Skip to content

Conversation

@bpinsard
Copy link
Collaborator

@bpinsard bpinsard commented Sep 8, 2025

This PR adds:

  • an alpine Dockerfile that contains all the necessary dependencies for running apptainer and datalad
  • a github workflow to build that container on each change to the Dockerfile.

Registry auth needs to be polished (generate token, store as secret... )

Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @bpinsard, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new Docker container environment, built on Alpine Linux, specifically designed to simplify the process of building Apptainer containers. It comes pre-configured with all the essential tools and libraries, including Apptainer itself, Datalad, and Datalad-container, providing a ready-to-use setup for containerization workflows.

Highlights

  • New Dockerfile for Apptainer Builds: An Alpine-based Dockerfile has been added to facilitate the creation of Apptainer containers.
  • Essential Dependencies Included: The Dockerfile pre-installs key tools such as Apptainer, Datalad, and Datalad-container, along with other necessary utilities like git and openssh-client.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new Dockerfile for building Apptainer containers. The implementation is a good start, but there are opportunities to optimize the Docker image by improving layer management, cleanup, and removing unnecessary packages. My review includes suggestions to combine RUN layers for better efficiency and to reconsider the inclusion of a testing package to keep the image lean.

Comment on lines +4 to +11
RUN apk add --no-cache apptainer py3-pytest ca-certificates libseccomp squashfs-tools tzdata fuse2fs fuse-overlayfs squashfuse \
python3 py3-pip git openssh-client git-annex curl bzip2 bash\
&& mkdir -p $APPTAINER_TMPDIR \
&& cp /usr/share/zoneinfo/UTC /etc/localtime \
&& apk del tzdata \
&& rm -rf /tmp/* /var/cache/apk/*

RUN pip install --break-system-packages --no-cache-dir datalad datalad-container
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The apk and pip installations are in separate RUN layers, and the cleanup logic is suboptimal. This can lead to a larger final image size because temporary files from the pip installation are not cleaned up. It's a Docker best practice to chain related commands into a single RUN layer and perform cleanup at the end. This creates a more compact and efficient image layer.

Additionally, rm -rf /var/cache/apk/* is redundant when using the --no-cache flag with apk add.

RUN apk add --no-cache \
        apptainer \
        py3-pytest \
        ca-certificates \
        libseccomp \
        squashfs-tools \
        fuse2fs \
        fuse-overlayfs \
        squashfuse \
        python3 \
        py3-pip \
        git \
        openssh-client \
        git-annex \
        curl \
        bzip2 \
        bash \
        tzdata \
    && pip install --break-system-packages --no-cache-dir datalad datalad-container \
    && mkdir -p $APPTAINER_TMPDIR \
    && cp /usr/share/zoneinfo/UTC /etc/localtime \
    && apk del tzdata \
    && rm -rf /tmp/*

FROM alpine:3.21.3
ENV PATH="/usr/local/apptainer/bin:$PATH" \
APPTAINER_TMPDIR="/tmp-apptainer"
RUN apk add --no-cache apptainer py3-pytest ca-certificates libseccomp squashfs-tools tzdata fuse2fs fuse-overlayfs squashfuse \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The py3-pytest package is being installed. pytest is a testing framework and is generally not required in a production or builder image unless its explicit purpose is to execute tests. Including it adds unnecessary bloat to the image, increasing its size and potential attack surface. If this image is not intended for running tests, please consider removing this package.

- name: Log in to the Container registry
uses: docker/[email protected]
with:
registry: ${{ env.REGISTRY }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you know value to use if for docker hub? https://github.com/docker/login-action?tab=readme-ov-file#docker-hub then does not use any then

Comment on lines +32 to +33
username: repro-bot
password: ${{ secrets.REPROBOT_REGISTRY_TOKEN }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
username: repro-bot
password: ${{ secrets.REPROBOT_REGISTRY_TOKEN }}
username: ${{ secrets.DOCKER_LOGIN }}
password: ${{ secrets.DOCKER_TOKEN }}

to be more inline with setup we have in https://github.com/ReproNim/reprostim/blob/master/.github/workflows/docker.yml

@yarikoptic
Copy link
Member

elderly me recalled that we already do have repronim/containers container with singularity on docker hub https://hub.docker.com/repository/docker/repronim/containers/tags (tag 0.3.20) with singularity 3.9.0:

yoh@typhon:~$ docker run --privileged --rm repronim/containers --version
/entrypoint.sh: line 4: GID: unbound variable
yoh@typhon:~$ docker run --privileged --rm --entrypoint singularity repronim/containers --version
singularity version 3.7.0
yoh@typhon:~$ docker run --privileged --rm --entrypoint singularity repronim/containers:0.3.20 --version
singularity version 3.7.0

Apparently it was built using pushed (so no CI action) over 3 years back using our minor wrapper
https://github.com/ReproNim/containers/blob/HEAD/scripts/Dockerfile.singularity-shim
around the the https://quay.io/repository/singularity/singularity images .

Unfortunately more recent "-slim" flavors of those images were not usable as is, and I updated now with more information and comparison against apptainer images from ghcr at

That container we have was intended to serve a wrapper to execute singularity within docker whenever singularity is not available, e.g. under OSX. And it seems still to work.

But the question really becomes whether we need any custom image (of singularity or docker) to build/convert from docker:// into SIF?! I do not think so. I think we should be just fine with a choice of a stock, clearly versioned image... will do some experimentation now...

@bpinsard
Copy link
Collaborator Author

bpinsard commented Oct 14, 2025

My experience with singularity has been less smooth than with apptainer, notably requiring --privileged for singularity in docker, while apptainer works with --device /dev/fuse --security-opt apparmor:unconfined --security-opt "seccomp:unconfined".

There are no official apptainer build AFAIK, which is the reason I made one on alpine.
I packaged it with datalad for a completely functional datalad-container env, but that can be separated.

@bpinsard
Copy link
Collaborator Author

Currently in singularity in docker unprivileged, I am unable to run it, even after install fuse3, it cannot squash_fuse for weird reason, then it tries to unpack the whole squash, which is time consuming and then fails again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants