Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Python 3.12 on Ubuntu 24.04 is Externally Managed - PIP is broken #10781

Closed
2 of 15 tasks
molson504x opened this issue Oct 14, 2024 · 18 comments · Fixed by valkey-io/valkey-py#113
Closed
2 of 15 tasks

Python 3.12 on Ubuntu 24.04 is Externally Managed - PIP is broken #10781

molson504x opened this issue Oct 14, 2024 · 18 comments · Fixed by valkey-io/valkey-py#113

Comments

@molson504x
Copy link

molson504x commented Oct 14, 2024

Description

Python 3.12 on the ubuntu-24.04 image (which is also slowly becoming ubuntu-latest) is using an "Externally Managed" instance of Python - either it was installed via a package manager (apt?) or it is packaged with the OS. This also uses PIP 24, which (starting with PIP 23) enforces EXTERNALLY-MANAGED flagged python installs.

If your workflow includes anything that tries to do a pip install to set up python dependencies, it will fail with an error similar to:

error: externally-managed-environment

× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
    python3-xyz, where xyz is the package you are trying to
    install.
    
    If you wish to install a non-Debian-packaged Python package,
    create a virtual environment using python3 -m venv path/to/venv.
    Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
    sure you have python3-full installed.
    
    If you wish to install a non-Debian packaged Python application,
    it may be easiest to use pipx install xyz, which will manage a
    virtual environment for you. Make sure you have pipx installed.
    
    See /usr/share/doc/python3.12/README.venv for more information.

We found this by accident because our workflows target ubuntu-latest which is slowly being changed to target ubuntu-24.04 instead of ubuntu-22.04. We confirmed that adding a setup-python step to our workflow (which sets up 3.12.3) fixes the problem because it'll install a stand-alone interpreter and update the system path to use that interpreter, however there is no documentation anywhere saying that is now a requirement. Hence this issue :)

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

  Image: ubuntu-24.04
  Version: 20241006.1.0

HOWEVER, we were targeting ubuntu-latest and discovered on subsequent runs that ubuntu-latest targeted ubuntu-22.04 which made this intermittent for us. When we hard-targeted ubuntu-24.04 we consistently reproduced this.

I can't provide a build link due to client confidentiality purposes, however this is pretty easy to test.

Is it regression?

Yes (since the behavior of ubuntu-latest changed and broke a workflow)

Expected behavior

PIP should continue to work, or GitHub needs to formally publish the breaking change along with remediation steps (which is to use the setup-python action). Ideally, the version of Python that comes pre-installed on the runner image is not externally managed.

Actual behavior

See the error in the description... :)

Also - the inconsistency with using ubuntu-latest being either ubuntu-22.04 and ubuntu-24.04 is really bad. This is going to cause a lot of painful debugging for a lot of people because of this inconsistency causing intermediate but not repeatable failures.

Repro steps

  1. Prepare a workflow which tries to install a python dependency using PIP and targets ubuntu-24.04.
  2. Observe the error.

REMEDIATION:

  1. Prepare a workflow with steps to install python (setup-python) and then tries to use PIP. This workflow should target ubuntu-24.04.
  2. Observe no error and the machines are all happy.
@subir0071
Copy link
Contributor

Hi @molson504x , Thanks for bringing this issue to our notice. Will analyze the same and provide an update.

@subir0071
Copy link
Contributor

To unblock yourself, please consider using ubuntu-22.04 runner in your workflow.

runs-on: ubuntu-22.04

Cause :
ubuntu-24.04 runner uses python 3.12 as the default installation, which has a marker file EXTERNALLY-MANAGED.
This file insists and tolls like pip install packages within a virtual environment.

@molson504x
Copy link
Author

To unblock yourself, please consider using ubuntu-22.04 runner in your workflow.

runs-on: ubuntu-22.04

Cause : ubuntu-24.04 runner uses python 3.12 as the default installation, which has a marker file EXTERNALLY-MANAGED. This file insists and tolls like pip install packages within a virtual environment.

