refactor(deps): move per-Python lockfiles into lockfiles/pyXX/ subdirs

Each `lockfiles/pyXX/` directory is a separate Dependabot watchpoint,
which lets the py39 entry carry a permanent `ignore: urllib3 >= 2.7.0`
rule (urllib3 2.7.0 dropped Python 3.9) without holding back the
other interpreters. py39 lockfile regenerated with urllib3 2.6.3.

Windows lockfile follows the same scheme: `lockfiles/py313-windows/
requirements.txt`. All build/install scripts, GitHub workflows,
container fixtures (cpu-usage, strongswan-connections, users) and
docs (INSTALL.md, BUILD.md, CONTRIBUTING.md, tox.ini) updated to
the new paths.

Author: markuslf

.github/dependabot.yml

@@ -8,8 +8,64 @@ updates:
       time: '05:00'
       timezone: 'Etc/UTC'
 
+  # One entry per Python LTS lockfile. Each lockfile lives in its own
+  # directory under `lockfiles/` so Dependabot can apply per-version
+  # ignore rules (e.g. urllib3 cannot move past 2.6.x on Python 3.9).
   - package-ecosystem: 'pip'
-    directory: '/'
+    directory: '/lockfiles/py39'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'
+    ignore:
+      # urllib3 >= 2.7.0 requires Python 3.10+; the py39 lockfile is
+      # for RHEL 8 / Debian 11 (Python 3.9) and must stay on 2.6.x.
+      - dependency-name: 'urllib3'
+        versions: ['>=2.7.0']
+
+  - package-ecosystem: 'pip'
+    directory: '/lockfiles/py310'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'
+
+  - package-ecosystem: 'pip'
+    directory: '/lockfiles/py311'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'
+
+  - package-ecosystem: 'pip'
+    directory: '/lockfiles/py312'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'
+
+  - package-ecosystem: 'pip'
+    directory: '/lockfiles/py313'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'
+
+  - package-ecosystem: 'pip'
+    directory: '/lockfiles/py314'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'
+
+  - package-ecosystem: 'pip'
+    directory: '/lockfiles/py313-windows'
     schedule:
       interval: 'weekly'
       day: 'friday'

.github/workflows/lf-build-windows-x86_64.yml

@@ -82,8 +82,8 @@ jobs:
         run: 'python.exe -m pip install --upgrade ordered-set Nuitka'
 
       # install 3rd party libraries for all check plugins
-      - name: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\requirements-py313-windows.txt --require-hashes'
-        run: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\requirements-py313-windows.txt --require-hashes'
+      - name: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\lockfiles/py313-windows/requirements.txt --require-hashes'
+        run: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\lockfiles/py313-windows/requirements.txt --require-hashes'
 
       - name: 'Verify Python installation'
         run: 'python.exe -m pip list'

BUILD.md

@@ -176,9 +176,10 @@ Prerequisites:
 * **Visual Studio 2022 Build Tools** (supplies MSVC, required by Nuitka
   `--msvc=latest`).
 * `python3 -m pip install --upgrade ordered-set Nuitka`.
-* `python3 -m pip install --require-hashes --requirement requirements-py313-windows.txt`
-  from the monitoring-plugins repository root. The `pyXX` in the filename
-  matches the Python version the Windows build is pinned to (3.13 today).
+* `python3 -m pip install --require-hashes --requirement lockfiles/py313-windows/requirements.txt`
+  from the monitoring-plugins repository root. The `pyXX` directory under
+  `lockfiles/` matches the Python version the Windows build is pinned to
+  (3.13 today).
 * The plugin must carry a `.windows` marker file. Plugins without it are
   skipped by `compile-one.sh`.
 

CHANGELOG.md

@@ -21,8 +21,8 @@ Monitoring Plugins:
 
 Build, CI/CD:
 
-* requirements: one hash-pinned lockfile per supported Python LTS (`requirements-py39.txt` to `-py314.txt`) replaces the single `requirements.txt`. Windows uses `requirements-py313-windows.txt`
-* requirements: build scripts auto-detect the Python version and pick the matching file. urllib3 lands at 2.7.0 on Python 3.10+, closing two of the four Dependabot advisories
+* requirements: one hash-pinned lockfile per supported Python LTS, each in its own `lockfiles/pyXX/` subdirectory (`py39` to `py314`). Replaces the single `requirements.txt`. Windows uses `lockfiles/py313-windows/requirements.txt`
+* requirements: build scripts auto-detect the Python version and pick the matching file. urllib3 lands at 2.7.0 on Python 3.10+, closing two of the four Dependabot advisories; the `py39` lockfile pins urllib3 to 2.6.x via Dependabot ignore (urllib3 2.7.0 requires Python 3.10+)
 
 
 ### Changed

CONTRIBUTING.md

@@ -158,7 +158,7 @@ When creating a new plugin, make sure to deliver:
 * README file explaining "How?" and "Why?"
 * A free, monochrome, transparent SVG icon from <https://simpleicons.org> or <https://fontawesome.com/search?ic=free>, placed in the `icon` directory.
 * Optional: `unit-test/run` - the unittest file (see [Unit Tests](#unit-tests))
-* Optional: extend the repo-root `requirements.in` with new Python deps; the per-Python lockfiles `requirements-pyXX.txt` are regenerated from it
+* Optional: extend the repo-root `requirements.in` with new Python deps; the per-Python lockfiles under `lockfiles/pyXX/requirements.txt` are regenerated from it
 * If providing performance data: Grafana dashboard (see [GRAFANA.md](GRAFANA.md)) and `.ini` file for the Icinga Web 2 Grafana Module
 * Icinga Director Basket Config for the check plugin (`build-basket`)
 * Icinga Service Set in `all-the-rest.json` if appropriate (see [Service Set vs. Service Template](#service-set-vs-service-template))
@@ -1040,7 +1040,7 @@ The canonical distro matrix is the cpu-usage `CONTAINERFILES` list. **Where poss
 
 Rules and tips:
 
-* **Reuse cpu-usage's `containerfiles/`** as a starting point for a new plugin - the per-distro bootstrap (pacman / apt / dnf / zypper + venv + `pip install -r requirements-pyXX.txt --require-hashes`, where `pyXX` matches the distro's Python LTS) is identical, only the bind-mount path for the plugin script changes.
+* **Reuse cpu-usage's `containerfiles/`** as a starting point for a new plugin - the per-distro bootstrap (pacman / apt / dnf / zypper + venv + `pip install -r lockfiles/pyXX/requirements.txt --require-hashes`, where `pyXX` matches the distro's Python LTS) is identical, only the bind-mount path for the plugin script changes.
 * **`clean_up=False` on `DockerImage`**. Testcontainers' default cleans up the built image and prunes dangling parent layers on exit, which turns every run into a full rebuild. `clean_up=False` keeps the image around so subsequent runs hit podman's layer cache and finish in seconds.
 * **`,Z` on bind mounts**. On SELinux-enforcing hosts (RHEL, Fedora, Rocky) unrelabelled bind mounts are denied by the container runtime. `mode='ro,Z'` relabels the source so the container can read it; without the `Z` flag the plugin inside the container sees "Permission denied" on `import lib`.
 * **Rootless podman caveats** - same as for the service-container pattern: `TESTCONTAINERS_RYUK_DISABLED=true` must be set, `CONTAINER_HOST` / `DOCKER_HOST` must point at the rootless socket. `tools/run-unit-tests` does this automatically.

INSTALL.md

@@ -125,16 +125,16 @@ and Icinga Director command definitions portable (see
 
 Unlike the RPM and DEB packages (which ship a pre-built venv under
 `/usr/lib64/linuxfabrik-monitoring-plugins/venv/`), the source zip only carries source
-files. The repository ships one hash-pinned lockfile per supported Python LTS
-(`requirements-py39.txt` ... `requirements-py314.txt`). Pick the file that matches the
+files. The repository ships one hash-pinned lockfile per supported Python LTS under
+`lockfiles/pyXX/requirements.txt` (`py39` ... `py314`). Pick the file that matches the
 Python on the target host and run `pip` against it once, as the user that will run the
 plugins (`icinga` on RHEL, `nagios` on Debian/Ubuntu):
 
 ```bash
 PY_TAG="py$(python3 -c 'import sys; print(f"{sys.version_info.major}{sys.version_info.minor}")')"
 sudo -u icinga python3 -m pip install --user --upgrade pip
 sudo -u icinga python3 -m pip install --user \
-    --requirement /usr/lib64/nagios/plugins/requirements-${PY_TAG}.txt --require-hashes
+    --requirement /usr/lib64/nagios/plugins/lockfiles/${PY_TAG}/requirements.txt --require-hashes
 ```
 
 
@@ -170,7 +170,7 @@ for dir in $(find "${plugin_source_dir}" -maxdepth 1 -type d); do
         "${dir}/${file}" \
         "${remote_user}@${remote_host}:${remote_target_dir}/${file}"
 done
-scp "${plugin_source_dir}/../requirements-py"*.txt "${remote_user}@${remote_host}:/tmp"
+scp -r "${plugin_source_dir}/../lockfiles" "${remote_user}@${remote_host}:/tmp"
 ```
 
 Once complete, the remote directory looks like this:
@@ -191,7 +191,7 @@ Install the Python dependencies for the user that runs the plugins (`icinga` on
 PY_TAG="py$(python3 -c 'import sys; print(f"{sys.version_info.major}{sys.version_info.minor}")')"
 sudo -u icinga python3 -m pip install --user --upgrade pip
 sudo -u icinga python3 -m pip install --user \
-    --requirement /tmp/requirements-${PY_TAG}.txt --require-hashes
+    --requirement /tmp/lockfiles/${PY_TAG}/requirements.txt --require-hashes
 ```
 
 
@@ -273,16 +273,17 @@ installation is required.
 ### From Source (Python 3.9+)
 
 On Windows, running the `.py` files directly requires a local Python 3.13
-installation and the dependencies from `requirements-py313-windows.txt` (the lockfile
-matches the version the Windows binary build is pinned to; see `BUILD.md`). Clone the
-repository and point the Icinga 2 agent at the `.py` files:
+installation and the dependencies from `lockfiles/py313-windows/requirements.txt` (the
+lockfile matches the version the Windows binary build is pinned to; see `BUILD.md`).
+Clone the repository and point the Icinga 2 agent at the `.py` files:
 
 ```powershell
 git clone https://github.com/Linuxfabrik/monitoring-plugins.git `
     "C:\Program Files\ICINGA2\sbin\linuxfabrik"
 python -m pip install --upgrade pip
 python -m pip install --requirement `
-    "C:\Program Files\ICINGA2\sbin\linuxfabrik\requirements-py313-windows.txt" --require-hashes
+    "C:\Program Files\ICINGA2\sbin\linuxfabrik\lockfiles\py313-windows\requirements.txt" `
+    --require-hashes
 ```
 
 

build/compile-multiple.sh

@@ -17,7 +17,7 @@ if ! uname -a | grep -q "_NT"; then
     # We are in a container.
     source /opt/venv/bin/activate
     PY_TAG="py$(python3 -c 'import sys; print(f"{sys.version_info.major}{sys.version_info.minor}")')"
-    REQS="$REPO_DIR/monitoring-plugins/requirements-${PY_TAG}.txt"
+    REQS="$REPO_DIR/monitoring-plugins/lockfiles/${PY_TAG}/requirements.txt"
     if [ ! -f "$REQS" ]; then
         echo "❌ No requirements file for Python ${PY_TAG} at $REQS" >&2
         exit 1

build/create-vendor-tarball.sh

@@ -17,7 +17,7 @@ $LFMP_PYTHON -m pip download \
 # as a unpinned dependency (which is already downloaded in the previous step).
 # All dependencies including hashes are already listed in our requirements anyway.
 PY_TAG="py$($LFMP_PYTHON -c 'import sys; print(f"{sys.version_info.major}{sys.version_info.minor}")')"
-REQS="$LFMP_DIR_REPOS/monitoring-plugins/requirements-${PY_TAG}.txt"
+REQS="$LFMP_DIR_REPOS/monitoring-plugins/lockfiles/${PY_TAG}/requirements.txt"
 if [ ! -f "$REQS" ]; then
     echo "❌ No requirements file for Python ${PY_TAG} at $REQS" >&2
     exit 1

build/install-vendor.sh

@@ -18,7 +18,7 @@ $LFMP_VENV_PIP install \
 # during vendor-install we are working *inside* the target venv.
 LFMP_VENV_PYTHON="$(dirname "$LFMP_VENV_PIP")/python"
 PY_TAG="py$($LFMP_VENV_PYTHON -c 'import sys; print(f"{sys.version_info.major}{sys.version_info.minor}")')"
-REQS="requirements-${PY_TAG}.txt"
+REQS="lockfiles/${PY_TAG}/requirements.txt"
 if [ ! -f "$REQS" ]; then
     echo "❌ No requirements file for Python ${PY_TAG} at $REQS" >&2
     exit 1

check-plugins/cpu-usage/unit-test/containerfiles/archlinux-vlatest

@@ -20,7 +20,7 @@ RUN pacman-key --init && \
 WORKDIR /tmp
 
 # Use ADD to download the requirements.txt file
-ADD https://raw.githubusercontent.com/Linuxfabrik/monitoring-plugins/refs/heads/main/requirements.txt /tmp/requirements.txt
+ADD https://raw.githubusercontent.com/Linuxfabrik/monitoring-plugins/refs/heads/main/lockfiles/py313/requirements.txt /tmp/requirements.txt
 
 # Set up a Python virtual environment and install dependencies
 RUN python -m venv /tmp/venv && \