[Python-ideas] Python-specific Travis CI

Fri Apr 18 21:07:18 CEST 2014

On Apr 18, 2014, at 2:04 PM, David Wilson <dw+python-ideas at hmmz.org> wrote:

> Hi there,
> 
> In my travails to get py-lmdb (github.com/dw/py-lmdb) into a state I can depend on, I've been exploring continuous integration options since sometime mid last year, in the hopes of finding the simplest option that allows the package to be tested on all sensible versions of Python that I might bump into in a commercial environment.
> 
> It seems this simple task currently yields one solution - Travis CI, except that by default Travis supports neither Windows, nor any version of Python older than about 3 months, without requiring serious manual configuration and maintenance.
> 
> The library just about has a working Travis CI at this point – although it is incredibly ugly. Testing against all recent versions of Python (by "recent" I mean "anything I've seen and might reasonably expect to bump into while consulting, i.e. since 2.5") requires around 14 Debian packages to be installed, followed by installation of compatible versions of easy_install and Pip for each interesting Python version.

Travis comes with 2.6, 2.7, 3.2, and 3.3 as well as PyPy 2.2.1 out of the box and I’ve got a PR merged there which is waiting on a deploy which will expand that out to also include 3.4 (as well as making a command line available that will build 2.4, 2.5, Jython, and others (Basically the latest versions of the above are installed, and you can use ``python-build`` to build anything located here https://github.com/yyuu/pyenv/tree/master/plugins/python-build/share/python-build).

And honestly with the new PR I’ve laid out in Travis adding any older versions to be supported out of the box is simple and the biggest barrier is likely convincing the Travis folks they are needed (For example, if you’re distributing on PyPI the number of 2.5 or 3.1 users are *tiny* https://caremad.io/blog/a-look-at-pypi-downloads/).

> 
> The result just about works, but this week I'm again finding that it doesn't quite go far enough, as I begin working on a Windows binary distribution for my package.
> 
> Windows is almost the same problem all over again - testing supported/sensible extension module builds requires 14 binary installations of Python (one for each of 32 bit and 64 bit), 3 distinct versions of Microsoft Visual Studio (that I'm aware of so far), and a compatible version of Windows to run it all on.

As far as I’m aware the Travis-CI folks are working on Windows support but there is currently no ETA on it as they have to figure out licensing concerns and the like.

> 
> So the work done to support CI on Travis more or less isn't enough. It seems the best option now is a custom Jenkins setup, and acquiring licenses for all the Microsoft software necessary to build the package.

One thing to look out for here, is that you can’t test arbitrary PRs easily with this solution without whitelisting contributors because Travis runs a PR test in an isolated VM instance, whereas Jenkins runs it on a shared machine, and this shared machine through the jenkins API has more or less full control of the entire jenkins cluster.

> 
> 
> You may wonder why one might care about so many old Python versions in weird and exotic environments - to which I can't really give a better answer than that I've lost so much time working with packages that suffer from platform/version compatibility issues, that I'd like to avoid it in my own code.
> 
> While it isn't so true in web development, there are pretty huge installations of Python around the world, many of which aren't quite near migrating to 2.6, never mind 3.4. This can happen for different reasons, from maintaining private forks of Python (perhaps in a post-audited state, where another audit simply isn't in the budget), through to having thousands of customers who have written automation scripts for their applications using an older dialect.
> 
> In any case it's enough to note these installations do and will continue to exist, than to question why they exist..
> 
> 
> So in the coming months I'll probably end up configuring a Jenkins, porting the Travis CI scripts over to it to a private Ubuntu VM configured as a Jenkins runner, and setting up a new Windows VM as a second runner, but it seems entirely wasteful that so much effort should be made for just one project.
> 
> And that leads to thinking about a Python-specific CI service, that could support builds similar to Travis CI, except for all configurations of Python still in active use. One aspect of such a service that is particularly interesting, is the ability to centralize management of the required licenses – the PSF has a much greater reputation, and is much more likely to be granted a blanket license covering a CI service for all open source Python code, than each individual project is by applying individually.
> 
> Licensing aside, having a 0-cost option for any Python project to be tested would improve the quality of our ecosystem overall, especially in the middle of the largest transition to date - the 3.x series.
> 
> Following from the ecosystem improvement angle, there might be no reason a Python-specific CI service could not automatically download, build and py.test every new package entering PyPI, producing as side effect scoreboards similar to the Python 3 Wall of Superpowers (http://python3wos.appspot.com/). This would make a sound base for building future improvements for PyPI - for example a lint service, verifying "setup.py" is not writing to /etc/passwd, or uploaded eggs aren't installing a new SVCHOST.EXE to %SystemDir%.

I’ve thought about working on something like this for PyPI, one of the big barriers there being that there is no central way to define what versions you support, what OSs, what required _external_ dependencies you have, or even what your test runner is (besides setup.py test which is far from standard or ubiquitous).

> 
> It could even make sense to have the hypothetical service produce signed, "golden" artefacts for upload to PyPI - binaries built from source in a trusted environment, free of any Bitcoin ransom-ware surreptitiously inserting itself into the bdist_egg ZIP file.

A build farm for Wheels is something else that I’d love to do.

> 
> There are many problems with providing a CI service, for example, the handling of third party commercial libraries required during the build process. An example of this might be producing a build of cx_Oracle, where Oracle's proprietary SDK is a prerequisite.
> 
> Still, it would not require many resources, or even very much code, to provide a service that could minimally cover at least basic needs for purely open source software, and so the idea appeals to me.

I think you’re vastly underestimating the complexity in machine resources, code, and time.

For security purposes you are more or less required to use throw away VMs which get destroyed after a single use. The sanest way of doing this is to manage a pool of VM workers, pull one off the pool, run tasks on it, and then destroy it and let the pool spawn a new one. This puts a bottleneck on how many tests you can run both in how large your pool is, and in how fast your VMs boot. Look at a project like https://travis-ci.org/pyca/cryptography which builds 40 different configurations for each “build” each taking about 8 minutes each. So if you have a pool of 5 VMs, you can run 5 tests at a time, so that splits that 40 into 5 chunks, and you get roughly 64 minutes to process 40 builds, plus we’ll say our machines boot in roughly 60s (a little fast for cloud servers, but not unreasonable), so there’s an additional 4-5 minutes just in booting. So roughly an hour and 10 minutes for a single test run if with 5 VMs for just a single project. (In reality Cryptography has more than 40 builds because it uses Travis and jenkins together to handle things travis doesn’t).

So the machine cost is high, you’re probably looking at let’s just say a worker pool of 20 (though I think to actually replace Travis CI it’d need to be much higher) of roughly 4GB machines (last I recall travis machines were 3gig and change) which comes out to roughly 1k to 2k in server costs just for that pool. Add into that whatever support machines you would need (queues, web nodes, database servers, etc) you’re probably looking in the 2-4k range just for the servers once all was said and done.

I believe the code cost would also be fairly high. There isn’t really an off the shelf solution that is going to work for this. You’ve mentioned Jenkins, however Jenkins does not scale well at all (look at the Openstack infra for all the things they’ve invented around Jenkins to try and scale it). There is a good chance some things could be reused from Openstack but I’m fairly sure some of it is specific enough to Openstack that it’d still require a decent amount of coding to make it generic enough to work.

I also think the time investment would be high outside of the effort to build it. I hang out in the #openstack-infra channel and I can see how much effort goes into maintaing that infra (and i’m sure it’s similar to travis-ci). This means that it’s likely not going to be something we can just set it up and forget about it and will require an active infrastructure team to handle it. Now Python happens to have one of those, but we’re mostly volunteers with part times for on call stuff (who also volunteer for other stuff too!) and this would be a significant increase I believe in that work load.

> 
> Any thoughts?
> 
> 
> David
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/

It’s my personal opinion that a sort of “test during development” CI system like Travis is not something that making Python specific is very useful in the long run. Travis is open source and they are incredibly open to things that will make Python a more first class citizen there (disclaimer: I’m friends with them and I’ve helped add the Python support to start with, and then improve it over time). One obvious flaw in this is that Travis only supports github while there are others on Bitbucket or even their own hosting, and for those people this idea might be much more attractive.

I do think there is maybe room for a “release testing” system and I definitely think there is room for a build farm (Which is a much smaller scale since the whole of PyPI pushes releases far less often than push commits to branches or make PRs or what have you).

Just my 2 cents!

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20140418/5e146ecb/attachment.sig>