feat: update rockcraft with new non root solution
canonical/seldon-core-operator#133

Summary of changes:
- Updated rockcraft.yaml with new run-user option to run as non-root.
- Updated import procedure.
- Tested with integration tests on the branch.
Ivan Chvets committed Jun 14, 2023
1 parent fc4dd79 commit 2c6fc8d
Showing 3 changed files with 14 additions and 15 deletions.
21 changes: 8 additions & 13 deletions sklearnserver/rockcraft.yaml
@@ -1,25 +1,27 @@
# Based on https://github.com/SeldonIO/seldon-core/tree/master/servers/sklearnserver/sklearnserver
name: sklearnserver
summary: An image for Seldon SKLearn Server
description: |
This image is used as part of the Charmed Kubeflow product. The SKLearn Server serves
models which have been stored as pickles.
version: v1.16.0_20.04_1 # <upstream-version>-<base-version>_<Charmed-KF-version>
version: v1.16.0_20.04_1 # <upstream-version>_<base-version>_<Charmed-KF-version>
license: Apache-2.0
base: ubuntu:20.04
run-user: _daemon_
services:
sklearnserver:
override: replace
summary: "sklearnserver service"
startup: enabled
# Yet again, use a subshell to jam conda into a working state. Can't use bashrc, because it immediately
# exits if PS1 isn't set, so no-go from scripts
command: bash -c 'cd /microservice && export PATH=/opt/conda/bin/${PATH} && eval $(/opt/conda/bin/conda shell.bash hook 2> /dev/null) && source /opt/conda/etc/profile.d/conda.sh && conda activate && seldon-core-microservice $MODEL_NAME --service-type $SERVICE_TYPE --persistence $PERSISTENCE'
# exits if PS1 isn't set, so no-go from scripts.
command: bash -c 'cd /microservice && export PATH=/opt/conda/bin/:${PATH} && eval $(/opt/conda/bin/conda shell.bash hook 2> /dev/null) && source /opt/conda/etc/profile.d/conda.sh && conda activate && seldon-core-microservice ${MODEL_NAME} --service-type ${SERVICE_TYPE} &> /tmp/log.txt'
environment:
# the following environment variables are taken from:
# https://github.com/SeldonIO/seldon-core/blob/master/servers/sklearnserver/environment
# NOTE: PERSISTENCE is omitted because it is depricated
MODEL_NAME: "SKLearnServer"
SERVICE_TYPE: "MODEL"
PERSISTENCE: "0"
user: ubuntu

platforms:
amd64:

@@ -78,13 +80,6 @@ parts:
# but it does need to match pebble's workdir
install -D -m 755 ${CRAFT_STAGE}/microservice/SKLearnServer.py microservice/SKLearnServer.py
non-root-user:
plugin: nil
overlay-script: |
# Create a user in the $CRAFT_OVERLAY chroot
groupadd -R $CRAFT_OVERLAY -g 1001 ubuntu
useradd -R $CRAFT_OVERLAY -M -r -u 1001 -g ubuntu ubuntu
security-team-requirement:
plugin: nil
after: [sklearnserver]
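Review bot: The new `command:` in the first hunk ends with `&> /tmp/log.txt`, which sends all of the service's stdout and stderr to a fixed file in `/tmp` instead of leaving it on the streams Pebble captures. That output then presumably no longer appears in the Pebble service logs or the container log stream, which is where an operator or a detection pipeline would look for it. The file also grows without rotation at a predictable path in a world-writable directory. I would drop the redirect and end the command at `--service-type ${SERVICE_TYPE}'`; if a file copy is really needed, a comment above `command:` should say why. The added NOTE comment also misspells "deprecated".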
5 changes: 4 additions & 1 deletion sklearnserver/tests/test_rock.py
@@ -32,7 +32,10 @@ def test_rock(ops_test: OpsTest, rock_test_env):
"""Test rock."""
check_rock = CheckRock("rockcraft.yaml")
container_name = rock_test_env
LOCAL_ROCK_IMAGE = check_rock.get_image_name()
LOCAL_ROCK_IMAGE = f"{check_rock.get_image_name()}:{check_rock.get_version()}"

# verify that all artifacts are in correct locations
subprocess.run(["docker", "run", LOCAL_ROCK_IMAGE, "exec", "ls", "-la", "/microservice/SKLearnServer.py"], check=True)

# verify that rockcraft.yaml contains correct image name for PREDICTIVE_UNIT_IMAGE environment variable
#assert CheckRock.get_environment()["PREDICTIVE_UNIT_IMAGE"].contains(LOCAL_ROCK_IMAGE)
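Review bot: Nothing in the visible part of `test_rock` asserts that the rock actually runs as a non-root user, which is the purpose of this commit; the only new check lists `/microservice/SKLearnServer.py`. A check in the same style would pin it, e.g. `uid = subprocess.run(["docker", "run", "--rm", LOCAL_ROCK_IMAGE, "exec", "id", "-u"], check=True, capture_output=True, text=True).stdout.strip()` followed by `assert uid != "0"` (this assumes `exec` runs under the image's configured user, which is worth confirming). The existing `docker run` call would also benefit from `--rm` so that test runs do not leave stopped containers behind. The function starts above the hunk and may continue below it.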
3 changes: 2 additions & 1 deletion sklearnserver/tox.ini
@@ -66,11 +66,12 @@ commands =
print(CheckRock("rockcraft.yaml").get_version())'\'') && \
sudo skopeo --insecure-policy copy oci-archive:$ROCK.rock docker-daemon:$ROCK:$VERSION && \
docker save $ROCK > $ROCK.tar && \
microk8s ctr image import $ROCK.tar && \
microk8s ctr image import $ROCK.tar --digests=true && \
predictor_servers=$(yq e ".data.predictor_servers" {env:LOCAL_CHARM_DIR}/src/templates/configmap.yaml.j2) && \
predictor_servers=$(jq --arg jq_rock $ROCK -r '\''.SKLEARN_SERVER.protocols.seldon.image=$jq_rock'\'' <<< $predictor_servers) && \
predictor_servers=$(jq --arg jq_version $VERSION -r '\''.SKLEARN_SERVER.protocols.seldon.defaultImageVersion=$jq_version'\'' <<< $predictor_servers) yq e -i ".data.predictor_servers=strenv(predictor_servers)" {env:LOCAL_CHARM_DIR}/src/templates/configmap.yaml.j2'
# replace yq safe placeholder with original value
sed -i "s/namespace: YQ_SAFE/namespace: {{ namespace }}/" {env:LOCAL_CHARM_DIR}/src/templates/configmap.yaml.j2
# run charm integration test with rock
tox -c {env:LOCAL_CHARM_DIR} -e integration
