From 2c6fc8d396e2007dfc2df63c74a05e4b5e938a62 Mon Sep 17 00:00:00 2001 From: Ivan Chvets Date: Wed, 14 Jun 2023 17:24:07 -0400 Subject: [PATCH] feat: update rockcraft with new non root solution https://github.com/canonical/seldon-core-operator/issues/133 Summary of changes: - Updated rockcraft.yaml with new run-user option to run as non-root. - Updated import procedure. - Tested with integration tests on the branch. --- sklearnserver/rockcraft.yaml | 21 ++++++++------------- sklearnserver/tests/test_rock.py | 5 ++++- sklearnserver/tox.ini | 3 ++- 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/sklearnserver/rockcraft.yaml b/sklearnserver/rockcraft.yaml index 8773fa2..324b1fb 100644 --- a/sklearnserver/rockcraft.yaml +++ b/sklearnserver/rockcraft.yaml 
@@ -1,25 +1,27 @@ +# Based on https://github.com/SeldonIO/seldon-core/tree/master/servers/sklearnserver/sklearnserver name: sklearnserver summary: An image for Seldon SKLearn Server description: | This image is used as part of the Charmed Kubeflow product. The SKLearn Server serves models which have been stored as pickles. -version: v1.16.0_20.04_1 # -_ +version: v1.16.0_20.04_1 # __ license: Apache-2.0 base: ubuntu:20.04 +run-user: _daemon_ services: sklearnserver: override: replace summary: "sklearnserver service" startup: enabled # Yet again, use a subshell to jam conda into a working state. Can't use bashrc, because it immediately - # exits if PS1 isn't set, so no-go from scripts - command: bash -c 'cd /microservice && export PATH=/opt/conda/bin/${PATH} && eval $(/opt/conda/bin/conda shell.bash hook 2> /dev/null) && source /opt/conda/etc/profile.d/conda.sh && conda activate && seldon-core-microservice $MODEL_NAME --service-type $SERVICE_TYPE --persistence $PERSISTENCE' + # exits if PS1 isn't set, so no-go from scripts. + command: bash -c 'cd /microservice && export PATH=/opt/conda/bin/:${PATH} && eval $(/opt/conda/bin/conda shell.bash hook 2> /dev/null) && source /opt/conda/etc/profile.d/conda.sh && conda activate && seldon-core-microservice ${MODEL_NAME} --service-type ${SERVICE_TYPE} &> /tmp/log.txt' environment: + # the following environment variables are taken from: + # https://github.com/SeldonIO/seldon-core/blob/master/servers/sklearnserver/environment + # NOTE: PERSISTENCE is omitted because it is depricated MODEL_NAME: "SKLearnServer" SERVICE_TYPE: "MODEL" - PERSISTENCE: "0" - user: ubuntu - platforms: amd64: 
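Review bot: The new `command` ends with `&> /tmp/log.txt`, which sends all stdout and stderr of `seldon-core-microservice` to a fixed file in /tmp instead of the service's own output streams. Pebble then has nothing to capture for its service logs, so startup failures and request errors from a server that loads pickled models are invisible to normal log collection, and the file grows without any rotation. If the redirect was a debugging aid, drop it so the command ends at `--service-type ${SERVICE_TYPE}'`; if a file copy is really required, say why in a comment next to `command`. The added comment's `depricated` should read `deprecated`.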
@@ -78,13 +80,6 @@ parts: # but it does need to match pebble's workdir install -D -m 755 ${CRAFT_STAGE}/microservice/SKLearnServer.py microservice/SKLearnServer.py - non-root-user: - plugin: nil - overlay-script: | - # Create a user in the $CRAFT_OVERLAY chroot - groupadd -R $CRAFT_OVERLAY -g 1001 ubuntu - useradd -R $CRAFT_OVERLAY -M -r -u 1001 -g ubuntu ubuntu - security-team-requirement: plugin: nil after: [sklearnserver] diff --git a/sklearnserver/tests/test_rock.py b/sklearnserver/tests/test_rock.py index b087051..ff5e9c0 100644 --- a/sklearnserver/tests/test_rock.py +++ b/sklearnserver/tests/test_rock.py @@ -32,7 +32,10 @@ def test_rock(ops_test: OpsTest, rock_test_env): """Test rock.""" check_rock = CheckRock("rockcraft.yaml") container_name = rock_test_env - LOCAL_ROCK_IMAGE = check_rock.get_image_name() + LOCAL_ROCK_IMAGE = f"{check_rock.get_image_name()}:{check_rock.get_version()}" # verify that all artifacts are in correct locations subprocess.run(["docker", "run", LOCAL_ROCK_IMAGE, "exec", "ls", "-la", "/microservice/SKLearnServer.py"], check=True) + + # verify that rockcraft.yaml contains correct image name for PREDICTIVE_UNIT_IMAGE environment variable + #assert CheckRock.get_environment()["PREDICTIVE_UNIT_IMAGE"].contains(LOCAL_ROCK_IMAGE) diff --git a/sklearnserver/tox.ini b/sklearnserver/tox.ini index 9871460..8ed8612 100644 --- a/sklearnserver/tox.ini +++ b/sklearnserver/tox.ini 
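Review bot: Nothing in `test_rock` checks the property this commit introduces, that the rock no longer runs as root; the only runtime check is that `/microservice/SKLearnServer.py` exists. A second call such as `uid = subprocess.run(["docker", "run", LOCAL_ROCK_IMAGE, "exec", "id", "-u"], check=True, capture_output=True, text=True).stdout.strip()` followed by `assert uid != "0"` would pin it, assuming `exec` runs as the image's configured user. The commented-out `#assert ...` line should be removed or finished: as written it calls `get_environment()` on the class rather than on `check_rock`, and if the value is a `str` it has no `.contains` method (use `LOCAL_ROCK_IMAGE in ...`). The function's signature sits in the hunk header, outside the changed lines.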
@@ -66,7 +66,7 @@ commands = print(CheckRock("rockcraft.yaml").get_version())'\'') && \ sudo skopeo --insecure-policy copy oci-archive:$ROCK.rock docker-daemon:$ROCK:$VERSION && \ docker save $ROCK > $ROCK.tar && \ - microk8s ctr image import $ROCK.tar && \ + microk8s ctr image import $ROCK.tar --digests=true && \ predictor_servers=$(yq e ".data.predictor_servers" {env:LOCAL_CHARM_DIR}/src/templates/configmap.yaml.j2) && \ predictor_servers=$(jq --arg jq_rock $ROCK -r '\''.SKLEARN_SERVER.protocols.seldon.image=$jq_rock'\'' <<< $predictor_servers) && \ predictor_servers=$(jq --arg jq_version $VERSION -r '\''.SKLEARN_SERVER.protocols.seldon.defaultImageVersion=$jq_version'\'' <<< $predictor_servers) yq e -i ".data.predictor_servers=strenv(predictor_servers)" {env:LOCAL_CHARM_DIR}/src/templates/configmap.yaml.j2' @@ -74,3 +74,4 @@ commands = sed -i "s/namespace: YQ_SAFE/namespace: {{ namespace }}/" {env:LOCAL_CHARM_DIR}/src/templates/configmap.yaml.j2 # run charm integration test with rock tox -c {env:LOCAL_CHARM_DIR} -e integration +
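Review bot: `--digests=true` is appended after the archive name in `microk8s ctr image import $ROCK.tar --digests=true`, while ctr's usage puts command options before the input file; whether a trailing option is parsed may depend on the ctr build, so `microk8s ctr image import --digests=true $ROCK.tar` is the safer ordering. The change also gives no reason for creating digest references, and a one-line comment above this command block naming the later step that needs them would keep the flag from being dropped as noise. This line is part of a longer `bash -c` command that begins outside the hunk.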