-
Notifications
You must be signed in to change notification settings - Fork 19
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Rebuilding images and adding new alma9 flavour
- Loading branch information
Showing
2 changed files
with
565 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,221 @@ | ||
#FROM coffeateam/coffea-base-almalinux8:0.7.22-py3.10 | ||
FROM coffeateam/coffea-dask-almalinux9:latest-py3.10 | ||
|
||
USER root | ||
LABEL maintainer="Oksana Shadura <[email protected]>" | ||
# Jupyterhub | ||
ARG TAG="development" | ||
ARG NB_USER="cms-jovyan" | ||
ARG NB_UID="6440" | ||
ARG NB_GID="11265" | ||
ARG CERT_DIR="/etc/cmsaf-secrets" | ||
# Hack for GH Actions | ||
ARG GITHUB_ACTIONS="false" | ||
# FIX ME AFTER TEST: | ||
#ARG BEARER_TOKEN_FILE="/tmp/.xcache/access_token" | ||
ARG BEARER_TOKEN_FILE="/tmp/.xcache/access_token" | ||
ARG SEC_TOKEN_SYSTEM_DIRECTORY="/tmp/.condor" | ||
ARG XCACHE_HOST="xcache" | ||
#ARG XCACHE_HOST="red-xcache1.unl.edu" | ||
|
||
|
||
# Configure environment | ||
ENV CONDA_DIR /usr/local | ||
ENV CERT_DIR $CERT_DIR | ||
ENV XCACHE_HOST $XCACHE_HOST | ||
ENV BEARER_TOKEN_FILE $BEARER_TOKEN_FILE | ||
ENV SEC_TOKEN_SYSTEM_DIRECTORY $SEC_TOKEN_SYSTEM_DIRECTORY | ||
ENV SHELL /bin/bash | ||
ENV NB_USER $NB_USER | ||
ENV USER $NB_USER | ||
ENV NB_UID $NB_UID | ||
ENV NB_GID $NB_GID | ||
ENV HOME /home/$NB_USER | ||
ENV PATH "${CONDA_DIR}/bin/:$PATH" | ||
ENV LC_ALL en_US.UTF-8 | ||
ENV LANG en_US.UTF-8 | ||
ENV LANGUAGE en_US.UTF-8 | ||
|
||
# Install all OS dependencies for notebook server that starts but lacks all | ||
# features (e.g., download as all possible file formats) | ||
RUN yum -y update \ | ||
&& yum -y group install "Development Tools" \ | ||
&& yum -y install \ | ||
wget \ | ||
epel-release \ | ||
gettext \ | ||
bzip2 \ | ||
ca-certificates \ | ||
sudo \ | ||
langpacks-en \ | ||
glibc-langpack-en \ | ||
glibc-all-langpacks \ | ||
liberation-fonts \ | ||
wget \ | ||
nss_wrapper \ | ||
openssl \ | ||
emacs \ | ||
git \ | ||
unzip \ | ||
nano \ | ||
vim \ | ||
curl \ | ||
net-tools \ | ||
libXext \ | ||
libSM \ | ||
libXrender \ | ||
nc \ | ||
openssh-clients \ | ||
tzdata \ | ||
unzip \ | ||
gdb \ | ||
&& yum clean all && rm -rf /var/cache/yum | ||
|
||
ENV TINI_VERSION v0.19.0 | ||
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-static-amd64 /usr/bin/tini | ||
RUN chmod +x /usr/bin/tini | ||
|
||
# Copy a script that we will use to correct permissions after running certain commands | ||
COPY jupyterhub/fix-permissions /usr/local/bin/fix-permissions | ||
RUN chmod a+rx /usr/local/bin/fix-permissions | ||
|
||
RUN rm -rf /etc/grid-security && \ | ||
ln -s /usr/local/etc/grid-security /etc/grid-security && \ | ||
chmod 755 /etc/grid-security/certificates && \ | ||
chmod g-w /etc/grid-security/certificates | ||
|
||
# Enable prompt color in the skeleton .bashrc before creating the default NB_USER | ||
# hadolint ignore=SC2016 | ||
RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashrc && \ | ||
# Add call to conda init script see https://stackoverflow.com/a/58081608/4413446 | ||
echo 'eval "$(command conda shell.bash hook 2> /dev/null)"' >> /etc/skel/.bashrc | ||
|
||
# Create NB_USER with name jovyan user with given UID and in the 'users' group | ||
# and make sure these dirs are writable by the `users` group. | ||
RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \ | ||
sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \ | ||
sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \ | ||
groupadd -r "${NB_USER}" --gid "$NB_GID" && \ | ||
useradd -l -m -s /bin/bash -N -u "${NB_UID}" "${NB_USER}" && \ | ||
mkdir -p "${CONDA_DIR}" && \ | ||
mkdir -p "${CERT_DIR}" && \ | ||
mkdir -p /var/lib/condor && \ | ||
chown -R "${NB_USER}:${NB_GID}" "${CONDA_DIR}" && \ | ||
chown -R "${NB_USER}:${NB_GID}" "${HOME}" && \ | ||
chmod g+w /etc/passwd && \ | ||
fix-permissions "${HOME}" && \ | ||
fix-permissions "${CONDA_DIR}" | ||
|
||
USER $NB_USER | ||
WORKDIR $HOME | ||
# Setup work directory for backward-compatibility | ||
RUN mkdir $HOME/work && \ | ||
mkdir -p $HOME/.local && \ | ||
mkdir -p $HOME/.condor/tokens.d && \ | ||
fix-permissions $HOME | ||
|
||
RUN mamba remove htcondor | ||
