher" up. The supported way of distributing collections is galaxy/ah only.
There was a problem hiding this comment.
Just for the record, I agree with @webknjaz - although I understand it's out of your hands. Being able to pip install a library and have that result in a corresponding ansible collection being installed would be hugely beneficial for some things. Mostly saying that in case further conversations happen by those who are higher up to register user interest in such a feature.
There was a problem hiding this comment.
@emonty FTR this is how ACD will work @ PyPI @ Ansible 2.10. So it'd be pretty easy for users to figure out how it works. Maybe it's not something that business desires, but the community would definitely want this.
webknjaz
left a comment
webknjaz
left a comment
There was a problem hiding this comment.
I'm curious if Ansible CLIs should list Python dists that are installed on the system in the ansible_collections implicit namespace. It'd be useful for the purposes of security analysis.
| elif self._n_configured_paths is None: | ||
| self._n_configured_paths = [] | ||
|
|
||
| # Append all ``ansible_collections`` dirs from sys.path to the end |
There was a problem hiding this comment.
This comment would be a bit more useful if it explained the effect of the change:
| # Append all ``ansible_collections`` dirs from sys.path to the end | |
| # Append all ``ansible_collections`` dirs from sys.path to the end | |
| # which enables the collection loader to locate and import Python | |
| # modules that are distributed as Python distributed packages via | |
| # PyPI or similar indexes. Specifically, it enables users to distribute | |
| # Python content as long as dists follow PEP 420 Implicit Namespace | |
| # Packages conventions. | |
| # Refs: | |
| # * https://packaging.python.org/guides/packaging-namespace-packages/ | |
| # * https://packaging.python.org/guides/creating-and-discovering-plugins/#using-namespace-packages | |
| # * https://setuptools.readthedocs.io/en/latest/setuptools.html#namespace-packages | |
| # * https://setuptools.readthedocs.io/en/latest/setuptools.html#find-namespace-packages | |
| # | |
| # SECURITY CONSIDERATIONS: | |
| # This provides yet another place for injecting Python code. | |
| # We should be clear about it when informing users about the places | |
| # where modules/plugins are loaded from. | |
| # | |
| # NOTE: It is possible to publish a "broken" namespace package | |
| # NOTE: so that when it's installed it breaks user's ability | |
| # NOTE: to install other Python packages in that namespace. |
There was a problem hiding this comment.
I'd take out the REFS. Security considerations should go somewhere else. maybe there should be a single place in the documentation which lists all the locations that the collections can be loaded from. The note is correct but within ansible, we use our special loader which establishes a namespace prior to loading anything else so this should only break with third party code which might try to load the ansible-collections package without establishing the namespace first. So if we state that here, it should note that it won't break us, only third parties.
ansibot
removed
the
stale_ci
|
So here's a demo Python dist working with this patch: https://github.com/webknjaz/ansible-collection-python-dist-boo / https://pypi.org/project/ansible-collections.python.dist.boo/ / https://test.pypi.org/project/ansible-collections.python.dist.boo/ |
In the example, the ibm collection would be installed inside of the With standard sys.path settings in Fedora and RHEL:
|
This comment has been minimized.
This comment has been minimized.
webknjaz
force-pushed
the
acd-content-dir
branch
3 times, most recently
from
1f42521 to
22ce66d
Compare
ansibot
added
the
needs_revision
ansibot
added
core_review
ansibot
added
needs_revision
After talking with nitzmahone and mattclay we settled on this feature looking up collections in specifically named subdirectories of sys.path's directories. We discussed pros and cons of doing this in several different ways and decided that looking for an ansible_collections package directly in sys.path had less drawbacks than looking for ansible_collections as a subdirectory of a package in sys.path. In some ways of doing it, the extra redirection could have helped point out packaging mistakes but not enough to justify the complexity of coding it that way.
Co-Authored-By: Sviatoslav Sydorenko <[email protected]>
Co-Authored-By: Matt Clay <[email protected]>
Co-Authored-By: Matt Clay <[email protected]>
webknjaz
force-pushed
the
acd-content-dir
branch
from
c9c5e3e to
43e8b6d
Compare
webknjaz
changed the title
|
Ah, GH lost my commit message and co-authors on merge :( |
12 participants
SUMMARY
Add content dir where Ansible will look for content provided by ACD
ISSUE TYPE
COMPONENT NAME
lib/ansible/utils/collection_loader.py
ADDITIONAL INFORMATION