awx/requirements/README.md

# Dependency Management

The `requirements.txt` and `requirements_ansible.txt` files are generated from `requirements.in` and `requirements_ansible.in`, respectively, using `pip-tools` `pip-compile`.

## How To Use

Commands should from inside `./requirements` directory of the awx repository.

Make sure you have `patch, awk, python3, python2, python3-venv, python2-virtualenv, pip2, pip3` installed. The development container image should have all these.

### Upgrading or Adding Select Libraries

If you need to add or upgrade one targeted library, then modify `requirements.in`,
then run the script:

`./updater.sh`

#### Upgrading Unpinned Dependency

If you require a new version of a dependency that does not have a pinned version
for a fix or feature, pin a minimum version and run `./updater.sh`. For example,
replace the line `asgi-amqp` with `asgi-amqp>=1.1.4`, and consider leaving a
note.

Then next time that a general upgrade is performed, the minimum version specifiers
can be removed, because `*.txt` files are upgraded to latest.

### Upgrading Dependencies

You can upgrade (`pip-compile --upgrade`) the dependencies by running

`./updater.sh upgrade`.

## What The Script Does

This script will:

  - Update `requirements.txt` based on `requirements.in`
  - Update/generate `requirements_ansible.txt` based on `requirements_ansible.in`
    - including an automated patch that adds `python_version < "3"` for Python 2 backward compatibility
  - Removes the `docutils` dependency line from `requirements.txt` and `requirements_ansible.txt`


## Licenses and Source Files

If any library has a change to its license with the upgrade, then the license for that library
inside of `docs/licenses` needs to be updated.

For libraries that have source distribution requirements (LGPL as an example),
a tarball of the library is kept along with the license.
To download the PyPI tarball, you can run this command:

```
pip download <pypi library name> -d docs/licenses/ --no-binary :all: --no-deps
```

Make sure to delete the old tarball if it is an upgrade.

## UPGRADE BLOCKERs

Anything pinned in `*.in` files involves additional manual work in
order to upgrade. Some information related to that work is outlined here.

### django

For any upgrade of Django, it must be confirmed that
we don't regress on FIPS support before merging.

See internal integration test knowledge base article `how_to_test_FIPS`
for instructions.

If operating in a FIPS environment, `hashlib.md5()` will raise a `ValueError`,
but will support the `usedforsecurity` keyword on RHEL and Centos systems.

Keep an eye on https://code.djangoproject.com/ticket/28401

The override of `names_digest` could easily be broken in a future version.
Check that the import remains the same in the desired version.

https://github.com/django/django/blob/af5ec222ccd24e81f9fec6c34836a4e503e7ccf7/django/db/backends/base/schema.py#L7

### social-auth-app-django

django-social keeps a list of backends in memory that it gathers
based on the value of `settings.AUTHENTICATION_BACKENDS` *at import time*:
https://github.com/python-social-auth/social-app-django/blob/c1e2795b00b753d58a81fa6a0261d8dae1d9c73d/social_django/utils.py#L13

Our `settings.AUTHENTICATION_BACKENDS` can *change*
dynamically as Tower settings are changed (i.e., if somebody
configures Github OAuth2 integration), so we need to
_overwrite_ this in-memory value at the top of every request so
that we have the latest version
see: https://github.com/ansible/tower/issues/1979

### django-oauth-toolkit

Version 1.2.0 of this project has a bug that error when revoking tokens.
This is fixed in the master branch but is not yet released.

When upgrading past 1.2.0 in the future, the `0025` migration needs to be
edited, just like the old migration was edited in the project:
https://github.com/jazzband/django-oauth-toolkit/commit/96538876d0d7ea0319ba5286f9bde842a906e1c5
The field can simply have the validator method `validate_uris` removed.

### azure-keyvault

Upgrading to 4.0.0 causes error because imports changed.

```
  File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/main/credential_plugins/azure_kv.py", line 4, in <module>
  from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
ImportError: cannot import name 'KeyVaultClient'
```

### slackclient

Imports as used in `awx/main/notifications/slack_backend.py` changed
in version 2.0. This plugin code will need to change and be re-tested
as the upgrade takes place.

### django-jsonfield

Instead of calling a `loads()` operation, the returned value is casted into
a string in some cases, introduced in the change:

https://github.com/adamchainz/django-jsonfield/pull/14

This breaks a very large amount of AWX code that assumes these fields
are returned as dicts. Upgrading this library will require a refactor
to accomidate this change.

### pip and setuptools

The offline installer needs to have functionality confirmed before upgrading these.
Versions need to match the versions used in the pip bootstrapping step
in the top-level Makefile.

## Library Notes

### requests-futures

This can be removed when a solution for the external log queuing is ready.
https://github.com/ansible/awx/pull/5092

### asgi-amqp

This library is not compatible with channels 2 and is not expected
to become so. This drives other pins in the requirements file.
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00			`# Dependency Management`

Add pip-compile updater.sh script Signed-off-by: github.com/clushie <47661139+clushie@users.noreply.github.com> 2019-06-28 12:36:06 +03:00			The `requirements.txt` and `requirements_ansible.txt` files are generated from `requirements.in` and `requirements_ansible.in`, respectively, using `pip-tools` `pip-compile`.
uninstall certifi if installed in venv's 2016-12-14 17:53:24 +03:00
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00			`## How To Use`

			Commands should from inside `./requirements` directory of the awx repository.

			Make sure you have `patch, awk, python3, python2, python3-venv, python2-virtualenv, pip2, pip3` installed. The development container image should have all these.

			`### Upgrading or Adding Select Libraries`

			If you need to add or upgrade one targeted library, then modify `requirements.in`,
			`then run the script:`

			`./updater.sh`
Dependency Updates * Dynamic Inventory Source Template against ansible 2.3 dynamic inventory sources. The major change is removal of `rax.py`. Most upstream scripts except `foreman.py` has quite trivial coding style changes, or minor functional extensions that does not affect Tower inventory update runs. `foreman.py`, on the other hand, went through quite a major refactoring, but functionalities stay the same. Major python dependency updates include apache-libcloud (1.3.0 --> 2.0.0), boto (2.45.0 --> 2.46.1) and shade (1.19.0 --> 1.20.0). Minor python dependency updates include indirect updates via `pip-compile`, which are determined by base dependencies. Some minor `task.py` extensions: - `.ini` file for ec2 has one more field `stack_filter=False`, which reveals changes in `ec2.py`. - `.ini` file for cloudforms will catch these four options from `source_vars_dict` of inventory update: `'version', 'purge_actions', 'clean_group_keys', 'nest_tags'`. These four options have always been available in `cloudforms.py` but `cloudforms.ini.example` has not mentioned them until the latest version. For consistency with upstream docs, we should make these fields available for tower user to customize. - YAML file of openstack will catch ansible options `use_hostnames`, `expand_hostvars` and `fail_on_errors` from `source_vars_dict` of inventory update as a response to issue #6075. * Remove Rackspace support Supports of Rackspace as both a dynamic inventory source and a cloud credential are fully removed. Data migrations have been added to support arbitrary credential types feature and delete rackspace inventory sources. Note also requirement `jsonschema` has been moved from `requirements.txt` to `requirements.in` as a primary dependency to reflect it's usage in `/main/fields.py`. Connected issue: #6080. * `pexpect` major update `pexpect` stands at the very core of our task system and underwent a major update from 3.1 to 4.2.1. Although verified during devel, please still be mindful of any suspicious issues on celery side even after this PR gets merged. * Miscellaneous - requests now explicitly declared in `requirements.in` at version 2.11.1 in response to upstream issue - celery: 3.1.17 -> 3.1.25 - django-extensions: 1.7.4 -> 1.7.8 - django-polymorphic: 0.7.2 -> 1.2 - django-split-settings: 0.2.2 -> 0.2.5 - django-taggit: 0.21.3 -> 0.22.1 - irc: 15.0.4 -> 15.1.1 - pygerduty: 0.35.1 -> 0.35.2 - pyOpenSSL: 16.2.0 -> 17.0.0 - python-saml: 2.2.0 -> 2.2.1 - redbaron: 0.6.2 -> 0.6.3 - slackclient: 1.0.2 -> 1.0.5 - tacacs_plus: 0.1 -> 0.2 - xmltodict: 0.10.2 -> 0.11.0 - pip: 8.1.2 -> 9.0.1 - setuptools: 23.0.0 -> 35.0.2 - (requirements_ansible.in only)kombu: 3.0.35 -> 3.0.37 2017-04-20 23:47:53 +03:00
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00			`#### Upgrading Unpinned Dependency`
uninstall certifi if installed in venv's 2016-12-14 17:53:24 +03:00
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00			`If you require a new version of a dependency that does not have a pinned version`
			for a fix or feature, pin a minimum version and run `./updater.sh`. For example,
			replace the line `asgi-amqp` with `asgi-amqp>=1.1.4`, and consider leaving a
			`note.`

