<div dir="ltr"><p dir="ltr"><br>
On Jun 26, 2014 12:12 PM, "Angus Salkeld" <<a href="mailto:angus.salkeld@rackspace.com" target="_blank">angus.salkeld@rackspace.com</a>> wrote:<br>
><br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
><br>
> On 25/06/14 15:13, Clark Boylan wrote:<br>
> > On Tue, Jun 24, 2014 at 9:54 PM, Adrian Otto <<a href="mailto:adrian.otto@rackspace.com" target="_blank">adrian.otto@rackspace.com</a>> wrote:<br>
> >> Hello,<br>
> >><br>
> >> Solum has run into a constraint with the current scheme for requirements management within the OpenStack CI system. We have a proposal for dealing with this constraint that involves making a contribution to openstack-infra. This message explains the constraint, and our proposal for addressing it.<br>
> >><br>
> >> == Background ==<br>
> >><br>
> >> OpenStack uses a list of global requirements in the requirements repo[1], and each project has it’s own requirements.txt and test-requirements.txt files. The requirements are satisfied by gate jobs using pip configured to use the <a href="http://pypi.openstack.org" target="_blank">pypi.openstack.org</a> mirror, which is periodically updated with new content from <a href="http://pypi.python.org" target="_blank">pypi.python.org</a>. One motivation for doing this is that <a href="http://pypi.python.org" target="_blank">pypi.python.org</a> may not be as fast or as reliable as a local mirror. The gate/check jobs for the projects use the OpenStack internal pypi mirror to ensure stability.<br>
> >><br>
> >> The OpenStack CI system will sync up the requirements across all the official projects and will create reviews in the participating projects for any mis-matches. Solum is one of these projects, and enjoys this feature.<br>
> >><br>
> >> Another motivation is so that users of OpenStack will have one single set of python package requirements/dependencies to install and run the individual OpenStack components.<br>
> >><br>
> >> == Problem ==<br>
> >><br>
> >> Stackforge projects listed in openstack/requirements/projects.txt that decide to depend on each other (for example, Solum wanting to list mistralclient as a requirement) are unable to, because they are not yet integrated, and are not listed in openstack/requirements/global-requirements.txt yet. This means that in order to depend on each other, a project must withdraw from projects.txt and begin using pip with <a href="http://pypi.poython.org" target="_blank">pypi.poython.org</a> to satisfy all of their requirements.I strongly dislike this option.<br>
> >><br>
> >> Mistral is still evolving rapidly, and we don’t think it makes sense for them to pursue integration wight now. The upstream distributions who include packages to support OpenStack will also prefer not to deal with a requirement that will be cutting a new version every week or two in order to satisfy evolving needs as Solum and other consumers of Mistral help refine how it works.<br>
> >><br>
> >> == Proposal ==<br>
> >><br>
> >> We want the best of both worlds. We want the freedom to innovate and use new software for a limited selection of stackforge projects, and still use the OpenStack pypi server to satisfy my regular requirements. We want the speed and reliability of using our local mirror, and users of Solum to use a matching set of requirements for all the things that we use, and integrated projects use. We want to continue getting the reviews that bring us up to date with new requirements versions.<br>
> >><br>
> >> We propose that we submit an enhancement to the gate/check job setup that will:<br>
> >><br>
> >> 1) Begin (as it does today) by satisfying global-requirements.txt and my local project’s requirements.txt and test-requirements.txt using the local OpenStack pypi mirror.<br>
> >> 2) After all requirements are satisfied, check the name of my project. If it begins with ‘stackforge/‘ then look for a stackforge-requirements.txt file. If one exists, reconfigure pip to switch to use <a href="http://pypi.python.org" target="_blank">pypi.python.org</a>, and satisfy the requirements listed in the file. We will list mistralclient there, and get the latest tagged/released version of that.<br>
> >><br>
> > I am reasonably sure that if you remove yourself from the<br>
> > openstack/requirements project list this is basically how it will<br>
> > work. Pip is configured to use the OpenStack mirror and fall back on<br>
> > <a href="http://pypi.python.org" target="_blank">pypi.python.org</a> for packages not available on the OpenStack mirror<br>
> > [2]. So I don't think there is any work to do here with additional<br>
> > requirements files. It should just work. Adding a new requirements<br>
> > file will just make things more confusing for packagers and consumers<br>
> > of your software.<br>
><br>
> Adrian I know this is not the optimal solution, but I think this is<br>
> the most pragmatic solution (esp. given we need to progress and not be held<br>
> up by this), most stackforge projects are in the same boat as us.<br>
> As far as pypi breakages (most are easily fixable by restricting the<br>
> package versions if we get an issue with a new release<br>
> of *random-api-breaking-package*).<br>
></p>
<p dir="ltr">I've looked through the infra choose mirror code, and Clark is correct. If the project isn't in the projects.txt file they will only access to <a href="http://pypi.openstack.org">pypi.openstack.org</a> however if removed then it will first check <a href="http://pypi.openstack.org">pypi.openstack.org</a> and then fall back to to <a href="http://pypi.python.org">pypi.python.org</a>. I think the only real solution is what Angus mentioned, remove yourself from projects.txt at least until all your dependencies can be provided by <a href="http://pypi.openstack.org">pypi.openstack.org</a> or another solution is put into place. In the mean time you can at least progress and continue development.</p>
<p dir="ltr">If you code requires a direct dependency (rather then an optional dependency) of some non integrated project, then your stuck until they are.<br></p><p dir="ltr"><br>
><br>
> >><br>
> >> == Call To Action ==<br>
> >><br>
> >> What do you think of this approach to satisfy a balance of interests? Everything remains the same for OpenStack projects, and Stackforge projects get a new feature that allows them to require software that has not yet been integrated. Are there even better options that we should consider?<br>
> >><br>
> >> Thanks,<br>
> >><br>
> >> Adrian Otto<br>
> >><br>
> >><br>
> >> References:<br>
> >> [1] <a href="https://review.openstack.org/openstack/requirements" target="_blank">https://review.openstack.org/openstack/requirements</a><br>
> ><br>
> > For what it is worth the Infra team has also been looking at<br>
> > potentially using something like bandersnatch to mirror all of pypi<br>
> > which is now a possibility because OpenStack doesn't depend on<br>
> > packages that are hosted external to pypi. We would then do<br>
> > requirements enforcement via checks rather than explicit use of a<br>
> > restricted mirror. There are some things to sort out like platform<br>
> > dependent wheels (I am not sure that any OpenStack project directly<br>
> > consumes these but I have found them to be quite handy) and the<br>
> > potential need for more enforcement to keep this working, but I think<br>
> > this is a possibility.<br>
><br>
> This would be neat.<br>
><br>
> - -Angus<br>
><br>
> ><br>
> > Clark<br>
> ><br>
> > [2] <a href="https://git.openstack.org/cgit/openstack-infra/config/tree/modules/openstack_project/files/slave_scripts/select-mirror.sh#n54" target="_blank">https://git.openstack.org/cgit/openstack-infra/config/tree/modules/openstack_project/files/slave_scripts/select-mirror.sh#n54</a><br>
> ><br>
> > _______________________________________________<br>
> > OpenStack-dev mailing list<br>
> > <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
> ><br>
><br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v1<br>
> Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
><br>
> iQEcBAEBAgAGBQJTq4A7AAoJEFrDYBLxZjWo51UH/1MoUNlFkWErEjHWmmXEB3dK<br>
> iLkf+kanOPoy6lB1F8n7sYTnniylS6+jHqikHtxNb53vyfP1qwVuMvh44HrgHoSm<br>
> 3Z/d08dF8T0yI0y2WUmCfuDvrzWFqkxf99zve/R7JHZane2vCfUK3vJYDyV+75sY<br>
> jBUo6vMh51l91vf1wDFfIw6AltqMLGnuGaul6GS0ALx2T3Glr6OQwfXbKDxGB1eJ<br>
> L3EOzeW4Qn8TkabW8Z+zl1d9nnNiKWeUs7rk+hOAR3LPO2smxLStsKKRSJrjnrU0<br>
> ri62fl93q3QQ+E2ATBc74hQWxQBoYKiiPNhJ4iUSrAx44Adn0n5jQy0k5y34Kj8=<br>
> =tVqv<br>
> -----END PGP SIGNATURE-----<br>
><br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/</a></p>
</div>