https://pantsbuild.org/ logo
#general
Title
# general
e

echoing-farmer-15630

03/24/2021, 5:14 PM
Sigh, another probably obvious thing I'm missing. Is there a trick to using private repositories in python requirements and passing authorization? I have a
mytarget@ <git+ssh://git>@github.com:/myorg/myrepo.git@myhash
line in a
requirements.txt
file, but doing
./pants test ...
results in a
Copy code
ERROR: Command errored out with exit status 128: git clone -q 'ssh://****@github.com:/myorg/myrepo.git' /tmp/process-executionkhgvsl/.tmp/pip-download-1qlw9fjv/mytarget Check the logs for full command output.
...but copying/pasting the
git clone
command works just fine in the same shell (with ssh-agent); it's just not being passed to pants. Indeed the log report is
Copy code
Complete output (5 lines):
  <mailto:git@github.com|git@github.com>: Permission denied (publickey).
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  ----------------------------------------
...so that seems to be the problem, but I'm flummoxed. I apologize if this is an obvious question; I looked under "Installing from version control or local files" to get the basic format, but searching for "private repository", "ssh", "publickey" etc didn't help on the docs site. What am I missing?
h

hundreds-father-404

03/24/2021, 5:21 PM
Hello! Check out https://www.pantsbuild.org/docs/proxies. I think you want "Using a custom cheeseshop/PyPI"
e

echoing-farmer-15630

03/24/2021, 5:25 PM
I don't think so, though--that seems to be for a custom PyPI-style repository (for packages that have been built and uploaded to a repo; as that says, "If you host your own wheels at a custom index"), not for installing a package from a source repository. That is covered in https://www.pantsbuild.org/docs/python-third-party-dependencies#using-custom-repositories, "Installing from Version Control and Local Files"... only putting the requirement into that format doesn't solve the SSH authentication problem.
h

hundreds-father-404

03/24/2021, 5:44 PM
I see. Does authentication work when you use
pip install mytarget@ <git+ssh://git>@github.com:/myorg/myrepo.git@myhash
without Pants? It can be helpful to remove the variable of Pants, e.g. so that we see if it's because, for example, Pants strips most env vars
e

echoing-farmer-15630

03/24/2021, 5:51 PM
Yes. I can copy and past the command attempted by pants (replacing the
****
it prints in place of the username) and it works fine in my current shell, which has ssh-agent running and populated with my keys. If I understand it right, pants runs in a sort of chroot so it's clean and reproducible (as you say, stripping environment vars and everything), which it should do. One way I've had to deal with this in docker containers is by either passing the agent through (not sure if pants has such a capability) or by executing a script which rewrites
~/.ssh/config
, but that can go a little awry with github (and probably wouldn't work if pants is isolating itself correctly).
h

hundreds-father-404

03/24/2021, 5:53 PM
Okay, that's really interesting and yes I do imagine the environment stripping could be in play. I'm in a meeting, but if you have a chance, could you please run try with this option https://www.pantsbuild.org/docs/troubleshooting#debug-tip-inspect-the-chroot-with---no-process-execution-cleanup-local-dirs, and go to the chroot and play around with the
__run.sh
script? In particular, you may need to tweak the env vars. Don't worry about breaking that bash script, it's safe to mess around with
e

echoing-farmer-15630

03/24/2021, 5:57 PM
Thanks; I'll do that.
Not much progress, but interestingly just executing
./__run.sh
from a new user shell... works fine, with one warning from the install about compatible distributions (but not including the ssh authentications problem). How is the
__run.sh
executed to isolate itself?
(I'm not too surprised that executing it in a user shell works, because I have
keychain
running in the background which generally passes authentication requests just fine; I'm not entirely sure how to get a perfectly clean user shell yet but I'll poke about)
h

happy-kitchen-89482

03/24/2021, 6:36 PM
Hmm this is an interesting problem
Essentially we need to poke a hole through to the process sandbox so authentication works
w

witty-crayon-22786

03/24/2021, 6:36 PM
__run.sh
sets only relevant the environment variables for the process, so it should be fairly isolated.
h

happy-kitchen-89482

03/24/2021, 6:36 PM
So first question is how it works outside of Pants. Is this ssh-agent?
w

witty-crayon-22786

03/24/2021, 6:36 PM
but it is possible that the
ssh-agent
requires a terminal to do its work?
e

echoing-farmer-15630

03/24/2021, 6:37 PM
Possible. It should be ssh-agent (I'm running ssh-agent through keychain so that it's always on with new shells because I got tired of manually starting it, but perhaps I need to figure out how to start a clean shell for some of these tests and just use ssh-agent, but that has worked in the past)
w

witty-crayon-22786

03/24/2021, 6:38 PM
@echoing-farmer-15630: no need to share it, but do you have any environment variables related to SSH? perhaps
SSH_AUTH_SOCK
?
e

echoing-farmer-15630

03/24/2021, 6:39 PM
One solution of course would be to convince this particular developer to put his library in the monorepo with everyone else's, but tech solutions are often easier than social solutions 😉 Hmm, let me check... aha! Good thinking, @witty-crayon-22786; there is indeed an
SSH_AUTH_SOCK
for the agent.
and an
SSH_AGENT_PID
although I'm not sure if that's as relevant.
w

witty-crayon-22786

03/24/2021, 6:40 PM
so… there is a setting to allow these variable(s) to be passed through. but unfortunately, it has some hardcoded limits that were recently removed: https://www.pantsbuild.org/docs/reference-subprocess-environment
i think that what we should probably do is get a repro documented on a ticket, and then we can confirm that this is fixed on `main`… then, if it is, we can backport the fix
e

echoing-farmer-15630

03/24/2021, 6:41 PM
Hmm, that does look relevant (and indeed complains about its limits)
w

witty-crayon-22786

03/24/2021, 6:42 PM
would you mind documenting the setup and which version you’re on in a new ticket, and then we can validate the fix?
e

echoing-farmer-15630

03/24/2021, 6:42 PM
Sure. Is there a way for me to test the
main
branch easily?
w

witty-crayon-22786

03/24/2021, 6:44 PM
if you don’t mind getting your hands about … 45mins - 1hr dirty?
the pants repo can be run from source in your repository, but will need to be compiled
if not though, we’re happy to confirm the fix given a repro on a ticket
OH, actually: correction. @echoing-farmer-15630: there is in fact an easier way.
with modern pants scripts, you should be able to set
PANTS_SHA=${sha}
to run with any recent main build using prebuilt wheels
@echoing-farmer-15630: which release are you using?
e

echoing-farmer-15630

03/24/2021, 6:48 PM
2.3.0 as of today.
Copy code
❯ ./pants --version
/home/vputz/.cache/pants/setup/bootstrap-Linux-x86_64/2.3.0_py38
2.3.0
w

witty-crayon-22786

03/24/2021, 6:50 PM
ok: let me find a nearby SHA for that.
@echoing-farmer-15630: so, the closest build we have is somewhere between 2.4.0.dev2 and 2.4.0.dev3, but it should let you confirm that setting those variables does something:
to use it, you’d set:
Copy code
PANTS_SHA=d46197d033958ffda7d434aaf9b95148c96138d7 ./pants ...
e

echoing-farmer-15630

03/24/2021, 6:54 PM
You're a hero, @witty-crayon-22786 🙂 Working...
Well, we got a different error, but I think that may have done the trick on the first one; let me investigate
Yep, that got the tests running (and failing) from a different cryptic problem, but it solved the immediate issue (I'll start another thread about this one 🙂 ). Do you still want a new ticket for documentation with the note that that hash allows the private repos to work through passing the env var (and is there a way to do it without passing the flag on every call, within
pants.toml
for example)?
w

witty-crayon-22786

03/24/2021, 7:05 PM
huzzah.
and is there a way to do it without passing the flag on every call, within 
pants.toml
 for example
yes, all pants options can be set in all three locations: see https://www.pantsbuild.org/docs/options#setting-options
but i would not recommend running from the SHA release… we should be able to backport this feature to 2.3.x
e

echoing-farmer-15630

03/24/2021, 7:07 PM
Groovy, will look forward to that. Make a ticket for the backport reminder (and maybe documentation update for the custom repositories section to note that forwarding that variable may work?)
?
(I have one filled out, just wasn't sure I should still submit)
w

witty-crayon-22786

03/24/2021, 7:08 PM
@echoing-farmer-15630: ah, please do then. it will make good documentation
e

echoing-farmer-15630

03/24/2021, 7:09 PM
w

witty-crayon-22786

03/24/2021, 7:15 PM
will try to get another 2.3.0rc out today.
and maybe documentation update for the custom repositories section to note that forwarding that variable may work?
once we get this all resolved, if you have time to make the doc edit it would be super appreciated!
e

echoing-farmer-15630

03/24/2021, 7:15 PM
Will be glad to do so.
w

witty-crayon-22786

03/24/2021, 7:16 PM
thanks!