Hey @subir0071 - yeah, that was one of our solutions. We actually did it a different way. We added a setup-python step to the workflow, and since that installs a python interpreter that is not externally managed it solves the problem. HOWEVER, my main issue with this is it's a breaking change which is not documented, and it is an intermittent breaking change due to the phased rollout of updating the ubuntu-latest tag. This breaking change should really be documented somewhere.

OR - even better would be to package the runner image with a python interpreter which is not externally managed.

@subir0071
Copy link
Contributor

Hi @molson504x , Hope you are able to progress with your CI/CD workload. Kindly suggest on the closure of this ticket. Thanks.

aiven-sal added a commit to valkey-io/valkey-py that referenced this issue Oct 16, 2024
@lpascal-ledger
Copy link

lpascal-ledger commented Oct 16, 2024

Hello @subir0071 👋

Are you suggesting that the issue will not be managed in the ubuntu-24.04 GitHub image, and it, by default, will always trigger an error when doing a pip install <something> ?

@geekosaur
Copy link

geekosaur commented Oct 16, 2024

I can confirm that standard Ubuntu 24.04 throws this error as well. It will be necessary to replace the standard Python installation, whether by GitHub or by an action, to avoid it.

@gtskaushik
Copy link

This broke our builds too

@liamhuber
Copy link

liamhuber commented Oct 16, 2024

...either needs to be resolved or documented before I will accept closing this issue.

Agreed. The image documentation page lists:

Language and Runtime

  • ...
  • Python 3.10.12
  • ...

Package Management

  • ...
  • Pip 24.0
  • ...

Without any notes, it feels misleading to me to have this listed yet pip install... immediately raises an error on the image.

I would find it most convenient to be able to continue usage as with 22.04, but a documentation update seems reasonable.

srl295 added a commit to unicode-org/cldr that referenced this issue Oct 16, 2024
- Update commit-checker.yml to revert to runs-on: ubuntu-22.04
- issue in actions/runner-images#10781
@srl295
Copy link

srl295 commented Oct 16, 2024

for what it's worth, pipenv install seemed to also trigger this issue. So, I thought I was using a virtual environment.

I was not able to reproduce this using an ubuntu:24.04 docker image. (i.e. pipenv install succeeded). I'll probably use the runs-on: ubuntu-22.04 instead.

@molson504x
Copy link
Author

@subir0071 - Based on the post in #10636 I'm willing to close this, however this should still be addressed in documentation about ubuntu-24.04 runners or should be addressed by installing a non-system-managed python interpreter in the image.

Comment, for reference:

Hey everyone - thank you for your input. Based on community feedback we have decided to rollback the ubuntu-latest migration. All runs on ubuntu-latest will go back to Ubuntu-22 while we work out the issues with the image. We apologize for any service disruption you all may have had, and appreciate everyone’s feedback and patience. The rollback will be completed in the next hour.

To give some context for the changes we made - our images have become very large over the past 2 years and we were trying to free up some space to give us some breathing room going forward. There is currently no extra free space left for installing any more tooling, while still maintaining our free space SLA of 14gb. The size of the image also impacts performance of the VMs as well. Since a new OS is always a cutover, we took the opportunity to free up some space. Clearly this was not the right approach, and we apologize for the pain we have caused.

We will re-evaluate our communication and rollout strategy before beginning this migration again.

@molson504x
Copy link
Author

Closing this issue, per comment in #10636 - rolling back ubuntu-latest to reference ubuntu-22.04 runner image.

@subir0071 subir0071 removed the investigate Collect additional information, like space on disk, other tool incompatibilities etc. label Oct 16, 2024
@geekosaur
Copy link

Yes, I know this has been closed, but I want to provide a few examples supporting my stance on this.

Using an action or a venv to install a private/safe Python was always the correct thing to do, and Canonical as of 24.04 is enforcing it.

  • Back in 2006-2007 a requested update to a Perl module in our environment broke (Open)SuSE's yast.
  • Roughly a decade later, I tried to help someone repair their Ubuntu system after upgrading a Python module that broke apt-get. (Ultimately they ended up reinstalling; the broken module broke post-install scripts as well, so we couldn't even fall back to dselect/dpkg.)

Red Hat / Fedora avoid this by shipping their own minimal Python install that system tools use, avoiding the user-facing one, but I don't think this scales especially if you're trying to keep image sizes down. The only reliable way to avoid it is to assume the system-provided language packages are intended to work with the system and install your own if you will be upgrading or installing additional packages not via the system's package manager.

@eli-schwartz
Copy link

Using an action or a venv to install a private/safe Python was always the correct thing to do, and Canonical as of 24.04 is enforcing it.

This is both wrong and fallaciously wrong.

Inside of a temporary container, all the reasons for installing additional python interpreters just to have a different environment, are not applicable. The original rationale for this "Externally Managed" change even notes that scenario. But "Ubuntu Linux" doesn't know when it is being used "as a container", that's been deferred to container vendors such as Github Actions to fix by deleting the marker file. Of course, no container vendors bother to do so.

@srl295
Copy link

srl295 commented Nov 4, 2024

@eli-schwartz wrote

Inside of a temporary container, all the reasons for installing additional python interpreters just to have a different environment, are not applicable. …

I would agree, and note that specifically, at the end of this section of the Python docs:

In certain contexts, such as single-application container images that aren’t updated after creation, a distributor may choose not to ship an EXTERNALLY-MANAGED file, so that users can install whatever they like (as they can today) without having to manually override this rule.

However, the recommendation section here recommends to

Keep the marker file in container images

Rafiot pushed a commit to Rafiot/valkey-py that referenced this issue Dec 3, 2024
Signed-off-by: Salvatore Mesoraca <[email protected]>
Signed-off-by: Raphaël Vinot <[email protected]>
Rafiot pushed a commit to Rafiot/valkey-py that referenced this issue Dec 3, 2024
This reverts commit 318019a.

Signed-off-by: Salvatore Mesoraca <[email protected]>
Signed-off-by: Raphaël Vinot <[email protected]>
Rafiot pushed a commit to Rafiot/valkey-py that referenced this issue Dec 3, 2024
Signed-off-by: Salvatore Mesoraca <[email protected]>
Signed-off-by: Raphaël Vinot <[email protected]>
Rafiot pushed a commit to Rafiot/valkey-py that referenced this issue Dec 3, 2024
This reverts commit 318019a.

Signed-off-by: Salvatore Mesoraca <[email protected]>
Signed-off-by: Raphaël Vinot <[email protected]>
Rafiot pushed a commit to Rafiot/valkey-py that referenced this issue Dec 3, 2024
Signed-off-by: Salvatore Mesoraca <[email protected]>
Signed-off-by: Raphaël Vinot <[email protected]>
Rafiot pushed a commit to Rafiot/valkey-py that referenced this issue Dec 3, 2024
This reverts commit 318019a.

Signed-off-by: Salvatore Mesoraca <[email protected]>
Signed-off-by: Raphaël Vinot <[email protected]>
t0b3 added a commit to t0b3/inkscape-silhouette that referenced this issue Dec 22, 2024
ubuntu-24.04 breaks `pip install` for system packages
see also actions/runner-images#10781

action/setup-python would mitigate this effect but runs into different
pip install build issues due to preinstalled sytem packages not found
(i.e. cairo not found)
@janbrasna
Copy link

Karinza38 added a commit to Karinza38/runner-images that referenced this issue Dec 22, 2024
Fixes actions#10781

Add a non-externally managed Python interpreter to the `ubuntu-24.04` runner image to avoid pip installation errors.

* **Template Update**
  - Add a provisioner in `images/ubuntu/templates/ubuntu-24.04.pkr.hcl` to install a stand-alone Python interpreter.
  - Update environment variables to include the new Python path.

* **Toolset Update**
  - Specify non-externally managed Python installations in `images/ubuntu/toolsets/toolset-2404.json`.

* **Documentation Update**
  - Document the inclusion of a non-externally managed Python interpreter in `images/ubuntu/Ubuntu2404-Readme.md`.
  - Note the resolution of pip installation errors.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/actions/runner-images/issues/10781?shareId=XXXX-XXXX-XXXX-XXXX).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment