cryptography NAPALM dependancy needs rust and newer pip on python36

[mtinberg]

Netbox doesn't deploy on RHEL/CentOS 7 python36 with pip3 v9.0.3 due to current release of cryptography depended on by NAPALM depending on rust during the build/install process, pip3 v9.0.3 setuptools doesn't have modules to build rust, but running pip3 install pip --upgrade in the venv then installing napalm works, as long as rust (1.47.0) is installed from EPEL.

We may need to add rust as a package dependancy then upgrade pip in the venv during deployment, maybe have the first pip/venv task be to set up an empty venv and upgrade pip, then install requirements/constraints then optional modules.

This may affect other platforms as well

[tyler-8]

This has affected a lot of packages/apps in the Python ecosystem.

I'm not crazy about blindly upgrading pip to the latest version - as there have been breaking pip changes in the past. IMO, we should select a known working version (whatever is released right now) and pin that as part of the pip constraints perhaps?

The latest version of pip has a pre-compiled wheel of the cryptography package so there's no need to install rust on the target system. So the pre-install steps should be pip install pip==X.Y.Z wheel=X.Y.Z to ensure the following tasks can complete.

[tyler-8]

It's worth noting that the NetBox upgrade.sh is doing a 'blind' pip upgrade now https://github.com/netbox-community/netbox/issues/5776 but I still think a pinned pip is the better approach.

[lae]

I'm on board with pinned pip via the constraints role variable. Although pinning to a minor version (x.y) instead of a patch version (x.y.z) seems like it'd be appropriate to keep the maintenance overhead low.