Description
Is your feature request related to a problem? Please describe.
TL;DR: The scie-pants launcher, which is now enforced by default, introduces complexity for strict offline Docker environments where hermeticity is required.
scie-pants' dynamic resolution logic (resolving internal mappings -> fetching Portable Python Builds -> fetching PEX) and reliance on the jump launcher system make it difficult to create a strictly static image. Even after pre-seeding attempts, the launcher often persists in attempting network connections at runtime, which causes failures in docker run --network=none environments.
To achieve a static install, we have had to bypass the launcher entirely. However, because wheels are no longer published to PyPI, we are forced to hardcode specific release artifact URLs. This approach is brittle and harder to maintain than industry-standard package management.
Standard tools like uv can achieve the necessary installation goals without the runtime network dependencies, as demonstrated below:
```dockerfile
FROM python:3.12-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
ENV NO_SCIE_WARNING=True
RUN uv tool install https://github.com/pantsbuild/pants/releases/download/release_2.30.0/pantsbuild_pants-2.30.0-cp311-cp311-manylinux2014_x86_64.whl \
    --python=3.11
```
Describe the solution you'd like
I would like to request an official, documented path for static installation that relies on standard Python packaging tools rather than the custom launcher. Specifically:
- Resume publishing Pants wheels to PyPI: This would allow standard tools (uv) to manage the installation versioning without hardcoded URLs.
- Default NO_SCIE_WARNING=True: If a user installs via industry-standard methods, the CLI shouldn't warn against it.
- Document a "Container-First" installation method: Provide a minimal, supported recipe for installing Pants in a container that allows the image to run successfully in a completely airtight (--network=none) environment immediately after build.
Describe alternatives you've considered
We attempted to follow the standard scie-pants bootstrap flow in the Dockerfile below. Despite running the bootstrap during the build phase, the launcher triggers a re-resolution or network check at runtime, causing the container to crash in offline mode.
Dockerfile:
```dockerfile
FROM python:3.11-slim
RUN apt-get update && apt-get install -y curl
ADD --chmod=755 https://static.pantsbuild.org/setup/get-pants.sh /tmp/
RUN /tmp/get-pants.sh --bin-dir /usr/local/bin
ENV SCIE_BASE=/usr/local/pants/
RUN mkdir -p $SCIE_BASE && cd $SCIE_BASE && touch pants.toml && \
    PANTS_VERSION=2.30.0 pants --version
# Even though we ran it above, specifying the version explicitly here
# triggers a re-resolution or network check, failing in offline mode.
# Reproduce via docker run --network=none
CMD ["sh", "-c", "PANTS_VERSION=2.30.0 pants --version"]
```
Error Output:
```
$ docker build -t test . && docker run --network=none test
Failed to determine release URL for Pants: 2.30.0: pants.2.30.0-cp311-linux_x86_64.pex: URL check failed: https://github.com/pantsbuild/pants/releases/download/release_2.30.0/pants.2.30.0-cp311-linux_x86_64.pex: <urlopen error [Errno -3] Temporary failure in name resolution>
If this is unexpected (you are using a known good Pants version), try upgrading scie-pants first.
...
Error: Failed to establish atomic directory ... Population of work directory failed: Boot binding command failed: exit status: 1
```
I am aware that I could reroute the network calls via this, but this would still result in a re-installation, and would add further configuration complexity.
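
One way to keep the hardcoded release URL from the uv workaround above while failing the build if the downloaded wheel ever differs from a recorded digest, as an added example that is not part of the original issue or the Pants project. The `PANTS_WHEEL_SHA256` build argument, the `python:3.11-slim` base and `UV_PYTHON_DOWNLOADS=never` are assumptions of this example; dependencies that uv resolves from PyPI during the build are not covered by the check.

```dockerfile
# Added example, not from the issue or the Pants project.
# Assumption: python:3.11-slim base so uv can use the image's own CPython 3.11.
FROM python:3.11-slim

# Same uv source as in the issue; pin this image by digest for a reproducible build.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

# UV_PYTHON_DOWNLOADS=never stops uv from fetching a managed interpreter, so the
# wheel below is the only release artifact this build fetches by hardcoded URL.
# /root/.local/bin is where uv places tool executables for the root user.
ENV UV_PYTHON_DOWNLOADS=never \
    NO_SCIE_WARNING=True \
    PATH="/root/.local/bin:${PATH}"

ARG PANTS_VERSION=2.30.0
ARG PANTS_WHEEL=pantsbuild_pants-${PANTS_VERSION}-cp311-cp311-manylinux2014_x86_64.whl
# Placeholder: no default on purpose. The page gives no digest for this wheel,
# so the value must be passed with --build-arg.
ARG PANTS_WHEEL_SHA256

ADD https://github.com/pantsbuild/pants/releases/download/release_${PANTS_VERSION}/${PANTS_WHEEL} /tmp/

# Fail closed: an empty or mismatched digest makes sha256sum exit non-zero,
# and the wheel is never handed to uv.
RUN echo "${PANTS_WHEEL_SHA256}  /tmp/${PANTS_WHEEL}" | sha256sum -c - \
 && uv tool install "/tmp/${PANTS_WHEEL}" --python=3.11
```

Build with `docker build --build-arg PANTS_WHEEL_SHA256=<digest recorded for the release asset> .`; an unset or mismatched digest makes `sha256sum -c` fail and stops the build.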