How do we build custom execution environments with ansible-builder v3 when Galaxy collections include loose dependencies like ansible-pylibssh>=0.2.0? Pip is always invoked with --require-hashes, which rejects any non-== specifiers. Should users be pinning these themselves, or is ansible-builder expected to handle this case?
Any help on how to create a custom AWX EE image would really help, as I have been stuck on this for over a week.
I have used podman/docker (choose any one) to build the image and then store it in a registry (in my case JFrog), and configured AWX to pull the images. It's working as expected, and I was also able to customize the images to ensure the size is not huge. Let me know if further details are required.
The issue is that ansible-builder enforces --require-hashes during pip installs.
Even though I explicitly pin ansible-pylibssh==1.2.2 in my execution-environment.yml, the >=0.2.0 requirement still gets pulled in by an Ansible collection (via ansible.netcommon), so the generated requirements.txt contains an unpinned >= line.
As a result:
pip refuses to install because hashes + ranges (>=) are not allowed.
Editing the Dockerfile or my own requirements.txt doesn’t help, since ansible-builder regenerates /tmp/src/requirements.txt from the collections each time.
I can’t disable the --require-hashes flag when ansible-builder runs pip.
This makes it impossible to build the EE image with ansible-builder v3 if any collection depends on ansible-pylibssh>=0.2.0.
ansible-builder does not enforce use of --require-hashes; that must be some other collection that has that in requirements.txt that is specifying that.
As @sivel says, builder does not use --require-hashes unless you tell it to do so through PIP_OPTS or maybe a custom pip config. The pip docs state that if the --hash option is used with any requirement, then hash checking mode is enabled globally. I suspect one or more requirements from one of your collections is using --hash and thus turning it on. You’ll have to dig to identify which one, then possibly use the exclude keyword within the dependencies section of your EE to ignore those requirements.
Requirements files are expected to follow the PEP 508 standard, as outlined in the builder 3.1 porting guide. Anything outside of that standard is fed straight through to pip.
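For the "dig to identify which one" step above, here is an added example (not part of the thread and not ansible-builder code) that scans requirements files for the options that switch pip into hash-checking mode. It assumes you pass it the directory holding your installed collections and that their Python requirements live in files named requirements*.txt; the sample data and the package name examplepkg are constructed.

```python
import re
import sys
from pathlib import Path

# Options that put pip into hash-checking mode for the whole install.
HASH_OPT = re.compile(r"(?:^|\s)--(?:hash[=\s]|require-hashes\b)")

# Constructed sample: a ranged entry next to a pinned entry carrying --hash.
SAMPLE = """\
ansible-pylibssh>=0.2.0  # ranged, no hash
examplepkg==1.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def scan_text(text):
    """Return [(line_no, requirement)] for entries that enable hash checking."""
    hits = []
    for no, line in logical_lines(text):
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop comments
        if line and HASH_OPT.search(line):
            hits.append((no, line.split()[0]))
    return hits

def scan_tree(root):
    """Scan every requirements*.txt under root; return {path: hits}."""
    found = {}
    for path in sorted(Path(root).rglob("requirements*.txt")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            found[str(path)] = hits
    return found

if __name__ == "__main__":
    # With a directory argument scan it; otherwise show the sample result.
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE))
```

Any file it reports belongs to a collection whose requirements turn hash checking on for every other requirement in the build, including the ranged ansible-pylibssh>=0.2.0 line.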