|
||
#Dask dependencies and HTCondor | ||
RUN mamba install --yes \ | ||
-c conda-forge \ | ||
htcondor==10.8.0 \ | ||
xgboost \ | ||
pyhf \ | ||
xrootd \ | ||
scipy>=1.8.1 \ | ||
cabinetry \ | ||
vector \ | ||
hist \ | ||
mplhep \ | ||
iminuit \ | ||
cmake \ | ||
ndcctools \ | ||
&& mamba clean \ | ||
--all \ | ||
--force-pkgs-dirs \ | ||
--yes | ||
|
||
RUN pip install --no-cache-dir \ | ||
aiostream \ | ||
supervisor \ | ||
correctionlib \ | ||
funcx \ | ||
pyyaml \ | ||
# ML packages | ||
dask-ml \ | ||
dask-gateway \ | ||
prometheus_client \ | ||
comm>=0.1.2 \ | ||
mlflow | ||
|
||
#RUN if [ "${TAG:-}" == "development" ]; then pip install --no-cache-dir git+https://github.com/CoffeaTeam/coffea-casa.git#egg=coffea_casa ; else pip install --no-cache-dir coffea_casa -U ; fi | ||
RUN pip install --no-cache-dir git+https://github.com/CoffeaTeam/coffea-casa.git#egg=coffea_casa | ||
|
||
# ------- xrootd-xcache-plugin ------------------------------- | ||
RUN cd /tmp && \ | ||
git clone -b xcache https://github.com/jthiltges/xrdcl-authz-plugin.git && \ | ||
cd xrdcl-authz-plugin && \ | ||
mkdir build && \ | ||
cd build && \ | ||
cmake /tmp/xrdcl-authz-plugin -DCMAKE_INSTALL_PREFIX=${CONDA_DIR} && \ | ||
make && \ | ||
make install | ||
|
||
ENV XRD_PLUGINCONFDIR="${CONDA_DIR}/etc/xrootd/client.plugins.d/" | ||
ENV XRD_PLUGIN="${CONDA_DIR}/lib/libXrdClXcachePlugin-5.so" | ||
|
||
# Include additional CA certificates beyond ca-policy-lcg | ||
COPY certs/* /etc/grid-security/certificates/ | ||
RUN openssl rehash /etc/grid-security/certificates/ | ||
|
||
# TODO: RETEST IF WE STILL NEED THIS | ||
ENV LD_LIBRARY_PATH="${CONDA_DIR}/lib/:$LD_LIBRARY_PATH" | ||
ENV PATH="${CONDA_DIR}/bin/:$PATH" | ||
|
||
USER root | ||
# Setup supervisord files | ||
COPY k8s-worker/supervisord.conf /etc/supervisor/ | ||
# Setup HTCondor user/group and change group for user $NB_USER | ||
# Fix error (submitting jobs as user/group 0 (root) is not allowed for security reasons) and | ||
# it configured from kubernetes side and updated in docker container to match it | ||
RUN groupadd -r condor && \ | ||
useradd -r -g condor -d /var/lib/condor -s /sbin/nologin condor | ||
|
||
# FIXME: merge PRs open in distributed.git (oshadura) | ||
# Distributed: we need to install patched version of distributed version | ||
COPY dask/distributed ${CONDA_DIR}/lib/python3.10/site-packages/distributed | ||
RUN cd ${CONDA_DIR}/lib/python3.10/site-packages/distributed && \ | ||
patch -p2 < 0001-Patch-from-bbockelman-adaptive-scaling.patch && \ | ||
patch -p2 < 0002-Allow-scheduler-to-preserve-worker-hostnames.patch | ||
# && patch -p2 < 0003-Activate-patch.patch | ||
# && patch -p2 < 0004-Add-possibility-to-setup-external_adress-for-schedul.patch | ||
# && patch -p2 < 0005-Add-nanny-patch.patch | ||
|
||
# FIXME: we have a wrong path, let's make a link. | ||
# cms-jovyan@jupyter-oksana-2eshadura-40cern-2ech:~$ echo $PATH | ||
# ${CONDA_DIR}/condabin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games | ||
RUN rm -rf ${CONDA_DIR}/condabin && ln -s ${CONDA_DIR}/bin ${CONDA_DIR}/condabin | ||
|
||
# Cleanup | ||
RUN rm -rf /tmp/* \ | ||
&& rm -rf $HOME/.cache/.pip/* \ | ||
&& mamba clean --all -f -y \ | ||
&& find ${CONDA_DIR} -type f -name '*.a' -delete \ | ||
&& find ${CONDA_DIR} -type f -name '*.pyc' -delete \ | ||
&& find ${CONDA_DIR} -type f -name '*.js.map' -delete \ | ||
&& (find ${CONDA_DIR}/lib/python3.10/site-packages/bokeh/server/static -type f,l -name '*.js' -not -name '*.min.js' -delete || echo "no bokeh static files to cleanup") \ | ||
&& rm -rf ${CONDA_DIR}/pkgs | ||
|
||
# Mkdir CVMFS mount directory. Mount done upstream in configs. Harmless | ||
# if not utilized, crucial if CVMFS is desired | ||
RUN mkdir /cvmfs | ||
|
||
# Prepare HTCondor spec. environment and execute dask-worker command | ||
# If we using this container as a sidecar, we don't setup any HTCondor spec. environment | ||
# nor and execute dask-worker command | ||
ADD prepare-env/prepare-env-cc-analysis.sh /usr/local/bin/prepare-env.sh | ||
RUN chmod ugo+x /usr/local/bin/prepare-env.sh | ||
|
||
USER $NB_USER | ||
ENTRYPOINT ["tini", "-g", "--", "/usr/local/bin/prepare-env.sh"] |
Oops, something went wrong.