Stop including pip in the final app image #264
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
edmorley
force-pushed
the
pip-build-only
branch
from
7f9c371
to
3ec4cb7
Compare
Malax
approved these changes
Sep 4, 2024
edmorley
force-pushed
the
pip-build-only
branch
from
3ec4cb7
to
775b4eb
Compare
After #254, pip is now installed into its own layer rather than into the system site-packages directory inside the Python layer. This means its now possible to exclude pip from the final app image, by making the pip layer be a build-only layer. Excluding pip from the final app image: - Prevents several classes of user error/confusion/bad app design patterns seen in support tickets (see #255 for more details). - Reduces app image supply chain surface area. - Reduces app image size by 13 MB and layer count by 1, meaning less to have to push to the remote registry. - Matches the approach used for Poetry, where we don't make Poetry available at run-time either. Users that need pip at run-time for a temporary debugging task can run `python -m ensurepip --default-pip` in the container at run-time to make it available again (this command doesn't even have to download anything - it uses the pip bundled with Python). Or if pip is an actual run-time dependency of the app, then the app can add `pip` to its `requirements.txt` (which much more clearly conveys the requirements of the app, and also allows the app to pick what pip version it needs at run-time). Should we find that pip's absence causes confusion in the future, we could always add a wrapper/shim `pip` script in the app image which does something like: ``` echo "pip isn't installed at run-time, if you need it temporarily run 'python -m ensurepip --default-pip' to install it" exit 1 ``` ...to improve discoverability. We'll also document pip (and Poetry) being available at build-time only in the docs that will be added by #11. Closes #255. GUS-W-16697386.
edmorley
force-pushed
the
pip-build-only
branch
from
775b4eb
to
143eaa8
Compare
heroku-linguist bot
added a commit
that referenced
this pull request
Sep 17, 2024
## heroku/python ### Added - The Python version can now be configured using a `.python-version` file. Both the `3.X` and `3.X.Y` version forms are supported. ([#272](#272)) ### Changed - pip is now only available during the build, and is longer included in the final app image. ([#264](#264)) - Improved the error messages shown when an end-of-life or unknown Python version is requested. ([#272](#272))
Merged
heroku-linguist bot
added a commit
to heroku/cnb-builder-images
that referenced
this pull request
Sep 17, 2024
## heroku/python ### Added - The Python version can now be configured using a `.python-version` file. Both the `3.X` and `3.X.Y` version forms are supported. ([#272](heroku/buildpacks-python#272)) ### Changed - pip is now only available during the build, and is longer included in the final app image. ([#264](heroku/buildpacks-python#264)) - Improved the error messages shown when an end-of-life or unknown Python version is requested. ([#272](heroku/buildpacks-python#272))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After #254, pip is now installed into its own layer rather than into the system site-packages directory inside the Python layer.
This means its now possible to exclude pip from the final app image, by making the pip layer be a build-only layer.
Excluding pip from the final app image:
Users that need pip at run-time for a temporary debugging task can run
python -m ensurepip --default-pipin the container at run-time to make it available again (this command doesn't even have to download anything - it uses the pip bundled with Python).Or if pip is an actual run-time dependency of the app, then the app can add
pipto itsrequirements.txt(which much more clearly conveys the requirements of the app, and also allows the app to pick what pip version it needs at run-time - something that isn't possible with the pip installed by the buildpack).Should we find that pip's absence causes confusion in the future, we could always add a wrapper/shim
pipscript in the app image which does something likeecho "pip isn't installed at run-time, if you need it temporarily run 'python -m ensurepip --default-pip' to install it" && exit 1to improve discoverability. We'll also document pip (and Poetry) being available at build-time only in the docs that will be added by #11.Closes #255.
GUS-W-16697386.