			`Then next time that a general upgrade is performed, the minimum version specifiers`
			can be removed, because `*.txt` files are upgraded to latest.

			`### Upgrading Dependencies`

			You can upgrade (`pip-compile --upgrade`) the dependencies by running

			`./updater.sh upgrade`.

			`## What The Script Does`
Add notes for ./upgrade.sh 2019-11-21 23:51:45 +03:00
Add pip-compile updater.sh script Signed-off-by: github.com/clushie <47661139+clushie@users.noreply.github.com> 2019-06-28 12:36:06 +03:00			`This script will:`
Add note for docutils, unpin runner dependency 2019-05-09 23:34:37 +03:00
Add pip-compile updater.sh script Signed-off-by: github.com/clushie <47661139+clushie@users.noreply.github.com> 2019-06-28 12:36:06 +03:00			- Update `requirements.txt` based on `requirements.in`
			- Update/generate `requirements_ansible.txt` based on `requirements_ansible.in`
			- including an automated patch that adds `python_version < "3"` for Python 2 backward compatibility
			- Removes the `docutils` dependency line from `requirements.txt` and `requirements_ansible.txt`
uninstall certifi if installed in venv's 2016-12-14 17:53:24 +03:00
General upgrade of dependencies Update licenses for new versions after dependency upgrades pin pycurl to version that does not break on install implement new workflow for py2/3 requirements management require twisted tls extras, resolve service-identity version Upgrade celery to resolve importlib DeprecationWarning use flags to resolve the unsafe and cache problems 2019-04-11 17:49:00 +03:00
			`## Licenses and Source Files`

			`If any library has a change to its license with the upgrade, then the license for that library`
			inside of `docs/licenses` needs to be updated.

			`For libraries that have source distribution requirements (LGPL as an example),`
			`a tarball of the library is kept along with the license.`
			`To download the PyPI tarball, you can run this command:`

			```
			`pip download <pypi library name> -d docs/licenses/ --no-binary :all: --no-deps`
			```
uninstall certifi if installed in venv's 2016-12-14 17:53:24 +03:00
General upgrade of dependencies Update licenses for new versions after dependency upgrades pin pycurl to version that does not break on install implement new workflow for py2/3 requirements management require twisted tls extras, resolve service-identity version Upgrade celery to resolve importlib DeprecationWarning use flags to resolve the unsafe and cache problems 2019-04-11 17:49:00 +03:00			`Make sure to delete the old tarball if it is an upgrade.`
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00
			`## UPGRADE BLOCKERs`

			Anything pinned in `*.in` files involves additional manual work in
			`order to upgrade. Some information related to that work is outlined here.`

			`### django`

			`For any upgrade of Django, it must be confirmed that`
			`we don't regress on FIPS support before merging.`

			See internal integration test knowledge base article `how_to_test_FIPS`
			`for instructions.`

			If operating in a FIPS environment, `hashlib.md5()` will raise a `ValueError`,
			but will support the `usedforsecurity` keyword on RHEL and Centos systems.

			`Keep an eye on https://code.djangoproject.com/ticket/28401`

			The override of `names_digest` could easily be broken in a future version.
			`Check that the import remains the same in the desired version.`

			`https://github.com/django/django/blob/af5ec222ccd24e81f9fec6c34836a4e503e7ccf7/django/db/backends/base/schema.py#L7`

			`### social-auth-app-django`

			`django-social keeps a list of backends in memory that it gathers`
			based on the value of `settings.AUTHENTICATION_BACKENDS` at import time:
			`https://github.com/python-social-auth/social-app-django/blob/c1e2795b00b753d58a81fa6a0261d8dae1d9c73d/social_django/utils.py#L13`

			Our `settings.AUTHENTICATION_BACKENDS` can change
			`dynamically as Tower settings are changed (i.e., if somebody`
			`configures Github OAuth2 integration), so we need to`
			`_overwrite_ this in-memory value at the top of every request so`
			`that we have the latest version`
			`see: https://github.com/ansible/tower/issues/1979`

			`### django-oauth-toolkit`

			`Version 1.2.0 of this project has a bug that error when revoking tokens.`
			`This is fixed in the master branch but is not yet released.`

			When upgrading past 1.2.0 in the future, the `0025` migration needs to be
			`edited, just like the old migration was edited in the project:`
			`https://github.com/jazzband/django-oauth-toolkit/commit/96538876d0d7ea0319ba5286f9bde842a906e1c5`
			The field can simply have the validator method `validate_uris` removed.

			`### azure-keyvault`

			`Upgrading to 4.0.0 causes error because imports changed.`

			```
			`File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/main/credential_plugins/azure_kv.py", line 4, in <module>`
			`from azure.keyvault import KeyVaultClient, KeyVaultAuthentication`
			`ImportError: cannot import name 'KeyVaultClient'`
			```

			`### slackclient`

			Imports as used in `awx/main/notifications/slack_backend.py` changed
			`in version 2.0. This plugin code will need to change and be re-tested`
			`as the upgrade takes place.`

			`### django-jsonfield`

			Instead of calling a `loads()` operation, the returned value is casted into
			`a string in some cases, introduced in the change:`

			`https://github.com/adamchainz/django-jsonfield/pull/14`

			`This breaks a very large amount of AWX code that assumes these fields`
			`are returned as dicts. Upgrading this library will require a refactor`
			`to accomidate this change.`

Get rid of hacks to simplify process Remove poetry and wheel from bootstrap installs Cleanup some docs around them 2019-12-18 21:22:20 +03:00			`### pip and setuptools`
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00
			`The offline installer needs to have functionality confirmed before upgrading these.`
Attempts to simplify build environment Remove build isolation flag Do not use --ignore-installed for any pip install commands Add Makefile comments do not use system site packages for awx venv Consolidate bootstrap pins Do another upgrade, properly document wheel 2019-12-16 16:24:33 +03:00			`Versions need to match the versions used in the pip bootstrapping step`
			`in the top-level Makefile.`
Update pip and setuptools in requirements txt Versions selected to be pre-19 pip due to unresolved issues with the build systems Upgrade everything, party on document new process rotate license files fix Swagger schema generation target Remove --ignore-installed flag 2019-11-18 23:12:45 +03:00
			`## Library Notes`

			`### requests-futures`

			`This can be removed when a solution for the external log queuing is ready.`
			`https://github.com/ansible/awx/pull/5092`

			`### asgi-amqp`

			`This library is not compatible with channels 2 and is not expected`
			`to become so. This drives other pins in the requirements file.`