
Pin versions of our main top-level libraries #28

Merged
merged 1 commit into from
Feb 14, 2018

Conversation


@samuelhwilliams samuelhwilliams commented Feb 13, 2018

Summary

Pin the versions of our main libraries so that we don't accidentally do a major/minor upgrade that breaks our deploys. I've taken these versions from what is currently installed in the latest frontend docker image. Also clarifies that we are using pip3/python3 to install uwsgi/awscli. I looked into upgrading Supervisor to Python3 and while it seems it is mostly compatible, they haven't explicitly released version 4.0.0 that comes with official support, so leaving it as-is for now. Supervisor/supervisor#510

root@556a0412-e832-4ac3-41c9-68e7:/# /usr/local/bin/pip list
DEPRECATION: The default format will switch to columns in the future. You can use --format=(legacy|columns) (or define a format=(legacy|columns) in your pip.conf under the [list] section) to disable this warning.
awscli (1.14.31)
awscli-cwlogs (1.4.4)
botocore (1.8.35)
colorama (0.3.7)
docutils (0.14)
jmespath (0.9.3)
pip (9.0.1)
pyasn1 (0.4.2)
python-dateutil (2.6.1)
PyYAML (3.12)
rsa (3.4.2)
s3transfer (0.1.12)
setuptools (38.2.4)
six (1.11.0)
uWSGI (2.0.15)
wheel (0.30.0)

Dependencies of these libraries are still not pinned, so theoretically things could still break, but at least it's a lot less likely.

Ticket

https://trello.com/c/Y6H3QWlM/315-uwsgi-version-should-be-pinned
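The description notes that only the four top-level packages are pinned while their dependencies still float. As an added example (not code from this repository), here is a small checker that parses the legacy `pip list` output format shown above, reads the `*_VERSION` pins from a Dockerfile, and reports both drift between the two and installed packages that carry no pin at all. Both samples are constructed: awscli is set one release behind on purpose, and supervisor shows up as unresolved because it is installed by the python2.7 pip rather than pip3.

```python
import re

# Constructed sample in the legacy `pip list` layout quoted in the PR description.
PIP_LIST_LEGACY = """\
DEPRECATION: The default format will switch to columns in the future.
awscli (1.14.31)
awscli-cwlogs (1.4.4)
botocore (1.8.35)
uWSGI (2.0.15)
"""

# Constructed Dockerfile fragment; awscli is deliberately one release behind.
DOCKERFILE_ENV = """\
ENV SUPERVISOR_VERSION 3.3.3
ENV UWSGI_VERSION 2.0.15
ENV AWSCLI_VERSION 1.14.30
ENV AWSCLI_CWLOGS_VERSION 1.4.4
"""

_LEGACY_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*) \(([^)]+)\)$")
_ENV_LINE = re.compile(r"^ENV\s+([A-Z0-9_]+)_VERSION\s+(\S+)$")

def normalize(name):
    """PEP 503 normalisation so 'uWSGI' and the ENV stem 'UWSGI' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _scan(text, pattern):
    """Collect {normalised name: version} from every line matching pattern."""
    pins = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:  # non-matching lines (the DEPRECATION warning, blanks) are skipped
            pins[normalize(m.group(1))] = m.group(2)
    return pins

def parse_pip_list(text):
    return _scan(text, _LEGACY_LINE)

def env_pins(dockerfile):
    return _scan(dockerfile, _ENV_LINE)

def drift(declared, installed):
    """ENV pins whose installed version differs (None: not in this interpreter's pip)."""
    return {n: (v, installed.get(n)) for n, v in declared.items() if installed.get(n) != v}

def unpinned_transitive(declared, installed):
    """Installed packages with no ENV pin: the gap the PR description mentions."""
    return sorted(set(installed) - set(declared))
```

Run against the real `pip list` output of the frontend image, the unpinned list is exactly what a future rebuild could silently change.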


@Wynndow Wynndow left a comment


If we're doing this, should we be specifying versions for the debian packages we're pulling with apt-get?

@samuelhwilliams

Maybe. Although this ticket is just about the uwsgi version, which I extended to our python libs. If we think it's important to also pin our other dependencies, I might make a new ticket for that.


@Wynndow Wynndow left a comment


Yeah, maybe another ticket. On the other hand, if we pin the versions, how do we ever get/become aware of security updates to those packages?

@samuelhwilliams

That's certainly a far wider issue, yes...

/usr/bin/python2.7 /usr/bin/pip install supervisor==3.3.3 && \
pip install --no-cache-dir uwsgi awscli awscli-cwlogs && \
/usr/bin/python2.7 /usr/bin/pip install supervisor==${SUPERVISOR_VERSION} && \
/usr/local/bin/pip3 install --no-cache-dir uwsgi==${UWSGI_VERSION} awscli==${AWSCLI_VERSION} awscli-cwlogs==${AWSCLI_CWLOGS_VERSION} && \
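Review bot: the `==` pins on the new pip3 line cover only the four top-level packages; the `pip list` output in the description shows botocore, s3transfer, rsa and PyYAML pulled in transitively with no pin, so a rebuild can still resolve a different tree. Consider installing from a requirements file generated from that listing (`pip3 install --no-cache-dir -r requirements.txt`), optionally with `--require-hashes` so the downloaded artefacts are verified, rather than pinning inline. A one-line comment in the Dockerfile that supervisor deliberately stays on the python2.7 pip while everything else moves to pip3 would also help, since the two interpreters keep separate site-packages and a reader can easily assume the mixed interpreters are a mistake.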


Is it used mostly when we deploy code, or in development environments, too?

Contributor Author

This is primarily for deployed applications, although you can use the docker containers locally as well.


Ok, cheers ☺️

@CrystalPea

We could use a tool to check if our dependencies have security issues in their current versions, for example this one:
https://hub.docker.com/r/owasp/dependency-check/


samuelhwilliams commented Feb 13, 2018

@CrystalPea Definitely, we should have some sort of thorough dependency-checker for our docker containers. Would need to add a tech debt ticket if we don't already have one. 😄

Edit: We have one already! https://trello.com/c/ZXPjYFE8/322

@samuelhwilliams samuelhwilliams merged commit f4f33a6 into master Feb 14, 2018
@samuelhwilliams samuelhwilliams deleted the shw-pin-lib-versions branch February 14, 2018 10:41
ENV SUPERVISOR_VERSION 3.3.3
ENV UWSGI_VERSION 2.0.15
ENV AWSCLI_VERSION 1.14.31
ENV AWSCLI_CWLOGS_VERSION 1.4.4
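Review bot: these four values are declared with `ENV`, so they persist into every running container and any child image rather than existing only at build time; `ARG` keeps them build-scoped and lets CI override a single version for a rebuild (for example after a security advisory) without editing the Dockerfile. Given the question earlier in the thread about how pinned packages pick up security updates, a short comment beside these lines saying where and how often the pins are expected to be refreshed would make the trade-off explicit.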
@samuelhwilliams samuelhwilliams Feb 14, 2018


Something in this section, unbelievably (to me at least), has broken this... 😕 Investigating which one in particular...
