From 6f710cf07395e85fc4f6e0dbb8b7b94ea049e5fe Mon Sep 17 00:00:00 2001 From: Sai Shanmukha Narumanchi Date: Thu, 6 Jun 2024 10:26:11 -0500 Subject: [PATCH 1/3] Add new GH Workflow and restructure nf base image Dockerfiles (#181) --- .../build_and_push_nf_base_images.yml | 69 +++++++++++++++++++ .../workflows/get_layer_info_for_nf_imgs.yml | 6 +- .../compliant_anibali_pytorch/Dockerfile | 15 ---- .../Dockerfile | 0 .../Dockerfile | 25 +++++++ .../Dockerfile | 36 ++++++++++ 6 files changed, 132 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/build_and_push_nf_base_images.yml delete mode 100644 nextflow-base-images/compliant_anibali_pytorch/Dockerfile rename nextflow-base-images/{nvcr_image => gen3-cuda-11.8-ubuntu22.04-openssl}/Dockerfile (100%) create mode 100644 nextflow-base-images/gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl/Dockerfile create mode 100644 nextflow-base-images/gen3-cuda-12.3-ubuntu22.04-openssl/Dockerfile diff --git a/.github/workflows/build_and_push_nf_base_images.yml b/.github/workflows/build_and_push_nf_base_images.yml new file mode 100644 index 00000000..688e6c6b --- /dev/null +++ b/.github/workflows/build_and_push_nf_base_images.yml 
@@ -0,0 +1,69 @@ +name: Push new nextflow images to ECR +on: + workflow_dispatch: + push: + branches: master + paths: + - 'nextflow-base-images/**' #Runs every time this folder gets updated + - '.github/workflows/build_and_push_nf_base_images.yml' + schedule: + - cron: '0 0 * * 6' # Run at midnight UTC every Saturday + +jobs: + build_and_push_nf_images: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + with: + path: containers + + + - name: Checkout other private repository + uses: actions/checkout@v3 + with: + repository: uc-cdis/base-images + token: ${{ secrets.PLANXCYBORG_TOKEN }} + path: base-images + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Login to Amazon ECR + env: + AWS_REGION: us-east-1 # Replace with your AWS region + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_ACCT_654654631253_ECR }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACCT_654654631253_ECR }} + run: | + aws ecr-public get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin public.ecr.aws/u5x5h6w3 + + - name: Build and push Docker images + run: | + dir=base-images/amazonlinux-base/ + echo "Building an image present in $dir" + image_name=nextflow-approved/public + tag_name=$(basename "$dir") + docker build -t public.ecr.aws/u5x5h6w3/$image_name:$tag_name $dir + docker push public.ecr.aws/u5x5h6w3/$image_name:$tag_name + echo "Built an image with name --> $image_name:$tag_name" + + for dir in containers/nextflow-base-images/*/;do + echo "Building an image present in $dir" + image_name=nextflow-approved/public + tag_name=$(basename "$dir") + docker build -t public.ecr.aws/u5x5h6w3/$image_name:$tag_name $dir + docker push public.ecr.aws/u5x5h6w3/$image_name:$tag_name + echo "Built an image with name --> $image_name:$tag_name" + done + + - name: Trigger `get_layer_info_for_nf_imgs.yml` workflow + env: + GH_TOKEN: ${{ secrets.PLANXCYBORG_TOKEN }} + run: | + gh api \ 
+ --method POST \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/uc-cdis/containers/actions/workflows/get_layer_info_for_nf_imgs.yml/dispatches \ + -f "ref=master" diff --git a/.github/workflows/get_layer_info_for_nf_imgs.yml b/.github/workflows/get_layer_info_for_nf_imgs.yml index 0cd4396c..2dae2c89 100644 --- a/.github/workflows/get_layer_info_for_nf_imgs.yml +++ b/.github/workflows/get_layer_info_for_nf_imgs.yml @@ -1,14 +1,12 @@ name: Update Nextflow-approved image's layers on: + # Primarily this workflow is only expected to be triggered by `build_and_push_nf_base_images.yml`, these extra triggers are just added for convenience. workflow_dispatch: push: branches: master paths: - - 'nextflow-base-images/**' #Runs every time this folder gets updated + - 'nextflow-base-images/**' - '.github/workflows/get_layer_info_for_nf_imgs.yml' - schedule: - - cron: '0 0 * * 0' # Run at midnight UTC every Sunday - jobs: get_image_layers: runs-on: ubuntu-latest diff --git a/nextflow-base-images/compliant_anibali_pytorch/Dockerfile b/nextflow-base-images/compliant_anibali_pytorch/Dockerfile deleted file mode 100644 index da1ddc18..00000000 --- a/nextflow-base-images/compliant_anibali_pytorch/Dockerfile +++ /dev/null @@ -1,15 +0,0 @@ -# Use the specified base image -FROM anibali/pytorch:1.13.1-cuda11.7-ubuntu22.04 - -# Change the USER to `root` to have necessary privileges to perform apt-get commands -USER root -RUN apt-get update && apt-get -y upgrade - -# Upgrade pillow to the latest stable version -RUN pip install --upgrade pillow - -# install openssl 3.0.8 as it is required for FIPS compliance. -RUN mamba install -yc conda-forge openssl=3.0.8 - -# Change USER back to the one in the anibali image to limit privileges -USER user 
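Review bot: The loop in the `Build and push Docker images` step walks `containers/nextflow-base-images/*/` in glob order, so `gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl` is built before `gen3-cuda-12.3-ubuntu22.04-openssl`, the tag its `FROM` line references; on a clean runner `docker build` pulls whatever that tag currently holds in the registry, so the torch image is most likely layered on the previous run's base rather than the freshly patched one, and the very first run has no base to pull at all. Build in dependency order with an explicit list, e.g. `for dir in containers/nextflow-base-images/gen3-cuda-11.8-ubuntu22.04-openssl/ containers/nextflow-base-images/gen3-cuda-12.3-ubuntu22.04-openssl/ containers/nextflow-base-images/gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl/; do`, and move the duplicated build/push/echo body into a shell function so the amazonlinux block and the loop cannot drift apart. The `uses:` references (`actions/checkout@v3`, `docker/setup-buildx-action@v2`) are mutable tags; a job that holds `PLANXCYBORG_TOKEN` and ECR push keys should pin them to a full commit SHA with the tag in a trailing comment. The leftover `# Replace with your AWS region` on `AWS_REGION` reads as unfinished template text and should be dropped.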
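Review bot: With `schedule` removed, this workflow still keeps the `push` trigger on `nextflow-base-images/**`, the same path filter `build_and_push_nf_base_images.yml` uses, so a push to master starts this job at the same moment the images begin rebuilding and it will likely read the layer digests of the old images before the build workflow dispatches it again at the end. If the intent in the new comment is that the build workflow drives this one, the `push` trigger probably belongs in the removal too, or the comment should state that the early run is expected to be superseded by the dispatched one. The added comment line is also well over 120 characters; wrapping it into two `#` lines at the same indent keeps yamllint's line-length rule satisfied.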
diff --git a/nextflow-base-images/nvcr_image/Dockerfile b/nextflow-base-images/gen3-cuda-11.8-ubuntu22.04-openssl/Dockerfile
similarity index 100%
rename from nextflow-base-images/nvcr_image/Dockerfile
rename to nextflow-base-images/gen3-cuda-11.8-ubuntu22.04-openssl/Dockerfile
diff --git a/nextflow-base-images/gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl/Dockerfile b/nextflow-base-images/gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl/Dockerfile
new file mode 100644
index 00000000..5ff21418
--- /dev/null
+++ b/nextflow-base-images/gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl/Dockerfile
@@ -0,0 +1,25 @@
+FROM public.ecr.aws/u5x5h6w3/nextflow-approved/public:gen3-cuda-12.3-ubuntu22.04-openssl
+
+# Set environment variables
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install system dependencies
+RUN apt-get update && \
+ apt-get install -y \
+ git \
+ python3-pip \
+ python3-dev \
+ python3-opencv \
+ libglib2.0-0
+
+# Upgrade pip
+RUN python3 -m pip install --upgrade pip
+
+# Install PyTorch and torchvision
+RUN pip3 install torch -f https://download.pytorch.org/whl/cu123/torch_stable.html
+
+# Set the working directory
+WORKDIR /app
+
+# Set the entrypoint
+ENTRYPOINT [ "python3" ]
diff --git a/nextflow-base-images/gen3-cuda-12.3-ubuntu22.04-openssl/Dockerfile b/nextflow-base-images/gen3-cuda-12.3-ubuntu22.04-openssl/Dockerfile
new file mode 100644
index 00000000..65e8347f
--- /dev/null
+++ b/nextflow-base-images/gen3-cuda-12.3-ubuntu22.04-openssl/Dockerfile
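Review bot: `RUN pip3 install torch -f https://download.pytorch.org/whl/cu123/torch_stable.html` installs whatever torch version resolves on build day, while the directory and tag name promise `torch2.2`, and the comment above it says torchvision is installed when it is not; pin the package, e.g. `RUN pip3 install --no-cache-dir 'torch==2.2.*' -f https://download.pytorch.org/whl/cu123/torch_stable.html`, and either add torchvision or correct the comment. Without a pin, a weekly cron rebuild can silently change the main ML dependency of every image built on this tag with no repository change to review. The `apt-get install` layer also leaves `/var/lib/apt/lists/*` in the image; ending that `RUN` with `&& rm -rf /var/lib/apt/lists/*` is the usual cleanup.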
@@ -0,0 +1,36 @@
+# Use the specified base image
+FROM nvcr.io/nvidia/cuda:12.3.1-base-ubuntu22.04
+
+RUN apt-get purge -y --auto-remove openssl && apt-get autoremove && apt-get autoclean
+
+RUN apt-get update && apt-get -y upgrade && apt install -y wget
+
+RUN apt install -y build-essential && \
+ apt-get install -y python3 && \
+ apt-get install -y python3-pip
+
+# install openssl 3.0.8 as it is required for FIPS compliance.
+WORKDIR /tmp
+RUN wget https://www.openssl.org/source/openssl-3.0.8.tar.gz && \
+ tar -xzvf openssl-3.0.8.tar.gz && \
+ rm openssl-3.0.8.tar.gz
+
+WORKDIR /tmp/openssl-3.0.8
+RUN ./Configure enable-fips && \
+ make && \
+ make install
+
+# Changing adding `/usr/local/lib` as a prefix to LD_LIBRARY_PATH will
+# give precedence to OpenSSL 3.0.8 library files over the 3.0.2
+ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:$LD_LIBRARY_PATH
+
+# Make config changes ti ensure FIPS compliance
+RUN sed -i 's$# .include fipsmodule.cnf$.include /usr/local/ssl/fipsmodule.cnf$g' /usr/local/ssl/openssl.cnf
+RUN sed -i 's$providers = provider_sect$providers = provider_sect\nalg_section = algorithm_sect$g' /usr/local/ssl/openssl.cnf
+RUN sed -i 's$# fips = fips_sect$fips = fips_sect$g' /usr/local/ssl/openssl.cnf
+RUN sed -i -e 's$# activate = 1$activate = 1 \n\n[algorithm_sect]\ndefault_properties = fips=yes$g' /usr/local/ssl/openssl.cnf
+
+
+# Clean up the temporary directory
+WORKDIR /
+RUN rm -rf /tmp/openssl-3.0.8
From 416329a0f62f007b93fc5283616ac2cfc9e7de53 Mon Sep 17 00:00:00 2001
From: Sai Shanmukha Narumanchi
Date: Mon, 10 Jun 2024 14:39:05 -0500
Subject: [PATCH 2/3] Chore/automatically delete untagged public images (#185)
---
 .../build_and_push_nf_base_images.yml | 24 +++++++++++++++----
 .secrets.baseline | 18 +++++++-------
 2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build_and_push_nf_base_images.yml b/.github/workflows/build_and_push_nf_base_images.yml
index 688e6c6b..b508a56c 100644
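Review bot: The tarball fetched in the `RUN wget https://www.openssl.org/source/openssl-3.0.8.tar.gz` layer is extracted and compiled without any integrity check, so the FIPS provider this image exists to supply is built from whatever the download returns; add `echo "<EXPECTED_SHA256_FROM_OPENSSL_RELEASE_PAGE>  openssl-3.0.8.tar.gz" | sha256sum -c -` between the `wget` and the `tar` (or verify the release signature) so a tampered or truncated download fails the build. The four `sed -i` edits to `/usr/local/ssl/openssl.cnf` succeed even when their patterns do not match, which would leave the default provider active in an image whose tag ends in `-openssl`; a final `RUN grep -q '^activate = 1' /usr/local/ssl/openssl.cnf && grep -q '^default_properties = fips=yes' /usr/local/ssl/openssl.cnf` turns that silent misconfiguration into a build failure. `ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:$LD_LIBRARY_PATH` ends in an empty element if the base image leaves that variable unset, and the dynamic loader treats an empty element as the current directory; confirm the nvcr base sets it or drop the trailing `:$LD_LIBRARY_PATH`. The comment `# Make config changes ti ensure FIPS compliance` has a typo (`ti` → `to`) and `# Changing adding` should read `# Adding`.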
--- a/.github/workflows/build_and_push_nf_base_images.yml +++ b/.github/workflows/build_and_push_nf_base_images.yml @@ -30,11 +30,14 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 + - name: Set up AWS CLI + uses: aws-actions/configure-aws-credentials@v2 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACCT_654654631253_ECR }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACCT_654654631253_ECR }} + aws-region: us-east-1 + - name: Login to Amazon ECR - env: - AWS_REGION: us-east-1 # Replace with your AWS region - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_ACCT_654654631253_ECR }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACCT_654654631253_ECR }} run: | aws ecr-public get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin public.ecr.aws/u5x5h6w3 @@ -67,3 +70,16 @@ jobs: -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/uc-cdis/containers/actions/workflows/get_layer_info_for_nf_imgs.yml/dispatches \ -f "ref=master" + + - name: Delete untagged docker images from public ECR + run: | + REPO_NAME=nextflow-approved/public + IMAGE_IDS=$(aws ecr-public describe-images --repository-name $REPO_NAME --query 'imageDetails[?imageTags==null].imageDigest' --output text) + if [ -n "$IMAGE_IDS" ]; then + for IMAGE_ID in $IMAGE_IDS; do + echo "Deleting image with SHA hash - $IMAGE_ID" + aws ecr-public batch-delete-image --repository-name $REPO_NAME --image-ids imageDigest=$IMAGE_ID + done + else + echo "No untagged images to delete." + fi diff --git a/.secrets.baseline b/.secrets.baseline index 72559e6f..e8dcb6bb 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2023-09-28T19:27:35Z", + "generated_at": "2024-06-06T20:34:12Z", "plugins_used": [ { "name": "AWSKeyDetector" 
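Review bot: The new `Set up AWS CLI` step still feeds long-lived static keys (`AWS_ACCESS_KEY_ID_ACCT_654654631253_ECR` / `AWS_SECRET_ACCESS_KEY_ACCT_654654631253_ECR`) into `aws-actions/configure-aws-credentials@v2`, which is the natural moment to switch to the action's OIDC mode: add `permissions: id-token: write` to the job and pass `role-to-assume: <IAM_ROLE_ARN_PLACEHOLDER>` together with `aws-region: us-east-1`, so no ECR push credential has to live in repository secrets. The `Login to Amazon ECR` run line keeps using `$AWS_REGION` after the `env:` block that defined it is removed; that works only because configure-aws-credentials exports `AWS_REGION`, which deserves a one-line comment on the step now that the dependency is no longer visible in the file. The action is also referenced by a mutable major tag; pin it to a full commit SHA with the version in a trailing comment.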
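Review bot: The `Delete untagged docker images from public ECR` step removes every untagged digest right after each tag has been re-pushed, so the previous build of every base image is gone the moment the weekly cron overwrites the tag, leaving nothing to roll back to if a rebuild ships a broken or regressed image and breaking any consumer that pinned a digest instead of a tag. Consider filtering on `imagePushedAt` so only untagged digests older than a grace period are deleted, or tagging the previous build with a date suffix before the push overwrites it. The per-digest loop can also be a single call, `aws ecr-public batch-delete-image --repository-name $REPO_NAME --image-ids $(printf 'imageDigest=%s ' $IMAGE_IDS)`, which avoids one API call per digest.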
@@ -58,6 +58,14 @@ } ], "results": { + ".github/workflows/build_and_push_nf_base_images.yml": [ + { + "hashed_secret": "8ca221cf185226c33b30e6b150183acb037eff56", + "is_verified": false, + "line_number": 76, + "type": "Base64 High Entropy String" + } + ], "BRH-notebooks/combined_demos/BDCat_Biolincc_Framingham_study_exploration.ipynb": [ { "hashed_secret": "4604f7226a4eca86fab1f34f8204fa9223b2c27e", @@ -442,14 +450,6 @@ "type": "Base64 High Entropy String" } ], - "azlinux-jupyter-scipy/start.sh": [ - { - "hashed_secret": "f98370d81077aed0aa3500bfc8de3f3e1dac52f6", - "is_verified": false, - "line_number": 133, - "type": "Secret Keyword" - } - ], "jupyter-geo/start.sh": [ { "hashed_secret": "f98370d81077aed0aa3500bfc8de3f3e1dac52f6", From ad758f0a1bd26cd38f829e6972b063e95332dcdc Mon Sep 17 00:00:00 2001 From: Sai Shanmukha Narumanchi Date: Tue, 11 Jun 2024 11:43:39 -0500 Subject: [PATCH 3/3] Update GH workflow to process `allowed_base_images.txt` (#187) * Update shell script to test the new changes, and remove the `master` trigger --------- Co-authored-by: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com> --- .github/workflows/get_layer_info_for_nf_imgs.yml | 10 ++++++++++ nextflow-base-images/allowed_base_images.txt | 1 + 2 files changed, 11 insertions(+) diff --git a/.github/workflows/get_layer_info_for_nf_imgs.yml b/.github/workflows/get_layer_info_for_nf_imgs.yml index 2dae2c89..b8a0007f 100644 --- a/.github/workflows/get_layer_info_for_nf_imgs.yml +++ b/.github/workflows/get_layer_info_for_nf_imgs.yml 
@@ -22,6 +22,16 @@ jobs: TOKEN=$(curl -s https://public.ecr.aws/token/ | jq -r .token) layer_json="{}" while IFS= read -r image_url; do + # Ignore lines that start with # + if [[ "$image_url" == \#* ]]; then + echo "Skipping this line -- $image_url" + continue + fi + # Strip the first * if a line starts with * + if [[ "$image_url" == \** ]]; then + echo "Stripping * from this line -- $image_url" + image_url="${image_url:1}" + fi manifest_url=$(echo ${image_url} | sed 's|public\.ecr\.aws/\(.*\):\(.*\)|https://public.ecr.aws/v2/\1/manifests/\2|') tag_name=$(echo ${image_url} | sed 's|\(.*\):\(.*\)|\2|') echo $manifest_url, $tag_name diff --git a/nextflow-base-images/allowed_base_images.txt b/nextflow-base-images/allowed_base_images.txt index 30a2f9af..d1e391c8 100644 --- a/nextflow-base-images/allowed_base_images.txt +++ b/nextflow-base-images/allowed_base_images.txt @@ -1,3 +1,4 @@ +# Note that base images with an asterisk `*` are temporarily unavailable for use and are being updated. public.ecr.aws/u5x5h6w3/nextflow-approved/public:amazonlinux-base public.ecr.aws/u5x5h6w3/nextflow-approved/public:gen3-cuda-11.8-ubuntu22.04-openssl public.ecr.aws/u5x5h6w3/nextflow-approved/public:gen3-cuda-12.3-ubuntu22.04-openssl
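Review bot: The two new guards in the `while IFS= read -r image_url` loop skip comment lines and strip a leading `*`, but a blank line or one with leading whitespace still falls through to the `manifest_url=$(echo ${image_url} | sed ...)` line below and produces a malformed URL that the rest of the loop then fetches; add `if [[ -z "$image_url" ]]; then continue; fi` right after the comment check, and trim surrounding whitespace if `allowed_base_images.txt` is hand-edited. The asterisk branch deserves a comment explaining why an image that the new note in `allowed_base_images.txt` marks as temporarily unavailable still has its layers collected, since a reader of the loop alone would expect it to be skipped like a comment. The loop body continues past the hunk, so the `done` and whatever consumes `layer_json` were not visible for review.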