cisagov / ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate user certificates against FreeIPA.
Creative Commons Zero v1.0 Universal

Fix pip failure on Debian Bookworm #70

Closed jsf9k closed 1 year ago

jsf9k commented 1 year ago

🗣 Description

This pull request:

  1. Removes a vars file specific to Ubuntu Xenial
  2. Modifies the role to install system packages vice pip packages where possible
  3. Adds a CLI argument to pip to fix broken builds on Debian Bookworm

💭 Motivation and context

  1. We no longer support Ubuntu Xenial as it is EOL.
  2. On Debian-based systems, newer versions of pip balk at installing pip packages under the system Python, as pip now (correctly) regards the system Python as "externally managed". In general, it is better to install system packages against the system Python wherever possible.
  3. This Ansible role requires the installation of one pip package, since there is no system package available. In order to do this on Debian Bookworm we must insist via a CLI argument that pip install the package against the system Python, contrary to pip's better judgement.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

jsf9k commented 1 year ago

What does @cisagov/team-ois think about creating an issue to get rid of the srvlookup dependency, so that we are no longer installing pip packages under the system python? I think it is a good idea.

dav3r commented 1 year ago

What does @cisagov/team-ois think about creating an issue to get rid of the srvlookup dependency, so that we are no longer installing pip packages under the system python? I think it is a good idea.

I'm all for it. If we think of reasons why this is a bad idea, they can be discussed in that issue.

jsf9k commented 1 year ago

What does @cisagov/team-ois think about creating an issue to get rid of the srvlookup dependency, so that we are no longer installing pip packages under the system python? I think it is a good idea.

I'm all for it. If we think of reasons why this is a bad idea, they can be discussed in that issue.

See #71 and commit d43d19c.

mcdonnnj commented 1 year ago

What does @cisagov/team-ois think about creating an issue to get rid of the srvlookup dependency, so that we are no longer installing pip packages under the system python? I think it is a good idea.

I'm all for it. If we think of reasons why this is a bad idea, they can be discussed in that issue.

See #71 and commit d43d19c.

Commenting here to tie it together (commented on the issue already) but I think we should explore using pipx as this problem will be a recurrent thing when Debian Bookworm officially releases later this year (2023). Playing whack-a-mole with specific dependencies is not a long term solution in my opinion. I think using Python virtual environments directly or installing with pipx are better solutions to pursue.

jsf9k commented 1 year ago

What does @cisagov/team-ois think about creating an issue to get rid of the srvlookup dependency, so that we are no longer installing pip packages under the system python? I think it is a good idea.

I'm all for it. If we think of reasons why this is a bad idea, they can be discussed in that issue.

See #71 and commit d43d19c.

Commenting here to tie it together (commented on the issue already) but I think we should explore using pipx as this problem will be a recurrent thing when Debian Bookworm officially releases later this year (2023). Playing whack-a-mole with specific dependencies is not a long term solution in my opinion. I think using Python virtual environments directly or installing with pipx are better solutions to pursue.

Noted. At the same time, this Ansible role is broken today and this PR remedies that. In addition, getting rid of pip installs on the system Python is a good thing to do even if you end up using pipx, Rid-X, etc. down the line.

mcdonnnj commented 1 year ago

What does @cisagov/team-ois think about creating an issue to get rid of the srvlookup dependency, so that we are no longer installing pip packages under the system python? I think it is a good idea.

I'm all for it. If we think of reasons why this is a bad idea, they can be discussed in that issue.

See #71 and commit d43d19c.

Commenting here to tie it together (commented on the issue already) but I think we should explore using pipx as this problem will be a recurrent thing when Debian Bookworm officially releases later this year (2023). Playing whack-a-mole with specific dependencies is not a long term solution in my opinion. I think using Python virtual environments directly or installing with pipx are better solutions to pursue.

Noted. At the same time, this Ansible role is broken today and this PR remedies that. In addition, getting rid of pip installs on the system Python is a good thing to do no matter what you end up doing down the line (pipx, Rid-X, etc.).

Oh yeah I'm totally fine with this PR to get things going now. I'm simply talking about ways to long-term resolve this problem.
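
The "externally managed" refusal mentioned in the PR description is the PEP 668 mechanism: the distribution places an `EXTERNALLY-MANAGED` marker file in the system interpreter's stdlib directory, and pip declines to install there unless it is running inside a virtual environment. The following is an added example, not code from this role or PR: it detects the marker and plans an install that prefers a system package and otherwise falls back to an isolated virtual environment, as suggested in the thread. The venv path `/opt/example-venv` and the package name `python3-example` are assumptions made for illustration.

```python
import sys
import sysconfig
from pathlib import Path

MARKER = "EXTERNALLY-MANAGED"  # marker file name defined by PEP 668


def in_virtualenv() -> bool:
    """True when the running interpreter belongs to a virtual environment."""
    return sys.prefix != sys.base_prefix


def is_externally_managed(stdlib_dir=None) -> bool:
    """True when the PEP 668 marker file sits in the stdlib directory."""
    stdlib = Path(stdlib_dir or sysconfig.get_path("stdlib"))
    return (stdlib / MARKER).is_file()


def install_plan(package, system_package=None, stdlib_dir=None,
                 venv_dir="/opt/example-venv", in_venv=None):
    """Return the commands (argv lists) that install `package`.

    Order of preference: distro package, plain pip where nothing forbids it,
    otherwise a dedicated virtual environment instead of overriding pip.
    """
    if in_venv is None:
        in_venv = in_virtualenv()
    if system_package:
        # A distro package exists: let the package manager own the files.
        return [["apt-get", "install", "--yes", system_package]]
    if in_venv or not is_externally_managed(stdlib_dir):
        # Inside a venv, or on a system without the marker, pip is allowed.
        return [[sys.executable, "-m", "pip", "install", package]]
    # Marked system Python and no distro package: isolate the dependency.
    venv_python = str(Path(venv_dir) / "bin" / "python")
    return [
        [sys.executable, "-m", "venv", str(venv_dir)],
        [venv_python, "-m", "pip", "install", package],
    ]


if __name__ == "__main__":
    # srvlookup is the pip-only dependency discussed in the thread.
    print("marker present:", is_externally_managed())
    for argv in install_plan("srvlookup"):
        print(" ".join(argv))
    # python3-example is a hypothetical distro package name.
    print(install_plan("example", system_package="python3-example"))
```

Anything that imports the package must then be run with the virtual environment's interpreter rather than the system one.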