We are developing a system for a customer that does not want to allow installation of packages from outside repositories. The project is in Python and defines its dependencies via setuptools; most of these dependencies are found on PyPI, and others are found on our company's repository. Some of them require system libraries to be present (e.g. libevent for gevent). None of them can be installed (as a direct download from the repository) in the customer's servers.
Right now, we are packaging the project, its dependencies, and recursively all dependencies of its dependencies, into RPMs, which we bundle into a single distribution tarball. This is time-consuming and error-prone. Furthermore, we do not really need versioning, since the project is a service and client code does not get to choose which version of the service it talks to. We would just need to ship the latest version once we know it is stable.
The main alternative I have been considering is buildout: build the project in a staging machine with the same OS and interpreter as the production machine, then tar the whole directory and copy to the production machine. But I am not sure whether this would really be an improvement over the current distribution method.
What other options are there? Which one has been used successfully? Is there some kind of community best practice here?
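A pre-flight check for the "build on staging, tar, copy" approach described in the question, added here as an example (it is not code from the thread or from any of the tools named). It assumes a plain pinned requirements file (name==version lines) and a wheelhouse directory filled with `pip download`; it verifies the bundle is complete before shipping and writes a hash-locked requirements file so the customer-side `pip install --no-index --require-hashes` rejects any archive that was swapped or corrupted in transit.

```sh
#!/bin/sh
# Added helper script (not from the thread): pre-flight checks for an offline
# Python "wheelhouse" bundle. Assumes the project keeps a pinned
# requirements.txt (plain name==version lines, no extras/markers) and that
# `pip download -d wheelhouse -r requirements.txt` was run on the staging box.
# Nothing here needs network; sha256sum is GNU coreutils (shasum -a 256 on macOS).

# Normalise a project name the way wheel filenames do (PEP 427): lowercase,
# runs of -_. collapsed to a single underscore.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[-_.][-_.]*/_/g'
}

# Print the first archive in $2 that matches pin "$1" (name==version),
# accepting a wheel (normalised name) or an sdist (original name) .tar.gz/.zip.
find_dist() {
    pin="$1"; house="$2"
    name=${pin%%==*}; ver=${pin#*==}
    for cand in "$house/$(norm_name "$name")-$ver-"*.whl \
                "$house/$name-$ver.tar.gz" "$house/$name-$ver.zip"; do
        [ -e "$cand" ] && { printf '%s\n' "$cand"; return 0; }
    done
    return 1
}

# check_wheelhouse REQ HOUSE: list pins with no matching archive; non-zero
# status if anything is missing, so the packaging job fails before shipping.
check_wheelhouse() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        find_dist "$line" "$2" >/dev/null || { echo "missing: $line"; rc=1; }
    done < "$1"
    return $rc
}

# pin_hashes REQ HOUSE: emit a hash-locked requirements file. On the customer
# box pip then refuses any archive whose digest does not match:
#   pip install --no-index --find-links wheelhouse --require-hashes -r locked.txt
pin_hashes() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        f=$(find_dist "$line" "$2") || { echo "missing: $line" >&2; return 1; }
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s --hash=sha256:%s\n' "$line" "$sum"
    done < "$1"
}
```

Run `check_wheelhouse requirements.txt wheelhouse && pin_hashes requirements.txt wheelhouse > locked.txt` on the staging machine and ship `locked.txt` inside the tarball next to the wheelhouse.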
Best Answer
There are two chief approaches to application distribution:
Isolating from the system/Sandboxing
As much as possible is bundled, system APIs are possibly hooked and redirected into the sandbox. The app is installed into its own, separate directory hierarchy. In UNIX, /opt is for this.
Pros:
Cons:
Integrating into the system
The app uses the system's package manager and resides in the standard directory hierarchy.
Pros:
Cons:
As such, apps of the 1st type tend to be used when the environment is perceived "hostile" (unpredictable/unreliable/uncooperative), and the customer is fine with paying the extra costs (both for you and for them) of working in one and/or with your equally uncooperative app.