SERVER-98876 Make python toolchain readonly, explicitly exclude pyc files (#30731)

GitOrigin-RevId: aedebc5d1678c81984bdf55a2befd7f7de433ea2
2024-12-31 14:13:37 -06:00 · 2024-12-31 14:13:37 -06:00 · cb06ffe686
parent 18f997b4ec
commit cb06ffe686
3 changed files with 27 additions and 18 deletions
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@ -186,9 +186,9 @@ poetry(
    name = "poetry",
    lockfile = "//:poetry.lock",
    pyproject = "//:pyproject.toml",
-    python_interpreter_target_default = "@py_host//:bin/python3",
-    python_interpreter_target_mac = "@py_host//:bin/python3",
-    python_interpreter_target_win = "@py_host//:python.exe",
+    python_interpreter_target_default = "@py_host//:dist/bin/python3",
+    python_interpreter_target_mac = "@py_host//:dist/bin/python3",
+    python_interpreter_target_win = "@py_host//:dist/python.exe",
 )

 http_archive(
--- a/bazel/toolchains/python_toolchain.BUILD
+++ b/bazel/toolchains/python_toolchain.BUILD
@ -3,12 +3,12 @@ load("@bazel_tools//tools/python:toolchain.bzl", "py_runtime_pair")
 filegroup(
    name = "files",
    srcs = glob(
-        include=["**/*"],
+        include=["dist/**/*"],
        # bazel runfiles do not support paths with spaces
        # https://github.com/bazelbuild/bazel/issues/4327
        # The setuptools developers will not remove the spaces from these files
        # https://github.com/pypa/setuptools/issues/746
-        exclude=["**/setuptools/**/* *"]),
+        exclude=["**/setuptools/**/* *", "**/*.pyc"]),
    visibility = ["//visibility:public"],
 )

--- a/bazel/toolchains/python_toolchain.bzl
+++ b/bazel/toolchains/python_toolchain.bzl
@ -7,37 +7,37 @@ URLS_MAP = {
    "linux_aarch64": {
        "sha": "3e26a672df17708c4dc928475a5974c3fb3a34a9b45c65fb4bd1e50504cc84ec",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-unknown-linux-gnu-install_only.tar.gz",
-        "interpreter_path": "bin/python3",
+        "interpreter_path": "dist/bin/python3",
    },
    "linux_amd64": {
        "sha": "ee37a7eae6e80148c7e3abc56e48a397c1664f044920463ad0df0fc706eacea8",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-unknown-linux-gnu-install_only.tar.gz",
-        "interpreter_path": "bin/python3",
+        "interpreter_path": "dist/bin/python3",
    },
    "linux_ppc64le": {
        "sha": "7937035f690a624dba4d014ffd20c342e843dd46f89b0b0a1e5726b85deb8eaf",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-ppc64le-unknown-linux-gnu-install_only.tar.gz",
-        "interpreter_path": "bin/python3",
+        "interpreter_path": "dist/bin/python3",
    },
    "linux_s390x": {
        "sha": "f9f19823dba3209cedc4647b00f46ed0177242917db20fb7fb539970e384531c",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-s390x-unknown-linux-gnu-install_only.tar.gz",
-        "interpreter_path": "bin/python3",
+        "interpreter_path": "dist/bin/python3",
    },
    "windows_amd64": {
        "sha": "35458ef3163a2705cd0952ba1df6012acb42b043349dcb31ab49afec341369cf",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-pc-windows-msvc-static-install_only.tar.gz",
-        "interpreter_path": "python3.exe",
+        "interpreter_path": "dist/python3.exe",
    },
    "macos_aarch64": {
        "sha": "916c35125b5d8323a21526d7a9154ca626453f63d0878e95b9f613a95006c990",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-aarch64-apple-darwin-install_only.tar.gz",
-        "interpreter_path": "bin/python3",
+        "interpreter_path": "dist/bin/python3",
    },
    "macos_x86_64": {
        "sha": "178cb1716c2abc25cb56ae915096c1a083e60abeba57af001996e8bc6ce1a371",
        "url": "https://github.com/indygreg/python-build-standalone/releases/download/20231002/cpython-3.11.6+20231002-x86_64-apple-darwin-install_only.tar.gz",
-        "interpreter_path": "bin/python3",
+        "interpreter_path": "dist/bin/python3",
    },
 }

@ -76,6 +76,7 @@ def _py_download(ctx):
    ctx.report_progress("downloading python")
    retry_download_and_extract(
        ctx = ctx,
+        output = "dist",
        tries = 5,
        url = urls,
        sha256 = sha,
@ -83,21 +84,21 @@ def _py_download(ctx):
    )

    windows_python = False
-    for name in ctx.path(".").readdir():
+    for name in ctx.path("dist").readdir():
        if name.basename == "python.exe":
            windows_python = True
            break

    if windows_python:
        # windows does not have python version specific dir
-        usercustomize_file = "Libs/site-packages/usercustomize.py"
+        usercustomize_file = "dist/Lib/site-packages/usercustomize.py"
    else:
        # detect python version without execution
        # this looks for the `python#.#` binary on macos and linux
        # and extracts the version information at the end of the binary,
        # starlark doesn't have regex support so had to roll our own
        # parsing.
-        python_base_dir = ctx.path("bin")
+        python_base_dir = ctx.path("dist/bin")
        bin_files = python_base_dir.readdir()
        python_major_version = -1
        python_minor_version = -1
@ -119,7 +120,7 @@ def _py_download(ctx):
        if python_major_version == -1 or python_minor_version == -1:
            ctx.fail("Could not detect python versions")

-        usercustomize_file = "lib/python" + python_major_version + "." + python_minor_version + "/site-packages/usercustomize.py"
+        usercustomize_file = "dist/lib/python" + python_major_version + "." + python_minor_version + "/site-packages/usercustomize.py"

    ctx.file(
        usercustomize_file,
@ -145,6 +146,14 @@ sys.dont_write_bytecode = True
        "{interpreter_path}": interpreter_path,
    }

+    if os == "windows":
+        # Read-only secures the toolchain but on windows makes bazel unable to clean or reinstall it
+        #ctx.execute(['icacls', 'dist', '/inheritance:r', '/grant:r', 'Everyone:R', '/T'])
+        #ctx.execute(['icacls', 'dist', '/inheritance:r', '/grant:r', 'Administrators:R', '/T'])
+        pass
+    else:
+        ctx.execute(["chmod", "-R", "544", "dist"])
+
    ctx.template(
        "BUILD.bazel",
        ctx.attr.build_tpl,
@ -171,7 +180,7 @@ py_download = repository_rule(
            doc = "Host architecture.",
        ),
        "interpreter_path": attr.string(
-            default = "bin/python3",
+            default = "dist/bin/python3",
            doc = "Path you'd expect the python interpreter binary to live.",
        ),
        "build_tpl": attr.label(
@ -231,7 +240,7 @@ def setup_mongo_python_toolchains():
        arch = "amd64",
        os = "windows",
        build_tpl = "//bazel/toolchains:python_toolchain.BUILD",
-        interpreter_path = "python.exe",
+        interpreter_path = "dist/python.exe",
        sha256 = URLS_MAP["windows_amd64"]["sha"],
        urls = [URLS_MAP["windows_amd64"]["url"]],
    )