Merge pull request #16 from tmaeno/master

tmaeno · web-flow · commit aff94bb987fe · 2025-06-30T09:46:14.000+02:00
pilot container
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,94 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        with:
+          cosign-release: 'v2.2.4'
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          #platforms: linux/amd64,linux/arm64
+          
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,94 @@
+ARG PILOT_VERSION=3.10.4.12
+
+ARG PYTHON_VERSION=3.12.11
+ARG BOOST_VERSION=1.88.0
+
+FROM docker.io/almalinux:9.6
+
+ARG PYTHON_VERSION
+ARG PILOT_VERSION
+ARG BOOST_VERSION
+
+RUN dnf install -y epel-release yum-utils \
+    && yum-config-manager --enable crb \
+    && dnf update -y
+
+# install rucio dependencies
+RUN dnf install -y \
+        gfal2-all \
+        gfal2-devel \
+        nordugrid-arc-client \
+        nordugrid-arc-plugins-gfal \
+        nordugrid-arc-plugins-globus \
+        nordugrid-arc-plugins-s3 \
+        nordugrid-arc-plugins-xrootd \
+        xrootd-client
+
+# install other dependencies mainly for building Python and Boost
+RUN dnf install -y gcc make voms-clients apptainer wget openssl-devel bzip2-devel libffi-devel zlib-devel \
+    which emacs unzip cmake bzip2 gcc-c++ glib2-devel
+
+# install Python
+RUN mkdir /tmp/python && cd /tmp/python && \
+    wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz && \
+    tar -xzf Python-*.tgz && rm -f Python-*.tgz && \
+    cd Python-* && \
+    ./configure  && \
+    make altinstall && \
+    echo /usr/local/lib > /etc/ld.so.conf.d/local.conf && ldconfig && cd / && rm -rf /tmp/python
+
+# install Boost Python
+RUN mkdir /tmp/boost && cd /tmp/boost && \
+    wget https://archives.boost.io/release/${BOOST_VERSION}/source/boost_$(echo ${BOOST_VERSION} | sed 's/\./_/g').tar.bz2 && \
+    tar -xf boost_*.tar.bz2 && rm -f boost_*.tar.bz2 && \
+    cd boost_* && \
+    export CPLUS_INCLUDE_PATH=$CPLUS_INCLUDE_PATH:/usr/local/include/python$(echo ${PYTHON_VERSION} | sed -E 's/\.[0-9]+$//') && \
+    ./bootstrap.sh --with-python=/usr/local/bin/python$(echo ${PYTHON_VERSION} | sed -E 's/\.[0-9]+$//') && \
+    ./b2 install && cd / && rm -rf /tmp/boost
+
+RUN  dnf clean all && rm -rf /var/cache/dnf
+
+# setup venv with pythonX.Y
+RUN python$(echo ${PYTHON_VERSION} | sed -E 's/\.[0-9]+$//') -m venv /opt/pilot
+
+RUN /opt/pilot/bin/pip install --no-cache-dir -U pip setuptools
+RUN /opt/pilot/bin/pip install --no-cache-dir -U rucio-clients psutil gfal2-python
+
+# rucio clients configuration
+RUN mkdir -p /opt/rucio/etc && \
+    ln -s /scratch/rucio.cfg /opt/rucio/etc/rucio.cfg
+
+# install CA certificates
+RUN mkdir -p /etc/grid-security/certificates &&  \
+    mkdir /tmp/cert && \
+    cd /tmp/cert && \
+    wget -l1 -r -np -nH -e robots=off --cut-dirs=7 http://repository.egi.eu/sw/production/cas/1/current/tgz/ && \
+    bash -c 'for tgz in $(ls *.tar.gz); do tar xzf ./$tgz --strip-components=1 -C /etc/grid-security/certificates; done' && \
+    cd - && \
+    rm -rf /tmp/cert
+
+ENV X509_CERT_DIR=/etc/grid-security/certificates
+
+# setup pilot
+RUN mkdir /pilot
+WORKDIR /pilot
+
+ARG WRAPPER_NAME=runpilot2-wrapper.sh
+
+# copy the wrapper script
+COPY ${WRAPPER_NAME} .
+RUN chmod +x ${WRAPPER_NAME}
+
+# download and extract pilot tarball
+RUN wget -O pilot3.tar.gz https://github.com/PanDAWMS/pilot3/archive/refs/tags/${PILOT_VERSION}.tar.gz && \
+    tar xvfz pilot3.tar.gz && rm -f pilot3.tar.gz && mv pilot3-* pilot3
+
+# create entrypoint script
+RUN echo '#!/bin/bash' > entrypoint.sh && \
+    echo 'cp /scratch/* .' >> entrypoint.sh && \
+    echo 'source /opt/pilot/bin/activate' >> entrypoint.sh && \
+    echo './'${WRAPPER_NAME}' $@' >> entrypoint.sh && \
+    chmod +x entrypoint.sh
+
+ENTRYPOINT ["/pilot/entrypoint.sh"]
+CMD ["/bin/bash"]
diff --git a/README.md b/README.md
@@ -1 +1,26 @@
 Production wrapper for Pilot 3
+
+To run the container:
+
+```bash
+$ echo -n <your_token> > token.txt
+$ cp /somewhere/rucio.cfg .
+$ docker run -v ${PWD}:/scratch -e OIDC_AUTH_TOKEN=/scratch/token.txt -e OIDC_AUTH_ORIGIN=<vo.role> -it --platform linux/amd64 ghcr.io/pilot-wrapper/pilot-wrapper:master -s <site_name> -r <queue_name> -q <queue_name> -j unified -i PR --pythonversion 3 -w generic --pilot-user rubin --url <panda_server_url> -d --localpy --piloturl local --container -t
+```
+where you need to replace `<blah>`. E.g.:
+```bash
+$ # x509 for rucio access
+$ cp ~/.globus/user* .
+$ cp /tmp/x509up_u123456 .
+$ # rucio config with x509
+$ cat rucio.cfg
+[client]
+rucio_host = https://voatlasrucio-server-prod.cern.ch:443
+auth_host = https://atlas-rucio-auth.cern.ch:443
+client_cert = /scratch/usercert.pem
+client_key = /scratch/userkey.pem
+client_x509_proxy = /scratch/x509up_u123456
+auth_type = x509_proxy
+request_retries = 3
+$ docker run -v ${PWD}:/scratch -e OIDC_AUTH_TOKEN=/scratch/token.txt -e OIDC_AUTH_ORIGIN=panda_dev.pilot -it --platform linux/amd64 ghcr.io/pilot-wrapper/pilot-wrapper:master -s CERN -r CERN -q CERN -j unified -i PR --pythonversion 3 -w generic --pilot-user rubin --url https://aipanda123.cern.ch:25443 -d --localpy --piloturl local --container -t
+```
diff --git a/runpilot2-wrapper.sh b/runpilot2-wrapper.sh
@@ -853,7 +853,9 @@ function main() {
   echo
 
   echo "---- Retrieve pilot code ----"
-  piloturl=$(get_piloturl ${pilotversion})
+  if [[ ${piloturl} != 'local' ]]; then
+    piloturl=$(get_piloturl ${pilotversion})
+  fi
   log "Using piloturl: ${piloturl}"
 
   log "Only supporting pilot3 so pilotbase directory: pilot3"
