Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pip>=20.2 needlessly re-installs dependencies available on the system in system-site-packages venv #8695

Closed
TimoRoth opened this issue Aug 4, 2020 · 7 comments · Fixed by #8702
Labels
type: bug A confirmed bug or unintended behavior
Milestone

Comments

@TimoRoth
Copy link

TimoRoth commented Aug 4, 2020

What did you want to do?

We are using a venv that explicitly does use system-site-packages, in order to allow users in a container, which does not allow write access to /, to install their own packages while still using all the (partially very complex to install/build) packages provided by the container image.
This used to work fine until pip>=20.2, and is still broken in latest pip dev build as of today.

Output

Singularity> python3 -m venv --system-site-packages test_venv
Singularity> source ./test_venv/bin/activate
(test_venv) Singularity> pip list | grep numpy
numpy              1.19.1
WARNING: You are using pip version 20.1.1; however, version 20.2.1 is available.
You should consider upgrading via the '/home/users/fmaussion/test_venv/bin/python3 -m pip install --upgrade pip' command.
(test_venv) Singularity> pip install numpy
Requirement already satisfied: numpy in /usr/local/pyenv/versions/3.7.8/lib/python3.7/site-packages (1.19.1)
WARNING: You are using pip version 20.1.1; however, version 20.2.1 is available.
You should consider upgrading via the '/home/users/fmaussion/test_venv/bin/python3 -m pip install --upgrade pip' command.
(test_venv) Singularity> pip install --upgrade pip setuptools
Collecting pip
  Using cached pip-20.2.1-py2.py3-none-any.whl (1.5 MB)
Collecting setuptools
  Using cached setuptools-49.2.1-py3-none-any.whl (789 kB)
Installing collected packages: pip, setuptools
  Attempting uninstall: pip
    Found existing installation: pip 20.1.1
    Uninstalling pip-20.1.1:
      Successfully uninstalled pip-20.1.1
  Attempting uninstall: setuptools
    Found existing installation: setuptools 47.1.0
    Uninstalling setuptools-47.1.0:
      Successfully uninstalled setuptools-47.1.0
Successfully installed pip-20.2.1 setuptools-49.2.1
(test_venv) Singularity> pip install numpy
Collecting numpy
  Using cached numpy-1.19.1-cp37-cp37m-manylinux2010_x86_64.whl (14.5 MB)
Installing collected packages: numpy
Successfully installed numpy-1.19.1

As you can see, before updating pip to 20.2, it correctly notices that numpy is already installed and does not need to do anything.
After the update, it goes and installs a copy of the same numpy version in the venv.
The same happens when installing a package that depends on numpy. Also the same goes for any other dependency that's already provided by the system site-packages.
"pip list" correctly lists numpy as installed in either case.

Additional information

The reason we are doing it this way is because building some of those dependencies, which are binary and annoying to deal with (most prominently gdal and fiona). The singularity container image has all of them pre-built, with optimizations specific for the host systems CPU.

For now I've instructed users to either use --no-deps when installing things, or to explicitly pin pip to <20.2.

@triage-new-issues triage-new-issues bot added the S: needs triage Issues/PRs that need to be triaged label Aug 4, 2020
@sbidoul sbidoul added the type: bug A confirmed bug or unintended behavior label Aug 4, 2020
@triage-new-issues triage-new-issues bot removed the S: needs triage Issues/PRs that need to be triaged label Aug 4, 2020
@sbidoul
Copy link
Member

sbidoul commented Aug 4, 2020

I can reproduce. It might be a side effect of changes made to check_if_exists.

@sbidoul
Copy link
Member

sbidoul commented Aug 4, 2020

This is due to the local_only argument of search_distributions that is True by default when called from utils.misc.get_distribution().

@fdebrabander
Copy link

Can confirm, also have the same issue.

@sbidoul
Copy link
Member

sbidoul commented Aug 6, 2020

@fdebrabander the issue is fixed in #8702 and should be part of the next patch release. You can test it by installing that branch with pip install -U "pip @ git+https://github.com/pypa/pip@refs/pull/8702/head".

@EricCousineau-TRI
Copy link
Contributor

EricCousineau-TRI commented Aug 6, 2020

Can also confirm; on Ubuntu 18.04 with python3-numpy installed on the system (numpy==1.13.3), I can see this happening:

$ mkdir -p ~/venv/sys
$ (
set -eu
cd ~/venv/sys
rm -rf ./*
python3 -m virtualenv -p python3 --system-site-packages .
source bin/activate
pip install pip==20.2.1
pip install numpy
)
...
Successfully installed numpy-1.19.

$ (                                                                                                                                                                                                 
set -eu                                                                                                                                                                                                        
cd ~/venv/sys
rm -rf ./*
python3 -m virtualenv -p python3 --system-site-packages .
source bin/activate
pip install pip==20.2
pip install numpy
)
...
Requirement already satisfied: numpy in /usr/lib/python3/dist-packages (1.13.3)

@EricCousineau-TRI
Copy link
Contributor

EricCousineau-TRI commented Aug 6, 2020

FWIW Our investigation in #8726 was motivated by us running into this problem.

Something to note is that this new behavior does seem to be in line with what these docs say about --upgrade-strategy=only-if-needed:
https://github.com/pypa/pip/blob/f17c1d6d3bf4b4ee8b7b0e669c449b9cd86e94f6/docs/html/development/architecture/upgrade-options.rst#controlling-what-gets-installed

  • only-if-needed - packages are only upgraded if they are named in the pip command or a requirement file (i.e, they are direct requirements), or an upgraded parent needs a later version of the dependency than is currently installed.
  • to-satisfy-only (undocumented) - packages are not upgraded (not even direct requirements) unless the currently installed version fails to satisfy a requirement (either explicitly specified or a dependency).

@EricCousineau-TRI
Copy link
Contributor

EricCousineau-TRI commented Aug 6, 2020

Eh, not sure about the direct correlation, tho.

20.2.1 was released on Aug. 4.
20.2 was released on July 28.

The commit that introduced these docs (5da3a7d) was made back in Feb.

EDIT: Didn't read upstream thread. Source was root-caused - sorry for the noise!

kmohrf pushed a commit to grouprise/grouprise that referenced this issue Aug 9, 2020
Updating the pip package within the virtualenv adds another uncertainty
(and reduces reproducibility).  Thus we should stick to the version
shipped in the docker base image.

Specifically the upgrade from pip 2.2.0 to 2.2.1 broke the handling of
"--system-site-packages" and thus causes build failures.
(see pypa/pip#8695)
kmohrf pushed a commit to grouprise/grouprise that referenced this issue Aug 9, 2020
Updating the pip package within the virtualenv adds another uncertainty
(and reduces reproducibility).  Thus we should stick to the version
shipped in the docker base image.

Specifically the upgrade from pip 2.2.0 to 2.2.1 broke the handling of
"--system-site-packages" and thus causes build failures.
(see pypa/pip#8695)
kmohrf pushed a commit to grouprise/grouprise that referenced this issue Aug 10, 2020
Updating the pip package within the virtualenv adds another uncertainty
(and reduces reproducibility).  Thus we should stick to the version
shipped in the docker base image.

Specifically the upgrade from pip 2.2.0 to 2.2.1 broke the handling of
"--system-site-packages" and thus causes build failures.
(see pypa/pip#8695)
kmohrf pushed a commit to grouprise/grouprise that referenced this issue Aug 10, 2020
Updating the pip package within the virtualenv adds another uncertainty
(and reduces reproducibility).  Thus we should stick to the version
shipped in the docker base image.

Specifically the upgrade from pip 2.2.0 to 2.2.1 broke the handling of
"--system-site-packages" and thus causes build failures.
(see pypa/pip#8695)
bors bot referenced this issue in duckinator/emanate Aug 11, 2020
162: Update pip to 20.2.2 r=duckinator a=pyup-bot


This PR updates [pip](https://pypi.org/project/pip) from **20.2.1** to **20.2.2**.



<details>
  <summary>Changelog</summary>
  
  
   ### 20.2.2
   ```
   ===================

Bug Fixes
---------

- Only attempt to use the keyring once and if it fails, don&#39;t try again.
  This prevents spamming users with several keyring unlock prompts when they
  cannot unlock or don&#39;t want to do so. (`8090 &lt;https://github.com/pypa/pip/issues/8090&gt;`_)
- Fix regression that distributions in system site-packages are not correctly
  found when a virtual environment is configured with ``system-site-packages``
  on. (`8695 &lt;https://github.com/pypa/pip/issues/8695&gt;`_)
- Disable caching for range requests, which causes corrupted wheels
  when pip tries to obtain metadata using the feature ``fast-deps``. (`8701 &lt;https://github.com/pypa/pip/issues/8701&gt;`_, `8716 &lt;https://github.com/pypa/pip/issues/8716&gt;`_)
- Always use UTF-8 to read ``pyvenv.cfg`` to match the built-in ``venv``. (`8717 &lt;https://github.com/pypa/pip/issues/8717&gt;`_)
- 2020 Resolver: Correctly handle marker evaluation in constraints and exclude
  them if their markers do not match the current environment. (`8724 &lt;https://github.com/pypa/pip/issues/8724&gt;`_)
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/pip
  - Changelog: https://pyup.io/changelogs/pip/
  - Homepage: https://pip.pypa.io/
</details>



Co-authored-by: pyup-bot <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 12, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
type: bug A confirmed bug or unintended behavior
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants