The Need:
- Support several hundred Python developers and/or prod servers running Python code in a highly restrictive environment.
- Be able to provide any compatible module found in PyPI.org that a developer needs.
Environment:
- No external access.
- Internal network available.
- Support multiple platforms (Windows, Linux, Apple)
- Good chunk of developers and/or prod servers do not have access to compiling tools.
- At minimum, supports latest Python 2.7 and Python 3.x
The Ask:
- How does one provide support for the distribution of installing Python modules?
- How does one deal with those Python modules requiring compilation? Remember, many boxes will not have the compile tools available.
Def appreciate solutions based on similar real world experiences.
Assumptions:
- Assume a magical process exists which authorizes modules to be pulled into the internal network for distribution.
- Not that Anaconda can’t be a part of the answer, just be sure to address how you would work around PyPI.org packages not found there.
Clarifications:
- Docker containers are allowed.
Best Answer
Preface
Nowadays, there are lots of viable options if you want to host your own PyPI repository. There are many packages available that implement a PyPI repo server, most notable being:
There are also some other, more or less exotic packages like PyPICloud that uploads package files directly to an Amazon S3 instance. JFrog's Artifactory also supports serving Python packages, although not in the free edition afaik, so it only makes sense if you're already paying for a license. You can even create a local PyPI repo using nothing but Python's stdlib, see my answer on SO.
Also, this topic was discussed several times on SO, with most popular questions being How to roll my own pypi? and how to create local own pypi repository index without mirror? Beware that the first question is rather old and contains mostly outdated answers, the second one being more up to date.
devpi
At my work, we evaluated the available solutions two years ago and are sticking with devpi since. Developed by the same people that are behind the popular testing framework pytest and CI tasks automation tool tox, devpi is a versatile tool that:
pluggy library; the same one as used for extending tox or pytest if you're familiar with them); you can customize a lot of stuff by writing your own plugins, from authentication to storage backends. There are also several in-house plugins available on the GitHub page.
The most powerful feature IMO are the indexes. An index defines a set of packages that can be installed from the index URL. For example, imagine a single devpi instance with two indexes configured: index foo offers package A and index bar offers B. Now you have two repository URLs:
will succeed, but
will fail. Indexes can inherit each other in the sense of extending own package base, so if bar inherits foo, you will be able to install both A and B from bar index.
This enables us to easily configure a package restriction policy: say, we have two main groups of users (devs and QA), each group having their own set of packages required, also we develop packages offered to customers and tools for internal use. No problem grouping them with indexes:
Now for example, the dev sets up the index URL https://my.pypi.org/developer/sandbox once and has access to all the new packages uploaded to e.g. company/base, while the customer sets up the index URL https://my.pypi.org/customer/release, not being able to access any packages from company/internal.
The root/pypi is a special meta index: it is always present; if an index inherits it, all requests for installing packages that are not contained in the index are proxied to pypi.org. To turn off the pypi.org mirroring, simply don't inherit from root/pypi.
The upload restriction policy is also easy to set up on per-index basis: all devs can upload to their own private sandboxes and company/dev; all QAs can upload to company/qa; only admin can upload to company/base, uploads to company/internal and the customer indices are made from CI server on successful nightly builds.
Refer to devpi docs for the whole setup and configuration process; the docs are pretty extensive and cover most of the questions that will arise.
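An added example, not part of the original answer and not devpi's own code: a small audit of an index layout like the one described above. It walks the inheritance chain to show which indexes an install can draw from, whether pypi.org mirroring is reachable, and whose upload rights affect each index. The index names come from the answer; the bases and acl_upload values and the POLICY table are constructed assumptions.

```python
# Constructed layout: index names come from the answer; the "bases" and
# "acl_upload" values are assumptions for illustration, not a real export.
INDEXES = {
    "root/pypi":         {"bases": [],               "acl_upload": []},
    "company/base":      {"bases": ["root/pypi"],    "acl_upload": ["admin"]},
    "company/dev":       {"bases": ["company/base"], "acl_upload": ["devs"]},
    "company/qa":        {"bases": ["company/base"], "acl_upload": ["qa"]},
    "company/internal":  {"bases": ["company/base"], "acl_upload": ["ci"]},
    "developer/sandbox": {"bases": ["company/dev"],  "acl_upload": ["developer"]},
    "customer/release":  {"bases": [],               "acl_upload": ["ci"]},
}

# Hypothetical policy: indexes each index must never be able to install from.
POLICY = {"customer/release": {"company/internal", "root/pypi"}}


def reachable(indexes, name):
    """Every index consulted when installing from `name`: itself plus all bases."""
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur in seen:          # tolerate diamond or cyclic inheritance
            continue
        if cur not in indexes:
            raise KeyError(f"unknown index {cur} (reached from {name})")
        seen.add(cur)
        stack.extend(indexes[cur]["bases"])
    return seen


def mirrors_pypi(indexes, name):
    """True if a package missing from `name` would be proxied to pypi.org."""
    return "root/pypi" in reachable(indexes, name)


def trusted_uploaders(indexes, name):
    """Everyone whose upload rights can change what `name` serves."""
    return {who for idx in reachable(indexes, name)
            for who in indexes[idx]["acl_upload"]}


def violations(indexes, policy):
    """(index, forbidden_base) pairs where inheritance breaks the policy."""
    return [(name, bad) for name, forbidden in policy.items()
            for bad in sorted(reachable(indexes, name) & forbidden)]


if __name__ == "__main__":
    for name in sorted(INDEXES):
        print(name, sorted(reachable(INDEXES, name)), mirrors_pypi(INDEXES, name))
    print("violations:", violations(INDEXES, POLICY))
```

The same functions can be run over the real bases and acl_upload values of a server's indexes to confirm that no customer-facing index inherits, directly or indirectly, from an internal index or from root/pypi.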