-
-
Notifications
You must be signed in to change notification settings - Fork 636
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Harden PATH setting in pex runs #9760
Comments
This also manifests here: Lines 35 to 50 in e328b58
... so this relates to #7735. |
Hi @stuhood I have the global config below:
By one way or another, Python (v3.7.3) was installed on my Mac along with Xcode, with limited permissions (
First case
When I run some commands, I am receiving a “Permission Denied” and the logs show explicitly that this Xcode Python is being used instead of the Pyenv one.
Second case
This forces to choose the pyenv interpreter, but as mentioned there, we run into another issue because some of the console tools are out of scope. Third case I tried to tune the I ended-up tightening the constraints to |
Thanks @etiennedupont : agreed that this is a problem. I think that we should prioritize this before 2.0. How I think that we will tackle this will be to have Platform/Environment specific |
I'm about ready to begin implementation here. A sketch of what I'm thinking: The ability to adjust the PATH (filtering) for a process will be a fairly universal thing, and a global default for processes is likely. But it will likely also be necessary to adjust this on a So, will:
|
Ok, the current state of this is that I've mostly completed (1) and (2), and decided that the most likely path forward is for this to be a PATH filter. Implementing this as a filter will mean that the rust
Finally, point 3 is OK as a followup: if people can configure global PATH filters now, we can migrate toward having scoped configuration later (similar to #7735 later introducing environment-specific filters). I have to switch to other things, but this remains important for the alpha, so I'll resume early next week I hope. |
As an alternate idea late to the game: Currently we do this as you pointed out:
That's unfortunate though since Pex natively supports specifying an alternate interpreter search path in its API (but not in its CLI): I think it makes perfect sense to support specifying a custom interpreter search path at least for the PEX runtime side of things 1st class in PEX since, independent of Pants, any PEX might contain code that shells out and thus wants to separate its interpreter selection search at boot time from its ambient PATH at runtime. |
Talked with Stu about the above offline, but the short is that we do need filtering of PATH per Process, this is still too coarse a knob for PEX runtime interpreter selection in any case where the PEX user code needs access to the unadulterated PATH to find its own tools to use. I've filed pex-tool/pex#1012 over in Pex to add this feature which will allow fixing the PEX runtime case completely leaving Stu's more general PATH filtering work to stand for general Process execution control. |
One big thing I was missing is that pants/src/python/pants/python/python_setup.py Lines 178 to 205 in e328b58
|
I think that @jsirois 's current tack on this is sufficient to resolve the issue for alpha. |
Previously we used PATH to steer interpreter selection for hermetic PEX bootstrap and runtime. This led to fragile or impossible to solve setups. Switch to using PEX_PYTHON_PATH to both discover a bootstrap interpreter and steer runtime interpreter selection. Introduce a find_binary rule to facilitate this that uses ~portable bash for now. Also introduce a PexRuntimeEnvironment to steer bootstrap interpreter probing and allow specification of the PATH that should be exposed to the PEX runtime environment. Fixes pantsbuild#9760 # Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
Previously, `--python-setup-interpreter-search-paths` would be used both to find Python interpreters and to set the $PATH for the running PEX subprocess. This resulted in many awkward/impossible set ups. Switch to using PEX_PYTHON_PATH to both discover a bootstrap interpreter and steer runtime interpreter selection. Introduce a find_binary rule to facilitate this that uses ~portable bash for now. Also introduce a PexRuntimeEnvironment to steer bootstrap interpreter probing and allow specification of the PATH that should be exposed to the PEX runtime environment. Fixes #9760. [ci skip-rust] [ci skip-build-wheels]
Opened #10526 with some followup. |
…0858) ### Problem The first error in #10855 is that when we search a search path which does not include `bash`, lookups fail silently because the discovery script fails to start. The usecase described on #9760 (setting `interpreter_search_path=["<PYENV>"]`) is one example where `bash` will not be present. ### Solution Recurse to locate an absolute path for `bash` before using `bash`. Additionally, change the "discovery" portion of `BinaryPaths` from `FallibleProcessResult` to `ProcessResult` to fail more quickly in cases where discovery errors, as opposed to succeeding with an empty result. ### Result The added test passes, and the usecase from #9760 works on my machine. [ci skip-rust] [ci skip-build-wheels]
The
interpreter_search_paths
can be used to adjust wherePEX
will go hunting for pythons.But when trying to adjust the setting, it is not currently possible to "remove" the PATH from
interpreter_search_paths
. The following:... fails under v2 because this line:
pants/src/python/pants/backend/python/rules/hermetic_pex.py
Line 53 in e328b58
...ends up relying on the presence of the default
PATH
entry frominterpreter_search_paths
... completely clearing the list results in not being able to find tools used by the shims (bash
,sed
,cut
, etc), but also in not being able to find system headers.The following does work:
... but is repository specific: i.e., it's not a good idea to install something like this globally, as it might override per-repo defaults.
In short: we need to decouple setting the PATH in executions from how
PEX
chooses interpreters.The text was updated successfully, but these errors were encountered: