Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Distroless python sdk #32960

Merged
merged 12 commits into from
Nov 6, 2024
Merged

Conversation

damondouglas
Copy link
Contributor

@damondouglas damondouglas commented Oct 29, 2024

Addresses #32817 adding Python SDK (non-ML) distroless variants.

Latest vulnerability report

Expand for more details:

image

Testing

Prior to submitting this PR, ran:

./gradlew :sdks:python:test-suites:dataflow:py311:validatesDistrolessContainer -PpythonVersion=3.11
Expand for more detail:
> Task :sdks:python:test-suites:dataflow:py311:validatesDistrolessContainer
============================= test session starts ==============================
platform linux -- Python 3.11.9, pytest-7.4.4, pluggy-1.5.0
rootdir: /usr/local/google/home/damondouglas/projects/distroless-python-sdk/sdks/python
configfile: pytest.ini
plugins: xdist-3.6.1, hypothesis-6.116.0, timeout-2.3.1, requests-mock-1.12.1
timeout: 600.0s
timeout method: signal
timeout func_only: False
collected 1 item

apache_beam/examples/wordcount_it_test.py .                              [100%]

======================== 1 passed in 306.46s (0:05:06) =========================

image

------------------------

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

  • Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
  • Update CHANGES.md with noteworthy changes.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

Build python source distribution and wheels
Python tests
Java tests
Go tests

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.

sdks/python/container/Dockerfile Outdated Show resolved Hide resolved
sdks/python/test-suites/dataflow/common.gradle Outdated Show resolved Hide resolved
sdks/python/test-suites/dataflow/build.gradle Outdated Show resolved Hide resolved
@github-actions github-actions bot removed the build label Oct 31, 2024
@damondouglas damondouglas marked this pull request as ready for review November 2, 2024 01:33
Copy link
Contributor

github-actions bot commented Nov 2, 2024

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @liferoad for label python.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

Copy link
Contributor

@Abacn Abacn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this is a good start. Note that the current change does not enter new automatically ran workflows. Could consider add a "beam_PostCommit_Python_ValidatesContainer_Dataflow_Distroless.yml" GitHub Action workflow, or just create another job running distroless containers in the existing "beam_PostCommit_Python_ValidatesContainer_Dataflow.yml" workflow

def repository = "us.gcr.io/apache-beam-testing/${System.getenv('USER')}"
def tag = java.time.Instant.now().getEpochSecond()
def imageURL = "${repository}/beam_python${project.ext.pythonVersion}_sdk_${buildTarget}:${tag}"
project.rootProject.ext['docker-repository-root'] = repository
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overwriting root properties may have surprising effect, saying if one creates another task that produces container sequentially,

  • py39
  • py39-distroless
  • py310
  • py310-distroless

Could it happen that py39-distroless invocation affects the configurations for the py310 target? If so is there a way to avoid it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Abacn , thank you for meeting with me a couple days back. I realized that having separate py<version>-distroless gradle projects could be avoided with the logic introduced in container/common.gradle by querying the container-build-target property. Thus, there is no py<version>-distroless. The description has a screenshot in the collapsed markdown of the Dataflow Job that succeeded with the validatesDistrolessContainer task. I don't have the means while currently on vacation to test again but I (mostly) remember that the tag is needed to be set on the rootProject level to work. validatesDistrolessContainer should not interfere with other tasks and these properties should only be set when the task executes, not when it is configured.

@damondouglas
Copy link
Contributor Author

Thanks, this is a good start. Note that the current change does not enter new automatically ran workflows. Could consider add a "beam_PostCommit_Python_ValidatesContainer_Dataflow_Distroless.yml" GitHub Action workflow, or just create another job running distroless containers in the existing "beam_PostCommit_Python_ValidatesContainer_Dataflow.yml" workflow

Thank @Abacn , the GitHub Action workflow will be addressed in #33003. The goal of this PR is to make backward compatible changes to existing Python container-related Dockerfile and related gradle tasks. Could you let me know if adding the workflow is important to your review of this PR and I can do so when I return from vacation in a couple weeks?

Copy link
Contributor

@Abacn Abacn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the clarifications. This looks good to me. I understand this is currently an no-op to workflow as both test workflow and push docker image to dockerhub are pending. Defer to you for the timeline to merge

@damondouglas damondouglas merged commit 81f35ab into apache:master Nov 6, 2024
94 checks passed
@damondouglas damondouglas deleted the distroless-python-sdk branch November 6, 2024 20:06
shunping added a commit to shunping/beam that referenced this pull request Nov 12, 2024
Abacn added a commit that referenced this pull request Nov 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants