crypt/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-01-27 19:42:53 +03:00
Code Activity
Files
c668172ef0844ebd641575aeac865d91c59eaa8e
certbot/tools/docker
History
Adrien Ferrand d38766e05c Enable again build isolation with proper pinning of build dependencies (#8443) 
Fixes #8256

First let's sum up the problem to solve. We disabled the build isolation available in pip>=19 because it could potential break certbot build without a control on our side. Basically builds are not reproductible. Indeed the build isolation triggers build of PEP-517 enabled transitive dependencies (like `cryptography`) with the build dependencies defined in their `pyproject.toml`. For `cryptography` in particular these requirements include `setuptools>=40.6.0`, and quite logically pip will install the latest version of `setuptools` for the build. And when `setuptools` broke with the version 50, our build did the same.

But disabling the build isolation is not a long term solution, as more and more project will migrate on this approach and it basically provides a lot of benefit in how dependencies are built.

The ideal solution would be to be able to apply version constraints on our side on the build dependencies, in order to pin `setuptools` for instance, and decide precisely when we upgrade to a newer version. However for now pip does not provide a mechanism for that (like a `--build-constraint` flag or propagation of existing `--constraint` flag).

Until I saw https://github.com/pypa/pip/issues/9081 and https://github.com/pypa/pip/issues/8439.

Apart the fact that https://github.com/pypa/pip/issues/9081 shows that pip maintainers are working on this issue, it explains how pip works regarding PEP-517 and infers which workaround can be used to still pin the build dependencies. It turns out that pip invokes itself in each build isolation to install the build dependencies. It means that even if some flags (like `--constraint`) are not explicitly passed to the pip sub call, the global environment remains, in particular the environment variables.

Thus it is known that every pip flag can alternatively be set by environment variable using the following pattern for the variable name: `PIP_[FLAG_NAME_UPPERCASE]`. So for `--constraint`, it is `PIP_CONSTRAINT`. And so you can pass a constraint file to the pip sub call through that mechanism.

I made some tests with a constraint file containing pinning for `setuptools`: indeed under isolation zone, the constraint file has been honored and the provided pinned version has been used to build the dependencies (I tested it with `cryptography`).

Finally this PR takes advantage of this mechanism, by setting `PIP_CONSTRAINT` to `pip_install`, the snap building process, the Dockerfiles and the windows installer building process.

I also extracted out the requirements of the new `pipstrap.py` to be reusable in these various build processes.

* Use workaround to fix build requirements in build isolation, and renable build isolation

* Clean imports in pipstrap

* Externalize pipstrap reqs to be reusable

* Inject pipstrap constraints during pip_install

* Update docker build

* Update snapcraft build

* Prepare installer build

* Fix pipstrap constraints in snap build

* Add back --no-build-cache option in Docker images build

* Update snap/snapcraft.yaml

* Use proper flags with pip

Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2020-12-16 10:49:31 -08:00
..
core
Enable again build isolation with proper pinning of build dependencies (#8443)
2020-12-16 10:49:31 -08:00
lib
Docker build improvements (#8218)
2020-08-18 10:48:01 -07:00
plugin
Enable again build isolation with proper pinning of build dependencies (#8443)
2020-12-16 10:49:31 -08:00
build.sh
Remove usage of buildkit (#8408)
2020-10-26 15:20:27 -07:00
deploy.sh
Docker build improvements (#8218)
2020-08-18 10:48:01 -07:00
README.md
Docker build improvements (#8218)
2020-08-18 10:48:01 -07:00

README.md

Running Certbot in Docker

Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates automatically or configure your webserver, because our installer plugins cannot reach your webserver from inside the Docker container.

Most users should install Certbot by following the installation instructions at https://certbot.eff.org/instructions. You should only use Docker if you are sure you know what you are doing (you understand volumes) and have a good reason to do so, such as following the one service per container rule.

For more information, please read Certbot - Running with Docker.

Certbot Docker Tools

Goal

This code is used to build and deploy new versions of the Certbot and Certbot DNS plugin Docker images to Docker Hub.

High-level behavior

Running ./build.sh <TAG> all && ./deploy.sh <TAG> all causes the Docker images to be built and deployed to Docker Hub for all supported architectures where <TAG> is the base of the tag that should be given to the given images. The tag should either be nightly or a git version tag like v0.34.0. The given tag is only the base of the tag because the CPU architecture is also added to the tag.

Configuration

To run these scripts you need:

  1. An x86_64 machine with Docker installed and the Docker daemon running. You probably don't want to use the docker snap as these scripts have failed when using that in the past.
  2. To be logged into Docker Hub with an account able to push to the Certbot and Certbot DNS Docker images on Docker Hub.
View Git Blame Copy Permalink