Server Setup

Do not run pip as root

by , , revisited on


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install NGINX, Varnish, and lots of useful modules for them, this is your one-stop repository to get all performance-related software.
You have to maintain an active subscription in order to be able to use the repository!

It is quite unfortunate that there is very little stating on the web of the quite obvious thing to be aware of.
In plain text, with big loud characters, I’ll put it here for everyone to remember:

Do not ever run pip as root

Here, I’m going to touch on why not to run pip as root, give some examples on how it’s going to break things miserably, and what to do instead.
Let’s go.

Python and your system

Each Linux/GNU distro in unique in some wat. But their common feature is the package management system.
For Debian-based systems, that is apt. For CentOS/RHEL, it’s yum or dnf, and this is what we’ll touch in our examples.

You will find that many Python modules are available through the yum repositories as RPM packages, e.g.:

  • python2-requests
  • python2-tqdm
  • etc, etc.

You can simply install them as any other packages, for example:

sudo yum install python2-requests

Python modules that are available through yum (dnf) often serve as a base for the core OS functions like yum itself.

Not even that. All the packaged software that depends on Python modules in one way or the other, will depend on the system-packaged Python modules.

pip

Now, pip is the installer/manager for Python modules available via PyPi.
But it has no idea whatsoever about your package manager.
It has no idea about RPM format either, nor about what you already have installed through the system (yum) packages.

So when you invoke pip as root, it will more than likely overwrite Python modules that were installed via system packages.

The result of running pip as root, would be a dirty mix of Python modules installed via yum package management, and pip installed Python modules.

Example of breakage

For the illustration, I’m going to install the certbot package. It is a program for generating free TLS certificates:

sudo yum -y install epel-release
sudo yum install certbot
sudo certbot register # works fine

Now say you have the itch to install the latest and greatest version of a Python app that is not available via yum.
You went to its GitHub project package that wants you to install via pip.
And so you run pip install ... as root. Little did you know that the app required newer requests Python module.

The installation went through just fine, fetching and installing the newest version of requests Python library.

Which would be equivalent to (attention, do not run! example only):

sudo pip install -U requests

What now? Your great new app is working fine, but the certbot IS BROKEN with an error message:

ImportError: ‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer.

Why that is? Because we’ve brought in newer requests library that requires newer pyOpenSSL.

We’ve created a mess of the machine by mixing Python modules from pip with Python modules/apps installed via system RPM packages.
You’ll have a hard time restoring things to a working state.

This is an easy example because there is an obvious failure in running certbot now.

But in other cases, you may not even notice the breakage, and things will just work in a weird way.

Remember. What makes the CentOS a Community Enterprise OS? It is packaging, of course!

When you install software in a way that mixes custom on top the system, you’re asking for trouble!

What to do instead

Software that is not available through the system packages (read, RPM) should either be packaged as such, or installed in a directory where it won’t tamper with the system packages function.

Python has a great concept of virtual environments. Essentially you can create a directory that holds all the Python modules for a Python app to run.

It is, however, not an easy concept for some folks. So a simple thing you can do to leverage Python virtualenvs in a user-friendly way, is to use pip-safe.

The pip-safe will allow you to install newest Python apps without damaging your system packages.

Install pip-safe

pip-safe itself is available via system packages, on CentOS/RHEL 7 and 8.

sudo yum install https://extras.getpagespeed.com/release-latest.rpm
sudo yum install pip-safe

Install a Python app

pip-safe install lastversion

We’ve just installed lastversion CLI utility from PyPi. Wen can now run it simply as lastversion linux and get the latest Linux kernel version.

How it works, behind the scenes

It installs each program into its own virtualenv at ~/.virtualenvs/<pypi-name>, and symlinks whichever executables it has over to ~/.local/bin/<cli-name>.
Simple and easy! Each program lives in its own virtual environment, so it can have whatever required Python module versions for it.
All without touching your system Python modules.

Install a Python app, for all users

You can also install a Python app from PyPi system-wide, by passing the --system switch:

pip-safe --system install lastversion

How it works, behind the scenes

Similar to user install, a program is installed into a virtualenv of its own.
The only difference is that system-wide Python apps are installed to /opt/pip-safe and their binaries are symlinked to /usr/local/bin/.

Manage Python apps, the safe way

Of course, pip-safe allows also listing and removing installed Python apps.

List installed Python packages/apps

pip-safe list

Remove a Python app

pip-safe remove <name>

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.